Limiting access to columns based on categories
Suppose we use the range of category numbers from c909 to address specific PII datasets, and grant users access to these categories either by granting them direct access, or by using specific SELinux contexts to consult this data.
db_test=# SECURITY LABEL ON COLUMN tb_users.mail IS 'system_u:object_r:sepgsql_table_t:s0:c903';
db_test=# SECURITY LABEL ON COLUMN tb_users.address IS 'system_u:object_r:sepgsql_table_t:s0:c903';
With the labels applied, a user that does not have access to this category will not be able to access the data:
db_test=> SELECT sepgsql_getcon();
 user_u:user_r:user_t:s0-s0:c0.c100
db_test=> SELECT uid,name,mail,address FROM tb_users;
ERROR: SELinux: security policy violation
With the category range for the user set correctly, access to the data is granted:
db_test=> SELECT sepgsql_getcon();
 user_u:user_r:user_t:s0-s0:c0.c100,c900.c904
db_test=> SELECT uid,name,mail,address FROM tb_users;
It is important to understand, though, that most domains are allowed to switch their category set, as long as the new set remains within the range allowed for the login:
# semanage login -l
Login Name    SELinux User    MLS/MCS Range
...           ...             ...
taylor        user_u          s0-s0:c0.c100,c900.c903
...           ...             ...
This means that, even when a user session for this user launches with a more limited category set (for instance, using the runcon command), the user will still be able to call runcon again to extend the category range, or use the sepgsql_setcon() function to do the same from within the database session:
db_test=> SELECT sepgsql_getcon();
 user_u:user_r:user_t:s0-s0:c0.c100
db_test=> SELECT sepgsql_setcon('user_u:user_r:user_t:s0-s0:c0.c100,c900.c903');
db_test=> SELECT sepgsql_getcon();
 user_u:user_r:user_t:s0-s0:c0.c100,c900.c903
Constraining the user domain for sensitivity range manipulation
The SELinux policy always allows reducing the category range, so a range that initially includes the c900 category can always switch to a category range that excludes this category. The rules within SELinux that grant domains the privilege to reduce their category range are dominance rules: they compare the category sets of the source and target contexts, and if the target set is fully enclosed within the source set (the source dominates the target), SELinux allows the range transition to occur.
The policy, however, also allows extending the category range (as long as the result remains within the range defined for the user in the SELinux configuration), unless the domain itself is marked as MCS-constrained. The default MCS-constrained domains are generally those used for sandboxes or virtualization.
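The following Python model, added here as an illustration and not code from the page's author or from the SELinux project, makes the two rules above concrete: it parses the MCS category lists shown in the sessions (for example c0.c100,c900.c903), applies the dominance check to both a column access (the column label s0:c903 against the subject's clearance) and a requested range change (reduce always allowed; extend allowed only within the login range and only when the domain is not MCS-constrained). The function names, the single-sensitivity assumption, and the decision logic are a simplification of the real policy constraints and are assumptions of this example.

```python
import re


def parse_categories(spec):
    """Expand an MCS category list such as 'c0.c100,c900.c903' into a set of ints.

    'cA.cB' is an inclusive range, entries are comma-separated, an empty
    spec yields the empty set (a level without categories).
    """
    cats = set()
    if not spec:
        return cats
    for part in spec.split(','):
        m = re.fullmatch(r'c(\d+)(?:\.c(\d+))?', part.strip())
        if not m:
            raise ValueError(f'bad category spec: {part!r}')
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f'descending category range: {part!r}')
        cats.update(range(lo, hi + 1))
    return cats


def parse_level(level):
    """'s0' or 's0:c0.c100,c900.c903' -> (sensitivity, category set)."""
    sens, _, cats = level.partition(':')
    m = re.fullmatch(r's(\d+)', sens)
    if not m:
        raise ValueError(f'bad sensitivity: {sens!r}')
    return int(m.group(1)), parse_categories(cats)


def parse_range(mls_range):
    """'low-high' -> (low level, high level); a bare level is its own high."""
    low, _, high = mls_range.partition('-')
    low_lvl = parse_level(low)
    high_lvl = parse_level(high) if high else low_lvl
    return low_lvl, high_lvl


def parse_context(ctx):
    """'user:role:type:range' -> (user, role, type, (low, high))."""
    user, role, typ, rng = ctx.split(':', 3)
    return user, role, typ, parse_range(rng)


def dominates(a, b):
    """MLS/MCS dominance: a dominates b when its sensitivity is at least b's
    and b's category set is a subset of a's."""
    return a[0] >= b[0] and b[1] <= a[1]


def can_read_column(subject_ctx, column_label):
    """Read access to a labelled column requires the subject's clearance
    (the high end of its range) to dominate the column's level."""
    _, subject_high = parse_context(subject_ctx)[3]
    _, column_level = parse_context(column_label)[3]
    return dominates(subject_high, column_level)


def range_change_allowed(current_ctx, requested_ctx, login_range,
                         mcs_constrained=False):
    """Simplified model (assumption) of whether runcon/sepgsql_setcon may
    move from current_ctx to requested_ctx for a login with login_range.

    - Reducing the range (current dominates requested) is always allowed.
    - Extending it is allowed only when the requested clearance stays within
      the login's range and the domain is not marked mcs_constrained_type.
    """
    cur = parse_context(current_ctx)
    req = parse_context(requested_ctx)
    if cur[:3] != req[:3]:          # only range changes are modelled here
        return False
    cur_high, req_high = cur[3][1], req[3][1]
    if dominates(cur_high, req_high):
        return True
    if mcs_constrained:
        return False
    _, login_high = parse_range(login_range)
    return dominates(login_high, req_high)


if __name__ == '__main__':
    # Constructed sample values mirroring the sessions on the page.
    column = 'system_u:object_r:sepgsql_table_t:s0:c903'
    limited = 'user_u:user_r:user_t:s0-s0:c0.c100'
    full = 'user_u:user_r:user_t:s0-s0:c0.c100,c900.c903'
    login = 's0-s0:c0.c100,c900.c903'
    print('limited session reads mail column:', can_read_column(limited, column))
    print('full session reads mail column:', can_read_column(full, column))
    print('extend range (default domain):', range_change_allowed(limited, full, login))
    print('extend range (mcs_constrained):',
          range_change_allowed(limited, full, login, mcs_constrained=True))
```

Running the block reproduces the behaviour of the sessions above: the session limited to c0.c100 is denied the c903 column, the session carrying c900.c903 can read it, and the limited session may grow back to the full login range unless the domain is MCS-constrained.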
However, we can easily add more domains. For instance, to mark the user domain as MCS-constrained, load the following CIL policy:
(typeattributeset cil_gen_require mcs_constrained_type)
(typeattributeset cil_gen_require user_t)
(typeattributeset mcs_constrained_type (user_t))
This will prevent the user_t domain from growing its category range again.