You are here SELinux / Trusted RUBIX Object Set Model
Trusted RUBIX Object Set Model
The Trusted RUBIX policy uses a concept called object sets to aid in implementing coherent SELinux policy over DBMS objects. Object sets ease the creation of certain types of custom DBMS policy. It is not required as custom policy may be created entirely from basic SELinux Type Enforcement rules.
An object set is a named set of DBMS objects (catalogs and subordinate schemata, tables, views, and rows) that have a common security requirement. SELinux interfaces are provided that declare a named object set and allow particular roles SQL access to the object set. For instance, if the rubix_client_r role is given SELECT access to the objset_set_1 object set, then it may select from any table in the object set. It is important to note that once a DBMS catalog has been assigned to an object set, then all subordinate schemata, tables, views, and rows will automatically belong to that object set.
Multiple object sets may reside in a single Trusted RUBIX database. The database object is not part of any object set. Each object set has its own unique group of SELinux object types used to control access. SELinux policy interfaces are provided to easily create object sets and to control SQL access to the object set based upon the DBMS subjects' domain type. Interfaces exist to simply and easily permit DDL operations (e.g., object drop and create), select, insert, delete, list user objects, and list system objects based upon the domain type of the DBMS subject and the object set being accessed. User defined object sets are named and all related SELinux constructs (e.g., roles, types) are named with a prefix equal to the object set's name.
As an example, in a cross domain environment each enclave could have a single object set to contain its DBMS objects. Each enclave would then have a unique, named set of object types that may be used to control access. SELinux interfaces could then be used to give SQL access to a domain type for each enclave as the security requirements dictate.
Each Trusted RUBIX database has a default object set that is automatically created. In addition, it may have any number of user defined object sets explicitly created. The Security Administrator can use the provided interfaces to control access to each object set. In addition, the Security Administrator may write discrete Type Enforcement rules (e.g., allow rules) to further refine the security behavior.
Each object set is contained within one or more specially typed DBMS catalogs which must be created by the object set administrator. Each object set has its own group of SELinux object types for each DBMS object class. The SELinux types created for the default object set are rubix_db_t, rubix_cat_t, rubix_schema_t, rubix_table_t, and rubix_row_t. User defined object sets have object types created for each DBMS object based upon the object set's name. For example, if an object set were created with the name objset1 then object types would be created named objset1_rubix_cat_t, objset1_rubix_schema_t, objset1_rubix_table_t, and objset1_rubix_row_t.