se-postgresql update from kaigai
- rework: Add a "deprecated" comment to deprecated permissions. - bugfix: MCS policy did not constrain the following permissions: db_database:{getattr} db_table:{getattr lock} db_column:{getattr} db_procedure:{drop getattr setattr} db_blob:{getattr import export} - rework: db_table:{lock} is moved to the reader side, because otherwise it is impossible to reference a read-only table from a foreign-key constraint (FK checks internally acquire explicit locks). - bugfix: some permissions in the db_procedure class were allowed on sepgsql_trusted_proc_t, but that is a domain, not a procedure type; they should be allowed on sepgsql_trusted_proc_exec_t. I also renamed sepgsql_proc_t to sepgsql_proc_exec_t (keeping the old name as an alias) to avoid this kind of confusion, as Chris suggested before. - rework: we should not allow db_procedure:{install} on sepgsql_trusted_proc_exec_t, because of the risk of invoking a trusted procedure implicitly. - bugfix: MLS policy treated db_blob:{export} as a writer-side permission, but it is required when the large object is referenced. - bugfix: MLS policy did not constrain the db_procedure class.
This commit is contained in:
parent
da3ed0667f
commit
350ed89156
@ -1,3 +1,4 @@
|
||||
- Postgresql updates from KaiGai Kohei.
|
||||
- Milter state directory patch from Paul Howarth.
|
||||
- Add MLS constrains for ingress/egress and secmark from Paul Moore.
|
||||
- Drop write permission from fs_read_rpc_sockets().
|
||||
|
@ -682,8 +682,8 @@ class packet
|
||||
send
|
||||
recv
|
||||
relabelto
|
||||
flow_in # not currently in use
|
||||
flow_out # not currently in use
|
||||
flow_in # deprecated
|
||||
flow_out # deprecated
|
||||
forward_in
|
||||
forward_out
|
||||
}
|
||||
@ -723,14 +723,14 @@ inherits database
|
||||
access
|
||||
install_module
|
||||
load_module
|
||||
get_param
|
||||
set_param
|
||||
get_param # deprecated
|
||||
set_param # deprecated
|
||||
}
|
||||
|
||||
class db_table
|
||||
inherits database
|
||||
{
|
||||
use
|
||||
use # deprecated
|
||||
select
|
||||
update
|
||||
insert
|
||||
@ -749,7 +749,7 @@ inherits database
|
||||
class db_column
|
||||
inherits database
|
||||
{
|
||||
use
|
||||
use # deprecated
|
||||
select
|
||||
update
|
||||
insert
|
||||
@ -759,7 +759,7 @@ class db_tuple
|
||||
{
|
||||
relabelfrom
|
||||
relabelto
|
||||
use
|
||||
use # deprecated
|
||||
select
|
||||
update
|
||||
insert
|
||||
|
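Review bot: The new `use # deprecated` markers on db_table, db_column and db_tuple (and `get_param`/`set_param` on db_database) say nothing about what replaces the permission or whether policy may still grant it, yet the same commit keeps granting and MCS-constraining `use` elsewhere (for example `mlsconstrain db_table { ... use lock }` and the `allow ... db_table { getattr setattr use select ... }` rules). A reader of the access vector alone will either strip `use` from rules or assume the checks are gone. Spell out the status on the line, e.g. `use # deprecated: kept for compatibility, still granted by existing policy`, and do the same for `flow_in`/`flow_out` in class packet. Only the last hunk of this file is reviewed here; the other hunks cut through class bodies.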
10
policy/mcs
10
policy/mcs
@ -111,22 +111,22 @@ mlsconstrain { db_tuple } { insert relabelto }
|
||||
(( h1 dom h2 ) and ( l2 eq h2 ));
|
||||
|
||||
# Access control for any database objects based on MCS rules.
|
||||
mlsconstrain db_database { drop setattr relabelfrom access install_module load_module get_param set_param }
|
||||
mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }
|
||||
( h1 dom h2 );
|
||||
|
||||
mlsconstrain db_table { drop setattr relabelfrom select update insert delete use }
|
||||
mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }
|
||||
( h1 dom h2 );
|
||||
|
||||
mlsconstrain db_column { drop setattr relabelfrom select update insert use }
|
||||
mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use }
|
||||
( h1 dom h2 );
|
||||
|
||||
mlsconstrain db_tuple { relabelfrom select update delete use }
|
||||
( h1 dom h2 );
|
||||
|
||||
mlsconstrain db_procedure { execute install }
|
||||
mlsconstrain db_procedure { drop getattr setattr execute install }
|
||||
( h1 dom h2 );
|
||||
|
||||
mlsconstrain db_blob { drop setattr relabelfrom read write }
|
||||
mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }
|
||||
( h1 dom h2 );
|
||||
|
||||
') dnl end enable_mcs
|
||||
|
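Review bot: The new `mlsconstrain db_procedure { drop getattr setattr execute install }` is the only db_* MCS constraint in this hunk that leaves out `relabelfrom`, while db_database, db_table, db_column, db_tuple and db_blob all constrain it, and the MLS side of the same commit does add `relabelfrom` to its new db_procedure constraint. Unless that is deliberate, a subject whose categories do not dominate a procedure's could still relabel it away, subject only to type enforcement; `mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install }` would close that gap. If it is deliberate, a one-line comment above the constraint saying why would stop the next reader from re-raising it.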
21
policy/mls
21
policy/mls
@ -709,7 +709,13 @@ mlsconstrain { db_database } { getattr access get_param }
|
||||
( t1 == mlsdbread ) or
|
||||
( t2 == mlstrustedobject ));
|
||||
|
||||
mlsconstrain { db_table db_column } { getattr use select }
|
||||
mlsconstrain { db_table } { getattr use select lock }
|
||||
(( l1 dom l2 ) or
|
||||
(( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
|
||||
( t1 == mlsdbread ) or
|
||||
( t2 == mlstrustedobject ));
|
||||
|
||||
mlsconstrain { db_column } { getattr use select }
|
||||
(( l1 dom l2 ) or
|
||||
(( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
|
||||
( t1 == mlsdbread ) or
|
||||
@ -721,7 +727,7 @@ mlsconstrain { db_procedure } { getattr execute install }
|
||||
( t1 == mlsdbread ) or
|
||||
( t2 == mlstrustedobject ));
|
||||
|
||||
mlsconstrain { db_blob } { getattr read }
|
||||
mlsconstrain { db_blob } { getattr read export }
|
||||
(( l1 dom l2 ) or
|
||||
(( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
|
||||
( t1 == mlsdbread ) or
|
||||
@ -741,7 +747,7 @@ mlsconstrain { db_database } { create drop setattr relabelfrom install_module lo
|
||||
( t1 == mlsdbwrite ) or
|
||||
( t2 == mlstrustedobject ));
|
||||
|
||||
mlsconstrain { db_table } { create drop setattr relabelfrom update insert delete lock }
|
||||
mlsconstrain { db_table } { create drop setattr relabelfrom update insert delete }
|
||||
(( l1 eq l2 ) or
|
||||
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
|
||||
(( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
|
||||
@ -755,7 +761,14 @@ mlsconstrain { db_column } { create drop setattr relabelfrom update insert }
|
||||
( t1 == mlsdbwrite ) or
|
||||
( t2 == mlstrustedobject ));
|
||||
|
||||
mlsconstrain { db_blob } { create drop setattr relabelfrom write import export }
|
||||
mlsconstrain { db_procedure } { create drop setattr relabelfrom }
|
||||
(( l1 eq l2 ) or
|
||||
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
|
||||
(( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
|
||||
( t1 == mlsdbwrite ) or
|
||||
( t2 == mlstrustedobject ));
|
||||
|
||||
mlsconstrain { db_blob } { create drop setattr relabelfrom write import }
|
||||
(( l1 eq l2 ) or
|
||||
(( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
|
||||
(( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
|
||||
|
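Review bot: Moving `lock` into the reader-side constraint `mlsconstrain { db_table } { getattr use select lock }` and out of the writer-side one means a subject that may only read down can now take explicit table locks on lower-level tables; under MLS that can in principle let a high subject delay, and thereby signal to, low-level writers through lock contention, which the writer-side placement had ruled out. The foreign-key rationale in the commit message is reasonable, but it lives only there; a comment on that line, e.g. `# lock is reader-side: FK checks take explicit locks on the referenced (possibly read-only) table`, would keep the trade-off from being undone later. The db_table writer-side constraint whose first line changes in the `-741,7 +747,7` hunk, and the db_blob writer-side one in the last hunk, continue past the end of their hunks, so their remaining clauses are not reviewed here.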
@ -55,7 +55,7 @@ interface(`postgresql_role',`
|
||||
type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
|
||||
')
|
||||
|
||||
allow $2 user_sepgsql_table_t:db_table { getattr setattr use select update insert delete };
|
||||
allow $2 user_sepgsql_table_t:db_table { getattr setattr use select update insert delete lock };
|
||||
allow $2 user_sepgsql_table_t:db_column { getattr setattr use select update insert };
|
||||
allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
|
||||
allow $2 user_sepgsql_sysobj_t:db_tuple { use select };
|
||||
@ -319,14 +319,14 @@ interface(`postgresql_unpriv_client',`
|
||||
|
||||
attribute sepgsql_client_type;
|
||||
|
||||
type sepgsql_db_t, sepgsql_table_t, sepgsql_proc_t, sepgsql_blob_t;
|
||||
type sepgsql_db_t, sepgsql_table_t, sepgsql_proc_exec_t, sepgsql_blob_t;
|
||||
type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;
|
||||
')
|
||||
|
||||
typeattribute $1 sepgsql_client_type;
|
||||
|
||||
type_transition $1 sepgsql_db_t:db_table sepgsql_table_t;
|
||||
type_transition $1 sepgsql_db_t:db_procedure sepgsql_proc_t;
|
||||
type_transition $1 sepgsql_db_t:db_procedure sepgsql_proc_exec_t;
|
||||
type_transition $1 sepgsql_db_t:db_blob sepgsql_blob_t;
|
||||
|
||||
type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
|
||||
|
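Review bot: The `lock` added in `allow $2 user_sepgsql_table_t:db_table { getattr setattr use select update insert delete lock };` carries no comment, and the reason for a reader/writer set to include a lock right (foreign-key checks acquire explicit locks) is stated only in the commit message. A short comment above the rule, e.g. `# lock: foreign-key checks take explicit locks on the referenced table`, would keep it from being trimmed later as an unneeded grant. If the role is also expected to reference system-object or other read-only tables through foreign keys, the corresponding db_table rules (not in this hunk) would need `lock` too; the `user_sepgsql_sysobj_t` line visible here only covers db_tuple. The postgresql_role interface body continues outside the hunk.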
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(postgresql, 1.8.3)
|
||||
policy_module(postgresql, 1.8.4)
|
||||
|
||||
gen_require(`
|
||||
class db_database all_db_database_perms;
|
||||
@ -66,8 +66,9 @@ postgresql_database_object(sepgsql_db_t)
|
||||
type sepgsql_fixed_table_t;
|
||||
postgresql_table_object(sepgsql_fixed_table_t)
|
||||
|
||||
type sepgsql_proc_t;
|
||||
postgresql_procedure_object(sepgsql_proc_t)
|
||||
type sepgsql_proc_exec_t;
|
||||
typealias sepgsql_proc_exec_t alias sepgsql_proc_t;
|
||||
postgresql_procedure_object(sepgsql_proc_exec_t)
|
||||
|
||||
type sepgsql_ro_blob_t;
|
||||
postgresql_blob_object(sepgsql_ro_blob_t)
|
||||
@ -143,7 +144,7 @@ allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
|
||||
type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t;
|
||||
|
||||
allow postgresql_t sepgsql_procedure_type:db_procedure *;
|
||||
type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_t;
|
||||
type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
|
||||
|
||||
allow postgresql_t sepgsql_blob_type:db_blob *;
|
||||
type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t;
|
||||
@ -284,27 +285,27 @@ optional_policy(`
|
||||
allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param };
|
||||
type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t;
|
||||
|
||||
allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert };
|
||||
allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert lock };
|
||||
allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert };
|
||||
allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert };
|
||||
|
||||
allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete };
|
||||
allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete lock };
|
||||
allow sepgsql_client_type sepgsql_table_t:db_column { getattr use select update insert };
|
||||
allow sepgsql_client_type sepgsql_table_t:db_tuple { use select update insert delete };
|
||||
|
||||
allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select };
|
||||
allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select lock };
|
||||
allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select };
|
||||
allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select };
|
||||
|
||||
allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr;
|
||||
allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr;
|
||||
|
||||
allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select };
|
||||
allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select lock };
|
||||
allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select };
|
||||
allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
|
||||
|
||||
allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute install };
|
||||
allow sepgsql_client_type sepgsql_trusted_proc_t:db_procedure { getattr execute entrypoint };
|
||||
allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr execute install };
|
||||
allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint };
|
||||
|
||||
allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
|
||||
allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
|
||||
@ -338,15 +339,16 @@ allow sepgsql_unconfined_type sepgsql_database_type:db_database *;
|
||||
type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t;
|
||||
|
||||
type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t;
|
||||
type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_t;
|
||||
type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
|
||||
type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;
|
||||
|
||||
allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;
|
||||
|
||||
# unconfined domain is not allowed to invoke user defined procedure directly.
|
||||
# They have to confirm and relabel it at first.
|
||||
allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_t }:db_procedure *;
|
||||
allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto };
|
||||
allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure *;
|
||||
allow sepgsql_unconfined_type sepgsql_trusted_proc_exec_t:db_procedure ~install;
|
||||
allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ execute install };
|
||||
|
||||
allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
|
||||
|
||||
|
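Review bot: `allow sepgsql_unconfined_type sepgsql_trusted_proc_exec_t:db_procedure ~install;` withholds only `install`, while the line above still grants `*` on sepgsql_proc_exec_t and `~install` itself includes `relabelto`; if SE-PostgreSQL checks `install` only when a procedure is registered for implicit invocation rather than on every implicit call, the unconfined domain can reach the same end state by installing a sepgsql_proc_exec_t procedure and then relabeling it to sepgsql_trusted_proc_exec_t, which would sidestep the intent stated in the commit message. Either also withhold `relabelto` there (`~{ install relabelto }`) or add a comment documenting why the relabel path is acceptable. The retained comment `# unconfined domain is not allowed to invoke user defined procedure directly.` now describes only the `~{ execute install }` rule on sepgsql_procedure_type and should say so, since the adjacent `*` on sepgsql_proc_exec_t reads as a contradiction at first glance.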