OK, the attached patch adds the following types for unprivileged clients.
 - unpriv_sepgsql_table_t
 - unpriv_sepgsql_sysobj_t
 - unpriv_sepgsql_proc_exec_t
 - unpriv_sepgsql_blob_t

These types are the default for unprivileged and unprefixed domains,
such as httpd_t and others.

In addition, the TYPE_TRANSITION rules are moved outside of the
sepgsql_enable_users_ddl tunable. As far as I recall, they were enclosed
within the tunable because UBAC domains (user_t and so on) were allowed
to create sepgsql_table_t, and the default type pointed to that type
when sepgsql_enable_users_ddl was disabled.
However, the types have different meanings now, so the TYPE_TRANSITION
rules should be unconditional.

KaiGai Kohei
This commit is contained in:
Chris PeBenito 2009-05-21 11:28:14 +00:00
parent 80348b73a0
commit a01a4a7183
2 changed files with 53 additions and 8 deletions


@ -47,18 +47,18 @@ interface(`postgresql_role',`
tunable_policy(`sepgsql_enable_users_ddl',`
allow $2 user_sepgsql_table_t:db_table { create drop };
type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;
allow $2 user_sepgsql_table_t:db_column { create drop };
allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
')
allow $2 user_sepgsql_table_t:db_table { getattr setattr use select update insert delete lock };
allow $2 user_sepgsql_table_t:db_column { getattr setattr use select update insert };
allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;
allow $2 user_sepgsql_sysobj_t:db_tuple { use select };
type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };
type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;
@ -313,24 +313,55 @@ interface(`postgresql_stream_connect',`
#
interface(`postgresql_unpriv_client',`
gen_require(`
class db_database all_db_database_perms;
class db_table all_db_table_perms;
class db_procedure all_db_procedure_perms;
class db_column all_db_column_perms;
class db_tuple all_db_tuple_perms;
class db_blob all_db_blob_perms;
attribute sepgsql_client_type;
attribute sepgsql_database_type, sepgsql_sysobj_table_type;
type sepgsql_db_t, sepgsql_table_t, sepgsql_proc_exec_t, sepgsql_blob_t;
type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;
type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t;
type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t;
')
########################################
#
# Declarations
#
typeattribute $1 sepgsql_client_type;
type_transition $1 sepgsql_db_t:db_table sepgsql_table_t;
type_transition $1 sepgsql_db_t:db_procedure sepgsql_proc_exec_t;
type_transition $1 sepgsql_db_t:db_blob sepgsql_blob_t;
########################################
#
# Client local policy
#
type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
allow $1 sepgsql_trusted_proc_t:process transition;
tunable_policy(`sepgsql_enable_users_ddl',`
allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
')
allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t;
allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };
type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;
allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };
type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;
allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
')
########################################
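Review bot: The unconditional `allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };` and `allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write };` in postgresql_unpriv_client let an unprivileged client create and drop procedures and large objects even when sepgsql_enable_users_ddl is off, while table/column create/drop and sysobj tuple writes in the same interface are gated by the tunable. If the tunable is meant to cover all user-issued DDL for domains like httpd_t, as the commit message suggests, the procedure `create drop setattr` and blob `create drop` permissions should move inside the `tunable_policy(`sepgsql_enable_users_ddl', ...)` block, leaving `getattr execute` and `getattr read write` unconditional; the same split applies to the user_sepgsql_proc_exec_t rule in postgresql_role. If the asymmetry is deliberate, a comment such as `# procedure/blob create and drop are intentionally not gated by sepgsql_enable_users_ddl` above those rules would stop it being read as an oversight. Also, the gen_require still lists sepgsql_db_t, sepgsql_table_t, sepgsql_proc_exec_t and sepgsql_blob_t; if the type_transitions to those types were removed by this change, as the commit message implies, those requires appear unused and could be dropped.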


@ -1,5 +1,5 @@
policy_module(postgresql, 1.8.4)
policy_module(postgresql, 1.8.5)
gen_require(`
class db_database all_db_database_perms;
@ -97,6 +97,20 @@ domain_type(sepgsql_trusted_proc_t)
postgresql_unconfined(sepgsql_trusted_proc_t)
role system_r types sepgsql_trusted_proc_t;
# Types for unprivileged client
type unpriv_sepgsql_blob_t;
postgresql_blob_object(unpriv_sepgsql_blob_t)
type unpriv_sepgsql_proc_exec_t;
postgresql_procedure_object(unpriv_sepgsql_proc_exec_t)
type unpriv_sepgsql_sysobj_t;
postgresql_system_table_object(unpriv_sepgsql_sysobj_t)
type unpriv_sepgsql_table_t;
postgresql_table_object(unpriv_sepgsql_table_t)
# Types for UBAC
type user_sepgsql_blob_t;
typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t };
typealias user_sepgsql_blob_t alias { auditadm_sepgsql_blob_t secadm_sepgsql_blob_t };
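Review bot: The new `# Types for unprivileged client` comment does not say what these four types are for or how they differ from the existing sepgsql_table_t, sepgsql_proc_exec_t and sepgsql_blob_t declared elsewhere in this module. Since the postgresql.if change in the same commit makes them the type_transition targets for every domain passed to postgresql_unpriv_client(), a comment stating that would help the next reader, e.g. `# Default type_transition targets for domains that use postgresql_unpriv_client() (e.g. httpd_t); separate from the sepgsql_*_t types used by privileged clients`. The enclosing declarations block continues outside the hunk, so the comment's placement relative to the sepgsql_*_t declarations should be checked in the full file.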