Tunable, optional and if(n)def blocks go below.

Tunable, optional and if(n)def blocks go below.
Dominick Grift 2010-09-20 19:50:51 +02:00
parent 30bbb6a533
commit b46b3ad67f


@ -45,14 +45,6 @@ interface(`postgresql_role',`
# Client local policy # Client local policy
# #
tunable_policy(`sepgsql_enable_users_ddl',`
allow $2 user_sepgsql_table_t:db_table { create drop setattr };
allow $2 user_sepgsql_table_t:db_column { create drop setattr };
allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
')
allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock }; allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock };
allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete }; allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
@ -69,6 +61,14 @@ interface(`postgresql_role',`
allow $2 sepgsql_trusted_proc_t:process transition; allow $2 sepgsql_trusted_proc_t:process transition;
type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
tunable_policy(`sepgsql_enable_users_ddl',`
allow $2 user_sepgsql_table_t:db_table { create drop setattr };
allow $2 user_sepgsql_table_t:db_column { create drop setattr };
allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
')
') ')
######################################## ########################################
@ -358,13 +358,6 @@ interface(`postgresql_unpriv_client',`
type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
allow $1 sepgsql_trusted_proc_t:process transition; allow $1 sepgsql_trusted_proc_t:process transition;
tunable_policy(`sepgsql_enable_users_ddl',`
allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
')
allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock }; allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert }; allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
@ -378,6 +371,13 @@ interface(`postgresql_unpriv_client',`
allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t; type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
tunable_policy(`sepgsql_enable_users_ddl',`
allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
')
') ')
######################################## ########################################
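Review bot: The relocated sepgsql_enable_users_ddl tunable blocks at the end of `postgresql_role` and `postgresql_unpriv_client` have no comment saying what the boolean unlocks, and after the move they sit apart from the unconditional table/column rules they extend. A one-line header above each block would help anyone auditing the interface, for example `# DDL permissions (create/drop/setattr), granted only while sepgsql_enable_users_ddl is enabled`. That comment should also mention that the block grants `update insert delete` on the `*_sepgsql_sysobj_t:db_tuple` type, since write access to the sysobj tuples is easy to overlook next to the create/drop/setattr rules. Both interface bodies start outside the visible hunks, so any description of the boolean elsewhere in the file was not checked.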