Tunable, optional and if(n)def blocks go below.
Tunable, optional and if(n)def blocks go below.
parent
30bbb6a533
commit
b46b3ad67f
@ -45,14 +45,6 @@ interface(`postgresql_role',`
|
|||||||
# Client local policy
|
# Client local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
tunable_policy(`sepgsql_enable_users_ddl',`
|
|
||||||
allow $2 user_sepgsql_table_t:db_table { create drop setattr };
|
|
||||||
allow $2 user_sepgsql_table_t:db_column { create drop setattr };
|
|
||||||
|
|
||||||
allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
|
|
||||||
allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
|
|
||||||
')
|
|
||||||
|
|
||||||
allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock };
|
allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock };
|
||||||
allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
|
allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
|
||||||
allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
|
allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
|
||||||
@ -69,6 +61,14 @@ interface(`postgresql_role',`
|
|||||||
|
|
||||||
allow $2 sepgsql_trusted_proc_t:process transition;
|
allow $2 sepgsql_trusted_proc_t:process transition;
|
||||||
type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
|
type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
|
||||||
|
|
||||||
|
tunable_policy(`sepgsql_enable_users_ddl',`
|
||||||
|
allow $2 user_sepgsql_table_t:db_table { create drop setattr };
|
||||||
|
allow $2 user_sepgsql_table_t:db_column { create drop setattr };
|
||||||
|
|
||||||
|
allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
|
||||||
|
allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@ -358,13 +358,6 @@ interface(`postgresql_unpriv_client',`
|
|||||||
type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
|
type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
|
||||||
allow $1 sepgsql_trusted_proc_t:process transition;
|
allow $1 sepgsql_trusted_proc_t:process transition;
|
||||||
|
|
||||||
tunable_policy(`sepgsql_enable_users_ddl',`
|
|
||||||
allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
|
|
||||||
allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
|
|
||||||
allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
|
|
||||||
allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
|
|
||||||
')
|
|
||||||
|
|
||||||
allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
|
allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
|
||||||
allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
|
allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
|
||||||
allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
|
allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
|
||||||
@ -378,6 +371,13 @@ interface(`postgresql_unpriv_client',`
|
|||||||
|
|
||||||
allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
|
allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
|
||||||
type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
|
type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
|
||||||
|
|
||||||
|
tunable_policy(`sepgsql_enable_users_ddl',`
|
||||||
|
allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
|
||||||
|
allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
|
||||||
|
allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
|
||||||
|
allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
|
||||||
|
')
|
||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
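Review bot: The relocated `tunable_policy` blocks for `sepgsql_enable_users_ddl`, now at the end of `postgresql_role` and `postgresql_unpriv_client`, carry no comment saying what the boolean opens up. Among the lines shown, they are the only rules that give the client domain `create drop setattr` on the table, column and procedure types, and `update insert delete` on the `user_sepgsql_sysobj_t` / `unpriv_sepgsql_sysobj_t` tuples. A one-line comment above each block would help anyone auditing the policy, for example `# DDL rights for client domains; only active while sepgsql_enable_users_ddl is on`. The boolean's declaration and default are outside this diff, so it is worth confirming there that DDL for unprivileged clients is something an administrator has to choose. As a smaller style point, the `postgresql_role` copy keeps a blank line between the `db_column` and `db_tuple` rules while the `postgresql_unpriv_client` copy does not; both interface bodies begin before the hunks shown.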