trunk: add sepostgresql policy from kaigai kohei.
This commit is contained in:
parent
67b6207a9e
commit
e8cb08aefa
@ -1,3 +1,4 @@
|
||||
- SE-Postgresql policy from KaiGai Kohei.
|
||||
- Patch for X.org dbus support from Martin Orr.
|
||||
- Patch for labeled networking controls in 2.6.25 from Paul Moore.
|
||||
- Module loading now requires setsched on kernel threads.
|
||||
|
@ -2551,6 +2551,35 @@ interface(`kernel_dontaudit_recvfrom_unlabeled_peer',`
|
||||
dontaudit $1 unlabeled_t:peer recv;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Relabel from unlabeled database objects.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`kernel_relabelfrom_unlabeled_database',`
|
||||
gen_require(`
|
||||
type unlabeled_t;
|
||||
class db_database { setattr relabelfrom };
|
||||
class db_table { setattr relabelfrom };
|
||||
class db_procedure { setattr relabelfrom };
|
||||
class db_column { setattr relabelfrom };
|
||||
class db_tuple { update relabelfrom };
|
||||
class db_blob { setattr relabelfrom };
|
||||
')
|
||||
|
||||
allow $1 unlabeled_t:db_database { setattr relabelfrom };
|
||||
allow $1 unlabeled_t:db_table { setattr relabelfrom };
|
||||
allow $1 unlabeled_t:db_procedure { setattr relabelfrom };
|
||||
allow $1 unlabeled_t:db_column { setattr relabelfrom };
|
||||
allow $1 unlabeled_t:db_tuple { update relabelfrom };
|
||||
allow $1 unlabeled_t:db_blob { setattr relabelfrom };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Unconfined access to kernel module resources.
|
||||
|
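Review bot: The new `kernel_relabelfrom_unlabeled_database` interface grants only `relabelfrom` on the unlabeled database object classes, never `relabelto` on a destination, so a caller (here `sepgsql_unconfined_type` via postgresql.te) only succeeds once it also holds `relabelto` on the sepgsql_* object types; the `<summary>` should say so, e.g. `## Relabel from unlabeled database objects. The caller must separately hold relabelto on the destination types.`. The `gen_require` also assumes the db_database/db_table/db_procedure/db_column/db_tuple/db_blob classes and their access vectors already exist in the policy's class definitions, which nothing in this commit appears to add; if they come in a separate change the build order matters and a note in the commit message would help. `class db_tuple { update relabelfrom }` differs from the `setattr relabelfrom` used for every other class, presumably because db_tuple carries no setattr, and a one-line comment on that line would stop the next reader treating it as a typo.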
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(kernel,1.9.4)
|
||||
policy_module(kernel,1.9.5)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -225,6 +225,10 @@ template(`apache_content_template',`
|
||||
')
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postgresql_unpriv_client(httpd_$1_script_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
nscd_socket_use(httpd_$1_script_t)
|
||||
')
|
||||
|
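Review bot: `postgresql_unpriv_client(httpd_$1_script_t)` marks every generated script domain as a database client without saying why, whereas the matching httpd_t rule added in apache.te carries `# Allow httpd to work with postgresql`; put the same comment above this call for consistency. The interface only applies the client attribute; the script domain still needs `postgresql_stream_connect` or `postgresql_tcp_connect` to reach the server, and neither appears in this hunk, so if they are not granted elsewhere in the template the new rule has no effect on its own. apache_content_template continues outside the hunk on both sides.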
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(apache,1.9.1)
|
||||
policy_module(apache,1.9.2)
|
||||
|
||||
#
|
||||
# NOTES:
|
||||
@ -475,6 +475,7 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
# Allow httpd to work with postgresql
|
||||
postgresql_stream_connect(httpd_t)
|
||||
postgresql_unpriv_client(httpd_t)
|
||||
|
||||
tunable_policy(`httpd_can_network_connect_db',`
|
||||
postgresql_tcp_connect(httpd_t)
|
||||
|
@ -6,8 +6,8 @@
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/bin/initdb -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
||||
/usr/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
||||
/usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
||||
/usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
||||
|
||||
/usr/lib/pgsql/test/regres(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
|
||||
/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
||||
@ -30,8 +30,12 @@ ifdef(`distro_redhat', `
|
||||
/var/lib/pgsql/data(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
|
||||
/var/lib/pgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0)
|
||||
|
||||
/var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
|
||||
/var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
|
||||
|
||||
/var/log/postgres\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
|
||||
/var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
|
||||
/var/log/sepostgresql\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
|
||||
|
||||
ifdef(`distro_redhat', `
|
||||
/var/log/rhdb/rhdb(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
|
||||
|
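Review bot: `/var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)` uses the `--` regular-file qualifier while the existing `/var/lib/pgsql/pgstartup\.log` entry a few lines above does not; use one form for both so the two data trees are labelled by the same rule shape. A short comment such as `# SE-PostgreSQL (sepgsql) install paths` above the new `/var/lib/sepgsql` and `/var/log/sepostgresql` entries would tell readers why a second set of paths is labelled with the same types.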
@ -1,5 +1,206 @@
|
||||
## <summary>PostgreSQL relational database</summary>
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## The userdomain template for the SE-PostgreSQL.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## This template creates a delivered types which are used
|
||||
## for given userdomains.
|
||||
## </desc>
|
||||
## <param name="userdomain_prefix">
|
||||
## <summary>
|
||||
## The prefix of the user domain (e.g., user
|
||||
## is the prefix for user_t).
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_domain">
|
||||
## <summary>
|
||||
## The type of the user domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="user_role">
|
||||
## <summary>
|
||||
## The role associated with the user domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
template(`postgresql_userdom_template',`
|
||||
gen_require(`
|
||||
class db_database all_db_database_perms;
|
||||
class db_table all_db_table_perms;
|
||||
class db_procedure all_db_procedure_perms;
|
||||
class db_column all_db_column_perms;
|
||||
class db_tuple all_db_tuple_perms;
|
||||
class db_blob all_db_blob_perms;
|
||||
|
||||
attribute sepgsql_client_type, sepgsql_database_type;
|
||||
attribute sepgsql_sysobj_table_type;
|
||||
|
||||
type sepgsql_trusted_proc_t, sepgsql_trusted_domain_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
typeattribute $2 sepgsql_client_type;
|
||||
|
||||
type $1_sepgsql_blob_t;
|
||||
postgresql_blob_object($1_sepgsql_blob_t)
|
||||
|
||||
type $1_sepgsql_proc_t;
|
||||
postgresql_procedure_object($1_sepgsql_proc_t)
|
||||
|
||||
type $1_sepgsql_sysobj_t;
|
||||
postgresql_system_table_object($1_sepgsql_sysobj_t)
|
||||
|
||||
type $1_sepgsql_table_t;
|
||||
postgresql_table_object($1_sepgsql_table_t)
|
||||
|
||||
role $3 types sepgsql_trusted_domain_t;
|
||||
|
||||
##############################
|
||||
#
|
||||
# Client local policy
|
||||
#
|
||||
|
||||
tunable_policy(`sepgsql_enable_users_ddl',`
|
||||
allow $2 $1_sepgsql_table_t : db_table { create drop };
|
||||
type_transition $2 sepgsql_database_type:db_table $1_sepgsql_table_t;
|
||||
|
||||
allow $2 $1_sepgsql_table_t : db_column { create drop };
|
||||
|
||||
allow $2 $1_sepgsql_sysobj_t : db_tuple { update insert delete };
|
||||
type_transition $2 sepgsql_sysobj_table_type:db_tuple $1_sepgsql_sysobj_t;
|
||||
')
|
||||
|
||||
allow $2 $1_sepgsql_table_t : db_table { getattr setattr use select update insert delete };
|
||||
allow $2 $1_sepgsql_table_t : db_column { getattr setattr use select update insert };
|
||||
allow $2 $1_sepgsql_table_t : db_tuple { use select update insert delete };
|
||||
allow $2 $1_sepgsql_sysobj_t : db_tuple { use select };
|
||||
|
||||
allow $2 $1_sepgsql_proc_t : db_procedure { create drop getattr setattr execute };
|
||||
type_transition $2 sepgsql_database_type:db_procedure $1_sepgsql_proc_t;
|
||||
|
||||
allow $2 $1_sepgsql_blob_t : db_blob { create drop getattr setattr read write };
|
||||
type_transition $2 sepgsql_database_type:db_blob $1_sepgsql_blob_t;
|
||||
|
||||
allow $2 sepgsql_trusted_domain_t:process transition;
|
||||
type_transition $2 sepgsql_trusted_proc_t:process sepgsql_trusted_domain_t;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Marks as a SE-PostgreSQL loadable shared library module
|
||||
## </summary>
|
||||
## <param name="type">
|
||||
## <summary>
|
||||
## Type marked as a database object type.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`postgresql_loadable_module',`
|
||||
gen_require(`
|
||||
attribute sepgsql_module_type;
|
||||
')
|
||||
|
||||
typeattribute $1 sepgsql_module_type;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Marks as a SE-PostgreSQL database object type
|
||||
## </summary>
|
||||
## <param name="type">
|
||||
## <summary>
|
||||
## Type marked as a database object type.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`postgresql_database_object',`
|
||||
gen_require(`
|
||||
attribute sepgsql_database_type;
|
||||
')
|
||||
|
||||
typeattribute $1 sepgsql_database_type;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Marks as a SE-PostgreSQL table/column/tuple object type
|
||||
## </summary>
|
||||
## <param name="type">
|
||||
## <summary>
|
||||
## Type marked as a table/column/tuple object type.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`postgresql_table_object',`
|
||||
gen_require(`
|
||||
attribute sepgsql_table_type;
|
||||
')
|
||||
|
||||
typeattribute $1 sepgsql_table_type;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Marks as a SE-PostgreSQL system table/column/tuple object type
|
||||
## </summary>
|
||||
## <param name="type">
|
||||
## <summary>
|
||||
## Type marked as a table/column/tuple object type.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`postgresql_system_table_object',`
|
||||
gen_require(`
|
||||
attribute sepgsql_table_type;
|
||||
attribute sepgsql_sysobj_table_type;
|
||||
')
|
||||
|
||||
typeattribute $1 sepgsql_table_type;
|
||||
typeattribute $1 sepgsql_sysobj_table_type;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Marks as a SE-PostgreSQL procedure object type
|
||||
## </summary>
|
||||
## <param name="type">
|
||||
## <summary>
|
||||
## Type marked as a database object type.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`postgresql_procedure_object',`
|
||||
gen_require(`
|
||||
attribute sepgsql_procedure_type;
|
||||
')
|
||||
|
||||
typeattribute $1 sepgsql_procedure_type;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Marks as a SE-PostgreSQL binary large object type
|
||||
## </summary>
|
||||
## <param name="type">
|
||||
## <summary>
|
||||
## Type marked as a database binary large object type.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`postgresql_blob_object',`
|
||||
gen_require(`
|
||||
attribute sepgsql_blob_type;
|
||||
')
|
||||
|
||||
typeattribute $1 sepgsql_blob_type;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain to search postgresql's database directory.
|
||||
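Review bot: Several of the new interface docs are copy-pasted: `postgresql_loadable_module` and `postgresql_procedure_object` both describe their parameter as `Type marked as a database object type.`, and `postgresql_system_table_object` reuses `Type marked as a table/column/tuple object type.`; each `<param>` summary should name the attribute the interface actually applies (loadable module, procedure, system table). The template `<desc>` reads `creates a delivered types which are used for given userdomains`, presumably `creates the derived types used for the given user domain`. In the template body `allow $2 $1_sepgsql_table_t : db_table { getattr setattr use select update insert delete };` grants `setattr` on the user's own tables unconditionally, while postgresql.te grants `setattr` on the shared `sepgsql_table_t` only inside the `sepgsql_enable_users_ddl` tunable (`{ create drop setattr }`); if that asymmetry is intended a comment should say so, otherwise move `setattr` into the tunable block alongside `create drop`. The template's `gen_require` also pulls in `class db_database all_db_database_perms;`, which no rule in the template uses.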
@ -120,3 +321,57 @@ interface(`postgresql_stream_connect',`
|
||||
# Some versions of postgresql put the sock file in /tmp
|
||||
allow $1 postgresql_tmp_t:sock_file write;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain unprivileged accesses to unifined database objects
|
||||
## managed by SE-PostgreSQL,
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`postgresql_unpriv_client',`
|
||||
gen_require(`
|
||||
class db_table all_db_table_perms;
|
||||
class db_procedure all_db_procedure_perms;
|
||||
class db_blob all_db_blob_perms;
|
||||
|
||||
attribute sepgsql_client_type;
|
||||
attribute sepgsql_database_type;
|
||||
|
||||
type sepgsql_table_t, sepgsql_proc_t, sepgsql_blob_t;
|
||||
|
||||
type sepgsql_trusted_proc_t, sepgsql_trusted_domain_t;
|
||||
')
|
||||
|
||||
typeattribute $1 sepgsql_client_type;
|
||||
|
||||
type_transition $1 sepgsql_database_type:db_table sepgsql_table_t;
|
||||
type_transition $1 sepgsql_database_type:db_procedure sepgsql_proc_t;
|
||||
type_transition $1 sepgsql_database_type:db_blob sepgsql_blob_t;
|
||||
|
||||
type_transition $1 sepgsql_trusted_proc_t:process sepgsql_trusted_domain_t;
|
||||
allow $1 sepgsql_trusted_domain_t:process transition;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Allow the specified domain unconfined accesses to any database objects
|
||||
## managed by SE-PostgreSQL,
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`postgresql_unconfined',`
|
||||
gen_require(`
|
||||
attribute sepgsql_unconfined_type;
|
||||
')
|
||||
|
||||
typeattribute $1 sepgsql_unconfined_type;
|
||||
')
|
||||
|
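Review bot: The `postgresql_unpriv_client` summary reads `unprivileged accesses to unifined database objects managed by SE-PostgreSQL,` — `unifined` is a typo (most likely the word was meant to be dropped or to read `unconfined`) and both this summary and the `postgresql_unconfined` one end in a comma where a full stop is needed. The interface sets the client attribute and the `type_transition` rules for new tables, procedures and blobs but grants no socket access; apache.te pairs it with `postgresql_stream_connect` and `postgresql_tcp_connect`, so a line in the summary such as `## Connection to the server must be granted separately (postgresql_stream_connect / postgresql_tcp_connect).` would save callers the same discovery. The `process transition` rule into `sepgsql_trusted_domain_t` is also worth one comment, since it is the only place a client domain is allowed to change domain.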
@ -1,10 +1,27 @@
|
||||
|
||||
policy_module(postgresql,1.5.1)
|
||||
policy_module(postgresql, 1.5.2)
|
||||
|
||||
gen_require(`
|
||||
class db_database all_db_database_perms;
|
||||
class db_table all_db_table_perms;
|
||||
class db_procedure all_db_procedure_perms;
|
||||
class db_column all_db_column_perms;
|
||||
class db_tuple all_db_tuple_perms;
|
||||
class db_blob all_db_blob_perms;
|
||||
')
|
||||
|
||||
#################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow unprived users to execute DDL statement
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(sepgsql_enable_users_ddl, true)
|
||||
|
||||
type postgresql_t;
|
||||
type postgresql_exec_t;
|
||||
init_daemon_domain(postgresql_t,postgresql_exec_t)
|
||||
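Review bot: `gen_tunable(sepgsql_enable_users_ddl, true)` ships with DDL for unprivileged clients switched on, which widens the default client permission set (create/drop/setattr on tables and columns plus update/insert/delete on system-catalog tuples, per the tunable blocks later in this file); if that is the intended default the `<desc>` should say so and list what turning it off removes, and `Allow unprived users to execute DDL statement` should read `Allow unprivileged users to execute DDL statements`. The module line `policy_module(postgresql, 1.5.2)` also gains a space after the comma that the other bumps in this commit (kernel, apache, init, libraries) do not use; keep the file's previous form `policy_module(postgresql,1.5.2)`.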
@ -27,6 +44,58 @@ files_tmp_file(postgresql_tmp_t)
|
||||
type postgresql_var_run_t;
|
||||
files_pid_file(postgresql_var_run_t)
|
||||
|
||||
# database clients attribute
|
||||
attribute sepgsql_client_type;
|
||||
attribute sepgsql_unconfined_type;
|
||||
|
||||
# database objects attribute
|
||||
attribute sepgsql_database_type;
|
||||
attribute sepgsql_table_type;
|
||||
attribute sepgsql_sysobj_table_type;
|
||||
attribute sepgsql_procedure_type;
|
||||
attribute sepgsql_blob_type;
|
||||
attribute sepgsql_module_type;
|
||||
|
||||
# database object types
|
||||
type sepgsql_blob_t;
|
||||
postgresql_blob_object(sepgsql_blob_t)
|
||||
|
||||
type sepgsql_db_t;
|
||||
postgresql_database_object(sepgsql_db_t)
|
||||
|
||||
type sepgsql_fixed_table_t;
|
||||
postgresql_table_object(sepgsql_fixed_table_t)
|
||||
|
||||
type sepgsql_proc_t;
|
||||
postgresql_procedure_object(sepgsql_proc_t)
|
||||
|
||||
type sepgsql_ro_blob_t;
|
||||
postgresql_blob_object(sepgsql_ro_blob_t)
|
||||
|
||||
type sepgsql_ro_table_t;
|
||||
postgresql_table_object(sepgsql_ro_table_t)
|
||||
|
||||
type sepgsql_secret_blob_t;
|
||||
postgresql_blob_object(sepgsql_secret_blob_t)
|
||||
|
||||
type sepgsql_secret_table_t;
|
||||
postgresql_table_object(sepgsql_secret_table_t)
|
||||
|
||||
type sepgsql_sysobj_t;
|
||||
postgresql_system_table_object(sepgsql_sysobj_t)
|
||||
|
||||
type sepgsql_table_t;
|
||||
postgresql_table_object(sepgsql_table_t)
|
||||
|
||||
type sepgsql_trusted_proc_t;
|
||||
postgresql_procedure_object(sepgsql_trusted_proc_t)
|
||||
|
||||
# Trusted Procedure Domain
|
||||
type sepgsql_trusted_domain_t;
|
||||
domain_type(sepgsql_trusted_domain_t)
|
||||
postgresql_unconfined(sepgsql_trusted_domain_t)
|
||||
role system_r types sepgsql_trusted_domain_t;
|
||||
|
||||
########################################
|
||||
#
|
||||
# postgresql Local policy
|
||||
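Review bot: `sepgsql_trusted_domain_t` is declared with `postgresql_unconfined(sepgsql_trusted_domain_t)`, i.e. full access to every database object, and the only explanation is the label `# Trusted Procedure Domain`; expand it to state that clients enter this domain through the `type_transition ... sepgsql_trusted_proc_t:process sepgsql_trusted_domain_t` rules in postgresql.if and that, as far as this commit shows, only `sepgsql_unconfined_type` can create or relabel a procedure into `sepgsql_trusted_proc_t`. The `# database objects attribute` block lists six attributes without saying which interface applies each one; a one-line note per attribute (e.g. `# sepgsql_module_type: set by postgresql_loadable_module`) would save readers a trip to postgresql.if.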
@ -42,6 +111,23 @@ allow postgresql_t self:tcp_socket create_stream_socket_perms;
|
||||
allow postgresql_t self:udp_socket create_stream_socket_perms;
|
||||
allow postgresql_t self:unix_dgram_socket create_socket_perms;
|
||||
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow postgresql_t self:netlink_selinux_socket create_socket_perms;
|
||||
|
||||
allow postgresql_t sepgsql_database_type:db_database *;
|
||||
type_transition postgresql_t postgresql_t:db_database sepgsql_db_t;
|
||||
|
||||
allow postgresql_t sepgsql_module_type:db_database install_module;
|
||||
# Database/Loadable module
|
||||
allow sepgsql_database_type sepgsql_module_type:db_database load_module;
|
||||
|
||||
allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
|
||||
type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t;
|
||||
|
||||
allow postgresql_t sepgsql_procedure_type:db_procedure *;
|
||||
type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_t;
|
||||
|
||||
allow postgresql_t sepgsql_blob_type:db_blob *;
|
||||
type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t;
|
||||
|
||||
manage_dirs_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
|
||||
manage_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
|
||||
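Review bot: The comment `# Database/Loadable module` sits between `allow postgresql_t sepgsql_module_type:db_database install_module;` and the `load_module` rule, so it reads as belonging only to the second; move it above the `install_module` line and state what the pair means, e.g. `# The server installs modules; any database type may then load an installed module`. The `*` permission wildcards for postgresql_t on the table, procedure and blob attributes are what one expects for the owning server, which the `selinux_compute_*` calls added in the next hunk suggest acts as the userspace object manager for these classes, but a one-line comment saying so would explain why the permissions are not enumerated as they are for clients.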
@ -101,6 +187,12 @@ dev_read_urand(postgresql_t)
|
||||
fs_getattr_all_fs(postgresql_t)
|
||||
fs_search_auto_mountpoints(postgresql_t)
|
||||
|
||||
selinux_get_enforce_mode(postgresql_t)
|
||||
selinux_validate_context(postgresql_t)
|
||||
selinux_compute_access_vector(postgresql_t)
|
||||
selinux_compute_create_context(postgresql_t)
|
||||
selinux_compute_relabel_context(postgresql_t)
|
||||
|
||||
term_use_controlling_term(postgresql_t)
|
||||
|
||||
corecmd_exec_bin(postgresql_t)
|
||||
@ -126,7 +218,7 @@ logging_send_syslog_msg(postgresql_t)
|
||||
|
||||
miscfiles_read_localization(postgresql_t)
|
||||
|
||||
seutil_dontaudit_search_config(postgresql_t)
|
||||
seutil_libselinux_linked(postgresql_t)
|
||||
|
||||
userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
|
||||
|
||||
@ -167,3 +259,81 @@ optional_policy(`
|
||||
optional_policy(`
|
||||
udev_read_db(postgresql_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Rules common to all clients
|
||||
#
|
||||
|
||||
allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param };
|
||||
type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t;
|
||||
|
||||
allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert };
|
||||
allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert };
|
||||
allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert };
|
||||
|
||||
allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete };
|
||||
allow sepgsql_client_type sepgsql_table_t:db_column { getattr use select update insert };
|
||||
allow sepgsql_client_type sepgsql_table_t:db_tuple { use select update insert delete };
|
||||
|
||||
allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select };
|
||||
allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select };
|
||||
allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select };
|
||||
|
||||
allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr;
|
||||
allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr;
|
||||
|
||||
allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select };
|
||||
allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select };
|
||||
allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
|
||||
|
||||
allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute };
|
||||
allow sepgsql_client_type sepgsql_trusted_proc_t:db_procedure { getattr execute entrypoint };
|
||||
|
||||
allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
|
||||
allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
|
||||
allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
|
||||
|
||||
# The purpose of the dontaudit rule in row-level access control is to prevent a flood of logs.
|
||||
# If a client tries to SELECT a table including violated tuples, these are filtered from
|
||||
# the result set as if not exist, but its access denied longs can be recorded within log files.
|
||||
# In generally, the number of tuples are much larger than the number of columns, tables and so on.
|
||||
# So, it makes a flood of logs when many tuples are violated.
|
||||
#
|
||||
# The default policy does not prevent anything for sepgsql_client_type sepgsql_unconfined_type,
|
||||
# so we don't need "dontaudit" rules in Type-Enforcement. However, MLS/MCS can prevent them
|
||||
# to access classified tuples and can make a audit record.
|
||||
#
|
||||
# Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
|
||||
dontaudit { postgresql_t sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
|
||||
|
||||
tunable_policy(`sepgsql_enable_users_ddl',`
|
||||
allow sepgsql_client_type sepgsql_table_t:db_table { create drop setattr };
|
||||
allow sepgsql_client_type sepgsql_table_t:db_column { create drop setattr };
|
||||
allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { update insert delete };
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# Unconfined access to this module
|
||||
#
|
||||
|
||||
allow sepgsql_unconfined_type sepgsql_database_type:db_database *;
|
||||
type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t;
|
||||
|
||||
type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t;
|
||||
type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_t;
|
||||
type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;
|
||||
|
||||
allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;
|
||||
|
||||
# unconfined domain is not allowed to invoke user defined procedure directly.
|
||||
# They have to confirm and relabel it at first.
|
||||
allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_t }:db_procedure *;
|
||||
allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto };
|
||||
|
||||
allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
|
||||
|
||||
allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
|
||||
|
||||
kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
|
||||
|
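Review bot: The comment `# unconfined domain is not allowed to invoke user defined procedure directly.` is contradicted by the rule directly below it, which grants `sepgsql_unconfined_type` `*` (including execute) on `sepgsql_proc_t` and `sepgsql_trusted_proc_t`; what the following rule actually restricts is the rest of `sepgsql_procedure_type`, i.e. the per-user `$1_sepgsql_proc_t` types from the template, so reword it to `# Unconfined domains may not execute per-user procedures directly; they must inspect and relabel them to sepgsql_proc_t or sepgsql_trusted_proc_t first.`. The row-level dontaudit comment has several slips: `access denied longs` → `access denied logs`, `In generally` → `In general`, `as if not exist` → `as if they did not exist`, `a audit record` → `an audit record`. Separately, `sepgsql_client_type` receives `{ create drop getattr setattr read write }` on `sepgsql_blob_t` unconditionally while table create/drop/setattr is gated by `sepgsql_enable_users_ddl`; if blobs are deliberately exempt from the tunable a comment above that line should say so.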
@ -38,6 +38,8 @@ ifdef(`distro_gentoo', `
|
||||
#
|
||||
# /usr
|
||||
#
|
||||
/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
||||
|
||||
/usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
||||
/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(init,1.10.1)
|
||||
policy_module(init,1.10.2)
|
||||
|
||||
gen_require(`
|
||||
class passwd rootok;
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(libraries,2.1.0)
|
||||
policy_module(libraries,2.1.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -39,6 +39,11 @@ files_type(lib_t)
|
||||
type textrel_shlib_t alias texrel_shlib_t;
|
||||
files_type(textrel_shlib_t)
|
||||
|
||||
optional_policy(`
|
||||
postgresql_loadable_module(lib_t)
|
||||
postgresql_loadable_module(textrel_shlib_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
# ldconfig local policy
|
||||
|
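Review bot: `postgresql_loadable_module(lib_t)` and `postgresql_loadable_module(textrel_shlib_t)` make every shared library on the system loadable into every database type, since postgresql.te grants `allow sepgsql_database_type sepgsql_module_type:db_database load_module;` on the attribute; that is far wider than the server's extension directory. If the intent is to admit only PostgreSQL extension libraries, a dedicated type applied by file context to that directory would keep the load_module grant narrow, and either way a comment above the `optional_policy` block should state the scope that was chosen and why.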
@ -87,6 +87,10 @@ interface(`unconfined_domain_noaudit',`
|
||||
nscd_unconfined($1)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postgresql_unconfined($1)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
seutil_create_bin_policy($1)
|
||||
seutil_relabelto_bin_policy($1)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(unconfined, 2.2.1)
|
||||
policy_module(unconfined, 2.2.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1197,6 +1197,10 @@ template(`userdom_unpriv_user_template', `
|
||||
netutils_run_traceroute_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postgresql_userdom_template($1,$1_t,$1_r)
|
||||
')
|
||||
|
||||
# Run pppd in pppd_t by default for user
|
||||
optional_policy(`
|
||||
ppp_run_cond($1_t,$1_r,{ $1_tty_device_t $1_devpts_t })
|
||||
@ -1366,6 +1370,10 @@ template(`userdom_admin_user_template',`
|
||||
fs_read_noxattr_fs_files($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postgresql_unconfined($1_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
userhelper_exec($1_t)
|
||||
')
|
||||
|
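Review bot: `postgresql_unconfined($1_t)` gives every admin user domain generated by userdom_admin_user_template full access to all database objects and, through the attribute, the `kernel_relabelfrom_unlabeled_database` grant from postgresql.te; a comment such as `# admin users administer and relabel SE-PostgreSQL objects` above the call would record that this is intentional rather than a leftover from testing. userdom_admin_user_template continues outside the hunk on both sides.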
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(userdomain, 3.0.1)
|
||||
policy_module(userdomain, 3.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|