selinux-policy/policy/modules/services/postgresql.te
# SELinux reference-policy module for the PostgreSQL server daemon and the
# SE-PostgreSQL (sepgsql) database-object model (databases, tables, columns,
# tuples, procedures and large objects as labeled kernel object classes).
policy_module(postgresql, 1.11.1)

# The db_* object classes are declared in the base policy; require them here
# with their full permission sets (the all_db_*_perms names are permission-set
# macros provided by refpolicy, not defined in this file) so the rules below
# can be checked against them.
gen_require(`
class db_database all_db_database_perms;
class db_table all_db_table_perms;
class db_procedure all_db_procedure_perms;
class db_column all_db_column_perms;
class db_tuple all_db_tuple_perms;
class db_blob all_db_blob_perms;
')
#################################
#
# Declarations
#
## <desc>
## <p>
## Allow unprivileged users to execute DDL statements
## </p>
## </desc>
# Not referenced anywhere in this file; presumably consumed by the module's
# interfaces (postgresql.if) -- confirm before relying on it.
gen_tunable(sepgsql_enable_users_ddl, true)
## <desc>
## <p>
## Allow database admins to execute DML statements
## </p>
## </desc>
# Gates the tunable_policy block in the administrator section below, which
# widens sepgsql_admin_type from DDL/relabel-only to full access on database
# objects.  NOTE(review): the default is true, i.e. admins are effectively
# unconfined on DB objects unless a site turns this off.
gen_tunable(sepgsql_unconfined_dbadm, true)

# Server process domain; entered from postgresql_exec_t as an init-started
# daemon.
type postgresql_t;
type postgresql_exec_t;
init_daemon_domain(postgresql_t, postgresql_exec_t)
# On-disk database cluster (data directory contents).
type postgresql_db_t;
files_type(postgresql_db_t)
# Server configuration files (read-only for the daemon, see below).
type postgresql_etc_t;
files_config_file(postgresql_etc_t)
# SysV init script.
type postgresql_initrc_exec_t;
init_script_file(postgresql_initrc_exec_t)
type postgresql_lock_t;
files_lock_file(postgresql_lock_t)
type postgresql_log_t;
logging_log_file(postgresql_log_t)
type postgresql_tmp_t;
files_tmp_file(postgresql_tmp_t)
# PID file and runtime socket directory.
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)

# database clients attribute
# Three tiers of client domain, in increasing privilege: ordinary clients,
# administrators (DDL and relabeling) and unconfined.  A domain lands in a
# tier by having the attribute assigned to it (done through the module's
# interfaces, not in this file).
attribute sepgsql_admin_type;
attribute sepgsql_client_type;
attribute sepgsql_unconfined_type;
# database objects attribute
attribute sepgsql_database_type;
attribute sepgsql_table_type;
# Marks system-catalog tables.  It is excluded from the row-level dontaudit
# rule below and is the only table attribute on which admins get tuple-level
# DML without the sepgsql_unconfined_dbadm tunable.
attribute sepgsql_sysobj_table_type;
attribute sepgsql_procedure_type;
attribute sepgsql_blob_type;
attribute sepgsql_module_type;

# database object types
# The sepgsql_*_t base types are the defaults that objects created by the
# server, by admins and by unconfined clients transition to (see the
# type_transition rules below).
type sepgsql_blob_t;
postgresql_blob_object(sepgsql_blob_t)
type sepgsql_db_t;
postgresql_database_object(sepgsql_db_t)
# "fixed": clients may select and insert but never update or delete
# (append-only table).
type sepgsql_fixed_table_t;
postgresql_table_object(sepgsql_fixed_table_t)
# Ordinary procedures; the older name sepgsql_proc_t is kept as an alias.
type sepgsql_proc_exec_t;
typealias sepgsql_proc_exec_t alias sepgsql_proc_t;
postgresql_procedure_object(sepgsql_proc_exec_t)
# "ro": read-only for ordinary clients.
type sepgsql_ro_blob_t;
postgresql_blob_object(sepgsql_ro_blob_t)
type sepgsql_ro_table_t;
postgresql_table_object(sepgsql_ro_table_t)
# "secret": ordinary clients may only getattr (they can see that the object
# exists, never its contents).
type sepgsql_secret_blob_t;
postgresql_blob_object(sepgsql_secret_blob_t)
type sepgsql_secret_table_t;
postgresql_table_object(sepgsql_secret_table_t)
# System-catalog tables; the server's own table creations default to this.
type sepgsql_sysobj_t;
postgresql_system_table_object(sepgsql_sysobj_t)
type sepgsql_table_t;
postgresql_table_object(sepgsql_table_t)
# Procedures that serve as an entrypoint into the trusted-procedure domain.
type sepgsql_trusted_proc_exec_t;
postgresql_procedure_object(sepgsql_trusted_proc_exec_t)

# Trusted Procedure Domain
# Executing a sepgsql_trusted_proc_exec_t procedure is the model's controlled
# privilege-escalation path: ordinary clients get "entrypoint" on that type
# below, and this domain is granted unconfined database access.  Only the
# entrypoint grant is visible in this file; the domain transition itself is
# presumably declared in the interfaces.  Label a procedure
# sepgsql_trusted_proc_exec_t only after reviewing its body.
type sepgsql_trusted_proc_t;
domain_type(sepgsql_trusted_proc_t)
postgresql_unconfined(sepgsql_trusted_proc_t)
role system_r types sepgsql_trusted_proc_t;

# Types for unprivileged client
# Objects created by unprivileged clients.  This file grants no
# sepgsql_client_type rules on them directly; access comes through the
# attribute-based rules (server, admin, unconfined) and, presumably, the
# interfaces.
type unpriv_sepgsql_blob_t;
postgresql_blob_object(unpriv_sepgsql_blob_t)
type unpriv_sepgsql_proc_exec_t;
postgresql_procedure_object(unpriv_sepgsql_proc_exec_t)
type unpriv_sepgsql_sysobj_t;
postgresql_system_table_object(unpriv_sepgsql_sysobj_t)
type unpriv_sepgsql_table_t;
postgresql_table_object(unpriv_sepgsql_table_t)

# Types for UBAC
# Formerly one type per login role (staff/sysadm/auditadm/secadm); collapsed
# into a single user_ type with the old names kept as aliases so existing
# labels and policies keep working.
type user_sepgsql_blob_t;
typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t };
typealias user_sepgsql_blob_t alias { auditadm_sepgsql_blob_t secadm_sepgsql_blob_t };
postgresql_blob_object(user_sepgsql_blob_t)
type user_sepgsql_proc_exec_t;
typealias user_sepgsql_proc_exec_t alias { staff_sepgsql_proc_exec_t sysadm_sepgsql_proc_exec_t };
typealias user_sepgsql_proc_exec_t alias { auditadm_sepgsql_proc_exec_t secadm_sepgsql_proc_exec_t };
postgresql_procedure_object(user_sepgsql_proc_exec_t)
type user_sepgsql_sysobj_t;
typealias user_sepgsql_sysobj_t alias { staff_sepgsql_sysobj_t sysadm_sepgsql_sysobj_t };
typealias user_sepgsql_sysobj_t alias { auditadm_sepgsql_sysobj_t secadm_sepgsql_sysobj_t };
postgresql_system_table_object(user_sepgsql_sysobj_t)
type user_sepgsql_table_t;
typealias user_sepgsql_table_t alias { staff_sepgsql_table_t sysadm_sepgsql_table_t };
typealias user_sepgsql_table_t alias { auditadm_sepgsql_table_t secadm_sepgsql_table_t };
postgresql_table_object(user_sepgsql_table_t)
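########################################
#
# postgresql Local policy
#
# Process capabilities for the server domain.
# sys_admin and sys_tty_config are deliberately NOT in the allow rule: the
# dontaudit rule that follows only silences denials, so listing them in both
# places (as the original did) granted them unconditionally and made the
# dontaudit dead.  sys_admin in particular is close to full root; if a real
# workload turns out to need either capability, add it back explicitly and
# drop it from the dontaudit instead.
allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice };
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
allow postgresql_t self:process signal_perms;
allow postgresql_t self:fifo_file rw_fifo_file_perms;
# Reading its own process files (presumably /proc/self entries).
allow postgresql_t self:file { getattr read };
# SysV semaphores and shared memory (presumably shared between the
# postmaster and its backends).
allow postgresql_t self:sem create_sem_perms;
allow postgresql_t self:shm create_shm_perms;
allow postgresql_t self:tcp_socket create_stream_socket_perms;
# UDP sockets are datagram sockets: listen/accept never apply, so the plain
# create_socket_perms set is the correct one (the original granted the
# stream set, which needlessly included listen and accept).
allow postgresql_t self:udp_socket create_socket_perms;
allow postgresql_t self:unix_dgram_socket create_socket_perms;
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
# Presumably for libselinux's policy-change notification socket, used
# alongside the selinux_* access-decision interfaces below.
allow postgresql_t self:netlink_selinux_socket create_socket_perms;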
# The server process is the reference monitor for database objects, so it is
# granted every permission on every labeled object type.  Objects the server
# itself creates default to the sepgsql_* base types via the type_transition
# rules in this section.
allow postgresql_t sepgsql_database_type:db_database *;
type_transition postgresql_t postgresql_t:db_database sepgsql_db_t;
allow postgresql_t sepgsql_module_type:db_database install_module;
# Database/Loadable module
# NOTE(review): the subject of this rule is a database object type, not a
# process domain -- loading a module is checked as database -> module.
# Confirm against the SE-PostgreSQL documentation if in doubt.
allow sepgsql_database_type sepgsql_module_type:db_database load_module;
allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
# Tables created by the server itself are system catalogs.
type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t;
allow postgresql_t sepgsql_procedure_type:db_procedure *;
type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
allow postgresql_t sepgsql_blob_type:db_blob *;
type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t;
# Full management of the database cluster under /var/lib, including the
# unix-domain socket and FIFOs it may create there.
manage_dirs_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
# Configuration is read-only for the daemon: list, read files, follow
# symlinks -- no write or create.  Keep it that way; a compromised server
# must not be able to rewrite its own pg_hba.conf / postgresql.conf.
allow postgresql_t postgresql_etc_t:dir list_dir_perms;
read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
# Re-executing its own binaries (e.g. the postmaster spawning helper
# programs) stays in postgresql_t.
allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms;
can_exec(postgresql_t, postgresql_exec_t )
allow postgresql_t postgresql_lock_t:file manage_file_perms;
files_lock_filetrans(postgresql_t, postgresql_lock_t, file)
manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })
# Temporary files both under /tmp and on tmpfs (the latter presumably for
# shared memory segments) are labeled postgresql_tmp_t.
manage_dirs_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
manage_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
# PID file and runtime directory under /var/run.
manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file })
# Kernel state and /proc.  kernel_read_all_sysctls is a superset of
# kernel_read_kernel_sysctls; both are kept as found.
kernel_read_kernel_sysctls(postgresql_t)
kernel_read_system_state(postgresql_t)
kernel_list_proc(postgresql_t)
kernel_read_all_sysctls(postgresql_t)
kernel_read_proc_symlinks(postgresql_t)
# Networking.  Listening is restricted to the postgresql port on generic
# nodes; the *_sendrecv_all_ports rules are coarse peer-port grants that
# only take effect when packet labeling (NetLabel / labeled networking) is
# in use, which is why they are broad here.
corenet_all_recvfrom_unlabeled(postgresql_t)
corenet_all_recvfrom_netlabel(postgresql_t)
corenet_tcp_sendrecv_generic_if(postgresql_t)
corenet_udp_sendrecv_generic_if(postgresql_t)
corenet_tcp_sendrecv_generic_node(postgresql_t)
corenet_udp_sendrecv_generic_node(postgresql_t)
corenet_tcp_sendrecv_all_ports(postgresql_t)
corenet_udp_sendrecv_all_ports(postgresql_t)
corenet_udp_bind_generic_node(postgresql_t)
corenet_tcp_bind_generic_node(postgresql_t)
corenet_tcp_bind_postgresql_port(postgresql_t)
# Outbound to auth_port (identd) -- presumably for the pg_hba.conf "ident"
# authentication method; confirm before removing.
corenet_tcp_connect_auth_port(postgresql_t)
# Outbound to other PostgreSQL servers (replication, dblink, ...) -- the
# exact consumer is not evident from this file.
corenet_tcp_connect_postgresql_port(postgresql_t)
corenet_sendrecv_postgresql_server_packets(postgresql_t)
corenet_sendrecv_auth_client_packets(postgresql_t)
dev_read_sysfs(postgresql_t)
dev_read_urand(postgresql_t)
fs_getattr_all_fs(postgresql_t)
fs_search_auto_mountpoints(postgresql_t)
# Huge pages, presumably for large shared-buffer segments.
fs_rw_hugetlbfs_files(postgresql_t)
# SE-PostgreSQL queries the kernel policy through libselinux: enforcing
# mode, context validation, access decisions and create/relabel context
# computation for database objects.
selinux_get_enforce_mode(postgresql_t)
selinux_validate_context(postgresql_t)
selinux_compute_access_vector(postgresql_t)
selinux_compute_create_context(postgresql_t)
selinux_compute_relabel_context(postgresql_t)
term_use_controlling_term(postgresql_t)
# Executing generic binaries and shells without a domain transition: they
# run inside postgresql_t, so anything the server can be told to execute
# (server-side commands, archive hooks, etc. -- not evident from this file)
# inherits the server's full access.  Treat this as a known widening.
corecmd_exec_bin(postgresql_t)
corecmd_exec_shell(postgresql_t)
domain_dontaudit_list_all_domains_state(postgresql_t)
domain_use_interactive_fds(postgresql_t)
files_dontaudit_search_home(postgresql_t)
files_read_etc_files(postgresql_t)
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)
# PAM-based client authentication.
auth_use_pam(postgresql_t)
init_read_utmp(postgresql_t)
logging_send_syslog_msg(postgresql_t)
# Needed so SE-PostgreSQL can emit its own audit records for DB decisions.
logging_send_audit_msgs(postgresql_t)
miscfiles_read_localization(postgresql_t)
seutil_libselinux_linked(postgresql_t)
userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
userdom_dontaudit_search_user_home_dirs(postgresql_t)
userdom_dontaudit_use_user_terminals(postgresql_t)
mta_getattr_spool(postgresql_t)
# Writable+executable memory only under the global allow_execmem tunable
# (typically wanted by JIT- or interpreter-based procedural languages --
# not evident from this file alone).
tunable_policy(`allow_execmem',`
allow postgresql_t self:process execmem;
')
optional_policy(`
consoletype_exec(postgresql_t)
')
# Lets system cron jobs that execute postgresql_exec_t run in postgresql_t.
optional_policy(`
cron_search_spool(postgresql_t)
cron_system_entry(postgresql_t, postgresql_exec_t)
')
optional_policy(`
hostname_exec(postgresql_t)
')
optional_policy(`
ipsec_match_default_spd(postgresql_t)
')
# Kerberos (GSSAPI) client authentication support.
optional_policy(`
kerberos_use(postgresql_t)
')
optional_policy(`
seutil_sigchld_newrole(postgresql_t)
')
optional_policy(`
udev_read_db(postgresql_t)
')
########################################
#
# Rules common to all clients
#
# Ordinary clients get DML only.  No create/drop on tables, columns or
# procedures appears here: DDL for plain clients is gated by the
# sepgsql_enable_users_ddl tunable, presumably in the interfaces.
# Note that set_param lets a client change session parameters (SET ...).
allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param };
type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t;
# fixed tables: append-only (no update/delete).
allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert lock };
allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert };
allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert };
# ordinary tables: full DML.
allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete lock };
allow sepgsql_client_type sepgsql_table_t:db_column { getattr use select update insert };
allow sepgsql_client_type sepgsql_table_t:db_tuple { use select update insert delete };
# ro tables: read only.
allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select lock };
allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select };
allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select };
# secret tables: existence only, never contents (no select on any level).
allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr;
allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr;
# system catalogs: read only.
allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select lock };
allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select };
allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
# Ordinary procedures may be executed and "installed" (presumably registered
# as a system-internal entity such as a cast, trigger or operator -- confirm
# against the sepgsql docs).  Note that admins and unconfined below do NOT
# get install on arbitrary procedure types, only clients on this one type.
allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr execute install };
# Trusted procedures: "entrypoint" is what allows execution to carry the
# client into the unconfined sepgsql_trusted_proc_t domain.  This is the
# controlled privilege-escalation path; the transition rule itself is not
# in this file.
allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint };
# Large objects: full control of ordinary blobs (including drop), read-only
# on ro blobs, existence-only on secret blobs.
allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
# The purpose of the dontaudit rule in row-level access control is to prevent a flood of logs.
# If a client SELECTs from a table that contains tuples it is not allowed to see, those tuples
# are filtered from the result set as if they did not exist, but each access denial could still
# be recorded in the audit log.
# In general the number of tuples is much larger than the number of columns, tables and so on,
# so many denied tuples would produce a flood of audit records.
#
# The default Type Enforcement policy does not deny anything to sepgsql_client_type or
# sepgsql_unconfined_type at tuple level, so no dontaudit would be needed for TE alone.
# However, MLS/MCS can still deny access to classified tuples and generate audit records.
#
# Therefore the following rule applies to every domain that can connect to SE-PostgreSQL.
# System-catalog tables (sepgsql_sysobj_table_type) are excluded so that
# denials on catalog rows remain visible in the audit log.
dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
########################################
#
# Rules common to administrator clients
#
# Confined administrator: DDL (create/drop), attribute changes and
# relabeling on every object type, but -- outside the tunable block below --
# no row-level DML except on system catalogs.  The relabel permissions are
# what let an admin move a user-supplied procedure to sepgsql_proc_exec_t
# before it can be executed (see the procedure rules).
allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access };
type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t;
allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock };
allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto };
# Catalog rows are the one place a confined admin may read and write data.
allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };
# Tables created by an admin are ordinary sepgsql_table_t (unlike the
# server's own creations, which become sepgsql_sysobj_t).
type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t;
# Admins may manage procedures of any type but execute only the ordinary
# sepgsql_proc_exec_t ones; procedures labeled with any other type must be
# reviewed and relabeled first.
allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto };
allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute;
type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto };
type_transition sepgsql_admin_type sepgsql_database_type:db_blob sepgsql_blob_t;
allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
# Lets admins fix up objects that carry no label yet (e.g. after an upgrade).
kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
# With the (default-on) tunable, admins get everything on databases, tables
# and blobs.  Two deliberate holes remain even then: no "install" on
# trusted procedures, and neither execute nor install on procedures of any
# type other than sepgsql_proc_exec_t / sepgsql_trusted_proc_exec_t --
# user-labeled procedures still have to be relabeled before they run with
# admin privileges.
tunable_policy(`sepgsql_unconfined_dbadm',`
allow sepgsql_admin_type sepgsql_database_type:db_database *;
allow sepgsql_admin_type sepgsql_table_type:{ db_table db_column db_tuple } *;
allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *;
allow sepgsql_admin_type sepgsql_trusted_proc_exec_t:db_procedure ~install;
allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install };
allow sepgsql_admin_type sepgsql_blob_type:db_blob *;
')
########################################
#
# Unconfined access to this module
#
# Mirrors the tunable-enabled admin rules above, unconditionally.  Objects
# created by an unconfined client default to the same sepgsql_* base types
# as an admin's.
allow sepgsql_unconfined_type sepgsql_database_type:db_database *;
type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t;
type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t;
type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;
allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;
# The unconfined domain is not allowed to invoke user-defined procedures
# directly: it must review them and relabel them to sepgsql_proc_exec_t
# first.  Concretely, execute/install are withheld on every procedure type
# except sepgsql_proc_exec_t (full access) and sepgsql_trusted_proc_exec_t
# (everything but install).  This is the guard against running
# attacker-supplied functions with unconfined database privileges; do not
# "simplify" these three rules into a single wildcard.
allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure *;
allow sepgsql_unconfined_type sepgsql_trusted_proc_exec_t:db_procedure ~install;
allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ execute install };
allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)