selinux-policy/policy/modules/services/postgresql.if
Dominick Grift ac13ad949b Use stream connect pattern.
Use stream_connect_pattern.

Use stream_connect_pattern.

Use stream_connect_pattern.

Signed-off-by: Dominick Grift <domg472@gmail.com>
2010-09-15 17:42:29 +02:00

456 lines
11 KiB
Plaintext

## <summary>PostgreSQL relational database</summary>
#######################################
## <summary>
## Role access for SE-PostgreSQL.
## </summary>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
#
interface(`postgresql_role',`
gen_require(`
class db_database all_db_database_perms;
class db_table all_db_table_perms;
class db_procedure all_db_procedure_perms;
class db_column all_db_column_perms;
class db_tuple all_db_tuple_perms;
class db_blob all_db_blob_perms;
attribute sepgsql_client_type, sepgsql_database_type;
attribute sepgsql_sysobj_table_type;
type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t;
type user_sepgsql_blob_t, user_sepgsql_proc_exec_t;
type user_sepgsql_sysobj_t, user_sepgsql_table_t;
')
########################################
#
# Declarations
#
typeattribute $2 sepgsql_client_type;
role $1 types sepgsql_trusted_proc_t;
##############################
#
# Client local policy
#
tunable_policy(`sepgsql_enable_users_ddl',`
allow $2 user_sepgsql_table_t:db_table { create drop setattr };
allow $2 user_sepgsql_table_t:db_column { create drop setattr };
allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
')
allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock };
allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;
allow $2 user_sepgsql_sysobj_t:db_tuple { use select };
type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;
allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
allow $2 sepgsql_trusted_proc_t:process transition;
type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
')
########################################
## <summary>
## Marks as a SE-PostgreSQL loadable shared library module
## </summary>
## <param name="type">
## <summary>
## Type marked as a database object type.
## </summary>
## </param>
#
interface(`postgresql_loadable_module',`
gen_require(`
attribute sepgsql_module_type;
')
typeattribute $1 sepgsql_module_type;
')
########################################
## <summary>
## Marks as a SE-PostgreSQL database object type
## </summary>
## <param name="type">
## <summary>
## Type marked as a database object type.
## </summary>
## </param>
#
interface(`postgresql_database_object',`
gen_require(`
attribute sepgsql_database_type;
')
typeattribute $1 sepgsql_database_type;
')
########################################
## <summary>
## Marks as a SE-PostgreSQL table/column/tuple object type
## </summary>
## <param name="type">
## <summary>
## Type marked as a table/column/tuple object type.
## </summary>
## </param>
#
interface(`postgresql_table_object',`
gen_require(`
attribute sepgsql_table_type;
')
typeattribute $1 sepgsql_table_type;
')
########################################
## <summary>
## Marks as a SE-PostgreSQL system table/column/tuple object type
## </summary>
## <param name="type">
## <summary>
## Type marked as a table/column/tuple object type.
## </summary>
## </param>
#
interface(`postgresql_system_table_object',`
gen_require(`
attribute sepgsql_table_type, sepgsql_sysobj_table_type;
')
typeattribute $1 sepgsql_table_type;
typeattribute $1 sepgsql_sysobj_table_type;
')
########################################
## <summary>
## Marks as a SE-PostgreSQL procedure object type
## </summary>
## <param name="type">
## <summary>
## Type marked as a database object type.
## </summary>
## </param>
#
interface(`postgresql_procedure_object',`
gen_require(`
attribute sepgsql_procedure_type;
')
typeattribute $1 sepgsql_procedure_type;
')
########################################
## <summary>
## Marks as a SE-PostgreSQL binary large object type
## </summary>
## <param name="type">
## <summary>
## Type marked as a database binary large object type.
## </summary>
## </param>
#
interface(`postgresql_blob_object',`
gen_require(`
attribute sepgsql_blob_type;
')
typeattribute $1 sepgsql_blob_type;
')
########################################
## <summary>
## Allow the specified domain to search postgresql's database directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`postgresql_search_db',`
gen_require(`
type postgresql_db_t;
')
allow $1 postgresql_db_t:dir search;
')
########################################
## <summary>
## Allow the specified domain to manage postgresql's database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
interface(`postgresql_manage_db',`
gen_require(`
type postgresql_db_t;
')
allow $1 postgresql_db_t:dir rw_dir_perms;
allow $1 postgresql_db_t:file rw_file_perms;
allow $1 postgresql_db_t:lnk_file { getattr read };
')
########################################
## <summary>
## Execute postgresql in the postgresql domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`postgresql_domtrans',`
gen_require(`
type postgresql_t, postgresql_exec_t;
')
domtrans_pattern($1, postgresql_exec_t, postgresql_t)
')
######################################
## <summary>
## Allow domain to signal postgresql
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`postgresql_signal',`
gen_require(`
type postgresql_t;
')
allow $1 postgresql_t:process signal;
')
########################################
## <summary>
## Allow the specified domain to read postgresql's etc.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`postgresql_read_config',`
gen_require(`
type postgresql_etc_t;
')
files_search_etc($1)
allow $1 postgresql_etc_t:dir list_dir_perms;
allow $1 postgresql_etc_t:file read_file_perms;
allow $1 postgresql_etc_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## Allow the specified domain to connect to postgresql with a tcp socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`postgresql_tcp_connect',`
gen_require(`
type postgresql_t;
')
corenet_tcp_recvfrom_labeled($1, postgresql_t)
corenet_tcp_sendrecv_postgresql_port($1)
corenet_tcp_connect_postgresql_port($1)
corenet_sendrecv_postgresql_client_packets($1)
')
########################################
## <summary>
## Allow the specified domain to connect to postgresql with a unix socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`postgresql_stream_connect',`
gen_require(`
type postgresql_t, postgresql_var_run_t, postgresql_tmp_t;
')
files_search_pids($1)
files_search_tmp($1)
stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t}, { postgresql_var_run_t postgresql_tmp_t}, postgresql_t)
')
########################################
## <summary>
## Allow the specified domain unprivileged accesses to unifined database objects
## managed by SE-PostgreSQL,
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`postgresql_unpriv_client',`
gen_require(`
class db_database all_db_database_perms;
class db_table all_db_table_perms;
class db_procedure all_db_procedure_perms;
class db_column all_db_column_perms;
class db_tuple all_db_tuple_perms;
class db_blob all_db_blob_perms;
attribute sepgsql_client_type;
attribute sepgsql_database_type, sepgsql_sysobj_table_type;
type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;
type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t;
type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t;
')
########################################
#
# Declarations
#
typeattribute $1 sepgsql_client_type;
########################################
#
# Client local policy
#
type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
allow $1 sepgsql_trusted_proc_t:process transition;
tunable_policy(`sepgsql_enable_users_ddl',`
allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
')
allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t;
allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };
type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;
allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;
allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
')
########################################
## <summary>
## Allow the specified domain unconfined accesses to any database objects
## managed by SE-PostgreSQL,
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`postgresql_unconfined',`
gen_require(`
attribute sepgsql_unconfined_type;
')
typeattribute $1 sepgsql_unconfined_type;
')
########################################
## <summary>
## All of the rules required to administrate an postgresql environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <param name="role">
## <summary>
## The role to be allowed to manage the postgresql domain.
## </summary>
## </param>
## <rolecap/>
#
interface(`postgresql_admin',`
gen_require(`
attribute sepgsql_admin_type;
attribute sepgsql_client_type;
type postgresql_t, postgresql_var_run_t;
type postgresql_tmp_t, postgresql_db_t;
type postgresql_etc_t, postgresql_log_t;
type postgresql_initrc_exec_t;
')
typeattribute $1 sepgsql_admin_type;
allow $1 postgresql_t:process { ptrace signal_perms };
ps_process_pattern($1, postgresql_t)
init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 postgresql_initrc_exec_t system_r;
allow $2 system_r;
admin_pattern($1, postgresql_var_run_t)
files_search_var_lib($1)
admin_pattern($1, postgresql_db_t)
files_search_etc($1)
admin_pattern($1, postgresql_etc_t)
logging_search_logs($1)
admin_pattern($1, postgresql_log_t)
admin_pattern($1, postgresql_tmp_t)
postgresql_tcp_connect($1)
postgresql_stream_connect($1)
')