selinux-policy/policy/modules/services/postgresql.if
Chris PeBenito e0ea7b15ca trunk:
The attached patch fixes incorrect behavior in sepgsql_enable_users_ddl.

The current policy allows users/unprivs to run ALTER TABLE statement
unconditionally, because db_table/db_column:{setattr} is allowed outside
of the boolean. It should be moved to conditional section.

In addition, they are also allowed to db_procedure:{create drop setattr}
for xxxx_sepgsql_proc_exec_t, but it means we allows them to create, drop
or alter definition of the functions unconditionally. So, it also should
be moved to conditional section.

The postgresql.te allows sepgsql_client_type to modify sepgsql_table_t
and sepgsql_sysobj_t when sepgsql_enable_users_ddl is enabled, but
it should not be allowed.

KaiGai Kohei
2009-05-21 11:49:33 +00:00

387 lines
9.9 KiB
Plaintext

## <summary>PostgreSQL relational database</summary>
#######################################
## <summary>
## Role access for SE-PostgreSQL.
## </summary>
## <param name="user_role">
## <summary>
## The role associated with the user domain.
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## The type of the user domain.
## </summary>
## </param>
#
interface(`postgresql_role',`
gen_require(`
class db_database all_db_database_perms;
class db_table all_db_table_perms;
class db_procedure all_db_procedure_perms;
class db_column all_db_column_perms;
class db_tuple all_db_tuple_perms;
class db_blob all_db_blob_perms;
attribute sepgsql_client_type, sepgsql_database_type;
attribute sepgsql_sysobj_table_type;
type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t;
type user_sepgsql_blob_t, user_sepgsql_proc_exec_t;
type user_sepgsql_sysobj_t, user_sepgsql_table_t;
')
########################################
#
# Declarations
#
typeattribute $2 sepgsql_client_type;
role $1 types sepgsql_trusted_proc_t;
##############################
#
# Client local policy
#
tunable_policy(`sepgsql_enable_users_ddl',`
allow $2 user_sepgsql_table_t:db_table { create drop setattr };
allow $2 user_sepgsql_table_t:db_column { create drop setattr };
allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
')
allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock };
allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;
allow $2 user_sepgsql_sysobj_t:db_tuple { use select };
type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;
allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
allow $2 sepgsql_trusted_proc_t:process transition;
type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
')
########################################
## <summary>
## Marks as a SE-PostgreSQL loadable shared library module
## </summary>
## <param name="type">
## <summary>
## Type marked as a database object type.
## </summary>
## </param>
#
interface(`postgresql_loadable_module',`
gen_require(`
attribute sepgsql_module_type;
')
typeattribute $1 sepgsql_module_type;
')
########################################
## <summary>
## Marks as a SE-PostgreSQL database object type
## </summary>
## <param name="type">
## <summary>
## Type marked as a database object type.
## </summary>
## </param>
#
interface(`postgresql_database_object',`
gen_require(`
attribute sepgsql_database_type;
')
typeattribute $1 sepgsql_database_type;
')
########################################
## <summary>
## Marks as a SE-PostgreSQL table/column/tuple object type
## </summary>
## <param name="type">
## <summary>
## Type marked as a table/column/tuple object type.
## </summary>
## </param>
#
interface(`postgresql_table_object',`
gen_require(`
attribute sepgsql_table_type;
')
typeattribute $1 sepgsql_table_type;
')
########################################
## <summary>
## Marks as a SE-PostgreSQL system table/column/tuple object type
## </summary>
## <param name="type">
## <summary>
## Type marked as a table/column/tuple object type.
## </summary>
## </param>
#
interface(`postgresql_system_table_object',`
gen_require(`
attribute sepgsql_table_type, sepgsql_sysobj_table_type;
')
typeattribute $1 sepgsql_table_type;
typeattribute $1 sepgsql_sysobj_table_type;
')
########################################
## <summary>
## Marks as a SE-PostgreSQL procedure object type
## </summary>
## <param name="type">
## <summary>
## Type marked as a database object type.
## </summary>
## </param>
#
interface(`postgresql_procedure_object',`
gen_require(`
attribute sepgsql_procedure_type;
')
typeattribute $1 sepgsql_procedure_type;
')
########################################
## <summary>
## Marks as a SE-PostgreSQL binary large object type
## </summary>
## <param name="type">
## <summary>
## Type marked as a database binary large object type.
## </summary>
## </param>
#
interface(`postgresql_blob_object',`
gen_require(`
attribute sepgsql_blob_type;
')
typeattribute $1 sepgsql_blob_type;
')
########################################
## <summary>
## Allow the specified domain to search postgresql's database directory.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`postgresql_search_db',`
gen_require(`
type postgresql_db_t;
')
allow $1 postgresql_db_t:dir search;
')
########################################
## <summary>
## Allow the specified domain to manage postgresql's database.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
interface(`postgresql_manage_db',`
gen_require(`
type postgresql_db_t;
')
allow $1 postgresql_db_t:dir rw_dir_perms;
allow $1 postgresql_db_t:file rw_file_perms;
allow $1 postgresql_db_t:lnk_file { getattr read };
')
########################################
## <summary>
## Execute postgresql in the postgresql domain.
## </summary>
## <param name="domain">
## <summary>
## The type of the process performing this action.
## </summary>
## </param>
#
interface(`postgresql_domtrans',`
gen_require(`
type postgresql_t, postgresql_exec_t;
')
domtrans_pattern($1, postgresql_exec_t, postgresql_t)
')
########################################
## <summary>
## Allow the specified domain to read postgresql's etc.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`postgresql_read_config',`
gen_require(`
type postgresql_etc_t;
')
files_search_etc($1)
allow $1 postgresql_etc_t:dir list_dir_perms;
allow $1 postgresql_etc_t:file read_file_perms;
allow $1 postgresql_etc_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## Allow the specified domain to connect to postgresql with a tcp socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`postgresql_tcp_connect',`
gen_require(`
type postgresql_t;
')
corenet_tcp_recvfrom_labeled($1, postgresql_t)
corenet_tcp_sendrecv_postgresql_port($1)
corenet_tcp_connect_postgresql_port($1)
corenet_sendrecv_postgresql_client_packets($1)
')
########################################
## <summary>
## Allow the specified domain to connect to postgresql with a unix socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`postgresql_stream_connect',`
gen_require(`
type postgresql_t, postgresql_var_run_t, postgresql_tmp_t;
')
files_search_pids($1)
allow $1 postgresql_t:unix_stream_socket connectto;
allow $1 postgresql_var_run_t:sock_file write;
# Some versions of postgresql put the sock file in /tmp
allow $1 postgresql_tmp_t:sock_file write;
')
########################################
## <summary>
## Allow the specified domain unprivileged accesses to unifined database objects
## managed by SE-PostgreSQL,
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`postgresql_unpriv_client',`
gen_require(`
class db_database all_db_database_perms;
class db_table all_db_table_perms;
class db_procedure all_db_procedure_perms;
class db_column all_db_column_perms;
class db_tuple all_db_tuple_perms;
class db_blob all_db_blob_perms;
attribute sepgsql_client_type;
attribute sepgsql_database_type, sepgsql_sysobj_table_type;
type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;
type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t;
type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t;
')
########################################
#
# Declarations
#
typeattribute $1 sepgsql_client_type;
########################################
#
# Client local policy
#
type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
allow $1 sepgsql_trusted_proc_t:process transition;
tunable_policy(`sepgsql_enable_users_ddl',`
allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
')
allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t;
allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };
type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;
allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;
allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
')
########################################
## <summary>
## Allow the specified domain unconfined accesses to any database objects
## managed by SE-PostgreSQL,
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`postgresql_unconfined',`
gen_require(`
attribute sepgsql_unconfined_type;
')
typeattribute $1 sepgsql_unconfined_type;
')