1900668638
The latest revision of the labeled policy patches which enable both labeled and unlabeled policy support for NetLabel. This revision takes into account Chris' feedback from the first version and reduces the number of interface calls in each domain down to two at present: one for unlabeled access, one for NetLabel access. The older, transport layer specific interfaces, are still present for use by third-party modules but are not used in the default policy modules. trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore. This patch changes the policy to use the netmsg initial SID as the "base" SID/context for NetLabel packets which only have MLS security attributes. Currently we use the unlabeled initial SID which makes it very difficult to distinquish between actual unlabeled packets and those packets which have MLS security attributes.
193 lines
5.9 KiB
Plaintext
193 lines
5.9 KiB
Plaintext
|
|
policy_module(postgresql,1.3.1)
|
|
|
|
#################################
|
|
#
|
|
# Declarations
|
|
#
|
|
type postgresql_t;
|
|
type postgresql_exec_t;
|
|
init_daemon_domain(postgresql_t,postgresql_exec_t)
|
|
|
|
type postgresql_db_t;
|
|
files_type(postgresql_db_t)
|
|
|
|
type postgresql_etc_t;
|
|
files_config_file(postgresql_etc_t)
|
|
|
|
type postgresql_lock_t;
|
|
files_lock_file(postgresql_lock_t)
|
|
|
|
type postgresql_log_t;
|
|
logging_log_file(postgresql_log_t)
|
|
|
|
type postgresql_tmp_t;
|
|
files_tmp_file(postgresql_tmp_t)
|
|
|
|
type postgresql_var_run_t;
|
|
files_pid_file(postgresql_var_run_t)
|
|
|
|
########################################
|
|
#
|
|
# postgresql Local policy
|
|
#
|
|
allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
|
|
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
|
|
allow postgresql_t self:process signal_perms;
|
|
allow postgresql_t self:fifo_file { getattr read write ioctl };
|
|
allow postgresql_t self:file { getattr read };
|
|
allow postgresql_t self:sem create_sem_perms;
|
|
allow postgresql_t self:shm create_shm_perms;
|
|
allow postgresql_t self:tcp_socket create_stream_socket_perms;
|
|
allow postgresql_t self:udp_socket create_stream_socket_perms;
|
|
allow postgresql_t self:unix_dgram_socket create_socket_perms;
|
|
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
|
|
allow postgresql_t self:netlink_route_socket r_netlink_socket_perms;
|
|
|
|
manage_dirs_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
|
|
manage_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
|
|
manage_lnk_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
|
|
manage_fifo_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
|
|
manage_sock_files_pattern(postgresql_t,postgresql_db_t,postgresql_db_t)
|
|
files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
|
|
|
|
allow postgresql_t postgresql_etc_t:dir list_dir_perms;
|
|
read_files_pattern(postgresql_t,postgresql_etc_t,postgresql_etc_t)
|
|
read_lnk_files_pattern(postgresql_t,postgresql_etc_t,postgresql_etc_t)
|
|
|
|
allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
|
|
can_exec(postgresql_t, postgresql_exec_t )
|
|
|
|
allow postgresql_t postgresql_lock_t:file manage_file_perms;
|
|
files_lock_filetrans(postgresql_t,postgresql_lock_t,file)
|
|
|
|
manage_files_pattern(postgresql_t,postgresql_log_t,postgresql_log_t)
|
|
logging_log_filetrans(postgresql_t,postgresql_log_t,{ file dir })
|
|
|
|
manage_dirs_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
|
|
manage_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
|
|
manage_lnk_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
|
|
manage_fifo_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
|
|
manage_sock_files_pattern(postgresql_t,postgresql_tmp_t,postgresql_tmp_t)
|
|
files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
|
|
fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
|
|
|
|
manage_files_pattern(postgresql_t,postgresql_var_run_t,postgresql_var_run_t)
|
|
manage_sock_files_pattern(postgresql_t,postgresql_var_run_t,postgresql_var_run_t)
|
|
files_pid_filetrans(postgresql_t,postgresql_var_run_t,file)
|
|
|
|
kernel_read_kernel_sysctls(postgresql_t)
|
|
kernel_read_system_state(postgresql_t)
|
|
kernel_list_proc(postgresql_t)
|
|
kernel_read_all_sysctls(postgresql_t)
|
|
kernel_read_proc_symlinks(postgresql_t)
|
|
|
|
corenet_all_recvfrom_unlabeled(postgresql_t)
|
|
corenet_all_recvfrom_netlabel(postgresql_t)
|
|
corenet_tcp_sendrecv_all_if(postgresql_t)
|
|
corenet_udp_sendrecv_all_if(postgresql_t)
|
|
corenet_tcp_sendrecv_all_nodes(postgresql_t)
|
|
corenet_udp_sendrecv_all_nodes(postgresql_t)
|
|
corenet_tcp_sendrecv_all_ports(postgresql_t)
|
|
corenet_udp_sendrecv_all_ports(postgresql_t)
|
|
corenet_tcp_bind_all_nodes(postgresql_t)
|
|
corenet_tcp_bind_postgresql_port(postgresql_t)
|
|
corenet_tcp_connect_auth_port(postgresql_t)
|
|
corenet_sendrecv_postgresql_server_packets(postgresql_t)
|
|
corenet_sendrecv_auth_client_packets(postgresql_t)
|
|
|
|
dev_read_sysfs(postgresql_t)
|
|
dev_read_urand(postgresql_t)
|
|
|
|
fs_getattr_all_fs(postgresql_t)
|
|
fs_search_auto_mountpoints(postgresql_t)
|
|
|
|
term_use_controlling_term(postgresql_t)
|
|
|
|
corecmd_exec_bin(postgresql_t)
|
|
corecmd_exec_shell(postgresql_t)
|
|
|
|
domain_dontaudit_list_all_domains_state(postgresql_t)
|
|
domain_use_interactive_fds(postgresql_t)
|
|
|
|
files_dontaudit_search_home(postgresql_t)
|
|
files_manage_etc_files(postgresql_t)
|
|
files_search_etc(postgresql_t)
|
|
files_read_etc_runtime_files(postgresql_t)
|
|
files_read_usr_files(postgresql_t)
|
|
|
|
init_read_utmp(postgresql_t)
|
|
|
|
libs_use_ld_so(postgresql_t)
|
|
libs_use_shared_libs(postgresql_t)
|
|
|
|
logging_send_syslog_msg(postgresql_t)
|
|
|
|
miscfiles_read_localization(postgresql_t)
|
|
|
|
seutil_dontaudit_search_config(postgresql_t)
|
|
|
|
sysnet_read_config(postgresql_t)
|
|
sysnet_use_ldap(postgresql_t)
|
|
|
|
userdom_dontaudit_search_sysadm_home_dirs(postgresql_t)
|
|
userdom_dontaudit_use_sysadm_ttys(postgresql_t)
|
|
userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
|
|
|
|
mta_getattr_spool(postgresql_t)
|
|
|
|
ifdef(`targeted_policy', `
|
|
files_dontaudit_read_root_files(postgresql_t)
|
|
term_dontaudit_use_generic_ptys(postgresql_t)
|
|
term_dontaudit_use_unallocated_ttys(postgresql_t)
|
|
')
|
|
|
|
tunable_policy(`allow_execmem',`
|
|
allow postgresql_t self:process execmem;
|
|
')
|
|
|
|
optional_policy(`
|
|
consoletype_exec(postgresql_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
cron_search_spool(postgresql_t)
|
|
cron_system_entry(postgresql_t,postgresql_exec_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
hostname_exec(postgresql_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
kerberos_use(postgresql_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
nis_use_ypbind(postgresql_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
seutil_sigchld_newrole(postgresql_t)
|
|
')
|
|
|
|
optional_policy(`
|
|
udev_read_db(postgresql_t)
|
|
')
|
|
|
|
ifdef(`TODO',`
|
|
ifdef(`distro_debian', `
|
|
init_exec_script_files(postgresql_t)
|
|
# gross hack
|
|
postgresql_domtrans(dpkg_t)
|
|
can_exec(postgresql_t, dpkg_exec_t)
|
|
')
|
|
|
|
ifdef(`distro_gentoo', `
|
|
allow postgresql_t initrc_su_t:process { sigchld };
|
|
# "su - postgres ..." is called from initrc_t
|
|
postgresql_search_db(initrc_su_t)
|
|
dontaudit initrc_su_t sysadm_devpts_t:chr_file rw_file_perms;
|
|
')
|
|
')
|