a1fcff33 | 1 | |
5d4f4b53 | 2 | policy_module(postgresql, 1.7.0) |
3 | |
4 | gen_require(` | |
5 | class db_database all_db_database_perms; | |
6 | class db_table all_db_table_perms; | |
7 | class db_procedure all_db_procedure_perms; | |
8 | class db_column all_db_column_perms; | |
9 | class db_tuple all_db_tuple_perms; | |
10 | class db_blob all_db_blob_perms; | |
11 | ') | |
12 | |
13 | ################################# | |
14 | # | |
15 | # Declarations | |
16 | # | |
17 | |
18 | ## <desc> | |
19 | ## <p> | |
20 | ## Allow unprivileged users to execute DDL statements | |
21 | ## </p> | |
22 | ## </desc> | |
23 | gen_tunable(sepgsql_enable_users_ddl, true) | |
24 | ||
25 | type postgresql_t; |
26 | type postgresql_exec_t; | |
0bfccda4 | 27 | init_daemon_domain(postgresql_t, postgresql_exec_t) |
28 | |
29 | type postgresql_db_t; | |
30 | files_type(postgresql_db_t) | |
31 | ||
32 | type postgresql_etc_t; |
33 | files_config_file(postgresql_etc_t) | |
34 | |
35 | type postgresql_lock_t; | |
36 | files_lock_file(postgresql_lock_t) | |
37 | ||
38 | type postgresql_log_t; | |
39 | logging_log_file(postgresql_log_t) | |
40 | ||
41 | type postgresql_tmp_t; | |
42 | files_tmp_file(postgresql_tmp_t) | |
43 | ||
44 | type postgresql_var_run_t; | |
45 | files_pid_file(postgresql_var_run_t) | |
46 | ||
47 | # database clients attribute |
48 | attribute sepgsql_client_type; | |
49 | attribute sepgsql_unconfined_type; | |
50 | ||
51 | # database objects attribute | |
52 | attribute sepgsql_database_type; | |
53 | attribute sepgsql_table_type; | |
54 | attribute sepgsql_sysobj_table_type; | |
55 | attribute sepgsql_procedure_type; | |
56 | attribute sepgsql_blob_type; | |
57 | attribute sepgsql_module_type; | |
58 | ||
59 | # database object types | |
60 | type sepgsql_blob_t; | |
61 | postgresql_blob_object(sepgsql_blob_t) | |
62 | ||
63 | type sepgsql_db_t; | |
64 | postgresql_database_object(sepgsql_db_t) | |
65 | ||
66 | type sepgsql_fixed_table_t; | |
67 | postgresql_table_object(sepgsql_fixed_table_t) | |
68 | ||
69 | type sepgsql_proc_t; | |
70 | postgresql_procedure_object(sepgsql_proc_t) | |
71 | ||
72 | type sepgsql_ro_blob_t; | |
73 | postgresql_blob_object(sepgsql_ro_blob_t) | |
74 | ||
75 | type sepgsql_ro_table_t; | |
76 | postgresql_table_object(sepgsql_ro_table_t) | |
77 | ||
78 | type sepgsql_secret_blob_t; | |
79 | postgresql_blob_object(sepgsql_secret_blob_t) | |
80 | ||
81 | type sepgsql_secret_table_t; | |
82 | postgresql_table_object(sepgsql_secret_table_t) | |
83 | ||
84 | type sepgsql_sysobj_t; | |
85 | postgresql_system_table_object(sepgsql_sysobj_t) | |
86 | ||
87 | type sepgsql_table_t; | |
88 | postgresql_table_object(sepgsql_table_t) | |
89 | ||
90 | type sepgsql_trusted_proc_exec_t; |
91 | postgresql_procedure_object(sepgsql_trusted_proc_exec_t) | |
92 | |
93 | # Trusted Procedure Domain | |
94 | type sepgsql_trusted_proc_t; |
95 | domain_type(sepgsql_trusted_proc_t) | |
96 | postgresql_unconfined(sepgsql_trusted_proc_t) | |
97 | role system_r types sepgsql_trusted_proc_t; | |
e8cb08ae | 98 | |
99 | ######################################## |
100 | # | |
101 | # postgresql Local policy | |
102 | # | |
103 | allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin }; | |
# NOTE(review): sys_tty_config and sys_admin are listed both in the allow rule
# above and in the dontaudit rule below. A dontaudit only suppresses denial
# records, so while the allow rule grants these capabilities the dontaudit has
# no effect. If the intent is least privilege for the daemon, the usual form is
# to drop the two capabilities from the allow rule and keep the dontaudit;
# confirm against what the server actually needs before changing either rule.
165b42d2 | 104 | dontaudit postgresql_t self:capability { sys_tty_config sys_admin }; |
57d8e6c7 | 105 | allow postgresql_t self:process signal_perms; |
0b36a214 | 106 | allow postgresql_t self:fifo_file rw_fifo_file_perms; |
107 | allow postgresql_t self:sem create_sem_perms; |
108 | allow postgresql_t self:shm create_shm_perms; | |
109 | allow postgresql_t self:tcp_socket create_stream_socket_perms; | |
110 | allow postgresql_t self:udp_socket create_stream_socket_perms; | |
111 | allow postgresql_t self:unix_dgram_socket create_socket_perms; | |
112 | allow postgresql_t self:unix_stream_socket create_stream_socket_perms; | |
113 | allow postgresql_t self:netlink_selinux_socket create_socket_perms; |
114 | ||
115 | allow postgresql_t sepgsql_database_type:db_database *; | |
116 | type_transition postgresql_t postgresql_t:db_database sepgsql_db_t; | |
117 | ||
118 | allow postgresql_t sepgsql_module_type:db_database install_module; | |
119 | # Database/Loadable module | |
120 | allow sepgsql_database_type sepgsql_module_type:db_database load_module; | |
121 | ||
122 | allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *; | |
123 | type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t; | |
124 | ||
125 | allow postgresql_t sepgsql_procedure_type:db_procedure *; | |
126 | type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_t; | |
127 | ||
128 | allow postgresql_t sepgsql_blob_type:db_blob *; | |
129 | type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t; | |
a1fcff33 | 130 | |
131 | manage_dirs_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) |
132 | manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) | |
133 | manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) | |
134 | manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) | |
135 | manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t) | |
103fe280 | 136 | files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file }) |
a1fcff33 | 137 | |
c0868a7a | 138 | allow postgresql_t postgresql_etc_t:dir list_dir_perms; |
139 | read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) |
140 | read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t) | |
141 | |
142 | allow postgresql_t postgresql_exec_t:lnk_file { getattr read }; | |
143 | can_exec(postgresql_t, postgresql_exec_t ) | |
144 | ||
c0868a7a | 145 | allow postgresql_t postgresql_lock_t:file manage_file_perms; |
1c1ac67f | 146 | files_lock_filetrans(postgresql_t,postgresql_lock_t,file) |
a1fcff33 | 147 | |
148 | manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t) |
149 | logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir }) | |
a1fcff33 | 150 | |
151 | manage_dirs_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) |
152 | manage_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) | |
153 | manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) | |
154 | manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) | |
155 | manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) | |
156 | files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file }) |
157 | fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file }) | |
a1fcff33 | 158 | |
159 | manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) |
160 | manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) | |
161 | files_pid_filetrans(postgresql_t, postgresql_var_run_t, file) | |
a1fcff33 | 162 | |
445522dc | 163 | kernel_read_kernel_sysctls(postgresql_t) |
164 | kernel_read_system_state(postgresql_t) |
165 | kernel_list_proc(postgresql_t) | |
445522dc | 166 | kernel_read_all_sysctls(postgresql_t) |
a1fcff33 | 167 | kernel_read_proc_symlinks(postgresql_t) |
a1fcff33 | 168 | |
169 | corenet_all_recvfrom_unlabeled(postgresql_t) |
170 | corenet_all_recvfrom_netlabel(postgresql_t) | |
171 | corenet_tcp_sendrecv_all_if(postgresql_t) |
172 | corenet_udp_sendrecv_all_if(postgresql_t) | |
173 | corenet_tcp_sendrecv_all_nodes(postgresql_t) |
174 | corenet_udp_sendrecv_all_nodes(postgresql_t) | |
175 | corenet_tcp_sendrecv_all_ports(postgresql_t) |
176 | corenet_udp_sendrecv_all_ports(postgresql_t) | |
177 | corenet_tcp_bind_all_nodes(postgresql_t) | |
178 | corenet_tcp_bind_postgresql_port(postgresql_t) |
179 | corenet_tcp_connect_auth_port(postgresql_t) | |
180 | corenet_sendrecv_postgresql_server_packets(postgresql_t) |
181 | corenet_sendrecv_auth_client_packets(postgresql_t) | |
182 | |
183 | dev_read_sysfs(postgresql_t) | |
184 | dev_read_urand(postgresql_t) | |
185 | ||
186 | fs_getattr_all_fs(postgresql_t) | |
187 | fs_search_auto_mountpoints(postgresql_t) | |
770c015f | 188 | fs_rw_hugetlbfs_files(postgresql_t) |
a1fcff33 | 189 | |
190 | selinux_get_enforce_mode(postgresql_t) |
191 | selinux_validate_context(postgresql_t) | |
192 | selinux_compute_access_vector(postgresql_t) | |
193 | selinux_compute_create_context(postgresql_t) | |
194 | selinux_compute_relabel_context(postgresql_t) | |
195 | ||
a1fcff33 | 196 | term_use_controlling_term(postgresql_t) |
197 | |
198 | corecmd_exec_bin(postgresql_t) | |
199 | corecmd_exec_shell(postgresql_t) |
200 | ||
1815bad1 | 201 | domain_dontaudit_list_all_domains_state(postgresql_t) |
15722ec9 | 202 | domain_use_interactive_fds(postgresql_t) |
203 | |
204 | files_dontaudit_search_home(postgresql_t) | |
205 | files_manage_etc_files(postgresql_t) | |
206 | files_search_etc(postgresql_t) | |
207 | files_read_etc_runtime_files(postgresql_t) | |
208 | files_read_usr_files(postgresql_t) | |
209 | ||
210 | auth_use_nsswitch(postgresql_t) |
211 | ||
68228b33 | 212 | init_read_utmp(postgresql_t) |
213 | |
214 | libs_use_ld_so(postgresql_t) | |
215 | libs_use_shared_libs(postgresql_t) | |
216 | ||
217 | logging_send_syslog_msg(postgresql_t) | |
218 | ||
219 | miscfiles_read_localization(postgresql_t) | |
220 | ||
e8cb08ae | 221 | seutil_libselinux_linked(postgresql_t) |
a1fcff33 | 222 | |
15722ec9 | 223 | userdom_dontaudit_use_unpriv_user_fds(postgresql_t) |
224 | |
225 | mta_getattr_spool(postgresql_t) | |
226 | ||
227 | sysadm_dontaudit_search_home_dirs(postgresql_t) |
228 | sysadm_dontaudit_use_ttys(postgresql_t) | |
229 | ||
230 | tunable_policy(`allow_execmem',` |
231 | allow postgresql_t self:process execmem; | |
232 | ') | |
233 | ||
bb7170f6 | 234 | optional_policy(` |
235 | consoletype_exec(postgresql_t) |
236 | ') | |
237 | ||
bb7170f6 | 238 | optional_policy(` |
239 | cron_search_spool(postgresql_t) |
240 | cron_system_entry(postgresql_t,postgresql_exec_t) | |
241 | ') | |
242 | ||
bb7170f6 | 243 | optional_policy(` |
244 | hostname_exec(postgresql_t) |
245 | ') | |
246 | ||
247 | optional_policy(` |
248 | ipsec_match_default_spd(postgresql_t) | |
249 | ') | |
250 | ||
bb7170f6 | 251 | optional_policy(` |
252 | kerberos_use(postgresql_t) |
253 | ') | |
254 | ||
bb7170f6 | 255 | optional_policy(` |
256 | seutil_sigchld_newrole(postgresql_t) |
257 | ') | |
258 | ||
bb7170f6 | 259 | optional_policy(` |
260 | udev_read_db(postgresql_t) |
261 | ') | |
262 | |
263 | ######################################## | |
264 | # | |
265 | # Rules common to all clients | |
266 | # | |
267 | ||
268 | allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param }; | |
269 | type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t; | |
270 | ||
271 | allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert }; | |
272 | allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert }; | |
273 | allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert }; | |
274 | ||
275 | allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete }; | |
276 | allow sepgsql_client_type sepgsql_table_t:db_column { getattr use select update insert }; | |
277 | allow sepgsql_client_type sepgsql_table_t:db_tuple { use select update insert delete }; | |
278 | ||
279 | allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select }; | |
280 | allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select }; | |
281 | allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select }; | |
282 | ||
283 | allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr; | |
284 | allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr; | |
285 | ||
286 | allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select }; | |
287 | allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select }; | |
288 | allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; | |
289 | ||
290 | allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute }; | |
291 | allow sepgsql_client_type sepgsql_trusted_proc_t:db_procedure { getattr execute entrypoint }; | |
292 | ||
293 | allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write }; | |
294 | allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read }; | |
295 | allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr; | |
296 | ||
297 | # The purpose of the dontaudit rule in row-level access control is to prevent a flood of logs. | |
298 | # If a client tries to SELECT a table that contains tuples it is not permitted to access, those tuples are filtered out of | |
299 | # the result set as if they did not exist, but the corresponding access-denied messages could still be recorded in the log files. | |
300 | # In general, the number of tuples is much larger than the number of columns, tables and so on. | |
301 | # So it would produce a flood of logs when access to many tuples is denied. | |
302 | # | |
303 | # The default policy does not restrict anything for sepgsql_client_type and sepgsql_unconfined_type, | |
304 | # so we do not need "dontaudit" rules in Type Enforcement. However, MLS/MCS can prevent them | |
305 | # from accessing classified tuples and can generate an audit record. | |
306 | # | |
307 | # Therefore, the following rule is applied to any domain that can connect to SE-PostgreSQL. | |
308 | dontaudit { postgresql_t sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete }; | |
309 | ||
310 | tunable_policy(`sepgsql_enable_users_ddl',` | |
0bfccda4 | 311 | allow sepgsql_client_type sepgsql_table_t:db_table { create drop setattr }; |
e8cb08ae | 312 | allow sepgsql_client_type sepgsql_table_t:db_column { create drop setattr }; |
0bfccda4 | 313 | allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { update insert delete }; |
314 | ') |
315 | ||
316 | ######################################## | |
317 | # | |
318 | # Unconfined access to this module | |
319 | # | |
320 | ||
321 | allow sepgsql_unconfined_type sepgsql_database_type:db_database *; | |
322 | type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t; | |
323 | ||
324 | type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t; | |
325 | type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_t; | |
326 | type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t; | |
327 | ||
328 | allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *; | |
329 | ||
330 | # An unconfined domain is not allowed to invoke a user-defined procedure directly. | |
331 | # It has to confirm and relabel the procedure first. | |
332 | allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_t }:db_procedure *; | |
333 | allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto }; | |
334 | ||
335 | allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; | |
336 | ||
337 | allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; | |
338 | ||
339 | kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type) |