Chris PeBenito [Thu, 18 Jun 2009 13:57:26 +0000 (13:57 +0000)]
trunk: Allow unix_update to change the security attributes associate with files so
that it can properly create the shadow file. Also allow it to read from
urandom so that it can add salt to the password hash.
Chris PeBenito [Fri, 22 May 2009 13:37:32 +0000 (13:37 +0000)]
trunk:
The attached patch allows unprivileged clients to export from or import
to the largeobject owned by themselves.
The current security policy does not allow them to import/export any
largeobjects without any clear reason.
NOTE: Export of the largeobject means that it dumps whole of the
largeobject into a local file, so SE-PostgreSQL checks both of
db_blob:{read export} on the largeobject and file:{write} on the
local file. Import is a reversal behavior.
Chris PeBenito [Thu, 21 May 2009 11:49:33 +0000 (11:49 +0000)]
trunk:
The attached patch fixes incorrect behavior in sepgsql_enable_users_ddl.
The current policy allows users/unprivs to run ALTER TABLE statement
unconditionally, because db_table/db_column:{setattr} is allowed outside
of the boolean. It should be moved to conditional section.
In addition, they are also allowed to db_procedure:{create drop setattr}
for xxxx_sepgsql_proc_exec_t, but it means we allows them to create, drop
or alter definition of the functions unconditionally. So, it also should
be moved to conditional section.
The postgresql.te allows sepgsql_client_type to modify sepgsql_table_t
and sepgsql_sysobj_t when sepgsql_enable_users_ddl is enabled, but
it should not be allowed.
Chris PeBenito [Thu, 21 May 2009 11:28:14 +0000 (11:28 +0000)]
trunk:
OK, the attached patch adds the following types for unprivileged clients.
- unpriv_sepgsql_table_t
- unpriv_sepgsql_sysobj_t
- unpriv_sepgsql_proc_exec_t
- unpriv_sepgsql_blob_t
These types are the default for unprivileged and unprefixed domains,
such as httpd_t and others.
In addition, TYPE_TRANSITION rules are moved to outside of tunable
of the sepgsql_enable_users_ddl. IIRC, it was enclosed within the
tunable because UBAC domains (user_t and so on) were allowed to
create sepgsql_table_t, and its default was pointed to this type
when sepgsql_enable_users_ddl is disabled.
However, it has different meanings now, so the TYPE_TRANSITION rules
should be unconditional.
Chris PeBenito [Thu, 7 May 2009 12:35:32 +0000 (12:35 +0000)]
se-postgresql update from kaigai
- rework: Add a comment of "deprecated" for deprecated permissions.
- bugfix: MCS policy did not constrain the following permissions.
db_database:{getattr}
db_table:{getattr lock}
db_column:{getattr}
db_procedure:{drop getattr setattr}
db_blob:{getattr import export}
- rework: db_table:{lock} is moved to reader side, because it makes
impossible to refer read-only table with foreign-key constraint.
(FK checks internally acquire explicit locks.)
- bugfix: some of permissions in db_procedure class are allowed
on sepgsql_trusted_proc_t, but it is a domain, not a procedure.
It should allow them on sepgsql_trusted_proc_exec_t.
I also aliased sepgsql_proc_t as sepgsql_proc_exec_t to avoid
such kind of confusion, as Chris suggested before.
- rework: we should not allow db_procedure:{install} on the
sepgsql_trusted_proc_exec_t, because of a risk to invoke trusted
procedure implicitly.
- bugfix: MLS policy dealt db_blob:{export} as writer-side permission,
but it is required whrn the largeobject is refered.
- bugfix: MLS policy didn't constrain the db_procedure class.
Chris PeBenito [Mon, 2 Mar 2009 15:16:49 +0000 (15:16 +0000)]
trunk: add MLS constrains for ingress/egress permissions from Paul Moore.
Add MLS constraints for several network related access controls including
the new ingress/egress controls and the older Secmark controls. Based on
the following post to the SELinux Reference Policy mailing list:
projects / people / stevee / selinux-policy.git / log
