policy_module(postgresql, 1.8.7)

# Object classes of the SE-PostgreSQL userspace object manager.  The server
# (postgresql_t) queries the kernel for access decisions on these classes
# itself (see the selinux_compute_* calls in the local policy below) and
# enforces them inside the database; the classes must therefore exist in the
# base policy, which is what this gen_require asserts.
gen_require(`
	class db_database all_db_database_perms;
	class db_table all_db_table_perms;
	class db_procedure all_db_procedure_perms;
	class db_column all_db_column_perms;
	class db_tuple all_db_tuple_perms;
	class db_blob all_db_blob_perms;
')

#################################
#
# Declarations
#

## <desc>
## <p>
## Allow unprivileged users to execute DDL statements
## </p>
## </desc>
# NOTE(review): this tunable is declared here but not referenced by any rule
# visible in this file; presumably it is consumed by the interfaces in
# postgresql.if -- confirm before relying on its default of "true".
gen_tunable(sepgsql_enable_users_ddl, true)
# Domain of the database server process and the type of its executable.
# init_daemon_domain() sets up the init -> postgresql_t transition.
type postgresql_t;
type postgresql_exec_t;
init_daemon_domain(postgresql_t, postgresql_exec_t)

# On-disk database cluster (created below /var/lib via files_var_lib_filetrans
# in the local policy).  This holds the actual data; only postgresql_t manages it.
type postgresql_db_t;
files_type(postgresql_db_t)

# Server configuration files; the local policy below grants read-only access.
type postgresql_etc_t;
files_config_file(postgresql_etc_t)

# Lock file type.
type postgresql_lock_t;
files_lock_file(postgresql_lock_t)

# Server log files.
type postgresql_log_t;
logging_log_file(postgresql_log_t)

# Temporary files and sockets (both /tmp and tmpfs transitions are declared below).
type postgresql_tmp_t;
files_tmp_file(postgresql_tmp_t)

# PID file and runtime socket directory contents.
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
# database clients attribute
# sepgsql_client_type: confined domains that may connect; their rights are the
# "Rules common to all clients" section below.
# sepgsql_unconfined_type: domains given the "Unconfined access" section below.
attribute sepgsql_client_type;
attribute sepgsql_unconfined_type;

# database objects attribute
# These are presumably attached to the object types by the postgresql_*_object()
# interfaces used below (defined in postgresql.if, not visible here).
# sepgsql_sysobj_table_type is a sub-attribute of sepgsql_table_type: the
# row-level dontaudit rule below is written as
# { sepgsql_table_type -sepgsql_sysobj_table_type }, so system-catalog denials
# stay audited.
attribute sepgsql_database_type;
attribute sepgsql_table_type;
attribute sepgsql_sysobj_table_type;
attribute sepgsql_procedure_type;
attribute sepgsql_blob_type;
attribute sepgsql_module_type;

# database object types
# Default large-object type; clients get create/drop/read/write on it.
type sepgsql_blob_t;
postgresql_blob_object(sepgsql_blob_t)

# Default database object type (target of the db_database type_transitions below).
type sepgsql_db_t;
postgresql_database_object(sepgsql_db_t)

# Append-only table: clients may select and insert but get no update/delete
# (see the client rules below).
type sepgsql_fixed_table_t;
postgresql_table_object(sepgsql_fixed_table_t)

# Default procedure type.  Clients may execute and install it; it is also the
# type_transition default for procedures created by the server and by
# unconfined domains.  sepgsql_proc_t is kept as an alias for older policy.
type sepgsql_proc_exec_t;
typealias sepgsql_proc_exec_t alias sepgsql_proc_t;
postgresql_procedure_object(sepgsql_proc_exec_t)

# Read-only large object for clients (getattr/read only).
type sepgsql_ro_blob_t;
postgresql_blob_object(sepgsql_ro_blob_t)

# Read-only table for clients (select only).
type sepgsql_ro_table_t;
postgresql_table_object(sepgsql_ro_table_t)

# Secret large object: clients may only getattr it (no read).
type sepgsql_secret_blob_t;
postgresql_blob_object(sepgsql_secret_blob_t)

# Secret table: clients may getattr the table and columns but get no
# select/insert/update/delete and no db_tuple permissions at all.
type sepgsql_secret_table_t;
postgresql_table_object(sepgsql_secret_table_t)

# System catalog objects; clients get select only.  This is also the
# type_transition default for tables created by postgresql_t itself.
type sepgsql_sysobj_t;
postgresql_system_table_object(sepgsql_sysobj_t)

# Ordinary read/write table: full DML for clients.
type sepgsql_table_t;
postgresql_table_object(sepgsql_table_t)

# Trusted-procedure executable type.  Clients get execute + entrypoint on it,
# i.e. the permissions a domain transition into sepgsql_trusted_proc_t would
# need; the transition rule itself is not among this file's visible rules.
# Note that "install" (creating a procedure of this type) is granted to nobody
# in this file, not even sepgsql_unconfined_type: a trusted procedure has to be
# created as another type and relabeled.
type sepgsql_trusted_proc_exec_t;
postgresql_procedure_object(sepgsql_trusted_proc_exec_t)

# Trusted Procedure Domain
# Runs with postgresql_unconfined() rights, i.e. it is the privilege-escalation
# path for confined clients -- which is why who may label a procedure as
# sepgsql_trusted_proc_exec_t matters.  Only system_r may hold this domain.
type sepgsql_trusted_proc_t;
domain_type(sepgsql_trusted_proc_t)
postgresql_unconfined(sepgsql_trusted_proc_t)
role system_r types sepgsql_trusted_proc_t;

# Types for unprivileged client
# No rules for these types appear in this file; presumably they are granted
# through postgresql.if (possibly under sepgsql_enable_users_ddl) -- verify.
type unpriv_sepgsql_blob_t;
postgresql_blob_object(unpriv_sepgsql_blob_t)

type unpriv_sepgsql_proc_exec_t;
postgresql_procedure_object(unpriv_sepgsql_proc_exec_t)

type unpriv_sepgsql_sysobj_t;
postgresql_system_table_object(unpriv_sepgsql_sysobj_t)

type unpriv_sepgsql_table_t;
postgresql_table_object(unpriv_sepgsql_table_t)

# Types for UBAC
# Per-user object types; the staff/sysadm/auditadm/secadm names are retained
# as aliases of the single user_* type.  Like the unpriv_* types, their rules
# are not in this file.
type user_sepgsql_blob_t;
typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t };
typealias user_sepgsql_blob_t alias { auditadm_sepgsql_blob_t secadm_sepgsql_blob_t };
postgresql_blob_object(user_sepgsql_blob_t)

type user_sepgsql_proc_exec_t;
typealias user_sepgsql_proc_exec_t alias { staff_sepgsql_proc_exec_t sysadm_sepgsql_proc_exec_t };
typealias user_sepgsql_proc_exec_t alias { auditadm_sepgsql_proc_exec_t secadm_sepgsql_proc_exec_t };
postgresql_procedure_object(user_sepgsql_proc_exec_t)

type user_sepgsql_sysobj_t;
typealias user_sepgsql_sysobj_t alias { staff_sepgsql_sysobj_t sysadm_sepgsql_sysobj_t };
typealias user_sepgsql_sysobj_t alias { auditadm_sepgsql_sysobj_t secadm_sepgsql_sysobj_t };
postgresql_system_table_object(user_sepgsql_sysobj_t)

type user_sepgsql_table_t;
typealias user_sepgsql_table_t alias { staff_sepgsql_table_t sysadm_sepgsql_table_t };
typealias user_sepgsql_table_t alias { auditadm_sepgsql_table_t secadm_sepgsql_table_t };
postgresql_table_object(user_sepgsql_table_t)
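########################################
#
# postgresql Local policy
#

# Capabilities of the server process.  sys_admin and sys_tty_config are
# deliberately left out of the allow: the dontaudit on the next line silences
# attempts to use them, and a dontaudit only has an effect for permissions that
# are NOT also allowed (the kernel never audits a granted access).  Having both
# in the allow and in the dontaudit, as before, meant sys_admin -- effectively
# a root-equivalent capability -- was silently granted to the database daemon.
# If some server feature turns out to genuinely need one of the two, add it
# back to the allow and drop it from the dontaudit rather than keeping both.
allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice };
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
allow postgresql_t self:process signal_perms;
allow postgresql_t self:fifo_file rw_fifo_file_perms;
# SysV semaphores and shared memory for the shared buffer pool.
allow postgresql_t self:sem create_sem_perms;
allow postgresql_t self:shm create_shm_perms;
allow postgresql_t self:tcp_socket create_stream_socket_perms;
# NOTE(review): create_stream_socket_perms also includes listen/accept, which
# have no meaning for UDP; create_socket_perms would be the tighter set.
allow postgresql_t self:udp_socket create_stream_socket_perms;
allow postgresql_t self:unix_dgram_socket create_socket_perms;
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
# Lets the server receive kernel notifications about policy reloads and
# enforcing-mode changes, which a userspace object manager must track.
allow postgresql_t self:netlink_selinux_socket create_socket_perms;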
# The server itself is unrestricted on every database object class; the
# type_transitions give the default label of objects it creates (a database it
# creates is sepgsql_db_t, tables it creates are system catalogs, etc.).
allow postgresql_t sepgsql_database_type:db_database *;
type_transition postgresql_t postgresql_t:db_database sepgsql_db_t;

allow postgresql_t sepgsql_module_type:db_database install_module;
# Database/Loadable module
# Any database may load a module labeled sepgsql_module_type; only the server
# (and, below, unconfined domains) may install one.
allow sepgsql_database_type sepgsql_module_type:db_database load_module;

allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t;

allow postgresql_t sepgsql_procedure_type:db_procedure *;
type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_exec_t;

allow postgresql_t sepgsql_blob_type:db_blob *;
type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t;
# Full management of the database cluster under /var/lib, including the
# sockets and fifos the server creates there.
manage_dirs_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })

# Configuration is read-only for the server: list the directory, read files
# and symlinks, nothing more.
allow postgresql_t postgresql_etc_t:dir list_dir_perms;
read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)

# The server re-executes its own binaries (e.g. helper processes); the
# executable may be reached through a symlink.
allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
can_exec(postgresql_t, postgresql_exec_t )

allow postgresql_t postgresql_lock_t:file manage_file_perms;
files_lock_filetrans(postgresql_t,postgresql_lock_t,file)

# Log files and log directories created in the generic log location get the
# server's log type.
manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })

# Temporary files: objects created in /tmp and on tmpfs are labeled
# postgresql_tmp_t (note the /tmp transition does not cover lnk_file/fifo_file,
# the tmpfs one does).
manage_dirs_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
manage_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })

# PID file and runtime sockets.  Only the "file" class transitions to
# postgresql_var_run_t; sockets are managed but get no transition here.
manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
files_pid_filetrans(postgresql_t, postgresql_var_run_t, file)
# NOTE(review): kernel_read_all_sysctls appears to subsume
# kernel_read_kernel_sysctls; keeping both is harmless but redundant.
kernel_read_kernel_sysctls(postgresql_t)
kernel_read_system_state(postgresql_t)
kernel_list_proc(postgresql_t)
kernel_read_all_sysctls(postgresql_t)
kernel_read_proc_symlinks(postgresql_t)

# Network access.  Send/recv is permitted on every TCP and UDP port (broad, but
# the server only initiates connections to the auth port and only binds the
# postgresql port); listening is restricted to the postgresql port.
corenet_all_recvfrom_unlabeled(postgresql_t)
corenet_all_recvfrom_netlabel(postgresql_t)
corenet_tcp_sendrecv_generic_if(postgresql_t)
corenet_udp_sendrecv_generic_if(postgresql_t)
corenet_tcp_sendrecv_generic_node(postgresql_t)
corenet_udp_sendrecv_generic_node(postgresql_t)
corenet_tcp_sendrecv_all_ports(postgresql_t)
corenet_udp_sendrecv_all_ports(postgresql_t)
corenet_tcp_bind_generic_node(postgresql_t)
corenet_tcp_bind_postgresql_port(postgresql_t)
corenet_tcp_connect_auth_port(postgresql_t)
corenet_sendrecv_postgresql_server_packets(postgresql_t)
corenet_sendrecv_auth_client_packets(postgresql_t)

dev_read_sysfs(postgresql_t)
dev_read_urand(postgresql_t)

fs_getattr_all_fs(postgresql_t)
fs_search_auto_mountpoints(postgresql_t)
# Huge pages for the shared buffer pool.
fs_rw_hugetlbfs_files(postgresql_t)

# The server is a userspace object manager for the db_* classes required at
# the top of this file: it asks the kernel for access vectors and for
# create/relabel contexts and enforces the result inside the database.
selinux_get_enforce_mode(postgresql_t)
selinux_validate_context(postgresql_t)
selinux_compute_access_vector(postgresql_t)
selinux_compute_create_context(postgresql_t)
selinux_compute_relabel_context(postgresql_t)

term_use_controlling_term(postgresql_t)

# The server may run generic binaries and shells.  No domain transition is
# declared for them here, so anything it launches this way keeps running as
# postgresql_t and is bounded by this domain's rules.
corecmd_exec_bin(postgresql_t)
corecmd_exec_shell(postgresql_t)

domain_dontaudit_list_all_domains_state(postgresql_t)
domain_use_interactive_fds(postgresql_t)

files_dontaudit_search_home(postgresql_t)
# NOTE(review): this grants create/write/delete on generic etc_t files
# system-wide, far beyond the server's own configuration type
# (postgresql_etc_t, read-only above).  Nothing in this file shows what needs
# it; worth checking whether it can be dropped or narrowed, since a compromised
# server could otherwise rewrite arbitrary /etc files.
files_manage_etc_files(postgresql_t)
files_search_etc(postgresql_t)
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)

# Name/user resolution (needed for host-based and user authentication).
auth_use_nsswitch(postgresql_t)

init_read_utmp(postgresql_t)

logging_send_syslog_msg(postgresql_t)

miscfiles_read_localization(postgresql_t)

seutil_libselinux_linked(postgresql_t)

userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
userdom_dontaudit_search_user_home_dirs(postgresql_t)
userdom_dontaudit_use_user_terminals(postgresql_t)

mta_getattr_spool(postgresql_t)
# Executable anonymous memory is only granted under the global allow_execmem
# boolean; it weakens W^X for the server and should stay off unless a loaded
# module requires it.
tunable_policy(`allow_execmem',`
	allow postgresql_t self:process execmem;
')

# Optional integrations, each only compiled in when the other module is present.
optional_policy(`
	consoletype_exec(postgresql_t)
')

# Allow cron jobs (e.g. maintenance) to run the server binaries in postgresql_t.
optional_policy(`
	cron_search_spool(postgresql_t)
	cron_system_entry(postgresql_t,postgresql_exec_t)
')

optional_policy(`
	hostname_exec(postgresql_t)
')

optional_policy(`
	ipsec_match_default_spd(postgresql_t)
')

# Kerberos authentication of clients.
optional_policy(`
	kerberos_use(postgresql_t)
')

optional_policy(`
	seutil_sigchld_newrole(postgresql_t)
')

optional_policy(`
	udev_read_db(postgresql_t)
')
########################################
#
# Rules common to all clients
#

# Every confined client may connect to the default database and read/set its
# parameters; a client's own database objects default to sepgsql_db_t.
allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param };
type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t;

# Append-only tables: select and insert, never update or delete.
allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert lock };
allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert };
allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert };

# Ordinary tables: full DML.  (Columns cannot be deleted, rows can.)
allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete lock };
allow sepgsql_client_type sepgsql_table_t:db_column { getattr use select update insert };
allow sepgsql_client_type sepgsql_table_t:db_tuple { use select update insert delete };

# Read-only tables: select only.
allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select lock };
allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select };
allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select };

# Secret tables: clients may only see that the table and its columns exist.
# No select and no db_tuple permission at all.
allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr;
allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr;

# System catalogs: read-only.
allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select lock };
allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select };
allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };

# Clients may create (install) and run ordinary procedures.  For trusted
# procedures they get execute + entrypoint but NOT install, so a client cannot
# author its own trusted procedure.
allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr execute install };
allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint };

allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;

# The dontaudit rule below exists for row-level access control, to prevent a flood of logs.
# If a client SELECTs from a table containing tuples it may not access, those tuples are
# filtered out of the result set as if they did not exist, but every such denial could still
# be recorded in the audit log. In general the number of tuples is much larger than the number
# of columns, tables and so on, so many denied tuples would produce a flood of audit records.
#
# The Type-Enforcement rules in this module do not deny tuple access to sepgsql_client_type
# or sepgsql_unconfined_type on the tables they may otherwise use, so TE alone would need no
# "dontaudit" rule. MLS/MCS, however, can still deny them access to classified tuples and
# generate an audit record for each one.
#
# Therefore the following rule is applied to every domain that can connect to SE-PostgreSQL.
# System-catalog tables (sepgsql_sysobj_table_type) are excluded on purpose, so denials on
# them remain visible in the audit log.
dontaudit { postgresql_t sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
########################################
#
# Unconfined access to this module
#

# Unconfined domains get everything on databases, tables, columns, tuples and
# blobs; objects they create take the ordinary (non-system) default types.
allow sepgsql_unconfined_type sepgsql_database_type:db_database *;
type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t;

type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t;
type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;

allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;

# unconfined domain is not allowed to invoke user defined procedure directly.
# They have to confirm and relabel it at first.
# Concretely: the generic rule on sepgsql_procedure_type withholds execute and
# install from every procedure type, and the two rules before it add them back
# only for the default type (everything) and the trusted type (everything but
# install).  Procedures of any other type -- presumably the user_*/unpriv_*
# types declared above -- must therefore be reviewed and relabeled before an
# unconfined domain can run them, and nobody in this file may install a
# trusted procedure directly.
allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure *;
allow sepgsql_unconfined_type sepgsql_trusted_proc_exec_t:db_procedure ~install;
allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ execute install };

allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;

# Installing loadable modules is reserved to unconfined domains (and the
# server); loading them is granted to every database type above.
allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;

# Lets unconfined domains fix up database objects that carry no valid label.
kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)