[people/stevee/selinux-policy.git] / policy / modules / services / postgresql.te


policy_module(postgresql, 1.11.0)

gen_require(`
	class db_database all_db_database_perms;
	class db_table all_db_table_perms;
	class db_procedure all_db_procedure_perms;
	class db_column all_db_column_perms;
	class db_tuple all_db_tuple_perms;
	class db_blob all_db_blob_perms;
')

#################################
#
# Declarations
#

## <desc>
## <p>
## Allow unprived users to execute DDL statement
## </p>
## </desc>
gen_tunable(sepgsql_enable_users_ddl, true)

## <desc>
## <p>
## Allow database admins to execute DML statement
## </p>
## </desc>
gen_tunable(sepgsql_unconfined_dbadm, true)

type postgresql_t;
type postgresql_exec_t;
init_daemon_domain(postgresql_t, postgresql_exec_t)

type postgresql_db_t;
files_type(postgresql_db_t)

type postgresql_etc_t;
files_config_file(postgresql_etc_t)

type postgresql_initrc_exec_t;
init_script_file(postgresql_initrc_exec_t)

type postgresql_lock_t;
files_lock_file(postgresql_lock_t)

type postgresql_log_t;
logging_log_file(postgresql_log_t)

type postgresql_tmp_t;
files_tmp_file(postgresql_tmp_t)

type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)

# database clients attribute
attribute sepgsql_admin_type;
attribute sepgsql_client_type;
attribute sepgsql_unconfined_type;

# database objects attribute
attribute sepgsql_database_type;
attribute sepgsql_table_type;
attribute sepgsql_sysobj_table_type;
attribute sepgsql_procedure_type;
attribute sepgsql_blob_type;
attribute sepgsql_module_type;

# database object types
type sepgsql_blob_t;
postgresql_blob_object(sepgsql_blob_t)

type sepgsql_db_t;
postgresql_database_object(sepgsql_db_t)

type sepgsql_fixed_table_t;
postgresql_table_object(sepgsql_fixed_table_t)

type sepgsql_proc_exec_t;
typealias sepgsql_proc_exec_t alias sepgsql_proc_t;
postgresql_procedure_object(sepgsql_proc_exec_t)

type sepgsql_ro_blob_t;
postgresql_blob_object(sepgsql_ro_blob_t)

type sepgsql_ro_table_t;
postgresql_table_object(sepgsql_ro_table_t)

type sepgsql_secret_blob_t;
postgresql_blob_object(sepgsql_secret_blob_t)

type sepgsql_secret_table_t;
postgresql_table_object(sepgsql_secret_table_t)

type sepgsql_sysobj_t;
postgresql_system_table_object(sepgsql_sysobj_t)

type sepgsql_table_t;
postgresql_table_object(sepgsql_table_t)

type sepgsql_trusted_proc_exec_t;
postgresql_procedure_object(sepgsql_trusted_proc_exec_t)

# Trusted Procedure Domain
type sepgsql_trusted_proc_t;
domain_type(sepgsql_trusted_proc_t)
postgresql_unconfined(sepgsql_trusted_proc_t)
role system_r types sepgsql_trusted_proc_t;

# Types for unprivileged client
type unpriv_sepgsql_blob_t;
postgresql_blob_object(unpriv_sepgsql_blob_t)

type unpriv_sepgsql_proc_exec_t;
postgresql_procedure_object(unpriv_sepgsql_proc_exec_t)

type unpriv_sepgsql_sysobj_t;
postgresql_system_table_object(unpriv_sepgsql_sysobj_t)

type unpriv_sepgsql_table_t;
postgresql_table_object(unpriv_sepgsql_table_t)

# Types for UBAC
type user_sepgsql_blob_t;
typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t };
typealias user_sepgsql_blob_t alias { auditadm_sepgsql_blob_t secadm_sepgsql_blob_t };
postgresql_blob_object(user_sepgsql_blob_t)

type user_sepgsql_proc_exec_t;
typealias user_sepgsql_proc_exec_t alias { staff_sepgsql_proc_exec_t sysadm_sepgsql_proc_exec_t };
typealias user_sepgsql_proc_exec_t alias { auditadm_sepgsql_proc_exec_t secadm_sepgsql_proc_exec_t };
postgresql_procedure_object(user_sepgsql_proc_exec_t)

type user_sepgsql_sysobj_t;
typealias user_sepgsql_sysobj_t alias { staff_sepgsql_sysobj_t sysadm_sepgsql_sysobj_t };
typealias user_sepgsql_sysobj_t alias { auditadm_sepgsql_sysobj_t secadm_sepgsql_sysobj_t };
postgresql_system_table_object(user_sepgsql_sysobj_t)

type user_sepgsql_table_t;
typealias user_sepgsql_table_t alias { staff_sepgsql_table_t sysadm_sepgsql_table_t };
typealias user_sepgsql_table_t alias { auditadm_sepgsql_table_t secadm_sepgsql_table_t };
postgresql_table_object(user_sepgsql_table_t)

########################################
#
# postgresql Local policy
#
allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
allow postgresql_t self:process signal_perms;
allow postgresql_t self:fifo_file rw_fifo_file_perms;
allow postgresql_t self:file { getattr read };
allow postgresql_t self:sem create_sem_perms;
allow postgresql_t self:shm create_shm_perms;
allow postgresql_t self:tcp_socket create_stream_socket_perms;
allow postgresql_t self:udp_socket create_stream_socket_perms;
allow postgresql_t self:unix_dgram_socket create_socket_perms;
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
allow postgresql_t self:netlink_selinux_socket create_socket_perms;

allow postgresql_t sepgsql_database_type:db_database *;
type_transition postgresql_t postgresql_t:db_database sepgsql_db_t;

allow postgresql_t sepgsql_module_type:db_database install_module;
# Database/Loadable module
allow sepgsql_database_type sepgsql_module_type:db_database load_module;

allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t;

allow postgresql_t sepgsql_procedure_type:db_procedure *;
type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_exec_t;

allow postgresql_t sepgsql_blob_type:db_blob *;
type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t;

manage_dirs_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })

allow postgresql_t postgresql_etc_t:dir list_dir_perms;
read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)

allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
can_exec(postgresql_t, postgresql_exec_t )

allow postgresql_t postgresql_lock_t:file manage_file_perms;
files_lock_filetrans(postgresql_t, postgresql_lock_t, file)

manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })

manage_dirs_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
manage_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })

manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
files_pid_filetrans(postgresql_t, postgresql_var_run_t, file)

kernel_read_kernel_sysctls(postgresql_t)
kernel_read_system_state(postgresql_t)
kernel_list_proc(postgresql_t)
kernel_read_all_sysctls(postgresql_t)
kernel_read_proc_symlinks(postgresql_t)

corenet_all_recvfrom_unlabeled(postgresql_t)
corenet_all_recvfrom_netlabel(postgresql_t)
corenet_tcp_sendrecv_generic_if(postgresql_t)
corenet_udp_sendrecv_generic_if(postgresql_t)
corenet_tcp_sendrecv_generic_node(postgresql_t)
corenet_udp_sendrecv_generic_node(postgresql_t)
corenet_tcp_sendrecv_all_ports(postgresql_t)
corenet_udp_sendrecv_all_ports(postgresql_t)
corenet_udp_bind_generic_node(postgresql_t)
corenet_tcp_bind_generic_node(postgresql_t)
corenet_tcp_bind_postgresql_port(postgresql_t)
corenet_tcp_connect_auth_port(postgresql_t)
corenet_tcp_connect_postgresql_port(postgresql_t)
corenet_sendrecv_postgresql_server_packets(postgresql_t)
corenet_sendrecv_auth_client_packets(postgresql_t)

dev_read_sysfs(postgresql_t)
dev_read_urand(postgresql_t)

fs_getattr_all_fs(postgresql_t)
fs_search_auto_mountpoints(postgresql_t)
fs_rw_hugetlbfs_files(postgresql_t)

selinux_get_enforce_mode(postgresql_t)
selinux_validate_context(postgresql_t)
selinux_compute_access_vector(postgresql_t)
selinux_compute_create_context(postgresql_t)
selinux_compute_relabel_context(postgresql_t)

term_use_controlling_term(postgresql_t)

corecmd_exec_bin(postgresql_t)
corecmd_exec_shell(postgresql_t)

domain_dontaudit_list_all_domains_state(postgresql_t)
domain_use_interactive_fds(postgresql_t)

files_dontaudit_search_home(postgresql_t)
files_manage_etc_files(postgresql_t)
files_search_etc(postgresql_t)
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)

auth_use_pam(postgresql_t)

init_read_utmp(postgresql_t)

logging_send_syslog_msg(postgresql_t)
logging_send_audit_msgs(postgresql_t)

miscfiles_read_localization(postgresql_t)

seutil_libselinux_linked(postgresql_t)

userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
userdom_dontaudit_search_user_home_dirs(postgresql_t)
userdom_dontaudit_use_user_terminals(postgresql_t)

mta_getattr_spool(postgresql_t)

tunable_policy(`allow_execmem',`
	allow postgresql_t self:process execmem;
')

optional_policy(`
	consoletype_exec(postgresql_t)
')

optional_policy(`
	cron_search_spool(postgresql_t)
	cron_system_entry(postgresql_t, postgresql_exec_t)
')

optional_policy(`
	hostname_exec(postgresql_t)
')

optional_policy(`
	ipsec_match_default_spd(postgresql_t)
')

optional_policy(`
	kerberos_use(postgresql_t)
')

optional_policy(`
	seutil_sigchld_newrole(postgresql_t)
')

optional_policy(`
	udev_read_db(postgresql_t)
')

########################################
#
# Rules common to all clients
#

allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param };
type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t;

allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert lock };
allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert };
allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert };

allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete lock };
allow sepgsql_client_type sepgsql_table_t:db_column { getattr use select update insert };
allow sepgsql_client_type sepgsql_table_t:db_tuple { use select update insert delete };

allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select lock };
allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select };
allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select };

allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr;
allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr;

allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select lock };
allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select };
allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };

allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr execute install };
allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint };

allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;

# The purpose of the dontaudit rule in row-level access control is to prevent a flood of logs.
# If a client tries to SELECT a table including violated tuples, these are filtered from
# the result set as if not exist, but its access denied longs can be recorded within log files.
# In generally, the number of tuples are much larger than the number of columns, tables and so on.
# So, it makes a flood of logs when many tuples are violated.
#
# The default policy does not prevent anything for sepgsql_client_type sepgsql_unconfined_type,
# so we don't need "dontaudit" rules in Type-Enforcement. However, MLS/MCS can prevent them
# to access classified tuples and can make a audit record.
#
# Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };


########################################
#
# Rules common to administrator clients
#

allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access };
type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t;

allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock };
allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto };
allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };

type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t;

allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto };
allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute;

type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;

allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto };

type_transition sepgsql_admin_type sepgsql_database_type:db_blob sepgsql_blob_t;

allow sepgsql_admin_type sepgsql_module_type:db_database install_module;

kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)

tunable_policy(`sepgsql_unconfined_dbadm',`
	allow sepgsql_admin_type sepgsql_database_type:db_database *;

	allow sepgsql_admin_type sepgsql_table_type:{ db_table db_column db_tuple } *;

	allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *;
	allow sepgsql_admin_type sepgsql_trusted_proc_exec_t:db_procedure ~install;
	allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install };

	allow sepgsql_admin_type sepgsql_blob_type:db_blob *;
')

########################################
#
# Unconfined access to this module
#

allow sepgsql_unconfined_type sepgsql_database_type:db_database *;
type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t;

type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t;
type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;

allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;

# unconfined domain is not allowed to invoke user defined procedure directly.
# They have to confirm and relabel it at first.
allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure *;
allow sepgsql_unconfined_type sepgsql_trusted_proc_exec_t:db_procedure ~install;
allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ execute install };

allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;

allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;

kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
Commit	Line	Data
a1fcff33	1
29af4c13	2	policy_module(postgresql, 1.11.0)
e8cb08ae CP	3
	4	gen_require(`
	5	class db_database all_db_database_perms;
	6	class db_table all_db_table_perms;
	7	class db_procedure all_db_procedure_perms;
	8	class db_column all_db_column_perms;
	9	class db_tuple all_db_tuple_perms;
	10	class db_blob all_db_blob_perms;
	11	')
a1fcff33 CP	12
	13	#################################
	14	#
	15	# Declarations
	16	#
e8cb08ae CP	17
	18	## <desc>
	19	## <p>
	20	## Allow unprived users to execute DDL statement
	21	## </p>
	22	## </desc>
	23	gen_tunable(sepgsql_enable_users_ddl, true)
	24
22a2874d CP	25	## <desc>
	26	## <p>
	27	## Allow database admins to execute DML statement
	28	## </p>
	29	## </desc>
	30	gen_tunable(sepgsql_unconfined_dbadm, true)
	31
a1fcff33 CP	32	type postgresql_t;
a1fcff33 CP	33	type postgresql_exec_t;
0bfccda4	34	init_daemon_domain(postgresql_t, postgresql_exec_t)
a1fcff33 CP	35
	36	type postgresql_db_t;
	37	files_type(postgresql_db_t)
	38
9bbc757a CP	39	type postgresql_etc_t;
9bbc757a CP	40	files_config_file(postgresql_etc_t)
a1fcff33	41
22a2874d CP	42	type postgresql_initrc_exec_t;
	43	init_script_file(postgresql_initrc_exec_t)
	44
a1fcff33 CP	45	type postgresql_lock_t;
	46	files_lock_file(postgresql_lock_t)
	47
	48	type postgresql_log_t;
	49	logging_log_file(postgresql_log_t)
	50
	51	type postgresql_tmp_t;
	52	files_tmp_file(postgresql_tmp_t)
	53
	54	type postgresql_var_run_t;
	55	files_pid_file(postgresql_var_run_t)
	56
e8cb08ae	57	# database clients attribute
22a2874d	58	attribute sepgsql_admin_type;
e8cb08ae CP	59	attribute sepgsql_client_type;
	60	attribute sepgsql_unconfined_type;
	61
	62	# database objects attribute
	63	attribute sepgsql_database_type;
	64	attribute sepgsql_table_type;
	65	attribute sepgsql_sysobj_table_type;
	66	attribute sepgsql_procedure_type;
	67	attribute sepgsql_blob_type;
	68	attribute sepgsql_module_type;
	69
	70	# database object types
	71	type sepgsql_blob_t;
	72	postgresql_blob_object(sepgsql_blob_t)
	73
	74	type sepgsql_db_t;
	75	postgresql_database_object(sepgsql_db_t)
	76
	77	type sepgsql_fixed_table_t;
	78	postgresql_table_object(sepgsql_fixed_table_t)
	79
350ed891 CP	80	type sepgsql_proc_exec_t;
	81	typealias sepgsql_proc_exec_t alias sepgsql_proc_t;
	82	postgresql_procedure_object(sepgsql_proc_exec_t)
e8cb08ae CP	83
	84	type sepgsql_ro_blob_t;
	85	postgresql_blob_object(sepgsql_ro_blob_t)
	86
	87	type sepgsql_ro_table_t;
	88	postgresql_table_object(sepgsql_ro_table_t)
	89
	90	type sepgsql_secret_blob_t;
	91	postgresql_blob_object(sepgsql_secret_blob_t)
	92
	93	type sepgsql_secret_table_t;
	94	postgresql_table_object(sepgsql_secret_table_t)
	95
	96	type sepgsql_sysobj_t;
	97	postgresql_system_table_object(sepgsql_sysobj_t)
	98
	99	type sepgsql_table_t;
	100	postgresql_table_object(sepgsql_table_t)
	101
7f4005e3 CP	102	type sepgsql_trusted_proc_exec_t;
7f4005e3 CP	103	postgresql_procedure_object(sepgsql_trusted_proc_exec_t)
e8cb08ae CP	104
e8cb08ae CP	105	# Trusted Procedure Domain
7f4005e3 CP	106	type sepgsql_trusted_proc_t;
	107	domain_type(sepgsql_trusted_proc_t)
	108	postgresql_unconfined(sepgsql_trusted_proc_t)
	109	role system_r types sepgsql_trusted_proc_t;
e8cb08ae	110
a01a4a71 CP	111	# Types for unprivileged client
	112	type unpriv_sepgsql_blob_t;
	113	postgresql_blob_object(unpriv_sepgsql_blob_t)
	114
	115	type unpriv_sepgsql_proc_exec_t;
	116	postgresql_procedure_object(unpriv_sepgsql_proc_exec_t)
	117
	118	type unpriv_sepgsql_sysobj_t;
	119	postgresql_system_table_object(unpriv_sepgsql_sysobj_t)
	120
	121	type unpriv_sepgsql_table_t;
	122	postgresql_table_object(unpriv_sepgsql_table_t)
	123
	124	# Types for UBAC
296273a7 CP	125	type user_sepgsql_blob_t;
	126	typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t };
	127	typealias user_sepgsql_blob_t alias { auditadm_sepgsql_blob_t secadm_sepgsql_blob_t };
	128	postgresql_blob_object(user_sepgsql_blob_t)
	129
	130	type user_sepgsql_proc_exec_t;
	131	typealias user_sepgsql_proc_exec_t alias { staff_sepgsql_proc_exec_t sysadm_sepgsql_proc_exec_t };
	132	typealias user_sepgsql_proc_exec_t alias { auditadm_sepgsql_proc_exec_t secadm_sepgsql_proc_exec_t };
	133	postgresql_procedure_object(user_sepgsql_proc_exec_t)
	134
	135	type user_sepgsql_sysobj_t;
	136	typealias user_sepgsql_sysobj_t alias { staff_sepgsql_sysobj_t sysadm_sepgsql_sysobj_t };
	137	typealias user_sepgsql_sysobj_t alias { auditadm_sepgsql_sysobj_t secadm_sepgsql_sysobj_t };
	138	postgresql_system_table_object(user_sepgsql_sysobj_t)
	139
	140	type user_sepgsql_table_t;
	141	typealias user_sepgsql_table_t alias { staff_sepgsql_table_t sysadm_sepgsql_table_t };
	142	typealias user_sepgsql_table_t alias { auditadm_sepgsql_table_t secadm_sepgsql_table_t };
	143	postgresql_table_object(user_sepgsql_table_t)
	144
a1fcff33 CP	145	########################################
	146	#
	147	# postgresql Local policy
	148	#
	149	allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
165b42d2	150	dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
57d8e6c7	151	allow postgresql_t self:process signal_perms;
0b36a214	152	allow postgresql_t self:fifo_file rw_fifo_file_perms;
9681df1c	153	allow postgresql_t self:file { getattr read };
a1fcff33 CP	154	allow postgresql_t self:sem create_sem_perms;
	155	allow postgresql_t self:shm create_shm_perms;
	156	allow postgresql_t self:tcp_socket create_stream_socket_perms;
	157	allow postgresql_t self:udp_socket create_stream_socket_perms;
	158	allow postgresql_t self:unix_dgram_socket create_socket_perms;
	159	allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
e8cb08ae CP	160	allow postgresql_t self:netlink_selinux_socket create_socket_perms;
	161
	162	allow postgresql_t sepgsql_database_type:db_database *;
	163	type_transition postgresql_t postgresql_t:db_database sepgsql_db_t;
	164
	165	allow postgresql_t sepgsql_module_type:db_database install_module;
	166	# Database/Loadable module
	167	allow sepgsql_database_type sepgsql_module_type:db_database load_module;
	168
	169	allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
	170	type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t;
	171
	172	allow postgresql_t sepgsql_procedure_type:db_procedure *;
350ed891	173	type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
e8cb08ae CP	174
	175	allow postgresql_t sepgsql_blob_type:db_blob *;
	176	type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t;
a1fcff33	177
0bfccda4 CP	178	manage_dirs_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
	179	manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
	180	manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
	181	manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
	182	manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
103fe280	183	files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
a1fcff33	184
c0868a7a	185	allow postgresql_t postgresql_etc_t:dir list_dir_perms;
0bfccda4 CP	186	read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
0bfccda4 CP	187	read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
a1fcff33 CP	188
	189	allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
	190	can_exec(postgresql_t, postgresql_exec_t )
	191
c0868a7a	192	allow postgresql_t postgresql_lock_t:file manage_file_perms;
3f67f722	193	files_lock_filetrans(postgresql_t, postgresql_lock_t, file)
a1fcff33	194
0bfccda4 CP	195	manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
0bfccda4 CP	196	logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })
a1fcff33	197
0bfccda4 CP	198	manage_dirs_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
	199	manage_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
	200	manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
	201	manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
	202	manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
103fe280 CP	203	files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
103fe280 CP	204	fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
a1fcff33	205
0bfccda4 CP	206	manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
	207	manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
	208	files_pid_filetrans(postgresql_t, postgresql_var_run_t, file)
a1fcff33	209
445522dc	210	kernel_read_kernel_sysctls(postgresql_t)
a1fcff33 CP	211	kernel_read_system_state(postgresql_t)
a1fcff33 CP	212	kernel_list_proc(postgresql_t)
445522dc	213	kernel_read_all_sysctls(postgresql_t)
a1fcff33	214	kernel_read_proc_symlinks(postgresql_t)
a1fcff33	215
19006686 CP	216	corenet_all_recvfrom_unlabeled(postgresql_t)
19006686 CP	217	corenet_all_recvfrom_netlabel(postgresql_t)
668b3093 CP	218	corenet_tcp_sendrecv_generic_if(postgresql_t)
668b3093 CP	219	corenet_udp_sendrecv_generic_if(postgresql_t)
c1262146 CP	220	corenet_tcp_sendrecv_generic_node(postgresql_t)
c1262146 CP	221	corenet_udp_sendrecv_generic_node(postgresql_t)
a1fcff33 CP	222	corenet_tcp_sendrecv_all_ports(postgresql_t)
a1fcff33 CP	223	corenet_udp_sendrecv_all_ports(postgresql_t)
9681df1c	224	corenet_udp_bind_generic_node(postgresql_t)
c1262146	225	corenet_tcp_bind_generic_node(postgresql_t)
a1fcff33 CP	226	corenet_tcp_bind_postgresql_port(postgresql_t)
a1fcff33 CP	227	corenet_tcp_connect_auth_port(postgresql_t)
9681df1c	228	corenet_tcp_connect_postgresql_port(postgresql_t)
141cffdd CP	229	corenet_sendrecv_postgresql_server_packets(postgresql_t)
141cffdd CP	230	corenet_sendrecv_auth_client_packets(postgresql_t)
a1fcff33 CP	231
	232	dev_read_sysfs(postgresql_t)
	233	dev_read_urand(postgresql_t)
	234
	235	fs_getattr_all_fs(postgresql_t)
	236	fs_search_auto_mountpoints(postgresql_t)
770c015f	237	fs_rw_hugetlbfs_files(postgresql_t)
a1fcff33	238
e8cb08ae CP	239	selinux_get_enforce_mode(postgresql_t)
	240	selinux_validate_context(postgresql_t)
	241	selinux_compute_access_vector(postgresql_t)
	242	selinux_compute_create_context(postgresql_t)
	243	selinux_compute_relabel_context(postgresql_t)
	244
a1fcff33	245	term_use_controlling_term(postgresql_t)
a1fcff33 CP	246
a1fcff33 CP	247	corecmd_exec_bin(postgresql_t)
a1fcff33 CP	248	corecmd_exec_shell(postgresql_t)
a1fcff33 CP	249
1815bad1	250	domain_dontaudit_list_all_domains_state(postgresql_t)
15722ec9	251	domain_use_interactive_fds(postgresql_t)
a1fcff33 CP	252
	253	files_dontaudit_search_home(postgresql_t)
	254	files_manage_etc_files(postgresql_t)
	255	files_search_etc(postgresql_t)
	256	files_read_etc_runtime_files(postgresql_t)
	257	files_read_usr_files(postgresql_t)
	258
9681df1c	259	auth_use_pam(postgresql_t)
09e21686	260
68228b33	261	init_read_utmp(postgresql_t)
a1fcff33	262
a1fcff33	263	logging_send_syslog_msg(postgresql_t)
9681df1c	264	logging_send_audit_msgs(postgresql_t)
a1fcff33 CP	265
	266	miscfiles_read_localization(postgresql_t)
	267
e8cb08ae	268	seutil_libselinux_linked(postgresql_t)
a1fcff33	269
15722ec9	270	userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
296273a7 CP	271	userdom_dontaudit_search_user_home_dirs(postgresql_t)
296273a7 CP	272	userdom_dontaudit_use_user_terminals(postgresql_t)
a1fcff33 CP	273
	274	mta_getattr_spool(postgresql_t)
	275
a1fcff33 CP	276	tunable_policy(`allow_execmem',`
	277	allow postgresql_t self:process execmem;
	278	')
	279
bb7170f6	280	optional_policy(`
a1fcff33 CP	281	consoletype_exec(postgresql_t)
	282	')
	283
bb7170f6	284	optional_policy(`
a1fcff33	285	cron_search_spool(postgresql_t)
3f67f722	286	cron_system_entry(postgresql_t, postgresql_exec_t)
a1fcff33 CP	287	')
a1fcff33 CP	288
bb7170f6	289	optional_policy(`
a1fcff33 CP	290	hostname_exec(postgresql_t)
	291	')
	292
0b6acad1 CP	293	optional_policy(`
	294	ipsec_match_default_spd(postgresql_t)
	295	')
	296
bb7170f6	297	optional_policy(`
a1fcff33 CP	298	kerberos_use(postgresql_t)
	299	')
	300
bb7170f6	301	optional_policy(`
a1fcff33 CP	302	seutil_sigchld_newrole(postgresql_t)
	303	')
	304
bb7170f6	305	optional_policy(`
a1fcff33 CP	306	udev_read_db(postgresql_t)
a1fcff33 CP	307	')
e8cb08ae CP	308
	309	########################################
	310	#
	311	# Rules common to all clients
	312	#
	313
	314	allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param };
	315	type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t;
	316
350ed891	317	allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert lock };
e8cb08ae CP	318	allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert };
	319	allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert };
	320
350ed891	321	allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete lock };
e8cb08ae CP	322	allow sepgsql_client_type sepgsql_table_t:db_column { getattr use select update insert };
	323	allow sepgsql_client_type sepgsql_table_t:db_tuple { use select update insert delete };
	324
350ed891	325	allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select lock };
e8cb08ae CP	326	allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select };
	327	allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select };
	328
	329	allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr;
	330	allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr;
	331
350ed891	332	allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select lock };
e8cb08ae CP	333	allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select };
	334	allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
	335
350ed891 CP	336	allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr execute install };
350ed891 CP	337	allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint };
e8cb08ae CP	338
	339	allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
	340	allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
	341	allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
	342
	343	# The purpose of the dontaudit rule in row-level access control is to prevent a flood of logs.
	344	# If a client tries to SELECT a table including violated tuples, these are filtered from
	345	# the result set as if not exist, but its access denied longs can be recorded within log files.
	346	# In generally, the number of tuples are much larger than the number of columns, tables and so on.
	347	# So, it makes a flood of logs when many tuples are violated.
	348	#
	349	# The default policy does not prevent anything for sepgsql_client_type sepgsql_unconfined_type,
	350	# so we don't need "dontaudit" rules in Type-Enforcement. However, MLS/MCS can prevent them
	351	# to access classified tuples and can make a audit record.
	352	#
	353	# Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
22a2874d CP	354	dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
	355
	356
	357	########################################
	358	#
	359	# Rules common to administrator clients
	360	#
	361
	362	allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access };
	363	type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t;
	364
	365	allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock };
	366	allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto };
	367	allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };
	368
ec8d32c8 KK	369	type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t;
ec8d32c8 KK	370
22a2874d	371	allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto };
ec8d32c8 KK	372	allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute;
	373
	374	type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
22a2874d CP	375
	376	allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto };
	377
ec8d32c8 KK	378	type_transition sepgsql_admin_type sepgsql_database_type:db_blob sepgsql_blob_t;
ec8d32c8 KK	379
22a2874d CP	380	allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
	381
	382	kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
	383
	384	tunable_policy(`sepgsql_unconfined_dbadm',`
	385	allow sepgsql_admin_type sepgsql_database_type:db_database *;
	386
	387	allow sepgsql_admin_type sepgsql_table_type:{ db_table db_column db_tuple } *;
	388
	389	allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *;
	390	allow sepgsql_admin_type sepgsql_trusted_proc_exec_t:db_procedure ~install;
	391	allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install };
	392
	393	allow sepgsql_admin_type sepgsql_blob_type:db_blob *;
	394	')
e8cb08ae	395
e8cb08ae CP	396	########################################
	397	#
	398	# Unconfined access to this module
	399	#
	400
	401	allow sepgsql_unconfined_type sepgsql_database_type:db_database *;
	402	type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t;
	403
	404	type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t;
350ed891	405	type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
e8cb08ae CP	406	type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;
	407
	408	allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;
	409
	410	# unconfined domain is not allowed to invoke user defined procedure directly.
	411	# They have to confirm and relabel it at first.
350ed891 CP	412	allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure *;
	413	allow sepgsql_unconfined_type sepgsql_trusted_proc_exec_t:db_procedure ~install;
	414	allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ execute install };
e8cb08ae CP	415
	416	allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
	417
	418	allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
	419
	420	kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)