## <summary>PostgreSQL relational database</summary>

#######################################
## <summary>
##	Role access for SE-PostgreSQL.
## </summary>
## <param name="user_role">
##	<summary>
##	The role associated with the user domain.
##	</summary>
## </param>
## <param name="user_domain">
##	<summary>
##	The type of the user domain.
##	</summary>
## </param>
#
interface(`postgresql_role',`
	gen_require(`
		class db_database all_db_database_perms;
		class db_table all_db_table_perms;
		class db_procedure all_db_procedure_perms;
		class db_column all_db_column_perms;
		class db_tuple all_db_tuple_perms;
		class db_blob all_db_blob_perms;

		attribute sepgsql_client_type, sepgsql_database_type;
		attribute sepgsql_sysobj_table_type;

		type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t;
		type user_sepgsql_blob_t, user_sepgsql_proc_exec_t;
		type user_sepgsql_sysobj_t, user_sepgsql_table_t;
	')

	########################################
	#
	# Declarations
	#

	# The user domain becomes an SE-PostgreSQL client, and the user role
	# is authorised for the trusted procedure domain.
	typeattribute $2 sepgsql_client_type;
	role $1 types sepgsql_trusted_proc_t;

	##############################
	#
	# Client local policy
	#

	# Trusted procedures: the only process transition granted here is
	# into sepgsql_trusted_proc_t, entered through procedures labeled
	# sepgsql_trusted_proc_exec_t.
	type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
	allow $2 sepgsql_trusted_proc_t:process transition;

	# Schema changes (create drop setattr) and writes to the user
	# system-object tuples apply only while sepgsql_enable_users_ddl is on.
	tunable_policy(`sepgsql_enable_users_ddl',`
		allow $2 user_sepgsql_table_t:db_table { create drop setattr };
		allow $2 user_sepgsql_table_t:db_column { create drop setattr };

		allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
		allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
	')

	# Tables created by the user domain are labeled user_sepgsql_table_t;
	# data access to those tables, columns and tuples is unconditional.
	type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;
	allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock };
	allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
	allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };

	# System-object tuples created by the user domain are readable only
	# (use select) unless the tunable above is enabled.
	type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
	allow $2 user_sepgsql_sysobj_t:db_tuple { use select };

	# Procedures created by the user domain can be inspected and executed.
	type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;
	allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };

	# Large objects created by the user domain are fully under its control,
	# including import and export.
	type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
	allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
')

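########################################
## <summary>
##	Marks as a SE-PostgreSQL loadable shared library module
## </summary>
## <param name="type">
##	<summary>
##	Type marked as a loadable shared library module type.
##	</summary>
## </param>
#
interface(`postgresql_loadable_module',`
	gen_require(`
		attribute sepgsql_module_type;
	')

	# Only attaches the attribute; whatever rules are written against
	# sepgsql_module_type elsewhere in the policy then apply to this type.
	typeattribute $1 sepgsql_module_type;
')
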
########################################
## <summary>
##	Marks as a SE-PostgreSQL database object type
## </summary>
## <param name="type">
##	<summary>
##	Type marked as a database object type.
##	</summary>
## </param>
#
interface(`postgresql_database_object',`
	gen_require(`
		attribute sepgsql_database_type;
	')

	# Attribute assignment only; no allow rules are added here.
	typeattribute $1 sepgsql_database_type;
')

########################################
## <summary>
##	Marks as a SE-PostgreSQL table/column/tuple object type
## </summary>
## <param name="type">
##	<summary>
##	Type marked as a table/column/tuple object type.
##	</summary>
## </param>
#
interface(`postgresql_table_object',`
	gen_require(`
		attribute sepgsql_table_type;
	')

	# Attribute assignment only; no allow rules are added here.
	typeattribute $1 sepgsql_table_type;
')

########################################
## <summary>
##	Marks as a SE-PostgreSQL system table/column/tuple object type
## </summary>
## <param name="type">
##	<summary>
##	Type marked as a system table/column/tuple object type.
##	</summary>
## </param>
#
interface(`postgresql_system_table_object',`
	gen_require(`
		attribute sepgsql_table_type, sepgsql_sysobj_table_type;
	')

	# A system table type is also an ordinary table type, so it carries
	# both attributes.
	typeattribute $1 sepgsql_table_type, sepgsql_sysobj_table_type;
')

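########################################
## <summary>
##	Marks as a SE-PostgreSQL procedure object type
## </summary>
## <param name="type">
##	<summary>
##	Type marked as a procedure object type.
##	</summary>
## </param>
#
interface(`postgresql_procedure_object',`
	gen_require(`
		attribute sepgsql_procedure_type;
	')

	# Attribute assignment only; no allow rules are added here.
	typeattribute $1 sepgsql_procedure_type;
')
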
########################################
## <summary>
##	Marks as a SE-PostgreSQL binary large object type
## </summary>
## <param name="type">
##	<summary>
##	Type marked as a database binary large object type.
##	</summary>
## </param>
#
interface(`postgresql_blob_object',`
	gen_require(`
		attribute sepgsql_blob_type;
	')

	# Attribute assignment only; no allow rules are added here.
	typeattribute $1 sepgsql_blob_type;
')

########################################
## <summary>
##	Allow the specified domain to search postgresql's database directory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postgresql_search_db',`
	gen_require(`
		type postgresql_db_t;
	')

	# Directory search only: no listing and no access to the files inside.
	allow $1 postgresql_db_t:dir search;
')

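########################################
## <summary>
##	Allow the specified domain to manage postgresql's database.
## </summary>
## <desc>
##	<p>
##	Despite the name, the rules use the rw_dir_perms and rw_file_perms
##	permission sets rather than the manage_* sets, and symbolic links
##	can only be read.
##	</p>
## </desc>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postgresql_manage_db',`
	gen_require(`
		type postgresql_db_t;
	')

	# NOTE(review): the rw_* sets are defined outside this file; confirm
	# they give callers what the word manage suggests before relying on it.
	allow $1 postgresql_db_t:dir rw_dir_perms;
	allow $1 postgresql_db_t:file rw_file_perms;
	allow $1 postgresql_db_t:lnk_file { getattr read };
')
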
########################################
## <summary>
##	Execute postgresql in the postgresql domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`postgresql_domtrans',`
	gen_require(`
		type postgresql_exec_t, postgresql_t;
	')

	# Running a postgresql_exec_t binary moves the caller into postgresql_t.
	domtrans_pattern($1, postgresql_exec_t, postgresql_t)
')

######################################
## <summary>
##	Allow domain to signal postgresql
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postgresql_signal',`
	gen_require(`
		type postgresql_t;
	')

	# Grants the signal permission alone, not the wider signal_perms set.
	allow $1 postgresql_t:process signal;
')

########################################
## <summary>
##	Allow the specified domain to read postgresql's etc.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`postgresql_read_config',`
	gen_require(`
		type postgresql_etc_t;
	')

	# Reach the configuration through the etc directory first.
	files_search_etc($1)

	# Read-only access to the configuration directories, files and links.
	allow $1 postgresql_etc_t:dir list_dir_perms;
	allow $1 postgresql_etc_t:file read_file_perms;
	allow $1 postgresql_etc_t:lnk_file read_lnk_file_perms;
')

########################################
## <summary>
##	Allow the specified domain to connect to postgresql with a tcp socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postgresql_tcp_connect',`
	gen_require(`
		type postgresql_t;
	')

	# Connection setup and traffic on the postgresql port.
	corenet_tcp_connect_postgresql_port($1)
	corenet_tcp_sendrecv_postgresql_port($1)
	corenet_sendrecv_postgresql_client_packets($1)

	# Labeled networking: accept traffic coming from postgresql_t.
	corenet_tcp_recvfrom_labeled($1, postgresql_t)
')

########################################
## <summary>
##	Allow the specified domain to connect to postgresql with a unix socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <rolecap/>
#
interface(`postgresql_stream_connect',`
	gen_require(`
		type postgresql_t, postgresql_var_run_t, postgresql_tmp_t;
	')

	# The socket may be labeled postgresql_var_run_t or postgresql_tmp_t,
	# so the caller is allowed to search both the pid and tmp directories.
	files_search_pids($1)
	files_search_tmp($1)
	stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t)
')

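########################################
## <summary>
##	Allow the specified domain unprivileged access to the
##	unpriv_sepgsql_* database objects managed by SE-PostgreSQL.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postgresql_unpriv_client',`
	gen_require(`
		class db_database all_db_database_perms;
		class db_table all_db_table_perms;
		class db_procedure all_db_procedure_perms;
		class db_column all_db_column_perms;
		class db_tuple all_db_tuple_perms;
		class db_blob all_db_blob_perms;

		attribute sepgsql_client_type;
		attribute sepgsql_database_type, sepgsql_sysobj_table_type;

		type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;
		type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t;
		type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t;
	')

	########################################
	#
	# Declarations
	#

	typeattribute $1 sepgsql_client_type;

	########################################
	#
	# Client local policy
	#

	# Trusted procedures: the only process transition granted here is
	# into sepgsql_trusted_proc_t. Unlike postgresql_role there is no role
	# argument, so no role is authorised for that domain by this interface.
	type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
	allow $1 sepgsql_trusted_proc_t:process transition;

	# Schema changes (create drop setattr) and writes to the unprivileged
	# system-object tuples apply only while sepgsql_enable_users_ddl is on.
	tunable_policy(`sepgsql_enable_users_ddl',`
		allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
		allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
		allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
		allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
	')

	# Tables created by the client are labeled unpriv_sepgsql_table_t;
	# data access to those tables, columns and tuples is unconditional.
	allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
	allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
	allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
	type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t;

	# System-object tuples are readable only (use select) unless the
	# tunable above is enabled.
	allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };
	type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;

	# Procedures created by the client can be inspected and executed.
	allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
	type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;

	# Large objects created by the client are fully under its control,
	# including import and export.
	allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
	type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
')
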
########################################
## <summary>
##	Allow the specified domain unconfined accesses to any database objects
##	managed by SE-PostgreSQL.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`postgresql_unconfined',`
	gen_require(`
		attribute sepgsql_unconfined_type;
	')

	# Attribute assignment only. The access this confers comes from the
	# rules written against sepgsql_unconfined_type outside this file, so
	# review those before giving the attribute to a new domain.
	typeattribute $1 sepgsql_unconfined_type;
')

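########################################
## <summary>
##	All of the rules required to administer a postgresql environment
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	The role to be allowed to manage the postgresql domain.
##	</summary>
## </param>
## <rolecap/>
#
interface(`postgresql_admin',`
	gen_require(`
		attribute sepgsql_admin_type;
		attribute sepgsql_client_type;

		type postgresql_t, postgresql_var_run_t;
		type postgresql_tmp_t, postgresql_db_t;
		type postgresql_etc_t, postgresql_log_t;
		type postgresql_initrc_exec_t;
	')

	typeattribute $1 sepgsql_admin_type;

	# Process control over the running server. ptrace is included, which
	# lets the admin domain read and alter the memory of the postgresql_t
	# process and so reach data held there; grant this interface only to
	# domains that are trusted with the database contents.
	allow $1 postgresql_t:process { ptrace signal_perms };
	ps_process_pattern($1, postgresql_t)

	# Starting and stopping the service: the admin domain may run the
	# init script, and the admin role may change to system_r when it does.
	init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
	domain_system_change_exemption($1)
	role_transition $2 postgresql_initrc_exec_t system_r;
	allow $2 system_r;

	# admin_pattern over every postgresql file type named in the
	# requirements above: runtime, database, configuration, log and tmp.
	admin_pattern($1, postgresql_var_run_t)

	files_search_var_lib($1)
	admin_pattern($1, postgresql_db_t)

	files_search_etc($1)
	admin_pattern($1, postgresql_etc_t)

	logging_search_logs($1)
	admin_pattern($1, postgresql_log_t)

	admin_pattern($1, postgresql_tmp_t)

	# The admin domain can also reach the server as a client, over both
	# tcp and the unix socket.
	postgresql_tcp_connect($1)
	postgresql_stream_connect($1)
')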