1 ## <summary>PostgreSQL relational database</summary>
3 #######################################
5 ## Role access for SE-PostgreSQL.
7 ## <param name="user_role">
9 ## The role associated with the user domain.
12 ## <param name="user_domain">
14 ## The type of the user domain.
18 interface(`postgresql_role',`
# Grants a user role and its domain client access to SE-PostgreSQL objects.
# Arg 1 is used as a role and arg 2 as a domain type in the rules below.
# NOTE(review): the gutter numbering skips lines, so the gen_require wrapper
# and the closing quotes are presumably elided from this listing - confirm
# against the full file before reusing any of it.
20 class db_database all_db_database_perms;
21 class db_table all_db_table_perms;
22 class db_procedure all_db_procedure_perms;
23 class db_column all_db_column_perms;
24 class db_tuple all_db_tuple_perms;
25 class db_blob all_db_blob_perms;
27 attribute sepgsql_client_type, sepgsql_database_type;
28 attribute sepgsql_sysobj_table_type;
30 type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t;
31 type user_sepgsql_blob_t, user_sepgsql_proc_exec_t;
32 type user_sepgsql_sysobj_t, user_sepgsql_table_t;
35 ########################################
# Tag the user domain as an SE-PostgreSQL client and authorise the role to
# be associated with the trusted procedure domain.
40 typeattribute $2 sepgsql_client_type;
41 role $1 types sepgsql_trusted_proc_t;
43 ##############################
# Schema changes: create, drop and setattr on user tables, columns and
# procedures, plus writes to user_sepgsql_sysobj_t tuples, sit behind the
# sepgsql_enable_users_ddl tunable.
# NOTE(review): the end of the tunable block is not visible in this listing;
# the rules from gutter line 56 on look unconditional - confirm where the
# conditional closes, since that decides what users keep when DDL is disabled.
48 tunable_policy(`sepgsql_enable_users_ddl',`
49 allow $2 user_sepgsql_table_t:db_table { create drop setattr };
50 allow $2 user_sepgsql_table_t:db_column { create drop setattr };
52 allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
53 allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
# Data access on user-labelled tables, columns and tuples. The type_transition
# gives tables created by the user domain the user_sepgsql_table_t label.
56 allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock };
57 allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
58 allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
59 type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;
# Read-only view of the user-labelled system catalog tuples.
61 allow $2 user_sepgsql_sysobj_t:db_tuple { use select };
62 type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
# User-created procedures are labelled user_sepgsql_proc_exec_t and may be
# inspected and executed by the user domain.
64 allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
65 type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;
# Full lifecycle and import/export access to user-labelled large objects.
67 allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
68 type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
# Privilege boundary: the user domain may transition to sepgsql_trusted_proc_t
# through anything labelled sepgsql_trusted_proc_exec_t. The rights of that
# domain are defined elsewhere, so the exec label should be assigned sparingly.
70 allow $2 sepgsql_trusted_proc_t:process transition;
71 type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
74 ########################################
76 ## Marks as a SE-PostgreSQL loadable shared library module
78 ## <param name="type">
80 ## Type marked as a loadable shared library module type.
84 interface(`postgresql_loadable_module',`
# Adds the sepgsql_module_type attribute to the type passed as arg 1.
# No allow rule is granted in the visible body; access presumably follows
# from rules written against the attribute elsewhere - confirm in the .te file.
86 attribute sepgsql_module_type;
89 typeattribute $1 sepgsql_module_type;
92 ########################################
94 ## Marks as a SE-PostgreSQL database object type
96 ## <param name="type">
98 ## Type marked as a database object type.
102 interface(`postgresql_database_object',`
# Adds the sepgsql_database_type attribute to the type passed as arg 1.
# The client interfaces in this file use that attribute as the parent
# in their type_transition rules for new tables, procedures and blobs.
104 attribute sepgsql_database_type;
107 typeattribute $1 sepgsql_database_type;
110 ########################################
112 ## Marks as a SE-PostgreSQL table/column/tuple object type
114 ## <param name="type">
116 ## Type marked as a table/column/tuple object type.
120 interface(`postgresql_table_object',`
# Adds the sepgsql_table_type attribute to the type passed as arg 1.
# No allow rule is granted in the visible body.
122 attribute sepgsql_table_type;
125 typeattribute $1 sepgsql_table_type;
128 ########################################
130 ## Marks as a SE-PostgreSQL system table/column/tuple object type
132 ## <param name="type">
134 ## Type marked as a table/column/tuple object type.
138 interface(`postgresql_system_table_object',`
# Adds both sepgsql_table_type and sepgsql_sysobj_table_type to arg 1.
# The second attribute is the one the client interfaces in this file use as
# the parent when labelling tuples written to system catalogs.
140 attribute sepgsql_table_type, sepgsql_sysobj_table_type;
143 typeattribute $1 sepgsql_table_type;
144 typeattribute $1 sepgsql_sysobj_table_type;
147 ########################################
149 ## Marks as a SE-PostgreSQL procedure object type
151 ## <param name="type">
153 ## Type marked as a procedure object type.
157 interface(`postgresql_procedure_object',`
# Adds the sepgsql_procedure_type attribute to the type passed as arg 1.
# No allow rule is granted in the visible body.
159 attribute sepgsql_procedure_type;
162 typeattribute $1 sepgsql_procedure_type;
165 ########################################
167 ## Marks as a SE-PostgreSQL binary large object type
169 ## <param name="type">
171 ## Type marked as a database binary large object type.
175 interface(`postgresql_blob_object',`
# Adds the sepgsql_blob_type attribute to the type passed as arg 1.
# No allow rule is granted in the visible body.
177 attribute sepgsql_blob_type;
180 typeattribute $1 sepgsql_blob_type;
183 ########################################
185 ## Allow the specified domain to search postgresql's database directory.
187 ## <param name="domain">
189 ## Domain allowed access.
193 interface(`postgresql_search_db',`
# Lets the domain in arg 1 traverse directories labelled postgresql_db_t.
# Only the dir search permission is granted: no listing and no file access.
195 type postgresql_db_t;
198 allow $1 postgresql_db_t:dir search;
201 ########################################
203 ## Allow the specified domain to manage postgresql's database.
205 ## <param name="domain">
207 ## Domain allowed access.
210 interface(`postgresql_manage_db',`
# Grants the domain in arg 1 access to the on-disk database files.
# NOTE(review): despite the manage name, the visible rules use the rw_*
# permission sets and a read-only symlink grant, not the manage_* sets.
# Confirm this narrower scope is intended before widening it, because any
# caller gains direct access to data files outside the database access checks.
212 type postgresql_db_t;
215 allow $1 postgresql_db_t:dir rw_dir_perms;
216 allow $1 postgresql_db_t:file rw_file_perms;
217 allow $1 postgresql_db_t:lnk_file { getattr read };
220 ########################################
222 ## Execute postgresql in the postgresql domain.
224 ## <param name="domain">
226 ## Domain allowed to transition.
230 interface(`postgresql_domtrans',`
# Lets the domain in arg 1 execute files labelled postgresql_exec_t and
# enter the postgresql_t domain when it does so.
232 type postgresql_t, postgresql_exec_t;
235 domtrans_pattern($1, postgresql_exec_t, postgresql_t)
238 ######################################
240 ## Allow domain to signal postgresql
242 ## <param name="domain">
244 ## Domain allowed access.
248 interface(`postgresql_signal',`
# Lets the domain in arg 1 send generic signals to postgresql_t processes.
# Only the signal permission is granted; sigkill, sigstop and signull are
# separate process permissions and are not included.
# NOTE(review): no require for postgresql_t is visible in this listing;
# it is presumably on one of the elided lines - confirm.
252 allow $1 postgresql_t:process signal;
255 ########################################
257 ## Allow the specified domain to read postgresql's etc.
259 ## <param name="domain">
261 ## Domain allowed access.
266 interface(`postgresql_read_config',`
# Read-only access for the domain in arg 1 to configuration labelled
# postgresql_etc_t: list directories, read files and read symlinks.
# Worth remembering when reviewing callers: client authentication settings
# normally live under this label.
268 type postgresql_etc_t;
272 allow $1 postgresql_etc_t:dir list_dir_perms;
273 allow $1 postgresql_etc_t:file read_file_perms;
274 allow $1 postgresql_etc_t:lnk_file read_lnk_file_perms;
277 ########################################
279 ## Allow the specified domain to connect to postgresql with a tcp socket.
281 ## <param name="domain">
283 ## Domain allowed access.
287 interface(`postgresql_tcp_connect',`
# Lets the domain in arg 1 act as a TCP client of the PostgreSQL server:
# connect to the postgresql port, exchange traffic on it, and receive
# labeled traffic from postgresql_t.
# NOTE(review): no require for postgresql_t is visible in this listing;
# it is presumably on one of the elided lines - confirm.
292 corenet_tcp_recvfrom_labeled($1, postgresql_t)
293 corenet_tcp_sendrecv_postgresql_port($1)
294 corenet_tcp_connect_postgresql_port($1)
295 corenet_sendrecv_postgresql_client_packets($1)
298 ########################################
300 ## Allow the specified domain to connect to postgresql with a unix socket.
302 ## <param name="domain">
304 ## Domain allowed access.
309 interface(`postgresql_stream_connect',`
# Lets the domain in arg 1 connect to the server over a unix stream socket.
311 type postgresql_t, postgresql_var_run_t, postgresql_tmp_t;
# The pid directory search is needed to reach a socket kept there.
314 files_search_pids($1)
# Both the pid-directory label and the tmp label are accepted as socket
# locations. A socket under a tmp label is easier for other local processes to
# interfere with - NOTE(review): confirm the tmp location is still needed.
316 stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t}, { postgresql_var_run_t postgresql_tmp_t}, postgresql_t)
319 ########################################
321 ## Allow the specified domain unprivileged accesses to unifined database objects
322 ## managed by SE-PostgreSQL.
324 ## <param name="domain">
326 ## Domain allowed access.
330 interface(`postgresql_unpriv_client',`
# Grants the domain in arg 1 unprivileged client access, scoped to the
# unpriv_sepgsql_* object types. The rule set mirrors the one in
# postgresql_role, which uses the user_sepgsql_* types instead.
# NOTE(review): the gutter numbering skips lines, so the gen_require wrapper
# and the closing quotes are presumably elided from this listing - confirm.
332 class db_database all_db_database_perms;
333 class db_table all_db_table_perms;
334 class db_procedure all_db_procedure_perms;
335 class db_column all_db_column_perms;
336 class db_tuple all_db_tuple_perms;
337 class db_blob all_db_blob_perms;
339 attribute sepgsql_client_type;
340 attribute sepgsql_database_type, sepgsql_sysobj_table_type;
342 type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;
343 type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t;
344 type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t;
347 ########################################
# Tag the caller as an SE-PostgreSQL client.
352 typeattribute $1 sepgsql_client_type;
354 ########################################
356 # Client local policy
# Privilege boundary: the client may transition to sepgsql_trusted_proc_t
# through anything labelled sepgsql_trusted_proc_exec_t.
# NOTE(review): unlike postgresql_role, no role statement for the trusted
# procedure domain is visible here - confirm callers are already covered.
359 type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
360 allow $1 sepgsql_trusted_proc_t:process transition;
# Schema changes sit behind the sepgsql_enable_users_ddl tunable.
# NOTE(review): the end of the tunable block is not visible in this listing;
# the rules from gutter line 369 on look unconditional - confirm.
362 tunable_policy(`sepgsql_enable_users_ddl',`
363 allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
364 allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
365 allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
366 allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
# Data access on unpriv-labelled tables, columns and tuples; new tables
# created by the client receive the unpriv_sepgsql_table_t label.
369 allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
370 allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
371 allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
372 type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t;
# Read-only view of the unpriv-labelled system catalog tuples.
374 allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };
375 type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;
# Client-created procedures are labelled unpriv_sepgsql_proc_exec_t and may
# be inspected and executed by the client.
377 allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
378 type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;
# Full lifecycle and import/export access to unpriv-labelled large objects.
380 allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
381 type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
384 ########################################
386 ## Allow the specified domain unconfined accesses to any database objects
387 ## managed by SE-PostgreSQL.
389 ## <param name="domain">
391 ## Domain allowed access.
395 interface(`postgresql_unconfined',`
# Adds the sepgsql_unconfined_type attribute to the domain in arg 1.
# NOTE(review): the interface summary describes this as unconfined access to
# any database object, but the rules attached to the attribute are not in
# this listing. Every caller of this interface deserves individual review.
397 attribute sepgsql_unconfined_type;
400 typeattribute $1 sepgsql_unconfined_type;
403 ########################################
405 ## All of the rules required to administer a PostgreSQL environment
407 ## <param name="domain">
409 ## Domain allowed access.
412 ## <param name="role">
414 ## The role to be allowed to manage the postgresql domain.
419 interface(`postgresql_admin',`
# Bundles the access an administrative domain (arg 1) and its role (arg 2)
# need to run and maintain the PostgreSQL service.
# NOTE(review): the listing ends without a visible closer and the gutter
# numbering skips lines, so parts of this interface may be elided - confirm.
421 attribute sepgsql_admin_type;
# NOTE(review): sepgsql_client_type is required but not used in any rule
# visible below - confirm whether it is still needed.
422 attribute sepgsql_client_type;
424 type postgresql_t, postgresql_var_run_t;
425 type postgresql_tmp_t, postgresql_db_t;
426 type postgresql_etc_t, postgresql_log_t;
427 type postgresql_initrc_exec_t;
430 typeattribute $1 sepgsql_admin_type;
# ptrace lets the admin domain inspect and alter the memory of the server
# process, which exposes any data and credentials held there. It goes well
# beyond what signalling needs.
# NOTE(review): confirm ptrace is required, or gate it behind a tunable.
432 allow $1 postgresql_t:process { ptrace signal_perms };
433 ps_process_pattern($1, postgresql_t)
# Running the init script moves the admin role into system_r, so the script
# label postgresql_initrc_exec_t must stay restricted to the real init script.
435 init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
436 domain_system_change_exemption($1)
437 role_transition $2 postgresql_initrc_exec_t system_r;
# admin_pattern is applied to the runtime, data, config, log and tmp types,
# giving the admin domain direct file access to each, including the raw
# database files outside the database access checks.
440 admin_pattern($1, postgresql_var_run_t)
442 files_search_var_lib($1)
443 admin_pattern($1, postgresql_db_t)
446 admin_pattern($1, postgresql_etc_t)
448 logging_search_logs($1)
449 admin_pattern($1, postgresql_log_t)
451 admin_pattern($1, postgresql_tmp_t)
# Client connectivity over TCP and the unix socket, via the interfaces
# defined earlier in this file.
453 postgresql_tcp_connect($1)
454 postgresql_stream_connect($1)