policy/modules/services/postgresql.te

   1
   2 policy_module(postgresql, 1.11.0)
   3
   4 gen_require(`
   5         class db_database all_db_database_perms;
   6         class db_table all_db_table_perms;
   7         class db_procedure all_db_procedure_perms;
   8         class db_column all_db_column_perms;
   9         class db_tuple all_db_tuple_perms;
  10         class db_blob all_db_blob_perms;
  11 ')
  12
  13 #################################
  14 #
  15 # Declarations
  16 #
  17
  18 ## <desc>
  19 ## <p>
  20 ## Allow unprived users to execute DDL statement
  21 ## </p>
  22 ## </desc>
  23 gen_tunable(sepgsql_enable_users_ddl, true)
  24
  25 ## <desc>
  26 ## <p>
  27 ## Allow database admins to execute DML statement
  28 ## </p>
  29 ## </desc>
  30 gen_tunable(sepgsql_unconfined_dbadm, true)
  31
  32 type postgresql_t;
  33 type postgresql_exec_t;
  34 init_daemon_domain(postgresql_t, postgresql_exec_t)
  35
  36 type postgresql_db_t;
  37 files_type(postgresql_db_t)
  38
  39 type postgresql_etc_t;
  40 files_config_file(postgresql_etc_t)
  41
  42 type postgresql_initrc_exec_t;
  43 init_script_file(postgresql_initrc_exec_t)
  44
  45 type postgresql_lock_t;
  46 files_lock_file(postgresql_lock_t)
  47
  48 type postgresql_log_t;
  49 logging_log_file(postgresql_log_t)
  50
  51 type postgresql_tmp_t;
  52 files_tmp_file(postgresql_tmp_t)
  53
  54 type postgresql_var_run_t;
  55 files_pid_file(postgresql_var_run_t)
  56
  57 # database clients attribute
  58 attribute sepgsql_admin_type;
  59 attribute sepgsql_client_type;
  60 attribute sepgsql_unconfined_type;
  61
  62 # database objects attribute
  63 attribute sepgsql_database_type;
  64 attribute sepgsql_table_type;
  65 attribute sepgsql_sysobj_table_type;
  66 attribute sepgsql_procedure_type;
  67 attribute sepgsql_blob_type;
  68 attribute sepgsql_module_type;
  69
  70 # database object types
  71 type sepgsql_blob_t;
  72 postgresql_blob_object(sepgsql_blob_t)
  73
  74 type sepgsql_db_t;
  75 postgresql_database_object(sepgsql_db_t)
  76
  77 type sepgsql_fixed_table_t;
  78 postgresql_table_object(sepgsql_fixed_table_t)
  79
  80 type sepgsql_proc_exec_t;
  81 typealias sepgsql_proc_exec_t alias sepgsql_proc_t;
  82 postgresql_procedure_object(sepgsql_proc_exec_t)
  83
  84 type sepgsql_ro_blob_t;
  85 postgresql_blob_object(sepgsql_ro_blob_t)
  86
  87 type sepgsql_ro_table_t;
  88 postgresql_table_object(sepgsql_ro_table_t)
  89
  90 type sepgsql_secret_blob_t;
  91 postgresql_blob_object(sepgsql_secret_blob_t)
  92
  93 type sepgsql_secret_table_t;
  94 postgresql_table_object(sepgsql_secret_table_t)
  95
  96 type sepgsql_sysobj_t;
  97 postgresql_system_table_object(sepgsql_sysobj_t)
  98
  99 type sepgsql_table_t;
 100 postgresql_table_object(sepgsql_table_t)
 101
 102 type sepgsql_trusted_proc_exec_t;
 103 postgresql_procedure_object(sepgsql_trusted_proc_exec_t)
 104
 105 # Trusted Procedure Domain
 106 type sepgsql_trusted_proc_t;
 107 domain_type(sepgsql_trusted_proc_t)
 108 postgresql_unconfined(sepgsql_trusted_proc_t)
 109 role system_r types sepgsql_trusted_proc_t;
 110
 111 # Types for unprivileged client
 112 type unpriv_sepgsql_blob_t;
 113 postgresql_blob_object(unpriv_sepgsql_blob_t)
 114
 115 type unpriv_sepgsql_proc_exec_t;
 116 postgresql_procedure_object(unpriv_sepgsql_proc_exec_t)
 117
 118 type unpriv_sepgsql_sysobj_t;
 119 postgresql_system_table_object(unpriv_sepgsql_sysobj_t)
 120
 121 type unpriv_sepgsql_table_t;
 122 postgresql_table_object(unpriv_sepgsql_table_t)
 123
 124 # Types for UBAC
 125 type user_sepgsql_blob_t;
 126 typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t };
 127 typealias user_sepgsql_blob_t alias { auditadm_sepgsql_blob_t secadm_sepgsql_blob_t };
 128 postgresql_blob_object(user_sepgsql_blob_t)
 129
 130 type user_sepgsql_proc_exec_t;
 131 typealias user_sepgsql_proc_exec_t alias { staff_sepgsql_proc_exec_t sysadm_sepgsql_proc_exec_t };
 132 typealias user_sepgsql_proc_exec_t alias { auditadm_sepgsql_proc_exec_t secadm_sepgsql_proc_exec_t };
 133 postgresql_procedure_object(user_sepgsql_proc_exec_t)
 134
 135 type user_sepgsql_sysobj_t;
 136 typealias user_sepgsql_sysobj_t alias { staff_sepgsql_sysobj_t sysadm_sepgsql_sysobj_t };
 137 typealias user_sepgsql_sysobj_t alias { auditadm_sepgsql_sysobj_t secadm_sepgsql_sysobj_t };
 138 postgresql_system_table_object(user_sepgsql_sysobj_t)
 139
 140 type user_sepgsql_table_t;
 141 typealias user_sepgsql_table_t alias { staff_sepgsql_table_t sysadm_sepgsql_table_t };
 142 typealias user_sepgsql_table_t alias { auditadm_sepgsql_table_t secadm_sepgsql_table_t };
 143 postgresql_table_object(user_sepgsql_table_t)
 144
 145 ########################################
 146 #
 147 # postgresql Local policy
 148 #
 149 allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
 150 dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
 151 allow postgresql_t self:process signal_perms;
 152 allow postgresql_t self:fifo_file rw_fifo_file_perms;
 153 allow postgresql_t self:file { getattr read };
 154 allow postgresql_t self:sem create_sem_perms;
 155 allow postgresql_t self:shm create_shm_perms;
 156 allow postgresql_t self:tcp_socket create_stream_socket_perms;
 157 allow postgresql_t self:udp_socket create_stream_socket_perms;
 158 allow postgresql_t self:unix_dgram_socket create_socket_perms;
 159 allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
 160 allow postgresql_t self:netlink_selinux_socket create_socket_perms;
 161
 162 allow postgresql_t sepgsql_database_type:db_database *;
 163 type_transition postgresql_t postgresql_t:db_database sepgsql_db_t;
 164
 165 allow postgresql_t sepgsql_module_type:db_database install_module;
 166 # Database/Loadable module
 167 allow sepgsql_database_type sepgsql_module_type:db_database load_module;
 168
 169 allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
 170 type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t;
 171
 172 allow postgresql_t sepgsql_procedure_type:db_procedure *;
 173 type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
 174
 175 allow postgresql_t sepgsql_blob_type:db_blob *;
 176 type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t;
 177
 178 manage_dirs_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
 179 manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
 180 manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
 181 manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
 182 manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
 183 files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
 184
 185 allow postgresql_t postgresql_etc_t:dir list_dir_perms;
 186 read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
 187 read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
 188
 189 allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
 190 can_exec(postgresql_t, postgresql_exec_t )
 191
 192 allow postgresql_t postgresql_lock_t:file manage_file_perms;
 193 files_lock_filetrans(postgresql_t, postgresql_lock_t, file)
 194
 195 manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
 196 logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })
 197
 198 manage_dirs_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 199 manage_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 200 manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 201 manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 202 manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
 203 files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
 204 fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
 205
 206 manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
 207 manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
 208 files_pid_filetrans(postgresql_t, postgresql_var_run_t, file)
 209
 210 kernel_read_kernel_sysctls(postgresql_t)
 211 kernel_read_system_state(postgresql_t)
 212 kernel_list_proc(postgresql_t)
 213 kernel_read_all_sysctls(postgresql_t)
 214 kernel_read_proc_symlinks(postgresql_t)
 215
 216 corenet_all_recvfrom_unlabeled(postgresql_t)
 217 corenet_all_recvfrom_netlabel(postgresql_t)
 218 corenet_tcp_sendrecv_generic_if(postgresql_t)
 219 corenet_udp_sendrecv_generic_if(postgresql_t)
 220 corenet_tcp_sendrecv_generic_node(postgresql_t)
 221 corenet_udp_sendrecv_generic_node(postgresql_t)
 222 corenet_tcp_sendrecv_all_ports(postgresql_t)
 223 corenet_udp_sendrecv_all_ports(postgresql_t)
 224 corenet_udp_bind_generic_node(postgresql_t)
 225 corenet_tcp_bind_generic_node(postgresql_t)
 226 corenet_tcp_bind_postgresql_port(postgresql_t)
 227 corenet_tcp_connect_auth_port(postgresql_t)
 228 corenet_tcp_connect_postgresql_port(postgresql_t)
 229 corenet_sendrecv_postgresql_server_packets(postgresql_t)
 230 corenet_sendrecv_auth_client_packets(postgresql_t)
 231
 232 dev_read_sysfs(postgresql_t)
 233 dev_read_urand(postgresql_t)
 234
 235 fs_getattr_all_fs(postgresql_t)
 236 fs_search_auto_mountpoints(postgresql_t)
 237 fs_rw_hugetlbfs_files(postgresql_t)
 238
 239 selinux_get_enforce_mode(postgresql_t)
 240 selinux_validate_context(postgresql_t)
 241 selinux_compute_access_vector(postgresql_t)
 242 selinux_compute_create_context(postgresql_t)
 243 selinux_compute_relabel_context(postgresql_t)
 244
 245 term_use_controlling_term(postgresql_t)
 246
 247 corecmd_exec_bin(postgresql_t)
 248 corecmd_exec_shell(postgresql_t)
 249
 250 domain_dontaudit_list_all_domains_state(postgresql_t)
 251 domain_use_interactive_fds(postgresql_t)
 252
 253 files_dontaudit_search_home(postgresql_t)
 254 files_manage_etc_files(postgresql_t)
 255 files_search_etc(postgresql_t)
 256 files_read_etc_runtime_files(postgresql_t)
 257 files_read_usr_files(postgresql_t)
 258
 259 auth_use_pam(postgresql_t)
 260
 261 init_read_utmp(postgresql_t)
 262
 263 logging_send_syslog_msg(postgresql_t)
 264 logging_send_audit_msgs(postgresql_t)
 265
 266 miscfiles_read_localization(postgresql_t)
 267
 268 seutil_libselinux_linked(postgresql_t)
 269
 270 userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
 271 userdom_dontaudit_search_user_home_dirs(postgresql_t)
 272 userdom_dontaudit_use_user_terminals(postgresql_t)
 273
 274 mta_getattr_spool(postgresql_t)
 275
 276 tunable_policy(`allow_execmem',`
 277         allow postgresql_t self:process execmem;
 278 ')
 279
 280 optional_policy(`
 281         consoletype_exec(postgresql_t)
 282 ')
 283
 284 optional_policy(`
 285         cron_search_spool(postgresql_t)
 286         cron_system_entry(postgresql_t, postgresql_exec_t)
 287 ')
 288
 289 optional_policy(`
 290         hostname_exec(postgresql_t)
 291 ')
 292
 293 optional_policy(`
 294         ipsec_match_default_spd(postgresql_t)
 295 ')
 296
 297 optional_policy(`
 298         kerberos_use(postgresql_t)
 299 ')
 300
 301 optional_policy(`
 302         seutil_sigchld_newrole(postgresql_t)
 303 ')
 304
 305 optional_policy(`
 306         udev_read_db(postgresql_t)
 307 ')
 308
 309 ########################################
 310 #
 311 # Rules common to all clients
 312 #
 313
 314 allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param };
 315 type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t;
 316
 317 allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert lock };
 318 allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert };
 319 allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert };
 320
 321 allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete lock };
 322 allow sepgsql_client_type sepgsql_table_t:db_column { getattr use select update insert };
 323 allow sepgsql_client_type sepgsql_table_t:db_tuple { use select update insert delete };
 324
 325 allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select lock };
 326 allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select };
 327 allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select };
 328
 329 allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr;
 330 allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr;
 331
 332 allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select lock };
 333 allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select };
 334 allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
 335
 336 allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr execute install };
 337 allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint };
 338
 339 allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
 340 allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
 341 allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
 342
 343 # The purpose of the dontaudit rule in row-level access control is to prevent a flood of logs.
 344 # If a client tries to SELECT a table including violated tuples, these are filtered from
 345 # the result set as if not exist, but its access denied longs can be recorded within log files.
 346 # In generally, the number of tuples are much larger than the number of columns, tables and so on.
 347 # So, it makes a flood of logs when many tuples are violated.
 348 #
 349 # The default policy does not prevent anything for sepgsql_client_type sepgsql_unconfined_type,
 350 # so we don't need "dontaudit" rules in Type-Enforcement. However, MLS/MCS can prevent them
 351 # to access classified tuples and can make a audit record.
 352 #
 353 # Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
 354 dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
 355
 356
 357 ########################################
 358 #
 359 # Rules common to administrator clients
 360 #
 361
 362 allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access };
 363 type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t;
 364
 365 allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock };
 366 allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto };
 367 allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };
 368
 369 type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t;
 370
 371 allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto };
 372 allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute;
 373
 374 type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
 375
 376 allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto };
 377
 378 type_transition sepgsql_admin_type sepgsql_database_type:db_blob sepgsql_blob_t;
 379
 380 allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
 381
 382 kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
 383
 384 tunable_policy(`sepgsql_unconfined_dbadm',`
 385         allow sepgsql_admin_type sepgsql_database_type:db_database *;
 386
 387         allow sepgsql_admin_type sepgsql_table_type:{ db_table db_column db_tuple } *;
 388
 389         allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *;
 390         allow sepgsql_admin_type sepgsql_trusted_proc_exec_t:db_procedure ~install;
 391         allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install };
 392
 393         allow sepgsql_admin_type sepgsql_blob_type:db_blob *;
 394 ')
 395
 396 ########################################
 397 #
 398 # Unconfined access to this module
 399 #
 400
 401 allow sepgsql_unconfined_type sepgsql_database_type:db_database *;
 402 type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t;
 403
 404 type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t;
 405 type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
 406 type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;
 407
 408 allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;
 409
 410 # unconfined domain is not allowed to invoke user defined procedure directly.
 411 # They have to confirm and relabel it at first.
 412 allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure *;
 413 allow sepgsql_unconfined_type sepgsql_trusted_proc_exec_t:db_procedure ~install;
 414 allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ execute install };
 415
 416 allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
 417
 418 allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
 419
 420 kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)