]> git.ipfire.org Git - people/stevee/selinux-policy.git/blob - policy/modules/services/postgresql.te
projects / people / stevee / selinux-policy.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
trunk: bump module versions for release.
[people/stevee/selinux-policy.git] / policy / modules / services / postgresql.te
1
2 policy_module(postgresql, 1.8.0)
3
4 gen_require(`
5 class db_database all_db_database_perms;
6 class db_table all_db_table_perms;
7 class db_procedure all_db_procedure_perms;
8 class db_column all_db_column_perms;
9 class db_tuple all_db_tuple_perms;
10 class db_blob all_db_blob_perms;
11 ')
12
13 #################################
14 #
15 # Declarations
16 #
17
18 ## <desc>
19 ## <p>
20 ## Allow unprived users to execute DDL statement
21 ## </p>
22 ## </desc>
23 gen_tunable(sepgsql_enable_users_ddl, true)
24
25 type postgresql_t;
26 type postgresql_exec_t;
27 init_daemon_domain(postgresql_t, postgresql_exec_t)
28
29 type postgresql_db_t;
30 files_type(postgresql_db_t)
31
32 type postgresql_etc_t;
33 files_config_file(postgresql_etc_t)
34
35 type postgresql_lock_t;
36 files_lock_file(postgresql_lock_t)
37
38 type postgresql_log_t;
39 logging_log_file(postgresql_log_t)
40
41 type postgresql_tmp_t;
42 files_tmp_file(postgresql_tmp_t)
43
44 type postgresql_var_run_t;
45 files_pid_file(postgresql_var_run_t)
46
47 # database clients attribute
48 attribute sepgsql_client_type;
49 attribute sepgsql_unconfined_type;
50
51 # database objects attribute
52 attribute sepgsql_database_type;
53 attribute sepgsql_table_type;
54 attribute sepgsql_sysobj_table_type;
55 attribute sepgsql_procedure_type;
56 attribute sepgsql_blob_type;
57 attribute sepgsql_module_type;
58
59 # database object types
60 type sepgsql_blob_t;
61 postgresql_blob_object(sepgsql_blob_t)
62
63 type sepgsql_db_t;
64 postgresql_database_object(sepgsql_db_t)
65
66 type sepgsql_fixed_table_t;
67 postgresql_table_object(sepgsql_fixed_table_t)
68
69 type sepgsql_proc_t;
70 postgresql_procedure_object(sepgsql_proc_t)
71
72 type sepgsql_ro_blob_t;
73 postgresql_blob_object(sepgsql_ro_blob_t)
74
75 type sepgsql_ro_table_t;
76 postgresql_table_object(sepgsql_ro_table_t)
77
78 type sepgsql_secret_blob_t;
79 postgresql_blob_object(sepgsql_secret_blob_t)
80
81 type sepgsql_secret_table_t;
82 postgresql_table_object(sepgsql_secret_table_t)
83
84 type sepgsql_sysobj_t;
85 postgresql_system_table_object(sepgsql_sysobj_t)
86
87 type sepgsql_table_t;
88 postgresql_table_object(sepgsql_table_t)
89
90 type sepgsql_trusted_proc_exec_t;
91 postgresql_procedure_object(sepgsql_trusted_proc_exec_t)
92
93 # Trusted Procedure Domain
94 type sepgsql_trusted_proc_t;
95 domain_type(sepgsql_trusted_proc_t)
96 postgresql_unconfined(sepgsql_trusted_proc_t)
97 role system_r types sepgsql_trusted_proc_t;
98
99 type user_sepgsql_blob_t;
100 typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t };
101 typealias user_sepgsql_blob_t alias { auditadm_sepgsql_blob_t secadm_sepgsql_blob_t };
102 postgresql_blob_object(user_sepgsql_blob_t)
103
104 type user_sepgsql_proc_exec_t;
105 typealias user_sepgsql_proc_exec_t alias { staff_sepgsql_proc_exec_t sysadm_sepgsql_proc_exec_t };
106 typealias user_sepgsql_proc_exec_t alias { auditadm_sepgsql_proc_exec_t secadm_sepgsql_proc_exec_t };
107 postgresql_procedure_object(user_sepgsql_proc_exec_t)
108
109 type user_sepgsql_sysobj_t;
110 typealias user_sepgsql_sysobj_t alias { staff_sepgsql_sysobj_t sysadm_sepgsql_sysobj_t };
111 typealias user_sepgsql_sysobj_t alias { auditadm_sepgsql_sysobj_t secadm_sepgsql_sysobj_t };
112 postgresql_system_table_object(user_sepgsql_sysobj_t)
113
114 type user_sepgsql_table_t;
115 typealias user_sepgsql_table_t alias { staff_sepgsql_table_t sysadm_sepgsql_table_t };
116 typealias user_sepgsql_table_t alias { auditadm_sepgsql_table_t secadm_sepgsql_table_t };
117 postgresql_table_object(user_sepgsql_table_t)
118
119 ########################################
120 #
121 # postgresql Local policy
122 #
123 allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
124 dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
125 allow postgresql_t self:process signal_perms;
126 allow postgresql_t self:fifo_file rw_fifo_file_perms;
127 allow postgresql_t self:sem create_sem_perms;
128 allow postgresql_t self:shm create_shm_perms;
129 allow postgresql_t self:tcp_socket create_stream_socket_perms;
130 allow postgresql_t self:udp_socket create_stream_socket_perms;
131 allow postgresql_t self:unix_dgram_socket create_socket_perms;
132 allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
133 allow postgresql_t self:netlink_selinux_socket create_socket_perms;
134
135 allow postgresql_t sepgsql_database_type:db_database *;
136 type_transition postgresql_t postgresql_t:db_database sepgsql_db_t;
137
138 allow postgresql_t sepgsql_module_type:db_database install_module;
139 # Database/Loadable module
140 allow sepgsql_database_type sepgsql_module_type:db_database load_module;
141
142 allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
143 type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t;
144
145 allow postgresql_t sepgsql_procedure_type:db_procedure *;
146 type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_t;
147
148 allow postgresql_t sepgsql_blob_type:db_blob *;
149 type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t;
150
151 manage_dirs_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
152 manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
153 manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
154 manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
155 manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
156 files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
157
158 allow postgresql_t postgresql_etc_t:dir list_dir_perms;
159 read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
160 read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
161
162 allow postgresql_t postgresql_exec_t:lnk_file { getattr read };
163 can_exec(postgresql_t, postgresql_exec_t )
164
165 allow postgresql_t postgresql_lock_t:file manage_file_perms;
166 files_lock_filetrans(postgresql_t,postgresql_lock_t,file)
167
168 manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
169 logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })
170
171 manage_dirs_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
172 manage_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
173 manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
174 manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
175 manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
176 files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
177 fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
178
179 manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
180 manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
181 files_pid_filetrans(postgresql_t, postgresql_var_run_t, file)
182
183 kernel_read_kernel_sysctls(postgresql_t)
184 kernel_read_system_state(postgresql_t)
185 kernel_list_proc(postgresql_t)
186 kernel_read_all_sysctls(postgresql_t)
187 kernel_read_proc_symlinks(postgresql_t)
188
189 corenet_all_recvfrom_unlabeled(postgresql_t)
190 corenet_all_recvfrom_netlabel(postgresql_t)
191 corenet_tcp_sendrecv_all_if(postgresql_t)
192 corenet_udp_sendrecv_all_if(postgresql_t)
193 corenet_tcp_sendrecv_all_nodes(postgresql_t)
194 corenet_udp_sendrecv_all_nodes(postgresql_t)
195 corenet_tcp_sendrecv_all_ports(postgresql_t)
196 corenet_udp_sendrecv_all_ports(postgresql_t)
197 corenet_tcp_bind_all_nodes(postgresql_t)
198 corenet_tcp_bind_postgresql_port(postgresql_t)
199 corenet_tcp_connect_auth_port(postgresql_t)
200 corenet_sendrecv_postgresql_server_packets(postgresql_t)
201 corenet_sendrecv_auth_client_packets(postgresql_t)
202
203 dev_read_sysfs(postgresql_t)
204 dev_read_urand(postgresql_t)
205
206 fs_getattr_all_fs(postgresql_t)
207 fs_search_auto_mountpoints(postgresql_t)
208 fs_rw_hugetlbfs_files(postgresql_t)
209
210 selinux_get_enforce_mode(postgresql_t)
211 selinux_validate_context(postgresql_t)
212 selinux_compute_access_vector(postgresql_t)
213 selinux_compute_create_context(postgresql_t)
214 selinux_compute_relabel_context(postgresql_t)
215
216 term_use_controlling_term(postgresql_t)
217
218 corecmd_exec_bin(postgresql_t)
219 corecmd_exec_shell(postgresql_t)
220
221 domain_dontaudit_list_all_domains_state(postgresql_t)
222 domain_use_interactive_fds(postgresql_t)
223
224 files_dontaudit_search_home(postgresql_t)
225 files_manage_etc_files(postgresql_t)
226 files_search_etc(postgresql_t)
227 files_read_etc_runtime_files(postgresql_t)
228 files_read_usr_files(postgresql_t)
229
230 auth_use_nsswitch(postgresql_t)
231
232 init_read_utmp(postgresql_t)
233
234 logging_send_syslog_msg(postgresql_t)
235
236 miscfiles_read_localization(postgresql_t)
237
238 seutil_libselinux_linked(postgresql_t)
239
240 userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
241 userdom_dontaudit_search_user_home_dirs(postgresql_t)
242 userdom_dontaudit_use_user_terminals(postgresql_t)
243
244 mta_getattr_spool(postgresql_t)
245
246 tunable_policy(`allow_execmem',`
247 allow postgresql_t self:process execmem;
248 ')
249
250 optional_policy(`
251 consoletype_exec(postgresql_t)
252 ')
253
254 optional_policy(`
255 cron_search_spool(postgresql_t)
256 cron_system_entry(postgresql_t,postgresql_exec_t)
257 ')
258
259 optional_policy(`
260 hostname_exec(postgresql_t)
261 ')
262
263 optional_policy(`
264 ipsec_match_default_spd(postgresql_t)
265 ')
266
267 optional_policy(`
268 kerberos_use(postgresql_t)
269 ')
270
271 optional_policy(`
272 seutil_sigchld_newrole(postgresql_t)
273 ')
274
275 optional_policy(`
276 udev_read_db(postgresql_t)
277 ')
278
279 ########################################
280 #
281 # Rules common to all clients
282 #
283
284 allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param };
285 type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t;
286
287 allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert };
288 allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert };
289 allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert };
290
291 allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete };
292 allow sepgsql_client_type sepgsql_table_t:db_column { getattr use select update insert };
293 allow sepgsql_client_type sepgsql_table_t:db_tuple { use select update insert delete };
294
295 allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select };
296 allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select };
297 allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select };
298
299 allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr;
300 allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr;
301
302 allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select };
303 allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select };
304 allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
305
306 allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute };
307 allow sepgsql_client_type sepgsql_trusted_proc_t:db_procedure { getattr execute entrypoint };
308
309 allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
310 allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
311 allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
312
313 # The purpose of the dontaudit rule in row-level access control is to prevent a flood of logs.
314 # If a client tries to SELECT a table including violated tuples, these are filtered from
315 # the result set as if not exist, but its access denied longs can be recorded within log files.
316 # In generally, the number of tuples are much larger than the number of columns, tables and so on.
317 # So, it makes a flood of logs when many tuples are violated.
318 #
319 # The default policy does not prevent anything for sepgsql_client_type sepgsql_unconfined_type,
320 # so we don't need "dontaudit" rules in Type-Enforcement. However, MLS/MCS can prevent them
321 # to access classified tuples and can make a audit record.
322 #
323 # Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
324 dontaudit { postgresql_t sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
325
326 tunable_policy(`sepgsql_enable_users_ddl',`
327 allow sepgsql_client_type sepgsql_table_t:db_table { create drop setattr };
328 allow sepgsql_client_type sepgsql_table_t:db_column { create drop setattr };
329 allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { update insert delete };
330 ')
331
332 ########################################
333 #
334 # Unconfined access to this module
335 #
336
337 allow sepgsql_unconfined_type sepgsql_database_type:db_database *;
338 type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t;
339
340 type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t;
341 type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_t;
342 type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;
343
344 allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;
345
346 # unconfined domain is not allowed to invoke user defined procedure directly.
347 # They have to confirm and relabel it at first.
348 allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_t }:db_procedure *;
349 allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto };
350
351 allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
352
353 allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
354
355 kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
The IPFire selinux policy.