|
Chris PeBenito |
fee4864 |
policy_module(postgresql, 1.11.1)
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
gen_require(`
|
|
Chris PeBenito |
e8cb08a |
class db_database all_db_database_perms;
|
|
Chris PeBenito |
e8cb08a |
class db_table all_db_table_perms;
|
|
Chris PeBenito |
e8cb08a |
class db_procedure all_db_procedure_perms;
|
|
Chris PeBenito |
e8cb08a |
class db_column all_db_column_perms;
|
|
Chris PeBenito |
e8cb08a |
class db_tuple all_db_tuple_perms;
|
|
Chris PeBenito |
e8cb08a |
class db_blob all_db_blob_perms;
|
|
Chris PeBenito |
e8cb08a |
')
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
#################################
|
|
Chris PeBenito |
17de1b7 |
#
|
|
Chris PeBenito |
17de1b7 |
# Declarations
|
|
Chris PeBenito |
17de1b7 |
#
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
## <desc>
|
|
Dominick Grift |
18f2a72 |
##
|
|
Dominick Grift |
18f2a72 |
## Allow unprived users to execute DDL statement
|
|
Dominick Grift |
18f2a72 |
##
|
|
Chris PeBenito |
e8cb08a |
## </desc>
|
|
Chris PeBenito |
e8cb08a |
gen_tunable(sepgsql_enable_users_ddl, true)
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
22a2874 |
## <desc>
|
|
Dominick Grift |
18f2a72 |
##
|
|
Dominick Grift |
18f2a72 |
## Allow database admins to execute DML statement
|
|
Dominick Grift |
18f2a72 |
##
|
|
Chris PeBenito |
22a2874 |
## </desc>
|
|
Chris PeBenito |
22a2874 |
gen_tunable(sepgsql_unconfined_dbadm, true)
|
|
Chris PeBenito |
22a2874 |
|
|
Chris PeBenito |
17de1b7 |
type postgresql_t;
|
|
Chris PeBenito |
17de1b7 |
type postgresql_exec_t;
|
|
Chris PeBenito |
0bfccda |
init_daemon_domain(postgresql_t, postgresql_exec_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
type postgresql_db_t;
|
|
Chris PeBenito |
17de1b7 |
files_type(postgresql_db_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
type postgresql_etc_t;
|
|
Chris PeBenito |
17de1b7 |
files_config_file(postgresql_etc_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
22a2874 |
type postgresql_initrc_exec_t;
|
|
Chris PeBenito |
22a2874 |
init_script_file(postgresql_initrc_exec_t)
|
|
Chris PeBenito |
22a2874 |
|
|
Chris PeBenito |
17de1b7 |
type postgresql_lock_t;
|
|
Chris PeBenito |
17de1b7 |
files_lock_file(postgresql_lock_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
type postgresql_log_t;
|
|
Chris PeBenito |
17de1b7 |
logging_log_file(postgresql_log_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
type postgresql_tmp_t;
|
|
Chris PeBenito |
17de1b7 |
files_tmp_file(postgresql_tmp_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
type postgresql_var_run_t;
|
|
Chris PeBenito |
17de1b7 |
files_pid_file(postgresql_var_run_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
e8cb08a |
# database clients attribute
|
|
Chris PeBenito |
22a2874 |
attribute sepgsql_admin_type;
|
|
Chris PeBenito |
e8cb08a |
attribute sepgsql_client_type;
|
|
Chris PeBenito |
e8cb08a |
attribute sepgsql_unconfined_type;
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
# database objects attribute
|
|
Chris PeBenito |
e8cb08a |
attribute sepgsql_database_type;
|
|
Chris PeBenito |
e8cb08a |
attribute sepgsql_table_type;
|
|
Chris PeBenito |
e8cb08a |
attribute sepgsql_sysobj_table_type;
|
|
Chris PeBenito |
e8cb08a |
attribute sepgsql_procedure_type;
|
|
Chris PeBenito |
e8cb08a |
attribute sepgsql_blob_type;
|
|
Chris PeBenito |
e8cb08a |
attribute sepgsql_module_type;
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
# database object types
|
|
Chris PeBenito |
e8cb08a |
type sepgsql_blob_t;
|
|
Chris PeBenito |
e8cb08a |
postgresql_blob_object(sepgsql_blob_t)
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
type sepgsql_db_t;
|
|
Chris PeBenito |
e8cb08a |
postgresql_database_object(sepgsql_db_t)
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
type sepgsql_fixed_table_t;
|
|
Chris PeBenito |
e8cb08a |
postgresql_table_object(sepgsql_fixed_table_t)
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
350ed89 |
type sepgsql_proc_exec_t;
|
|
Chris PeBenito |
350ed89 |
typealias sepgsql_proc_exec_t alias sepgsql_proc_t;
|
|
Chris PeBenito |
350ed89 |
postgresql_procedure_object(sepgsql_proc_exec_t)
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
type sepgsql_ro_blob_t;
|
|
Chris PeBenito |
e8cb08a |
postgresql_blob_object(sepgsql_ro_blob_t)
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
type sepgsql_ro_table_t;
|
|
Chris PeBenito |
e8cb08a |
postgresql_table_object(sepgsql_ro_table_t)
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
type sepgsql_secret_blob_t;
|
|
Chris PeBenito |
e8cb08a |
postgresql_blob_object(sepgsql_secret_blob_t)
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
type sepgsql_secret_table_t;
|
|
Chris PeBenito |
e8cb08a |
postgresql_table_object(sepgsql_secret_table_t)
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
type sepgsql_sysobj_t;
|
|
Chris PeBenito |
e8cb08a |
postgresql_system_table_object(sepgsql_sysobj_t)
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
type sepgsql_table_t;
|
|
Chris PeBenito |
e8cb08a |
postgresql_table_object(sepgsql_table_t)
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
7f4005e |
type sepgsql_trusted_proc_exec_t;
|
|
Chris PeBenito |
7f4005e |
postgresql_procedure_object(sepgsql_trusted_proc_exec_t)
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
# Trusted Procedure Domain
|
|
Chris PeBenito |
7f4005e |
type sepgsql_trusted_proc_t;
|
|
Chris PeBenito |
7f4005e |
domain_type(sepgsql_trusted_proc_t)
|
|
Chris PeBenito |
7f4005e |
postgresql_unconfined(sepgsql_trusted_proc_t)
|
|
Chris PeBenito |
7f4005e |
role system_r types sepgsql_trusted_proc_t;
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
a01a4a7 |
# Types for unprivileged client
|
|
Chris PeBenito |
a01a4a7 |
type unpriv_sepgsql_blob_t;
|
|
Chris PeBenito |
a01a4a7 |
postgresql_blob_object(unpriv_sepgsql_blob_t)
|
|
Chris PeBenito |
a01a4a7 |
|
|
Chris PeBenito |
a01a4a7 |
type unpriv_sepgsql_proc_exec_t;
|
|
Chris PeBenito |
a01a4a7 |
postgresql_procedure_object(unpriv_sepgsql_proc_exec_t)
|
|
Chris PeBenito |
a01a4a7 |
|
|
Chris PeBenito |
a01a4a7 |
type unpriv_sepgsql_sysobj_t;
|
|
Chris PeBenito |
a01a4a7 |
postgresql_system_table_object(unpriv_sepgsql_sysobj_t)
|
|
Chris PeBenito |
a01a4a7 |
|
|
Chris PeBenito |
a01a4a7 |
type unpriv_sepgsql_table_t;
|
|
Chris PeBenito |
a01a4a7 |
postgresql_table_object(unpriv_sepgsql_table_t)
|
|
Chris PeBenito |
a01a4a7 |
|
|
Chris PeBenito |
a01a4a7 |
# Types for UBAC
|
|
Chris PeBenito |
296273a |
type user_sepgsql_blob_t;
|
|
Chris PeBenito |
296273a |
typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t };
|
|
Chris PeBenito |
296273a |
typealias user_sepgsql_blob_t alias { auditadm_sepgsql_blob_t secadm_sepgsql_blob_t };
|
|
Chris PeBenito |
296273a |
postgresql_blob_object(user_sepgsql_blob_t)
|
|
Chris PeBenito |
296273a |
|
|
Chris PeBenito |
296273a |
type user_sepgsql_proc_exec_t;
|
|
Chris PeBenito |
296273a |
typealias user_sepgsql_proc_exec_t alias { staff_sepgsql_proc_exec_t sysadm_sepgsql_proc_exec_t };
|
|
Chris PeBenito |
296273a |
typealias user_sepgsql_proc_exec_t alias { auditadm_sepgsql_proc_exec_t secadm_sepgsql_proc_exec_t };
|
|
Chris PeBenito |
296273a |
postgresql_procedure_object(user_sepgsql_proc_exec_t)
|
|
Chris PeBenito |
296273a |
|
|
Chris PeBenito |
296273a |
type user_sepgsql_sysobj_t;
|
|
Chris PeBenito |
296273a |
typealias user_sepgsql_sysobj_t alias { staff_sepgsql_sysobj_t sysadm_sepgsql_sysobj_t };
|
|
Chris PeBenito |
296273a |
typealias user_sepgsql_sysobj_t alias { auditadm_sepgsql_sysobj_t secadm_sepgsql_sysobj_t };
|
|
Chris PeBenito |
296273a |
postgresql_system_table_object(user_sepgsql_sysobj_t)
|
|
Chris PeBenito |
296273a |
|
|
Chris PeBenito |
296273a |
type user_sepgsql_table_t;
|
|
Chris PeBenito |
296273a |
typealias user_sepgsql_table_t alias { staff_sepgsql_table_t sysadm_sepgsql_table_t };
|
|
Chris PeBenito |
296273a |
typealias user_sepgsql_table_t alias { auditadm_sepgsql_table_t secadm_sepgsql_table_t };
|
|
Chris PeBenito |
296273a |
postgresql_table_object(user_sepgsql_table_t)
|
|
Chris PeBenito |
296273a |
|
|
Chris PeBenito |
17de1b7 |
########################################
|
|
Chris PeBenito |
17de1b7 |
#
|
|
Chris PeBenito |
17de1b7 |
# postgresql Local policy
|
|
Chris PeBenito |
17de1b7 |
#
|
|
Chris PeBenito |
17de1b7 |
allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
|
|
Chris PeBenito |
17de1b7 |
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
|
|
Chris PeBenito |
17de1b7 |
allow postgresql_t self:process signal_perms;
|
|
Chris PeBenito |
0b36a21 |
allow postgresql_t self:fifo_file rw_fifo_file_perms;
|
|
Jeremy Solt |
9681df1 |
allow postgresql_t self:file { getattr read };
|
|
Chris PeBenito |
17de1b7 |
allow postgresql_t self:sem create_sem_perms;
|
|
Chris PeBenito |
17de1b7 |
allow postgresql_t self:shm create_shm_perms;
|
|
Chris PeBenito |
17de1b7 |
allow postgresql_t self:tcp_socket create_stream_socket_perms;
|
|
Chris PeBenito |
17de1b7 |
allow postgresql_t self:udp_socket create_stream_socket_perms;
|
|
Chris PeBenito |
17de1b7 |
allow postgresql_t self:unix_dgram_socket create_socket_perms;
|
|
Chris PeBenito |
17de1b7 |
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
|
|
Chris PeBenito |
e8cb08a |
allow postgresql_t self:netlink_selinux_socket create_socket_perms;
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
allow postgresql_t sepgsql_database_type:db_database *;
|
|
Chris PeBenito |
e8cb08a |
type_transition postgresql_t postgresql_t:db_database sepgsql_db_t;
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
allow postgresql_t sepgsql_module_type:db_database install_module;
|
|
Chris PeBenito |
e8cb08a |
# Database/Loadable module
|
|
Chris PeBenito |
e8cb08a |
allow sepgsql_database_type sepgsql_module_type:db_database load_module;
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
|
|
Chris PeBenito |
e8cb08a |
type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t;
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
allow postgresql_t sepgsql_procedure_type:db_procedure *;
|
|
Chris PeBenito |
350ed89 |
type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
allow postgresql_t sepgsql_blob_type:db_blob *;
|
|
Chris PeBenito |
e8cb08a |
type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t;
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
0bfccda |
manage_dirs_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
|
|
Chris PeBenito |
0bfccda |
manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
|
|
Chris PeBenito |
0bfccda |
manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
|
|
Chris PeBenito |
0bfccda |
manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
|
|
Chris PeBenito |
0bfccda |
manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
|
|
Chris PeBenito |
17de1b7 |
files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
c0868a7 |
allow postgresql_t postgresql_etc_t:dir list_dir_perms;
|
|
Chris PeBenito |
0bfccda |
read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
|
|
Chris PeBenito |
0bfccda |
read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Dominick Grift |
0f7c400 |
allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms;
|
|
Chris PeBenito |
17de1b7 |
can_exec(postgresql_t, postgresql_exec_t )
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
c0868a7 |
allow postgresql_t postgresql_lock_t:file manage_file_perms;
|
|
Chris PeBenito |
3f67f72 |
files_lock_filetrans(postgresql_t, postgresql_lock_t, file)
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
0bfccda |
manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
|
|
Chris PeBenito |
0bfccda |
logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
0bfccda |
manage_dirs_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
|
|
Chris PeBenito |
0bfccda |
manage_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
|
|
Chris PeBenito |
0bfccda |
manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
|
|
Chris PeBenito |
0bfccda |
manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
|
|
Chris PeBenito |
0bfccda |
manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
|
|
Chris PeBenito |
17de1b7 |
files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
|
|
Chris PeBenito |
17de1b7 |
fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file })
|
|
Chris PeBenito |
17de1b7 |
|
|
 |
3eaa993 |
manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
|
|
Chris PeBenito |
0bfccda |
manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
|
|
Chris PeBenito |
0bfccda |
manage_sock_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t)
|
|
Jeremy Solt |
17759c7 |
files_pid_filetrans(postgresql_t, postgresql_var_run_t, { dir file })
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
kernel_read_kernel_sysctls(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
kernel_read_system_state(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
kernel_list_proc(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
kernel_read_all_sysctls(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
kernel_read_proc_symlinks(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
1900668 |
corenet_all_recvfrom_unlabeled(postgresql_t)
|
|
Chris PeBenito |
1900668 |
corenet_all_recvfrom_netlabel(postgresql_t)
|
|
Chris PeBenito |
668b309 |
corenet_tcp_sendrecv_generic_if(postgresql_t)
|
|
Chris PeBenito |
668b309 |
corenet_udp_sendrecv_generic_if(postgresql_t)
|
|
Chris PeBenito |
c126214 |
corenet_tcp_sendrecv_generic_node(postgresql_t)
|
|
Chris PeBenito |
c126214 |
corenet_udp_sendrecv_generic_node(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
corenet_tcp_sendrecv_all_ports(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
corenet_udp_sendrecv_all_ports(postgresql_t)
|
|
Jeremy Solt |
9681df1 |
corenet_udp_bind_generic_node(postgresql_t)
|
|
Chris PeBenito |
c126214 |
corenet_tcp_bind_generic_node(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
corenet_tcp_bind_postgresql_port(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
corenet_tcp_connect_auth_port(postgresql_t)
|
|
Jeremy Solt |
9681df1 |
corenet_tcp_connect_postgresql_port(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
corenet_sendrecv_postgresql_server_packets(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
corenet_sendrecv_auth_client_packets(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
dev_read_sysfs(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
dev_read_urand(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
fs_getattr_all_fs(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
fs_search_auto_mountpoints(postgresql_t)
|
|
Chris PeBenito |
770c015 |
fs_rw_hugetlbfs_files(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
e8cb08a |
selinux_get_enforce_mode(postgresql_t)
|
|
Chris PeBenito |
e8cb08a |
selinux_validate_context(postgresql_t)
|
|
Chris PeBenito |
e8cb08a |
selinux_compute_access_vector(postgresql_t)
|
|
Chris PeBenito |
e8cb08a |
selinux_compute_create_context(postgresql_t)
|
|
Chris PeBenito |
e8cb08a |
selinux_compute_relabel_context(postgresql_t)
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
17de1b7 |
term_use_controlling_term(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
corecmd_exec_bin(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
corecmd_exec_shell(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
domain_dontaudit_list_all_domains_state(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
domain_use_interactive_fds(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
files_dontaudit_search_home(postgresql_t)
|
|
|
c2dae98 |
files_read_etc_files(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
files_read_etc_runtime_files(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
files_read_usr_files(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Jeremy Solt |
9681df1 |
auth_use_pam(postgresql_t)
|
|
Chris PeBenito |
09e2168 |
|
|
Chris PeBenito |
17de1b7 |
init_read_utmp(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
logging_send_syslog_msg(postgresql_t)
|
|
Jeremy Solt |
9681df1 |
logging_send_audit_msgs(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
miscfiles_read_localization(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
e8cb08a |
seutil_libselinux_linked(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
|
|
Chris PeBenito |
296273a |
userdom_dontaudit_search_user_home_dirs(postgresql_t)
|
|
Chris PeBenito |
296273a |
userdom_dontaudit_use_user_terminals(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
mta_getattr_spool(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
tunable_policy(`allow_execmem',`
|
|
Chris PeBenito |
17de1b7 |
allow postgresql_t self:process execmem;
|
|
Chris PeBenito |
17de1b7 |
')
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
optional_policy(`
|
|
Chris PeBenito |
17de1b7 |
consoletype_exec(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
')
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
optional_policy(`
|
|
Chris PeBenito |
17de1b7 |
cron_search_spool(postgresql_t)
|
|
Chris PeBenito |
3f67f72 |
cron_system_entry(postgresql_t, postgresql_exec_t)
|
|
Chris PeBenito |
17de1b7 |
')
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
optional_policy(`
|
|
Chris PeBenito |
17de1b7 |
hostname_exec(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
')
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
optional_policy(`
|
|
Chris PeBenito |
0b6acad |
ipsec_match_default_spd(postgresql_t)
|
|
Chris PeBenito |
0b6acad |
')
|
|
Chris PeBenito |
0b6acad |
|
|
Chris PeBenito |
0b6acad |
optional_policy(`
|
|
Chris PeBenito |
17de1b7 |
kerberos_use(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
')
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
optional_policy(`
|
|
Chris PeBenito |
17de1b7 |
seutil_sigchld_newrole(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
')
|
|
Chris PeBenito |
17de1b7 |
|
|
Chris PeBenito |
17de1b7 |
optional_policy(`
|
|
Chris PeBenito |
17de1b7 |
udev_read_db(postgresql_t)
|
|
Chris PeBenito |
17de1b7 |
')
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
########################################
|
|
Chris PeBenito |
e8cb08a |
#
|
|
Chris PeBenito |
e8cb08a |
# Rules common to all clients
|
|
Chris PeBenito |
e8cb08a |
#
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param };
|
|
Chris PeBenito |
e8cb08a |
type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t;
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
350ed89 |
allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert lock };
|
|
Chris PeBenito |
e8cb08a |
allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert };
|
|
Chris PeBenito |
e8cb08a |
allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert };
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
350ed89 |
allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete lock };
|
|
Chris PeBenito |
e8cb08a |
allow sepgsql_client_type sepgsql_table_t:db_column { getattr use select update insert };
|
|
Chris PeBenito |
e8cb08a |
allow sepgsql_client_type sepgsql_table_t:db_tuple { use select update insert delete };
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
350ed89 |
allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select lock };
|
|
Chris PeBenito |
e8cb08a |
allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select };
|
|
Chris PeBenito |
e8cb08a |
allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select };
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr;
|
|
Chris PeBenito |
e8cb08a |
allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr;
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
350ed89 |
allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select lock };
|
|
Chris PeBenito |
e8cb08a |
allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select };
|
|
Chris PeBenito |
e8cb08a |
allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
350ed89 |
allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr execute install };
|
|
Chris PeBenito |
350ed89 |
allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint };
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
|
|
Chris PeBenito |
e8cb08a |
allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
|
|
Chris PeBenito |
e8cb08a |
allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
# The purpose of the dontaudit rule in row-level access control is to prevent a flood of logs.
|
|
Chris PeBenito |
e8cb08a |
# If a client tries to SELECT a table including violated tuples, these are filtered from
|
|
Chris PeBenito |
e8cb08a |
# the result set as if not exist, but its access denied longs can be recorded within log files.
|
|
Chris PeBenito |
e8cb08a |
# In generally, the number of tuples are much larger than the number of columns, tables and so on.
|
|
Chris PeBenito |
e8cb08a |
# So, it makes a flood of logs when many tuples are violated.
|
|
Chris PeBenito |
e8cb08a |
#
|
|
Chris PeBenito |
e8cb08a |
# The default policy does not prevent anything for sepgsql_client_type sepgsql_unconfined_type,
|
|
Chris PeBenito |
e8cb08a |
# so we don't need "dontaudit" rules in Type-Enforcement. However, MLS/MCS can prevent them
|
|
Chris PeBenito |
e8cb08a |
# to access classified tuples and can make a audit record.
|
|
Chris PeBenito |
e8cb08a |
#
|
|
Chris PeBenito |
e8cb08a |
# Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
|
|
Chris PeBenito |
22a2874 |
dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
|
|
Chris PeBenito |
22a2874 |
|
|
Chris PeBenito |
22a2874 |
########################################
|
|
Chris PeBenito |
22a2874 |
#
|
|
Chris PeBenito |
22a2874 |
# Rules common to administrator clients
|
|
Chris PeBenito |
22a2874 |
#
|
|
Chris PeBenito |
22a2874 |
|
|
Chris PeBenito |
22a2874 |
allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access };
|
|
Chris PeBenito |
22a2874 |
type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t;
|
|
Chris PeBenito |
22a2874 |
|
|
Chris PeBenito |
22a2874 |
allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock };
|
|
Chris PeBenito |
22a2874 |
allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto };
|
|
Chris PeBenito |
22a2874 |
allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };
|
|
Chris PeBenito |
22a2874 |
|
|
KaiGai Kohei |
ec8d32c |
type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t;
|
|
KaiGai Kohei |
ec8d32c |
|
|
Chris PeBenito |
22a2874 |
allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto };
|
|
KaiGai Kohei |
ec8d32c |
allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute;
|
|
KaiGai Kohei |
ec8d32c |
|
|
KaiGai Kohei |
ec8d32c |
type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
|
|
Chris PeBenito |
22a2874 |
|
|
Chris PeBenito |
22a2874 |
allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto };
|
|
Chris PeBenito |
22a2874 |
|
|
KaiGai Kohei |
ec8d32c |
type_transition sepgsql_admin_type sepgsql_database_type:db_blob sepgsql_blob_t;
|
|
KaiGai Kohei |
ec8d32c |
|
|
Chris PeBenito |
22a2874 |
allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
|
|
Chris PeBenito |
22a2874 |
|
|
Chris PeBenito |
22a2874 |
kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
|
|
Chris PeBenito |
22a2874 |
|
|
Chris PeBenito |
22a2874 |
tunable_policy(`sepgsql_unconfined_dbadm',`
|
|
Chris PeBenito |
22a2874 |
allow sepgsql_admin_type sepgsql_database_type:db_database *;
|
|
Chris PeBenito |
22a2874 |
|
|
Chris PeBenito |
22a2874 |
allow sepgsql_admin_type sepgsql_table_type:{ db_table db_column db_tuple } *;
|
|
Chris PeBenito |
22a2874 |
|
|
Chris PeBenito |
22a2874 |
allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *;
|
|
Chris PeBenito |
22a2874 |
allow sepgsql_admin_type sepgsql_trusted_proc_exec_t:db_procedure ~install;
|
|
Chris PeBenito |
22a2874 |
allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install };
|
|
Chris PeBenito |
22a2874 |
|
|
Chris PeBenito |
22a2874 |
allow sepgsql_admin_type sepgsql_blob_type:db_blob *;
|
|
Chris PeBenito |
22a2874 |
')
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
########################################
|
|
Chris PeBenito |
e8cb08a |
#
|
|
Chris PeBenito |
e8cb08a |
# Unconfined access to this module
|
|
Chris PeBenito |
e8cb08a |
#
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
allow sepgsql_unconfined_type sepgsql_database_type:db_database *;
|
|
Chris PeBenito |
e8cb08a |
type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t;
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t;
|
|
Chris PeBenito |
350ed89 |
type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
|
|
Chris PeBenito |
e8cb08a |
type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
# unconfined domain is not allowed to invoke user defined procedure directly.
|
|
Chris PeBenito |
e8cb08a |
# They have to confirm and relabel it at first.
|
|
Chris PeBenito |
350ed89 |
allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure *;
|
|
Chris PeBenito |
350ed89 |
allow sepgsql_unconfined_type sepgsql_trusted_proc_exec_t:db_procedure ~install;
|
|
Chris PeBenito |
350ed89 |
allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ execute install };
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
|
|
Chris PeBenito |
e8cb08a |
|
|
Chris PeBenito |
e8cb08a |
kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)
|