diff -rNU3 serefpolicy-2.4.5.orig/policy/flask/access_vectors serefpolicy-2.4.5.sepgsql/policy/flask/access_vectors
--- serefpolicy-2.4.5.orig/policy/flask/access_vectors 2006-11-27 12:00:21.000000000 +0900
+++ serefpolicy-2.4.5.sepgsql/policy/flask/access_vectors 2006-11-27 12:17:56.000000000 +0900
@@ -80,6 +80,20 @@
}
#
+# Define a common prefix for userspace database object access vectors.
+#
+
+common database
+{
+ create
+ drop
+ getattr
+ setattr
+ relabelfrom
+ relabelto
+}
+
+#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
@@ -639,3 +653,55 @@
translate
contains
}
+
+# definition for SE-PostgreSQL
+class database
+inherits database
+{
+ access
+ create_obj
+ drop_obj
+}
+
+class table
+inherits database
+{
+ select
+ update
+ insert
+ delete
+}
+
+class procedure
+inherits database
+{
+ execute
+ entrypoint
+}
+
+class column
+inherits database
+{
+ select
+ update
+ insert
+# delete # arguable one
+}
+
+class tuple
+{
+ relabelfrom
+ relabelto
+ select
+ update
+ insert
+ delete
+}
+
+class blob
+inherits database
+{
+ read
+ write
+}
+
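Review bot: `class tuple` is the only new class that does not inherit the `database` common and instead re-lists `relabelfrom`/`relabelto` inline, so a tuple has no `create`/`drop`/`getattr`/`setattr` permissions; the mcs hunk later treats `tuple { insert relabelto }` as the counterpart of `{ create relabelto }` on the other classes, which suggests the omission is deliberate, but nothing in the access_vectors hunk says so. A one-line comment above the class would make that explicit, e.g. `# tuple does not inherit common database: insert/delete stand in for create/drop, and tuples carry no attributes of their own`. The commented-out `# delete # arguable one` in `class column` should either be decided (drop the line) or explained with a short comment stating why column-level delete is not modelled, so the next reader does not re-open the question.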
diff -rNU3 serefpolicy-2.4.5.orig/policy/flask/security_classes serefpolicy-2.4.5.sepgsql/policy/flask/security_classes
--- serefpolicy-2.4.5.orig/policy/flask/security_classes 2006-11-17 22:47:47.000000000 +0900
+++ serefpolicy-2.4.5.sepgsql/policy/flask/security_classes 2006-11-27 12:13:29.000000000 +0900
@@ -95,4 +95,12 @@
class context # userspace
+# SE-PostgreSQL relation
+class database # userspace
+class table # userspace
+class procedure # userspace
+class column # userspace
+class tuple # userspace
+class blob # userspace
+
# FLASK
diff -rNU3 serefpolicy-2.4.5.orig/policy/mcs serefpolicy-2.4.5.sepgsql/policy/mcs
--- serefpolicy-2.4.5.orig/policy/mcs 2006-11-17 22:47:47.000000000 +0900
+++ serefpolicy-2.4.5.sepgsql/policy/mcs 2006-11-27 13:10:04.000000000 +0900
@@ -98,4 +98,28 @@
mlsconstrain process { sigkill sigstop }
(( h1 dom h2 ) or ( t1 == mcskillall ));
+# MCS policy for SE-PostgreSQL
+#-------------------------------
+
+# Any database object must be dominated by the relabeling subject
+# clearance, also the objects are single-level.
+mlsconstrain { database table procedure column blob } { create relabelto }
+ ((h1 dom h2) and ( l1 domby h2 ) and ( l2 eq h2 ));
+mlsconstrain tuple { insert relabelto }
+ (( h1 dom h2 ) and ( l1 domby h2 ) and ( l2 eq h2 ));
+
+# Access control for any database objects based on MCS rules.
+mlsconstrain database { drop setattr relabelfrom access create_obj drop_obj }
+ ( h1 dom h2 );
+mlsconstrain table { drop setattr relabelfrom select update insert delete }
+ ( h1 dom h2 );
+mlsconstrain column { drop setattr relabelfrom select update insert }
+ ( h1 dom h2 );
+mlsconstrain tuple { relabelfrom select update delete }
+ ( h1 dom h2 );
+mlsconstrain procedure { execute }
+ ( h1 dom h2 );
+mlsconstrain blob { drop setattr relabelfrom read write }
+ ( h1 dom h2 );
+
') dnl end enable_mcs
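Review bot: The `procedure` constraint covers only `execute`, whereas `database`, `table`, `column` and `blob` all constrain `drop setattr relabelfrom` (plus their data permissions) on `h1 dom h2`; as written, a subject whose clearance does not dominate a procedure's level may still drop, relabel-from or setattr it, while `execute` on the same object is denied. If that asymmetry is not intended, the rule should follow the pattern of its siblings, `mlsconstrain procedure { drop setattr relabelfrom execute } ( h1 dom h2 );`, and whether `entrypoint` also belongs in that set is worth a comment either way. The `column` constraint omitting `delete` is consistent with the class, which has no `delete` permission.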
diff -rNU3 serefpolicy-2.4.5.orig/policy/modules/services/postgresql.if serefpolicy-2.4.5.sepgsql/policy/modules/services/postgresql.if
--- serefpolicy-2.4.5.orig/policy/modules/services/postgresql.if 2006-11-17 22:47:48.000000000 +0900
+++ serefpolicy-2.4.5.sepgsql/policy/modules/services/postgresql.if 2006-11-27 13:40:33.000000000 +0900
@@ -118,3 +118,79 @@
# Some versions of postgresql put the sock file in /tmp
allow $1 postgresql_tmp_t:sock_file write;
')
+
+########################################
+##
+## Marks the specified type as a database object type.
+##
+##
+##
+## Type marked as a database object type.
+##
+##
+#
+interface(`sepgsql_database_object',`
+ gen_require(`
+ attribute sepgsql_database_object;
+ ')
+ typeattribute $1 sepgsql_database_object;
+')
+
+########################################
+##
+## Allows the specified domain unconfined access.
+##
+##
+##
+## Domain allowed to access.
+##
+##
+#
+interface(`sepgsql_full_access',`
+ gen_require(`
+ class database database_full_perms;
+ class table table_full_perms;
+ class procedure proc_full_perms;
+ class column column_full_perms;
+ class tuple tuple_full_perms;
+ class blob blob_full_perms;
+
+ bool sepgsql_enable_auditallow;
+
+ type postgresql_t;
+ type sepgsql_db_t;
+ type sepgsql_table_t;
+ type sepgsql_proc_t;
+ type sepgsql_trusted_proc_t;
+ type sepgsql_blob_t;
+ ')
+ allow $1 sepgsql_db_t : database database_full_perms;
+ allow $1 sepgsql_table_t : table table_full_perms;
+ allow $1 sepgsql_table_t : column column_full_perms;
+ allow $1 sepgsql_table_t : tuple tuple_full_perms;
+ allow $1 sepgsql_proc_t : procedure proc_full_perms;
+ allow $1 sepgsql_trusted_proc_t : procedure proc_full_perms;
+ allow $1 sepgsql_blob_t : blob blob_full_perms;
+
+ if (sepgsql_enable_auditallow) {
+ auditallow $1 sepgsql_db_t : database database_full_perms;
+ auditallow $1 sepgsql_table_t : table table_full_perms;
+ auditallow $1 sepgsql_table_t : column column_full_perms;
+ auditallow $1 sepgsql_table_t : tuple tuple_full_perms;
+ auditallow $1 sepgsql_proc_t : procedure proc_full_perms;
+ auditallow $1 sepgsql_trusted_proc_t : procedure proc_full_perms;
+ auditallow $1 sepgsql_blob_t : blob blob_full_perms;
+ }
+
+ type_transition $1 { $1 postgresql_t } : database sepgsql_db_t;
+ type_transition $1 sepgsql_db_t : table sepgsql_table_t;
+ type_transition $1 sepgsql_db_t : procedure sepgsql_proc_t;
+ type_transition $1 sepgsql_db_t : blob sepgsql_blob_t;
+ ifdef(`enable_mcs',`
+ range_transition $1 sepgsql_trusted_proc_t mcs_systemhigh;
+ ')
+ ifdef(`enable_mls',`
+ range_transition $1 sepgsql_trusted_proc_t mls_systemhigh;
+ ')
+')
+
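Review bot: `sepgsql_database_object` requires `attribute sepgsql_database_object`, but the postgresql.te hunk that declares the SE-PostgreSQL types adds only the bool and five `type` declarations, and none of the five types is given that attribute; unless the attribute is declared outside the shown hunks, the require cannot be satisfied and the interface is unusable as shipped. postgresql.te should gain `attribute sepgsql_database_object;` next to the new types, and each `sepgsql_*_t` object type should be marked with it via `typeattribute`, so the attribute actually names the set the interface promises. Separately, refpolicy interfaces are conventionally prefixed with their module name, so `postgresql_database_object`/`postgresql_full_access` (or moving these into a dedicated `sepgsql` module) would match how the rest of the tree is organised; the `unconfined.te` caller would need the same rename.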
diff -rNU3 serefpolicy-2.4.5.orig/policy/modules/services/postgresql.te serefpolicy-2.4.5.sepgsql/policy/modules/services/postgresql.te
--- serefpolicy-2.4.5.orig/policy/modules/services/postgresql.te 2006-11-17 22:47:49.000000000 +0900
+++ serefpolicy-2.4.5.sepgsql/policy/modules/services/postgresql.te 2006-11-27 13:29:10.000000000 +0900
@@ -27,6 +27,14 @@
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
+# SE-PostgreSQL related
+bool sepgsql_enable_auditallow false;
+type sepgsql_db_t;
+type sepgsql_table_t;
+type sepgsql_proc_t;
+type sepgsql_trusted_proc_t;
+type sepgsql_blob_t;
+
########################################
#
# postgresql Local policy
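Review bot: `bool sepgsql_enable_auditallow false;` is a raw kernel-policy statement, whereas refpolicy declares booleans through `gen_bool(name, default)` preceded by a `## <desc>` block so the boolean shows up in the generated documentation and `semanage boolean` descriptions. Writing it as `gen_bool(sepgsql_enable_auditallow, false)` with a short `## <desc><p>Audit allowed accesses to SE-PostgreSQL database objects.</p></desc>` above it would match the rest of the module. The five new `type` declarations also have no comment saying what object each labels; the `type_transition` rules in postgresql.if show `sepgsql_db_t`, `sepgsql_table_t`, `sepgsql_proc_t` and `sepgsql_blob_t` are the default labels for newly created databases, tables, procedures and blobs, which is worth stating here, while `sepgsql_trusted_proc_t` gets no transition and deserves an explanatory line of its own.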
@@ -142,6 +150,8 @@
mta_getattr_spool(postgresql_t)
+sepgsql_full_access(postgresql_t)
+
ifdef(`targeted_policy', `
files_dontaudit_read_root_files(postgresql_t)
term_dontaudit_use_generic_ptys(postgresql_t)
diff -rNU3 serefpolicy-2.4.5.orig/policy/modules/system/unconfined.te serefpolicy-2.4.5.sepgsql/policy/modules/system/unconfined.te
--- serefpolicy-2.4.5.orig/policy/modules/system/unconfined.te 2006-11-27 12:00:21.000000000 +0900
+++ serefpolicy-2.4.5.sepgsql/policy/modules/system/unconfined.te 2006-11-27 13:42:36.000000000 +0900
@@ -135,6 +135,10 @@
')
optional_policy(`
+ sepgsql_full_access(unconfined_t)
+ ')
+
+ optional_policy(`
# cjp: this should probably be removed:
rpc_domtrans_nfsd(unconfined_t)
')
diff -rNU3 serefpolicy-2.4.5.orig/policy/support/obj_perm_sets.spt serefpolicy-2.4.5.sepgsql/policy/support/obj_perm_sets.spt
--- serefpolicy-2.4.5.orig/policy/support/obj_perm_sets.spt 2006-11-17 22:47:50.000000000 +0900
+++ serefpolicy-2.4.5.sepgsql/policy/support/obj_perm_sets.spt 2006-11-27 13:43:14.000000000 +0900
@@ -224,3 +224,25 @@
#
define(`client_stream_socket_perms', `{ create ioctl read getattr write setattr append bind getopt setopt shutdown }')
define(`server_stream_socket_perms', `{ client_stream_socket_perms listen accept }')
+
+#
+# Database objects (used in Security Enhanced PostgreSQL)
+#
+define(`database_full_perms', `{ create drop getattr setattr relabelfrom relabelto access create_obj drop_obj }')
+define(`database_user_perms', `{ getattr access create_obj drop_obj }')
+
+define(`table_full_perms', `{ create drop getattr setattr relabelfrom relabelto select update insert delete }')
+define(`table_user_perms', `{ create drop getattr setattr select update insert delete }')
+
+define(`proc_full_perms', `{ create drop getattr setattr relabelfrom relabelto execute entrypoint }')
+define(`proc_user_perms', `{ getattr execute entrypoint }')
+
+define(`column_full_perms', `{ create drop getattr setattr relabelfrom relabelto select update insert }')
+define(`column_user_perms', `{ create drop getattr setattr select update insert }')
+
+define(`tuple_full_perms', `{ relabelfrom relabelto select update insert delete }')
+define(`tuple_user_perms', `{ select update insert delete }')
+
+define(`blob_full_perms', `{ create drop getattr setattr relabelfrom relabelto read write }')
+define(`blob_user_perms', `{ create drop getattr setattr read write }')
+
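Review bot: The six `*_user_perms` sets (`database_user_perms`, `table_user_perms`, `proc_user_perms`, `column_user_perms`, `tuple_user_perms`, `blob_user_perms`) are defined but, as far as this patch shows, nothing consumes them — both `postgresql_t` and `unconfined_t` receive the `*_full_perms` sets through `sepgsql_full_access`, and no `*_user_access` interface is added. Either the interface that is meant to use them should land in the same change, or a comment such as `# *_user_perms: reserved for a future confined-client interface; not referenced yet` should mark them as intentionally unused. The sets are also internally uneven — `table_user_perms` and `column_user_perms` include `create drop` while `database_user_perms` and `proc_user_perms` do not — which may be deliberate but would benefit from a line stating the rule being applied.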