From: KaiGai Kohei <kaigai@kaigai.gr.jp>
To: cpebenito@tresys.com
Cc: dwalsh@redhat.com, selinux@tycho.nsa.gov
Subject: Fedora/SE-PostgreSQL
Date: Wed, 01 Aug 2007 21:17:51 +0900 [thread overview]
Message-ID: <46B079EF.9050909@kaigai.gr.jp> (raw)
Hi,
A week ago, I submitted a review request of SE-PostgreSQL to
the Fedora project as follows:
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249522
The biggest issue is the lack of definitions of the new object classes
and access vectors related to databases.
The rest of the policy can be installed as a binary security policy module
packed within the RPM package, but these definitions and MLS/MCS rules
cannot be made into a module.
The attached patch adds these definitions to the base policy.
I remember Chris said as follows in the past.
> Is the code on a path to being merged upstream? I'm hesitant to apply
> class changes until the code is on a plan to be merged.
However, I would like you to consider it again.
I believe that the spread of secure applications like SE-PostgreSQL
can help promote SELinux more, and it is so worthwhile to make it
less complicated to maintain.
In addition, the next release of PostgreSQL with new features (8.4) is
planned for autumn 2008. It means that any SE-PostgreSQL users have to
replace the default selinux-policy package with the modified one for a year
or more, at least. I think that is senseless work.
It may be time for the definitions of object classes related to databases to be
integrated into the base security policy.
Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
Attachment: refpolicy-add-sepgsql-definitions.patch.patch
Index: refpolicy/policy/flask/security_classes
===================================================================
--- refpolicy/policy/flask/security_classes (revision 2385)
+++ refpolicy/policy/flask/security_classes (working copy)
@@ -99,4 +99,12 @@
class memprotect
+# SE-PostgreSQL relation
+class database # userspace
+class table # userspace
+class procedure # userspace
+class column # userspace
+class tuple # userspace
+class blob # userspace
+
# FLASK
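Review bot: the comment `# SE-PostgreSQL relation` on the first added line reads as though a single class named `relation` follows; `# SE-PostgreSQL userspace object classes` would say what the block is. Appending the six classes after `memprotect` rather than inserting them earlier in the list is the right placement, since class numbering in the compiled policy follows declaration order and the identifiers of existing classes stay stable.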
Index: refpolicy/policy/flask/access_vectors
===================================================================
--- refpolicy/policy/flask/access_vectors (revision 2385)
+++ refpolicy/policy/flask/access_vectors (working copy)
@@ -80,6 +80,20 @@
}
#
+# Define a common prefix for userspace database object access vectors.
+#
+
+common database
+{
+ create
+ drop
+ getattr
+ setattr
+ relabelfrom
+ relabelto
+}
+
+#
# Define the access vectors.
#
# class class_name [ inherits common_name ] { permission_name ... }
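Review bot: the new `common database` shares its name with the `database` class that inherits it in the next hunk; that works because commons and classes are separate namespaces (the existing `common file` / `class file` pair is the precedent), but the comment above it should state that this common is inherited by several classes, not only `database`, so the name is not read as a one-to-one pairing.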
@@ -655,3 +669,61 @@
{
mmap_zero
}
+
+# definition for SE-PostgreSQL
+class database
+inherits database
+{
+ access
+ install_module
+ load_module
+ get_param
+ set_param
+}
+
+class table
+inherits database
+{
+ use
+ select
+ update
+ insert
+ delete
+ lock
+}
+
+class procedure
+inherits database
+{
+ execute
+ entrypoint
+}
+
+class column
+inherits database
+{
+ use
+ select
+ update
+ insert
+}
+
+class tuple
+{
+ relabelfrom
+ relabelto
+ use
+ select
+ update
+ insert
+ delete
+}
+
+class blob
+inherits database
+{
+ read
+ write
+ import
+ export
+}
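Review bot: `class tuple` lists `relabelfrom` and `relabelto` itself instead of inheriting `common database`, and carries no `create`, `drop`, `getattr` or `setattr`; the MCS and MLS hunks below then use `insert` and `delete` where the other classes use `create` and `drop`. That asymmetry is defensible, but nothing in this file says so; a one-line comment above `class tuple` explaining why it does not inherit the common would keep the next reader from taking the omission for an oversight.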
Index: refpolicy/policy/mcs
===================================================================
--- refpolicy/policy/mcs (revision 2385)
+++ refpolicy/policy/mcs (working copy)
@@ -98,4 +98,28 @@
mlsconstrain process { sigkill sigstop }
(( h1 dom h2 ) or ( t1 == mcskillall ));
+# MCS policy for SE-PostgreSQL
+#-------------------------------
+
+# Any database object must be dominated by the relabeling subject
+# clearance, also the objects are single-level.
+mlsconstrain { database table procedure column blob } { create relabelto }
+ ((h1 dom h2) and ( l1 domby h2 ) and ( l2 eq h2 ));
+mlsconstrain tuple { insert relabelto }
+ (( h1 dom h2 ) and ( l1 domby h2 ) and ( l2 eq h2 ));
+
+# Access control for any database objects based on MCS rules.
+mlsconstrain database { drop setattr relabelfrom access install_module load_module get_param set_param }
+ ( h1 dom h2 );
+mlsconstrain table { drop setattr relabelfrom select update insert delete use }
+ ( h1 dom h2 );
+mlsconstrain column { drop setattr relabelfrom select update insert use }
+ ( h1 dom h2 );
+mlsconstrain tuple { relabelfrom select update delete use }
+ ( h1 dom h2 );
+mlsconstrain procedure { execute }
+ ( h1 dom h2 );
+mlsconstrain blob { drop setattr relabelfrom read write }
+ ( h1 dom h2 );
+
') dnl end enable_mcs
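Review bot: the `procedure` constraint in the last group covers only `execute`, so `drop`, `setattr` and `relabelfrom` on a procedure are the one place in this hunk where the `( h1 dom h2 )` category check is not applied, whereas `database`, `table`, `column` and `blob` all include them; a subject whose categories do not dominate a procedure would be denied `execute` but could still drop or relabel it. Suggest `mlsconstrain procedure { drop setattr relabelfrom execute } ( h1 dom h2 );`.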
Index: refpolicy/policy/modules/kernel/mls.te
===================================================================
--- refpolicy/policy/modules/kernel/mls.te (revision 2385)
+++ refpolicy/policy/modules/kernel/mls.te (working copy)
@@ -43,6 +43,14 @@
attribute mlsxwinwritecolormap;
attribute mlsxwinwritexinput;
+attribute mlsdatabaseread;
+attribute mlsdatabasereadtoclr;
+attribute mlsdatabasewrite;
+attribute mlsdatabasewritetoclr;
+attribute mlsdatabasewriteinrange;
+attribute mlsdatabaseupgrade;
+attribute mlsdatabasedowngrade;
+
attribute mlstrustedobject;
attribute privrangetrans;
Index: refpolicy/policy/modules/kernel/mls.if
===================================================================
--- refpolicy/policy/modules/kernel/mls.if (revision 2385)
+++ refpolicy/policy/modules/kernel/mls.if (working copy)
@@ -406,6 +406,82 @@
########################################
## <summary>
+## Make specified domain MLS trusted
+## for reading from databases at higher levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_database_read_up',`
+ gen_require(`
+ attribute mlsdatabaseread;
+ ')
+
+ typeattribute $1 mlsdatabaseread;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for writing to databases at lower levels.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_database_write_down',`
+ gen_require(`
+ attribute mlsdatabasewrite;
+ ')
+
+ typeattribute $1 mlsdatabasewrite;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for raising the level of databases.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_database_upgrade',`
+ gen_require(`
+ attribute mlsdatabaseupgrade;
+ ')
+
+ typeattribute $1 mlsdatabaseupgrade;
+')
+
+########################################
+## <summary>
+## Make specified domain MLS trusted
+## for lowering the level of databases.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mls_database_downgrade',`
+ gen_require(`
+ attribute mlsdatabasedowngrade;
+ ')
+
+ typeattribute $1 mlsdatabasedowngrade;
+')
+
+########################################
+## <summary>
## Make specified object MLS trusted.
## </summary>
## <desc>
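Review bot: the four interfaces assign `mlsdatabaseread`, `mlsdatabasewrite`, `mlsdatabaseupgrade` and `mlsdatabasedowngrade`, but the `mls.te` hunk also declares `mlsdatabasereadtoclr`, `mlsdatabasewritetoclr` and `mlsdatabasewriteinrange`, and the `policy/mls` hunk tests all three in its constraints; with no interface to attach them, no module can ever reach those branches. Either add `mls_database_read_to_clearance`, `mls_database_write_to_clearance` and `mls_database_write_within_range` interfaces following the naming of the existing `mls_file_*` interfaces, or drop the unused attributes together with the constraint branches that reference them.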
Index: refpolicy/policy/mls
===================================================================
--- refpolicy/policy/mls (revision 2385)
+++ refpolicy/policy/mls (working copy)
@@ -600,4 +600,109 @@
mlsconstrain context contains
( h1 dom h2 );
+#
+# MLS policy for the database related classes
+#
+
+# make sure these database classes are "single level"
+mlsconstrain { database table procedure column blob } { create relabelto }
+ ( l2 eq h2 );
+mlsconstrain { tuple } { insert relabelto }
+ ( l2 eq h2 );
+
+# new file labels must be dominated by the relabeling subjects clearance
+mlsconstrain { database table procedure column tuple blob } { relabelto }
+ ( h1 dom h2 );
+
+# the database "read" ops (note the check is dominance of the low level)
+mlsconstrain { database table procedure column blob } { getattr }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdatabasereadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdatabaseread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { database } { access get_param }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdatabasereadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdatabaseread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { table column } { use select }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdatabasereadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdatabaseread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { procedure } { execute }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdatabasereadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdatabaseread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { blob } { read }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdatabasereadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdatabaseread ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { tuple } { use select }
+ (( l1 dom l2 ) or
+ (( t1 == mlsdatabasereadtoclr ) and ( h1 dom l2 )) or
+ ( t1 == mlsdatabaseread ) or
+ ( t2 == mlstrustedobject ));
+
+# the "single level" file "write" ops
+mlsconstrain { database table procedure column blob } { create drop setattr relabelfrom }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdatabasewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdatabasewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdatabasewrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { database } { install_module load_module set_param }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdatabasewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdatabasewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdatabasewrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { table } { update insert delete lock }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdatabasewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdatabasewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdatabasewrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { column } { update insert }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdatabasewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdatabasewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdatabasewrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { blob } { write import export }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdatabasewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdatabasewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdatabasewrite ) or
+ ( t2 == mlstrustedobject ));
+
+mlsconstrain { tuple } { relabelfrom update insert delete }
+ (( l1 eq l2 ) or
+ (( t1 == mlsdatabasewritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+ (( t2 == mlsdatabasewriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or
+ ( t1 == mlsdatabasewrite ) or
+ ( t2 == mlstrustedobject ));
+
+# the database upgrade/downgrade rule
+mlsvalidatetrans { database table procedure column tuple blob }
+ ((( l1 eq l2 ) or
+ (( t3 == mlsdatabaseupgrade ) and ( l1 domby l2 )) or
+ (( t3 == mlsdatabasedowngrade ) and ( l1 dom l2 )) or
+ (( t3 == mlsdatabasedowngrade ) and ( l1 incomp l2 ))) and
+ (( l1 eq h2 ) or
+ (( t3 == mlsdatabaseupgrade ) and ( h1 domby h2 )) or
+ (( t3 == mlsdatabasedowngrade ) and ( h1 dom h2 )) or
+ (( t3 == mlsdatabasedowngrade ) and ( h1 incomp h2 ))));
+
') dnl end enable_mls
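Review bot: the second conjunct of the `mlsvalidatetrans` rule at the end of the hunk opens with `( l1 eq h2 )`, comparing the old low level with the new high level, while every other term in that conjunct compares `h1` with `h2`; it should read `( h1 eq h2 )`. Because the `create`/`insert` constraints above force `l2 eq h2`, the mistake is masked for single-level objects, but the rule would silently break if a multi-level class were ever added to the list. Also, the comment `# new file labels must be dominated by the relabeling subjects clearance` was carried over from the file rules; say `database object labels` and `subject's`.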