Index: policy/flask/security_classes
===================================================================
--- policy/flask/security_classes (revision 2936)
+++ policy/flask/security_classes (working copy)
@@ -119,4 +119,9 @@
# kernel services that need to override task security, e.g. cachefiles
class kernel_service
+# More Database stuff
+class db_catalog # userspace
+class db_schema # userspace
+class db_sequence # userspace
+
# FLASK
Index: policy/flask/access_vectors
===================================================================
--- policy/flask/access_vectors (revision 2936)
+++ policy/flask/access_vectors (working copy)
@@ -723,14 +723,12 @@
access
install_module
load_module
- get_param
- set_param
+ superuser
}
class db_table
inherits database
{
- use
select
update
insert
@@ -749,7 +747,6 @@
class db_column
inherits database
{
- use
select
update
insert
@@ -759,7 +756,6 @@
{
relabelfrom
relabelto
- use
select
update
insert
@@ -793,3 +789,29 @@
use_as_override
create_files_as
}
+
+# More database stuff
+class db_catalog
+inherits database
+{
+ search
+ add_object
+ remove_object
+ associate
+}
+
+class db_schema
+inherits database
+{
+ search
+ add_object
+ remove_object
+ associate
+}
+
+class db_sequence
+inherits database
+{
+ get_value
+ set_value
+}
Index: policy/modules/kernel/kernel.if
===================================================================
--- policy/modules/kernel/kernel.if (revision 2936)
+++ policy/modules/kernel/kernel.if (working copy)
@@ -2563,18 +2563,22 @@
gen_require(`
type unlabeled_t;
class db_database { setattr relabelfrom };
+ class db_schema { setattr relabelfrom };
class db_table { setattr relabelfrom };
class db_procedure { setattr relabelfrom };
class db_column { setattr relabelfrom };
class db_tuple { update relabelfrom };
+ class db_sequence { setattr relabelfrom };
class db_blob { setattr relabelfrom };
')
allow $1 unlabeled_t:db_database { setattr relabelfrom };
+ allow $1 unlabeled_t:db_schema { setattr relabelfrom };
allow $1 unlabeled_t:db_table { setattr relabelfrom };
allow $1 unlabeled_t:db_procedure { setattr relabelfrom };
allow $1 unlabeled_t:db_column { setattr relabelfrom };
allow $1 unlabeled_t:db_tuple { update relabelfrom };
+ allow $1 unlabeled_t:db_sequence { setattr relabelfrom };
allow $1 unlabeled_t:db_blob { setattr relabelfrom };
')
Index: policy/modules/services/postgresql.if
===================================================================
--- policy/modules/services/postgresql.if (revision 2936)
+++ policy/modules/services/postgresql.if (working copy)
@@ -17,57 +17,12 @@
#
interface(`postgresql_role',`
gen_require(`
- class db_database all_db_database_perms;
- class db_table all_db_table_perms;
- class db_procedure all_db_procedure_perms;
- class db_column all_db_column_perms;
- class db_tuple all_db_tuple_perms;
- class db_blob all_db_blob_perms;
-
- attribute sepgsql_client_type, sepgsql_database_type;
- attribute sepgsql_sysobj_table_type;
-
- type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t;
- type user_sepgsql_blob_t, user_sepgsql_proc_exec_t;
- type user_sepgsql_sysobj_t, user_sepgsql_table_t;
+ type sepgsql_trusted_proc_t;
')
- ########################################
- #
- # Declarations
- #
-
- typeattribute $2 sepgsql_client_type;
role $1 types sepgsql_trusted_proc_t;
- ##############################
- #
- # Client local policy
- #
-
- tunable_policy(`sepgsql_enable_users_ddl',`
- allow $2 user_sepgsql_table_t:db_table { create drop };
- type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;
-
- allow $2 user_sepgsql_table_t:db_column { create drop };
-
- allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
- type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
- ')
-
- allow $2 user_sepgsql_table_t:db_table { getattr setattr use select update insert delete };
- allow $2 user_sepgsql_table_t:db_column { getattr setattr use select update insert };
- allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
- allow $2 user_sepgsql_sysobj_t:db_tuple { use select };
-
- allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };
- type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;
-
- allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
- type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
-
- allow $2 sepgsql_trusted_proc_t:process transition;
- type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
+ postgresql_unpriv_client($2)
')
########################################
@@ -108,6 +63,24 @@
########################################
##
+## Marks as a SE-PostgreSQL schema object type
+##
+##
+##
+## Type marked as a schema object type.
+##
+##
+#
+interface(`postgresql_schema_object',`
+ gen_require(`
+ attribute sepgsql_schema_type;
+ ')
+
+ typeattribute $1 sepgsql_schema_type;
+')
+
+########################################
+##
## Marks as a SE-PostgreSQL table/column/tuple object type
##
##
@@ -163,6 +136,24 @@
########################################
##
+## Marks as a SE-PostgreSQL sequence object type
+##
+##
+##
+## Type marked as a sequence object type.
+##
+##
+#
+interface(`postgresql_sequence_object',`
+ gen_require(`
+ attribute sepgsql_sequence_type;
+ ')
+
+ typeattribute $1 sepgsql_sequence_type;
+')
+
+########################################
+##
## Marks as a SE-PostgreSQL binary large object type
##
##
@@ -181,6 +172,24 @@
########################################
##
+## Marks as a SE-PostgreSQL object type stored within temporary schema
+##
+##
+##
+## Type marked as a temporary database object type.
+##
+##
+#
+interface(`postgresql_temporary_object',`
+ gen_require(`
+ attribute sepgsql_temporary_type;
+ ')
+
+ typeattribute $1 sepgsql_temporary_type;
+')
+
+########################################
+##
## Allow the specified domain to search postgresql's database directory.
##
##
@@ -313,22 +322,46 @@
#
interface(`postgresql_unpriv_client',`
gen_require(`
+ class db_database all_db_database_perms;
+ class db_schema all_db_schema_perms;
class db_table all_db_table_perms;
class db_procedure all_db_procedure_perms;
+ class db_column all_db_column_perms;
+ class db_tuple all_db_tuple_perms;
+ class db_sequence all_db_sequence_perms;
class db_blob all_db_blob_perms;
- attribute sepgsql_client_type;
+ attribute sepgsql_client_type, sepgsql_database_type;
- type sepgsql_db_t, sepgsql_table_t, sepgsql_proc_t, sepgsql_blob_t;
+ type sepgsql_schema_t, sepgsql_temp_schema_t;
+ type user_sepgsql_table_t, user_sepgsql_proc_exec_t;
+ type user_sepgsql_sequence_t, user_sepgsql_blob_t;
+ type sepgsql_temp_table_t, sepgsql_temp_proc_exec_t, sepgsql_temp_sequence_t;
type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;
')
+ ########################################
+ #
+ # Declarations
+ #
+
typeattribute $1 sepgsql_client_type;
- type_transition $1 sepgsql_db_t:db_table sepgsql_table_t;
- type_transition $1 sepgsql_db_t:db_procedure sepgsql_proc_t;
- type_transition $1 sepgsql_db_t:db_blob sepgsql_blob_t;
+ ##############################
+ #
+ # Type transitions
+ #
+ type_transition $1 sepgsql_schema_t:db_table user_sepgsql_table_t;
+ type_transition $1 sepgsql_schema_t:db_procedure user_sepgsql_proc_exec_t;
+ type_transition $1 sepgsql_schema_t:db_sequence user_sepgsql_sequence_t;
+ type_transition $1 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t;
+ type_transition $1 sepgsql_temp_schema_t:db_procedure sepgsql_temp_proc_exec_t;
+ type_transition $1 sepgsql_temp_schema_t:db_sequence sepgsql_temp_sequence_t;
+
+ type_transition $1 sepgsql_database_type:db_blob user_sepgsql_blob_t;
+
+ # Trusted procedure invocation
type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
allow $1 sepgsql_trusted_proc_t:process transition;
')
@@ -346,8 +379,31 @@
#
interface(`postgresql_unconfined',`
gen_require(`
+ class db_database {superuser};
+
attribute sepgsql_unconfined_type;
')
typeattribute $1 sepgsql_unconfined_type;
+
+ allow $1 $1 : db_database {superuser};
')
+
+########################################
+##
+## Allow the specified domain unconfined accesses to any database objects
+## managed by SE-PostgreSQL, without db_database:{superuser} privilege.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`postgresql_unconfined_without_superuser',`
+ gen_require(`
+ attribute sepgsql_unconfined_type;
+ ')
+
+ typeattribute $1 sepgsql_unconfined_type;
+')
Index: policy/modules/services/postgresql.te
===================================================================
--- policy/modules/services/postgresql.te (revision 2936)
+++ policy/modules/services/postgresql.te (working copy)
@@ -1,12 +1,14 @@
-policy_module(postgresql, 1.8.3)
+policy_module(postgresql, 1.9.1)
gen_require(`
class db_database all_db_database_perms;
+ class db_schema all_db_schema_perms;
class db_table all_db_table_perms;
class db_procedure all_db_procedure_perms;
class db_column all_db_column_perms;
class db_tuple all_db_tuple_perms;
+ class db_sequence all_db_sequence_perms;
class db_blob all_db_blob_perms;
')
@@ -50,10 +52,13 @@
# database objects attribute
attribute sepgsql_database_type;
+attribute sepgsql_schema_type;
attribute sepgsql_table_type;
attribute sepgsql_sysobj_table_type;
attribute sepgsql_procedure_type;
attribute sepgsql_blob_type;
+attribute sepgsql_sequence_type;
+attribute sepgsql_temporary_type;
attribute sepgsql_module_type;
# database object types
@@ -66,8 +71,9 @@
type sepgsql_fixed_table_t;
postgresql_table_object(sepgsql_fixed_table_t)
-type sepgsql_proc_t;
-postgresql_procedure_object(sepgsql_proc_t)
+type sepgsql_proc_exec_t;
+typealias sepgsql_proc_exec_t alias { sepgsql_proc_t };
+postgresql_procedure_object(sepgsql_proc_exec_t)
type sepgsql_ro_blob_t;
postgresql_blob_object(sepgsql_ro_blob_t)
@@ -75,25 +81,46 @@
type sepgsql_ro_table_t;
postgresql_table_object(sepgsql_ro_table_t)
+type sepgsql_schema_t;
+postgresql_schema_object(sepgsql_schema_t)
+
type sepgsql_secret_blob_t;
postgresql_blob_object(sepgsql_secret_blob_t)
type sepgsql_secret_table_t;
postgresql_table_object(sepgsql_secret_table_t)
+type sepgsql_sequence_t;
+postgresql_sequence_object(sepgsql_sequence_t)
+
type sepgsql_sysobj_t;
postgresql_system_table_object(sepgsql_sysobj_t)
type sepgsql_table_t;
postgresql_table_object(sepgsql_table_t)
+type sepgsql_temp_proc_exec_t;
+postgresql_procedure_object(sepgsql_temp_proc_exec_t)
+postgresql_temporary_object(sepgsql_temp_proc_exec_t)
+
+type sepgsql_temp_schema_t;
+postgresql_schema_object(sepgsql_temp_schema_t)
+
+type sepgsql_temp_sequence_t;
+postgresql_sequence_object(sepgsql_temp_sequence_t)
+postgresql_temporary_object(sepgsql_temp_sequence_t)
+
+type sepgsql_temp_table_t;
+postgresql_table_object(sepgsql_temp_table_t)
+postgresql_temporary_object(sepgsql_temp_table_t)
+
type sepgsql_trusted_proc_exec_t;
postgresql_procedure_object(sepgsql_trusted_proc_exec_t)
# Trusted Procedure Domain
type sepgsql_trusted_proc_t;
domain_type(sepgsql_trusted_proc_t)
-postgresql_unconfined(sepgsql_trusted_proc_t)
+postgresql_unconfined_without_superuser(sepgsql_trusted_proc_t)
role system_r types sepgsql_trusted_proc_t;
type user_sepgsql_blob_t;
@@ -106,6 +133,10 @@
typealias user_sepgsql_proc_exec_t alias { auditadm_sepgsql_proc_exec_t secadm_sepgsql_proc_exec_t };
postgresql_procedure_object(user_sepgsql_proc_exec_t)
+type user_sepgsql_sequence_t;
+typealias user_sepgsql_sequence_t alias { staff_sepgsql_sequence_t sysadm_sepgsql_sequence_t };
+typealias user_sepgsql_sequence_t alias { auditadm_sepgsql_sequence_t secadm_sepgsql_sequence_t };
+
type user_sepgsql_sysobj_t;
typealias user_sepgsql_sysobj_t alias { staff_sepgsql_sysobj_t sysadm_sepgsql_sysobj_t };
typealias user_sepgsql_sysobj_t alias { auditadm_sepgsql_sysobj_t secadm_sepgsql_sysobj_t };
@@ -116,11 +147,17 @@
typealias user_sepgsql_table_t alias { auditadm_sepgsql_table_t secadm_sepgsql_table_t };
postgresql_table_object(user_sepgsql_table_t)
+# Relationship between schema and database objects
+allow { sepgsql_table_type - sepgsql_temporary_type } sepgsql_schema_t : db_schema { associate };
+allow { sepgsql_procedure_type - sepgsql_temporary_type } sepgsql_schema_t : db_schema { associate };
+allow { sepgsql_sequence_type - sepgsql_temporary_type } sepgsql_schema_t : db_schema { associate };
+allow { sepgsql_temporary_type } sepgsql_temp_schema_t : db_schema { associate };
+
########################################
#
# postgresql Local policy
#
-allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin };
+allow postgresql_t self:capability { kill dac_override dac_read_search chown fowner fsetid setuid setgid sys_nice sys_tty_config sys_admin audit_write };
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
allow postgresql_t self:process signal_perms;
allow postgresql_t self:fifo_file rw_fifo_file_perms;
@@ -130,6 +167,7 @@
allow postgresql_t self:udp_socket create_stream_socket_perms;
allow postgresql_t self:unix_dgram_socket create_socket_perms;
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
+allow postgresql_t self:netlink_audit_socket create_socket_perms;
allow postgresql_t self:netlink_selinux_socket create_socket_perms;
allow postgresql_t sepgsql_database_type:db_database *;
@@ -139,11 +177,14 @@
# Database/Loadable module
allow sepgsql_database_type sepgsql_module_type:db_database load_module;
+allow postgresql_t sepgsql_schema_type:db_schema *;
+type_transition postgresql_t sepgsql_schema_type:db_schema sepgsql_schema_t;
+
allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
-type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t;
+type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t;
allow postgresql_t sepgsql_procedure_type:db_procedure *;
-type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_t;
+type_transition postgresql_t sepgsql_schema_type:db_procedure sepgsql_proc_exec_t;
allow postgresql_t sepgsql_blob_type:db_blob *;
type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t;
@@ -281,35 +322,56 @@
# Rules common to all clients
#
-allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param };
-type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t;
+allow sepgsql_client_type sepgsql_db_t:db_database { getattr access };
+type_transition sepgsql_client_type postgresql_t:db_database sepgsql_db_t;
-allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert };
-allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert };
-allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert };
+allow sepgsql_client_type sepgsql_schema_t:db_schema { search };
+allow sepgsql_client_type sepgsql_temp_schema_t:db_schema { search add_object remove_object };
-allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete };
-allow sepgsql_client_type sepgsql_table_t:db_column { getattr use select update insert };
-allow sepgsql_client_type sepgsql_table_t:db_tuple { use select update insert delete };
+allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr select insert lock };
+allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr select insert };
+allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { select insert };
-allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select };
-allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select };
-allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select };
+allow sepgsql_client_type sepgsql_table_t:db_table { getattr select update insert delete lock };
+allow sepgsql_client_type sepgsql_table_t:db_column { getattr select update insert };
+allow sepgsql_client_type sepgsql_table_t:db_tuple { select update insert delete };
+allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr select lock };
+allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr select };
+allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { select };
+
allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr;
allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr;
-allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select };
-allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select };
-allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
+allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr select lock };
+allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr select };
+allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { select update insert delete };
allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute install };
allow sepgsql_client_type sepgsql_trusted_proc_t:db_procedure { getattr execute entrypoint };
+allow sepgsql_client_type sepgsql_sequence_t:db_sequence { getattr get_value };
+
allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
+allow sepgsql_client_type sepgsql_temp_table_t:db_table { create drop getattr setattr select update insert delete lock };
+allow sepgsql_client_type sepgsql_temp_table_t:db_column { create drop getattr setattr select update insert };
+allow sepgsql_client_type sepgsql_temp_table_t:db_tuple { select update insert delete };
+
+allow sepgsql_client_type sepgsql_temp_proc_exec_t:db_procedure { create drop getattr setattr execute };
+
+allow sepgsql_client_type sepgsql_temp_sequence_t:db_sequence { create drop getattr setattr get_value set_value };
+
+allow sepgsql_client_type user_sepgsql_table_t:db_table { getattr select update insert delete lock };
+allow sepgsql_client_type user_sepgsql_table_t:db_column { getattr select update insert };
+allow sepgsql_client_type user_sepgsql_table_t:db_tuple { select update insert delete };
+
+allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { getattr execute };
+
+allow sepgsql_client_type user_sepgsql_sequence_t:db_sequence { getattr get_value set_value };
+
# The purpose of the dontaudit rule in row-level access control is to prevent a flood of logs.
# If a client tries to SELECT a table including violated tuples, these are filtered from
# the result set as if not exist, but its access denied longs can be recorded within log files.
@@ -321,12 +383,14 @@
# to access classified tuples and can make a audit record.
#
# Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
-dontaudit { postgresql_t sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
+dontaudit { postgresql_t sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { select update insert delete };
tunable_policy(`sepgsql_enable_users_ddl',`
- allow sepgsql_client_type sepgsql_table_t:db_table { create drop setattr };
- allow sepgsql_client_type sepgsql_table_t:db_column { create drop setattr };
- allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { update insert delete };
+ allow sepgsql_client_type sepgsql_schema_t:db_schema { add_object remove_object };
+ allow sepgsql_client_type user_sepgsql_table_t:db_table { create drop setattr };
+ allow sepgsql_client_type user_sepgsql_table_t:db_column { create drop setattr };
+ allow sepgsql_client_type user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
+ allow sepgsql_client_type user_sepgsql_sequence_t:db_sequence { create drop setattr };
')
########################################
@@ -334,20 +398,33 @@
# Unconfined access to this module
#
-allow sepgsql_unconfined_type sepgsql_database_type:db_database *;
-type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t;
+allow sepgsql_unconfined_type sepgsql_database_type:db_database ~{superuser};
+type_transition sepgsql_unconfined_type postgresql_t:db_database sepgsql_db_t;
-type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t;
-type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_t;
+allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *;
+type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_schema_t;
+
+type_transition sepgsql_unconfined_type sepgsql_schema_t:db_table sepgsql_table_t;
+type_transition sepgsql_unconfined_type sepgsql_schema_t:db_procedure sepgsql_proc_exec_t;
+type_transition sepgsql_unconfined_type sepgsql_schema_t:db_sequence sepgsql_sequence_t;
+
+type_transition sepgsql_unconfined_type sepgsql_temp_schema_t:db_table sepgsql_temp_table_t;
+type_transition sepgsql_unconfined_type sepgsql_temp_schema_t:db_procedure sepgsql_temp_proc_exec_t;
+type_transition sepgsql_unconfined_type sepgsql_temp_schema_t:db_sequence sepgsql_temp_sequence_t;
+
type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;
allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;
# unconfined domain is not allowed to invoke user defined procedure directly.
# They have to confirm and relabel it at first.
-allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_t }:db_procedure *;
-allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto };
+# In addition, trusted procedure is not allowed to install.
+allow sepgsql_unconfined_type sepgsql_proc_t:db_procedure *;
+allow sepgsql_unconfined_type sepgsql_trusted_proc_t:db_procedure ~{ install };
+allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ execute install };
+allow sepgsql_unconfined_type sepgsql_sequence_type:db_sequence *;
+
allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;
Index: config/appconfig-mls/db_contexts
===================================================================
--- config/appconfig-mls/db_contexts (revision 0)
+++ config/appconfig-mls/db_contexts (revision 0)
@@ -0,0 +1,16 @@
+#
+# Config file for SE-PostgreSQL extension
+#
+
+#
+# db_database object
+# ------------------
+database * system_u:object_r:sepgsql_db_t:s0
+
+#
+# db_schema object
+# ----------------
+schema pg_temp_* system_u:object_r:sepgsql_temp_schema_t:s0
+
+# NOTE: all the database objects stored in pg_temp_* namespace is
+# released at end of the session.
Index: config/appconfig-standard/db_contexts
===================================================================
--- config/appconfig-standard/db_contexts (revision 0)
+++ config/appconfig-standard/db_contexts (revision 0)
@@ -0,0 +1,16 @@
+#
+# Config file for SE-PostgreSQL extension
+#
+
+#
+# db_database object
+# ------------------
+database * system_u:object_r:sepgsql_db_t
+
+#
+# db_schema object
+# ----------------
+schema pg_temp_* system_u:object_r:sepgsql_temp_schema_t
+
+# NOTE: all the database objects stored in pg_temp_* namespace is
+# released at end of the session.
Index: config/appconfig-mcs/db_contexts
===================================================================
--- config/appconfig-mcs/db_contexts (revision 0)
+++ config/appconfig-mcs/db_contexts (revision 0)
@@ -0,0 +1,16 @@
+#
+# Config file for SE-PostgreSQL extension
+#
+
+#
+# db_database object
+# ------------------
+database * system_u:object_r:sepgsql_db_t:s0
+
+#
+# db_schema object
+# ----------------
+schema pg_temp_* system_u:object_r:sepgsql_temp_schema_t:s0
+
+# NOTE: all the database objects stored in pg_temp_* namespace is
+# released at end of the session.