From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: "Christopher J. PeBenito" <cpebenito@tresys.com>
Cc: refpolicy@oss.tresys.com, selinux@tycho.nsa.gov,
Joshua Brindle <method@manicmethod.com>
Subject: Re: [refpolicy] [RFC] Security policy reworks for SE-PostgreSQL
Date: Fri, 08 May 2009 12:56:05 +0900 [thread overview]
Message-ID: <4A03AD55.8020207@ak.jp.nec.com> (raw)
In-Reply-To: <1241699079.19211.1251.camel@gorn.columbia.tresys.com>
[-- Attachment #1: Type: text/plain, Size: 1499 bytes --]
>>>> - rework: All the newly created database objects by unprivileged
>>>> clients are prefixed with "user_", and these are controled via
>>>> sepgsql_enable_users_ddl.
>>> I don't think we should be mixing user content with other unpriv
>>> clients.
>> I would like to discriminate between a procedure declared by unpriv
>> client and by administrative client, because the policy allows the
>> unprefixed "sepgsql_proc_exec_t" to be installed as a system internal
>> component, but it is undesirable to install unpriv-user defined
>> procedures as is.
>>
>> If the "user_" prefix is unpreferable, how do you think other prefixes
>> something like "anon_", "unpriv_" and so on?
>
> I think we should go with unpriv_ for now.
OK, the attached patch adds the following types for unprivileged clients.
- unpriv_sepgsql_table_t
- unpriv_sepgsql_sysobj_t
- unpriv_sepgsql_proc_exec_t
- unpriv_sepgsql_blob_t
These types are the default for unprivileged and unprefixed domains,
such as httpd_t and others.
In addition, TYPE_TRANSITION rules are moved to outside of tunable
of the sepgsql_enable_users_ddl. IIRC, it was enclosed within the
tunable because UBAC domains (user_t and so on) were allowed to
create sepgsql_table_t, and its default was pointed to this type
when sepgsql_enable_users_ddl is disabled.
However, it has different meanings now, so the TYPE_TRANSITION rules
should be unconditional.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
[-- Attachment #2: refpolicy-sepgsql-1-unpriv-types.patch --]
[-- Type: text/x-patch, Size: 4557 bytes --]
Index: policy/modules/services/postgresql.if
===================================================================
--- policy/modules/services/postgresql.if (revision 2982)
+++ policy/modules/services/postgresql.if (working copy)
@@ -47,18 +47,17 @@
tunable_policy(`sepgsql_enable_users_ddl',`
allow $2 user_sepgsql_table_t:db_table { create drop };
- type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;
-
allow $2 user_sepgsql_table_t:db_column { create drop };
-
allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
- type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
')
allow $2 user_sepgsql_table_t:db_table { getattr setattr use select update insert delete lock };
allow $2 user_sepgsql_table_t:db_column { getattr setattr use select update insert };
allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
+ type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;
+
allow $2 user_sepgsql_sysobj_t:db_tuple { use select };
+ type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };
type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;
@@ -313,24 +312,55 @@
#
interface(`postgresql_unpriv_client',`
gen_require(`
+ class db_database all_db_database_perms;
class db_table all_db_table_perms;
class db_procedure all_db_procedure_perms;
+ class db_column all_db_column_perms;
+ class db_tuple all_db_tuple_perms;
class db_blob all_db_blob_perms;
attribute sepgsql_client_type;
+ attribute sepgsql_database_type, sepgsql_sysobj_table_type;
- type sepgsql_db_t, sepgsql_table_t, sepgsql_proc_exec_t, sepgsql_blob_t;
type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;
+ type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t;
+ type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t;
')
+ ########################################
+ #
+ # Declarations
+ #
+
typeattribute $1 sepgsql_client_type;
- type_transition $1 sepgsql_db_t:db_table sepgsql_table_t;
- type_transition $1 sepgsql_db_t:db_procedure sepgsql_proc_exec_t;
- type_transition $1 sepgsql_db_t:db_blob sepgsql_blob_t;
+ ########################################
+ #
+ # Client local policy
+ #
type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
allow $1 sepgsql_trusted_proc_t:process transition;
+
+ tunable_policy(`sepgsql_enable_users_ddl',`
+ allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
+ allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
+ allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
+ ')
+
+ allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
+ allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
+ allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
+ type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t;
+
+ allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };
+ type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;
+
+ allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };
+ type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;
+
+ allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
+ type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
')
########################################
Index: policy/modules/services/postgresql.te
===================================================================
--- policy/modules/services/postgresql.te (revision 2982)
+++ policy/modules/services/postgresql.te (working copy)
@@ -97,6 +97,20 @@
postgresql_unconfined(sepgsql_trusted_proc_t)
role system_r types sepgsql_trusted_proc_t;
+# Types for unprivileged client
+type unpriv_sepgsql_blob_t;
+postgresql_blob_object(unpriv_sepgsql_blob_t)
+
+type unpriv_sepgsql_proc_exec_t;
+postgresql_procedure_object(unpriv_sepgsql_proc_exec_t)
+
+type unpriv_sepgsql_sysobj_t;
+postgresql_system_table_object(unpriv_sepgsql_sysobj_t)
+
+type unpriv_sepgsql_table_t;
+postgresql_table_object(unpriv_sepgsql_table_t)
+
+# Types for UBAC
type user_sepgsql_blob_t;
typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t };
typealias user_sepgsql_blob_t alias { auditadm_sepgsql_blob_t secadm_sepgsql_blob_t };
WARNING: multiple messages have this Message-ID (diff)
From: kaigai@ak.jp.nec.com (KaiGai Kohei)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [RFC] Security policy reworks for SE-PostgreSQL
Date: Fri, 08 May 2009 12:56:05 +0900 [thread overview]
Message-ID: <4A03AD55.8020207@ak.jp.nec.com> (raw)
In-Reply-To: <1241699079.19211.1251.camel@gorn.columbia.tresys.com>
>>>> - rework: All the newly created database objects by unprivileged
>>>> clients are prefixed with "user_", and these are controled via
>>>> sepgsql_enable_users_ddl.
>>> I don't think we should be mixing user content with other unpriv
>>> clients.
>> I would like to discriminate between a procedure declared by unpriv
>> client and by administrative client, because the policy allows the
>> unprefixed "sepgsql_proc_exec_t" to be installed as a system internal
>> component, but it is undesirable to install unpriv-user defined
>> procedures as is.
>>
>> If the "user_" prefix is unpreferable, how do you think other prefixes
>> something like "anon_", "unpriv_" and so on?
>
> I think we should go with unpriv_ for now.
OK, the attached patch adds the following types for unprivileged clients.
- unpriv_sepgsql_table_t
- unpriv_sepgsql_sysobj_t
- unpriv_sepgsql_proc_exec_t
- unpriv_sepgsql_blob_t
These types are the default for unprivileged and unprefixed domains,
such as httpd_t and others.
In addition, TYPE_TRANSITION rules are moved to outside of tunable
of the sepgsql_enable_users_ddl. IIRC, it was enclosed within the
tunable because UBAC domains (user_t and so on) were allowed to
create sepgsql_table_t, and its default was pointed to this type
when sepgsql_enable_users_ddl is disabled.
However, it has different meanings now, so the TYPE_TRANSITION rules
should be unconditional.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy-sepgsql-1-unpriv-types.patch
Type: text/x-patch
Size: 4557 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090508/9306855a/attachment.bin
next prev parent reply other threads:[~2009-05-08 3:56 UTC|newest]
Thread overview: 62+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-03-31 8:55 [RFC] Security policy reworks for SE-PostgreSQL KaiGai Kohei
2009-03-31 8:55 ` [refpolicy] " KaiGai Kohei
2009-03-31 10:05 ` Andy Warner
2009-03-31 10:05 ` [refpolicy] " Andy Warner
2009-03-31 13:51 ` KaiGai Kohei
2009-03-31 13:51 ` [refpolicy] " KaiGai Kohei
2009-03-31 15:11 ` Andy Warner
2009-03-31 15:11 ` [refpolicy] " Andy Warner
2009-03-31 20:34 ` KaiGai Kohei
2009-03-31 20:34 ` [refpolicy] " KaiGai Kohei
2009-03-31 20:39 ` Andy Warner
2009-03-31 20:39 ` [refpolicy] " Andy Warner
2009-03-31 20:46 ` Joshua Brindle
2009-03-31 21:08 ` Andy Warner
2009-03-31 21:08 ` [refpolicy] " Andy Warner
2009-04-01 17:05 ` Joshua Brindle
2009-04-01 0:30 ` KaiGai Kohei
2009-04-01 0:30 ` [refpolicy] " KaiGai Kohei
2009-04-02 8:15 ` KaiGai Kohei
2009-04-02 8:15 ` KaiGai Kohei
2009-04-02 14:27 ` Joshua Brindle
2009-04-02 15:09 ` Christopher J. PeBenito
2009-04-02 15:09 ` Christopher J. PeBenito
2009-04-03 1:17 ` KaiGai Kohei
2009-04-03 1:17 ` KaiGai Kohei
2009-04-03 18:12 ` Joshua Brindle
2009-04-05 0:52 ` KaiGai Kohei
2009-04-05 0:52 ` KaiGai Kohei
2009-04-06 2:15 ` KaiGai Kohei
2009-04-06 2:15 ` KaiGai Kohei
2009-04-06 18:48 ` SELinux packages version (svn2950) Hasan Rezaul-CHR010
2009-04-06 19:18 ` Joshua Brindle
2009-04-06 19:48 ` Hasan Rezaul-CHR010
2009-04-06 20:14 ` Joshua Brindle
2009-04-06 20:30 ` Hasan Rezaul-CHR010
2009-04-06 20:37 ` Joshua Brindle
2009-04-12 23:45 ` [refpolicy] [RFC] Security policy reworks for SE-PostgreSQL KaiGai Kohei
2009-04-12 23:45 ` KaiGai Kohei
2009-04-20 20:07 ` Christopher J. PeBenito
2009-04-20 20:07 ` Christopher J. PeBenito
2009-04-20 23:27 ` KaiGai Kohei
2009-04-20 23:27 ` KaiGai Kohei
2009-05-07 12:24 ` Christopher J. PeBenito
2009-05-07 12:24 ` Christopher J. PeBenito
2009-05-08 3:56 ` KaiGai Kohei [this message]
2009-05-08 3:56 ` KaiGai Kohei
2009-05-08 4:05 ` KaiGai Kohei
2009-05-08 4:05 ` KaiGai Kohei
2009-05-21 11:49 ` Christopher J. PeBenito
2009-05-21 11:49 ` Christopher J. PeBenito
2009-05-08 4:12 ` KaiGai Kohei
2009-05-08 4:12 ` KaiGai Kohei
2009-05-22 13:38 ` Christopher J. PeBenito
2009-05-22 13:38 ` Christopher J. PeBenito
2009-05-21 11:28 ` Christopher J. PeBenito
2009-05-21 11:28 ` Christopher J. PeBenito
2009-04-21 2:51 ` KaiGai Kohei
2009-04-21 2:51 ` KaiGai Kohei
2009-05-07 13:08 ` Christopher J. PeBenito
2009-05-07 13:08 ` Christopher J. PeBenito
2009-04-03 0:25 ` KaiGai Kohei
2009-04-03 0:25 ` KaiGai Kohei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A03AD55.8020207@ak.jp.nec.com \
--to=kaigai@ak.jp.nec.com \
--cc=cpebenito@tresys.com \
--cc=method@manicmethod.com \
--cc=refpolicy@oss.tresys.com \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.