diff for duplicates of <4A03AD55.8020207@ak.jp.nec.com>
diff --git a/a/1.txt b/N1/1.txt
index 9d920b2..181f4ec 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -35,3 +35,10 @@ Thanks,
 --
 OSS Platform Development Division, NEC
 KaiGai Kohei <kaigai@ak.jp.nec.com>
+-------------- next part --------------
+A non-text attachment was scrubbed...
+Name: refpolicy-sepgsql-1-unpriv-types.patch
+Type: text/x-patch
+Size: 4557 bytes
+Desc: not available
+Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090508/9306855a/attachment.bin
diff --git a/a/2.hdr b/a/2.hdr
deleted file mode 100644
index 8d92eeb..0000000
--- a/a/2.hdr
+++ /dev/null
@@ -1,5 +0,0 @@
-Content-Type: text/x-patch;
- name="refpolicy-sepgsql-1-unpriv-types.patch"
-Content-Transfer-Encoding: 7bit
-Content-Disposition: inline;
- filename="refpolicy-sepgsql-1-unpriv-types.patch"
diff --git a/a/2.txt b/a/2.txt
deleted file mode 100644
index b9f9c92..0000000
--- a/a/2.txt
+++ /dev/null
@@ -1,111 +0,0 @@ -Index: policy/modules/services/postgresql.if -=================================================================== ---- policy/modules/services/postgresql.if (revision 2982) -+++ policy/modules/services/postgresql.if (working copy) -@@ -47,18 +47,17 @@ - - tunable_policy(`sepgsql_enable_users_ddl',` - allow $2 user_sepgsql_table_t:db_table { create drop }; -- type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t; -- - allow $2 user_sepgsql_table_t:db_column { create drop }; -- - allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete }; -- type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t; - ') - - allow $2 user_sepgsql_table_t:db_table { getattr setattr use select update insert delete lock }; - allow $2 user_sepgsql_table_t:db_column { getattr setattr use select update insert }; - allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete }; -+ type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t; -+ - allow $2 user_sepgsql_sysobj_t:db_tuple { use select }; -+ type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t; - - allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute }; - type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t; -@@ -313,24 +312,55 @@ - # - interface(`postgresql_unpriv_client',` - gen_require(` -+ class db_database all_db_database_perms; - class db_table all_db_table_perms; - class db_procedure all_db_procedure_perms; -+ class db_column all_db_column_perms; -+ class db_tuple all_db_tuple_perms; - class db_blob all_db_blob_perms; - - attribute sepgsql_client_type; -+ attribute sepgsql_database_type, sepgsql_sysobj_table_type; - -- type sepgsql_db_t, sepgsql_table_t, sepgsql_proc_exec_t, sepgsql_blob_t; - type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t; -+ type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t; -+ type unpriv_sepgsql_sysobj_t, 
unpriv_sepgsql_table_t; - ') - -+ ######################################## -+ # -+ # Declarations -+ # -+ - typeattribute $1 sepgsql_client_type; - -- type_transition $1 sepgsql_db_t:db_table sepgsql_table_t; -- type_transition $1 sepgsql_db_t:db_procedure sepgsql_proc_exec_t; -- type_transition $1 sepgsql_db_t:db_blob sepgsql_blob_t; -+ ######################################## -+ # -+ # Client local policy -+ # - - type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; - allow $1 sepgsql_trusted_proc_t:process transition; -+ -+ tunable_policy(`sepgsql_enable_users_ddl',` -+ allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; -+ allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr }; -+ allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete }; -+ ') -+ -+ allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock }; -+ allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert }; -+ allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; -+ type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t; -+ -+ allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select }; -+ type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; -+ -+ allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute }; -+ type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t; -+ -+ allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write }; -+ type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t; - ') - - ######################################## -Index: policy/modules/services/postgresql.te -=================================================================== ---- policy/modules/services/postgresql.te (revision 2982) -+++ policy/modules/services/postgresql.te (working copy) -@@ -97,6 +97,20 @@ - postgresql_unconfined(sepgsql_trusted_proc_t) - 
role system_r types sepgsql_trusted_proc_t; - -+# Types for unprivileged client -+type unpriv_sepgsql_blob_t; -+postgresql_blob_object(unpriv_sepgsql_blob_t) -+ -+type unpriv_sepgsql_proc_exec_t; -+postgresql_procedure_object(unpriv_sepgsql_proc_exec_t) -+ -+type unpriv_sepgsql_sysobj_t; -+postgresql_system_table_object(unpriv_sepgsql_sysobj_t) -+ -+type unpriv_sepgsql_table_t; -+postgresql_table_object(unpriv_sepgsql_table_t) -+ -+# Types for UBAC - type user_sepgsql_blob_t; - typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t }; - typealias user_sepgsql_blob_t alias { auditadm_sepgsql_blob_t secadm_sepgsql_blob_t }; diff --git a/a/content_digest b/N1/content_digest index 740d009..a59f212 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -7,14 +7,11 @@ "ref\01240258044.19211.767.camel@gorn.columbia.tresys.com\0" "ref\049ED04DF.8050306@ak.jp.nec.com\0" "ref\01241699079.19211.1251.camel@gorn.columbia.tresys.com\0" - "From\0KaiGai Kohei <kaigai@ak.jp.nec.com>\0" - "Subject\0Re: [refpolicy] [RFC] Security policy reworks for SE-PostgreSQL\0" + "From\0kaigai@ak.jp.nec.com (KaiGai Kohei)\0" + "Subject\0[refpolicy] [RFC] Security policy reworks for SE-PostgreSQL\0" "Date\0Fri, 08 May 2009 12:56:05 +0900\0" - "To\0Christopher J. PeBenito <cpebenito@tresys.com>\0" - "Cc\0refpolicy@oss.tresys.com" - selinux@tycho.nsa.gov - " Joshua Brindle <method@manicmethod.com>\0" - "\01:1\0" + "To\0refpolicy@oss.tresys.com\0" + "\00:1\0" "b\0" ">>>> - rework: All the newly created database objects by unprivileged\n" ">>>> clients are prefixed with \"user_\", and these are controled via\n" 
@@ -52,120 +49,13 @@ "Thanks,\n" "-- \n" "OSS Platform Development Division, NEC\n" - KaiGai Kohei <kaigai@ak.jp.nec.com> - "\01:2\0" - "fn\0refpolicy-sepgsql-1-unpriv-types.patch\0" - "b\0" - "Index: policy/modules/services/postgresql.if\n" - "===================================================================\n" - "--- policy/modules/services/postgresql.if\t(revision 2982)\n" - "+++ policy/modules/services/postgresql.if\t(working copy)\n" - "@@ -47,18 +47,17 @@\n" - " \n" - " \ttunable_policy(`sepgsql_enable_users_ddl',`\n" - " \t\tallow $2 user_sepgsql_table_t:db_table { create drop };\n" - "-\t\ttype_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;\n" - "-\n" - " \t\tallow $2 user_sepgsql_table_t:db_column { create drop };\n" - "-\n" - " \t\tallow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };\n" - "-\t\ttype_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;\n" - " \t')\n" - " \n" - " \tallow $2 user_sepgsql_table_t:db_table { getattr setattr use select update insert delete lock };\n" - " \tallow $2 user_sepgsql_table_t:db_column { getattr setattr use select update insert };\n" - " \tallow $2 user_sepgsql_table_t:db_tuple\t{ use select update insert delete };\n" - "+\ttype_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;\n" - "+\n" - " \tallow $2 user_sepgsql_sysobj_t:db_tuple\t{ use select };\n" - "+\ttype_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;\n" - " \n" - " \tallow $2 user_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };\n" - " \ttype_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;\n" - "@@ -313,24 +312,55 @@\n" - " #\n" - " interface(`postgresql_unpriv_client',`\n" - " \tgen_require(`\n" - "+\t\tclass db_database all_db_database_perms;\n" - " \t\tclass db_table all_db_table_perms;\n" - " \t\tclass db_procedure all_db_procedure_perms;\n" - "+\t\tclass db_column all_db_column_perms;\n" - "+\t\tclass 
db_tuple all_db_tuple_perms;\n" - " \t\tclass db_blob all_db_blob_perms;\n" - " \n" - " \t\tattribute sepgsql_client_type;\n" - "+\t\tattribute sepgsql_database_type, sepgsql_sysobj_table_type;\n" - " \n" - "-\t\ttype sepgsql_db_t, sepgsql_table_t, sepgsql_proc_exec_t, sepgsql_blob_t;\n" - " \t\ttype sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;\n" - "+\t\ttype unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t;\n" - "+\t\ttype unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t;\n" - " \t')\n" - " \n" - "+\t########################################\n" - "+\t#\n" - "+\t# Declarations\n" - "+\t#\n" - "+\n" - " \ttypeattribute $1 sepgsql_client_type;\n" - " \n" - "-\ttype_transition $1 sepgsql_db_t:db_table sepgsql_table_t;\n" - "-\ttype_transition $1 sepgsql_db_t:db_procedure sepgsql_proc_exec_t;\n" - "-\ttype_transition $1 sepgsql_db_t:db_blob sepgsql_blob_t;\n" - "+\t########################################\n" - "+\t#\n" - "+\t# Client local policy\n" - "+\t#\n" - " \n" - " \ttype_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;\n" - " \tallow $1 sepgsql_trusted_proc_t:process transition;\n" - "+\n" - "+\ttunable_policy(`sepgsql_enable_users_ddl',`\n" - "+\t\tallow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };\n" - "+\t\tallow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };\n" - "+\t\tallow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };\n" - "+\t')\n" - "+\n" - "+\tallow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };\n" - "+\tallow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };\n" - "+\tallow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };\n" - "+\ttype_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t;\n" - "+\n" - "+\tallow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };\n" - "+\ttype_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;\n" - "+\n" - "+\tallow $1 
unpriv_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };\n" - "+\ttype_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;\n" - "+\n" - "+\tallow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write };\n" - "+\ttype_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;\n" - " ')\n" - " \n" - " ########################################\n" - "Index: policy/modules/services/postgresql.te\n" - "===================================================================\n" - "--- policy/modules/services/postgresql.te\t(revision 2982)\n" - "+++ policy/modules/services/postgresql.te\t(working copy)\n" - "@@ -97,6 +97,20 @@\n" - " postgresql_unconfined(sepgsql_trusted_proc_t)\n" - " role system_r types sepgsql_trusted_proc_t;\n" - " \n" - "+# Types for unprivileged client\n" - "+type unpriv_sepgsql_blob_t;\n" - "+postgresql_blob_object(unpriv_sepgsql_blob_t)\n" - "+\n" - "+type unpriv_sepgsql_proc_exec_t;\n" - "+postgresql_procedure_object(unpriv_sepgsql_proc_exec_t)\n" - "+\n" - "+type unpriv_sepgsql_sysobj_t;\n" - "+postgresql_system_table_object(unpriv_sepgsql_sysobj_t)\n" - "+\n" - "+type unpriv_sepgsql_table_t;\n" - "+postgresql_table_object(unpriv_sepgsql_table_t)\n" - "+\n" - "+# Types for UBAC\n" - " type user_sepgsql_blob_t;\n" - " typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t };\n" - typealias user_sepgsql_blob_t alias { auditadm_sepgsql_blob_t secadm_sepgsql_blob_t }; + "KaiGai Kohei <kaigai@ak.jp.nec.com>\n" + "-------------- next part --------------\n" + "A non-text attachment was scrubbed...\n" + "Name: refpolicy-sepgsql-1-unpriv-types.patch\n" + "Type: text/x-patch\n" + "Size: 4557 bytes\n" + "Desc: not available\n" + Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20090508/9306855a/attachment.bin -5daa2045b9bbcdb75bb267ed0aa7bb79927d722c181d95cc1adef2cc935ba7a7 +7b6daa8fb7df1863511eb70d22941c33d7acc0561a8caa97bde4ed93462d89f5