Re: [refpolicy] [RFC] Security policy reworks for SE-PostgreSQL

From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: "Christopher J. PeBenito" <cpebenito@tresys.com>
Cc: refpolicy@oss.tresys.com, selinux@tycho.nsa.gov,
	Joshua Brindle <method@manicmethod.com>
Subject: Re: [refpolicy] [RFC] Security policy reworks for SE-PostgreSQL
Date: Fri, 08 May 2009 13:12:17 +0900	[thread overview]
Message-ID: <4A03B121.9040700@ak.jp.nec.com> (raw)
In-Reply-To: <4A03AD55.8020207@ak.jp.nec.com>

[-- Attachment #1: Type: text/plain, Size: 2275 bytes --]

The attached patch allows unprivileged clients to export from or import
to the largeobject owned by themselves.

The current security policy does not allow them to import/export any
largeobjects without any clear reason.

NOTE: Export of the largeobject means that it dumps whole of the
largeobject into a local file, so SE-PostgreSQL checks both of
db_blob:{read export} on the largeobject and file:{write} on the
local file. Import is a reversal behavior.

Thanks,

KaiGai Kohei wrote:
>>>>> - rework: All the newly created database objects by unprivileged
>>>>>   clients are prefixed with "user_", and these are controled via
>>>>>   sepgsql_enable_users_ddl.
>>>> I don't think we should be mixing user content with other unpriv
>>>> clients.
>>> I would like to discriminate between a procedure declared by unpriv
>>> client and by administrative client, because the policy allows the
>>> unprefixed "sepgsql_proc_exec_t" to be installed as a system internal
>>> component, but it is undesirable to install unpriv-user defined
>>> procedures as is.
>>>
>>> If the "user_" prefix is unpreferable, how do you think other prefixes
>>> something like "anon_", "unpriv_" and so on?
>> I think we should go with unpriv_ for now.
> 
> OK, the attached patch adds the following types for unprivileged clients.
>  - unpriv_sepgsql_table_t
>  - unpriv_sepgsql_sysobj_t
>  - unpriv_sepgsql_proc_exec_t
>  - unpriv_sepgsql_blob_t
> 
> These types are the default for unprivileged and unprefixed domains,
> such as httpd_t and others.
> 
> In addition, TYPE_TRANSITION rules are moved to outside of tunable
> of the sepgsql_enable_users_ddl. IIRC, it was enclosed within the
> tunable because UBAC domains (user_t and so on) were allowed to
> create sepgsql_table_t, and its default was pointed to this type
> when sepgsql_enable_users_ddl is disabled.
> However, it has different meanings now, so the TYPE_TRANSITION rules
> should be unconditional.
> 
> Thanks,
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy@oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

[-- Attachment #2: refpolicy-sepgsql-3-db_blob-import-export.patch --]
[-- Type: text/x-patch, Size: 1082 bytes --]

--- policy/modules/services/postgresql.if.2	2009-05-08 11:58:46.000000000 +0900
+++ policy/modules/services/postgresql.if.3	2009-05-08 11:59:28.000000000 +0900
@@ -63,7 +63,7 @@
 	allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
 	type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;
 
-	allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
+	allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
 	type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
 
 	allow $2 sepgsql_trusted_proc_t:process transition;
@@ -361,7 +361,7 @@
 	allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
 	type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;
 
-	allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
+	allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
 	type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
 ')
 
