diff for duplicates of <4D352D3B.8000303@ak.jp.nec.com>
diff --git a/a/1.txt b/N1/1.txt
index 9d7b554..59a755b 100644
--- a/a/1.txt
+++ b/N1/1.txt
@@ -30,3 +30,17 @@ Don't forget to add the following line in %fileList macro of the specfile
 Thanks,
 -- 
 KaiGai Kohei <kaigai@ak.jp.nec.com>
+-------------- next part --------------
+A non-text attachment was scrubbed...
+Name: selinux-policy-sepgsql.rhel6.patch
+Type: application/octect-stream
+Size: 39879 bytes
+Desc: not available
+Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110118/362c949e/attachment-0002.bin
+-------------- next part --------------
+A non-text attachment was scrubbed...
+Name: selinux-policy-sepgsql.fedora.patch
+Type: application/octect-stream
+Size: 40240 bytes
+Desc: not available
+Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110118/362c949e/attachment-0003.bin
diff --git a/a/2.bin b/a/2.bin
deleted file mode 100644
index 0d7ee17..0000000
--- a/a/2.bin
+++ /dev/null
@@ -1,928 +0,0 @@ -diff -rupN serefpolicy-3.7.19.old/config/appconfig-mcs/sepgsql_contexts serefpolicy-3.7.19.new/config/appconfig-mcs/sepgsql_contexts ---- serefpolicy-3.7.19.old/config/appconfig-mcs/sepgsql_contexts 1970-01-01 09:00:00.000000000 +0900 -+++ serefpolicy-3.7.19.new/config/appconfig-mcs/sepgsql_contexts 2011-01-18 12:35:31.000000000 +0900 -@@ -0,0 +1,40 @@ -+# -+# Initial security label for SE-PostgreSQL (MCS) -+# -+ -+# <databases> -+db_database * system_u:object_r:sepgsql_db_t:s0 -+ -+# <schemas> -+db_schema *.* system_u:object_r:sepgsql_schema_t:s0 -+ -+# <tables> -+db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0 -+db_table *.*.* system_u:object_r:sepgsql_table_t:s0 -+ -+# <column> -+db_column *.pg_catalog.*.* system_u:object_r:sepgsql_sysobj_t:s0 -+db_column *.*.*.* system_u:object_r:sepgsql_table_t:s0 -+ -+# <sequences> -+db_sequence *.*.* system_u:object_r:sepgsql_seq_t:s0 -+ -+# <views> -+db_view *.*.* system_u:object_r:sepgsql_view_t:s0 -+ -+# <procedures> -+db_procedure *.*.* system_u:object_r:sepgsql_proc_exec_t:s0 -+ -+# <tuples> -+db_tuple *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0 -+db_tuple *.*.* system_u:object_r:sepgsql_table_t:s0 -+ -+# <blobs> -+db_blobs *.* system_u:object_r:sepgsql_blob_t:s0 -+ -+# <language> -+db_language *.sql system_u:object_r:sepgsql_safe_lang_t:s0 -+db_language *.plpgsql system_u:object_r:sepgsql_safe_lang_t:s0 -+db_language *.pltcl system_u:object_r:sepgsql_safe_lang_t:s0 -+db_language *.plperl system_u:object_r:sepgsql_safe_lang_t:s0 -+db_language *.* system_u:object_r:sepgsql_lang_t:s0 -diff -rupN serefpolicy-3.7.19.old/config/appconfig-mls/sepgsql_contexts serefpolicy-3.7.19.new/config/appconfig-mls/sepgsql_contexts ---- serefpolicy-3.7.19.old/config/appconfig-mls/sepgsql_contexts 1970-01-01 09:00:00.000000000 +0900 -+++ serefpolicy-3.7.19.new/config/appconfig-mls/sepgsql_contexts 2011-01-18 12:35:31.000000000 +0900 -@@ -0,0 +1,40 @@ -+# -+# Initial security label for SE-PostgreSQL 
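Review bot: The `db_blobs *.* system_u:object_r:sepgsql_blob_t:s0` entry near the end of this new sepgsql_contexts file names an object class that appears nowhere else in the patch — kernel.if, policy/mcs, policy/mls and postgresql.if all use `db_blob`. A key the label backend does not recognise is unlikely to match anything (whether it is rejected or silently skipped depends on the selabel db code, which is not shown), so large objects would get no initial label from this file. The same line is repeated in the appconfig-mls and appconfig-standard variants; change all three to `db_blob *.* system_u:object_r:sepgsql_blob_t:s0` (without the `:s0` in the standard file). Listing the `*.pg_catalog.*` entries before the `*.*.*` catch-alls suggests first-match ordering; a one-line comment at the top stating that would stop a later edit from reordering them.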
(MLS) -+# -+ -+# <databases> -+db_database * system_u:object_r:sepgsql_db_t:s0 -+ -+# <schemas> -+db_schema *.* system_u:object_r:sepgsql_schema_t:s0 -+ -+# <tables> -+db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0 -+db_table *.*.* system_u:object_r:sepgsql_table_t:s0 -+ -+# <column> -+db_column *.pg_catalog.*.* system_u:object_r:sepgsql_sysobj_t:s0 -+db_column *.*.*.* system_u:object_r:sepgsql_table_t:s0 -+ -+# <sequences> -+db_sequence *.*.* system_u:object_r:sepgsql_seq_t:s0 -+ -+# <views> -+db_view *.*.* system_u:object_r:sepgsql_view_t:s0 -+ -+# <procedures> -+db_procedure *.*.* system_u:object_r:sepgsql_proc_exec_t:s0 -+ -+# <tuples> -+db_tuple *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0 -+db_tuple *.*.* system_u:object_r:sepgsql_table_t:s0 -+ -+# <blobs> -+db_blobs *.* system_u:object_r:sepgsql_blob_t:s0 -+ -+# <language> -+db_language *.sql system_u:object_r:sepgsql_safe_lang_t:s0 -+db_language *.plpgsql system_u:object_r:sepgsql_safe_lang_t:s0 -+db_language *.pltcl system_u:object_r:sepgsql_safe_lang_t:s0 -+db_language *.plperl system_u:object_r:sepgsql_safe_lang_t:s0 -+db_language *.* system_u:object_r:sepgsql_lang_t:s0 -diff -rupN serefpolicy-3.7.19.old/config/appconfig-standard/sepgsql_contexts serefpolicy-3.7.19.new/config/appconfig-standard/sepgsql_contexts ---- serefpolicy-3.7.19.old/config/appconfig-standard/sepgsql_contexts 1970-01-01 09:00:00.000000000 +0900 -+++ serefpolicy-3.7.19.new/config/appconfig-standard/sepgsql_contexts 2011-01-18 12:35:31.000000000 +0900 -@@ -0,0 +1,40 @@ -+# -+# Initial security label for SE-PostgreSQL (none-MLS) -+# -+ -+# <databases> -+db_database * system_u:object_r:sepgsql_db_t -+ -+# <schemas> -+db_schema *.* system_u:object_r:sepgsql_schema_t -+ -+# <tables> -+db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t -+db_table *.*.* system_u:object_r:sepgsql_table_t -+ -+# <column> -+db_column *.pg_catalog.*.* system_u:object_r:sepgsql_sysobj_t -+db_column *.*.*.* 
system_u:object_r:sepgsql_table_t -+ -+# <sequences> -+db_sequence *.*.* system_u:object_r:sepgsql_seq_t -+ -+# <views> -+db_view *.*.* system_u:object_r:sepgsql_view_t -+ -+# <procedures> -+db_procedure *.*.* system_u:object_r:sepgsql_proc_exec_t -+ -+# <tuples> -+db_tuple *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t -+db_tuple *.*.* system_u:object_r:sepgsql_table_t -+ -+# <blobs> -+db_blobs *.* system_u:object_r:sepgsql_blob_t -+ -+# <language> -+db_language *.sql system_u:object_r:sepgsql_safe_lang_t -+db_language *.plpgsql system_u:object_r:sepgsql_safe_lang_t -+db_language *.pltcl system_u:object_r:sepgsql_safe_lang_t -+db_language *.plperl system_u:object_r:sepgsql_safe_lang_t -+db_language *.* system_u:object_r:sepgsql_lang_t -diff -rupN serefpolicy-3.7.19.old/Makefile serefpolicy-3.7.19.new/Makefile ---- serefpolicy-3.7.19.old/Makefile 2011-01-18 12:23:49.000000000 +0900 -+++ serefpolicy-3.7.19.new/Makefile 2011-01-18 12:36:28.000000000 +0900 -@@ -244,7 +244,7 @@ seusers := $(appconf)/seusers - appdir := $(contextpath) - user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) - user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts)))) --appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names) -+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names) - net_contexts := $(builddir)net_contexts - - all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) 
-diff -rupN serefpolicy-3.7.19.old/policy/flask/access_vectors serefpolicy-3.7.19.new/policy/flask/access_vectors ---- serefpolicy-3.7.19.old/policy/flask/access_vectors 2010-04-14 03:44:37.000000000 +0900 -+++ serefpolicy-3.7.19.new/policy/flask/access_vectors 2011-01-18 12:42:15.000000000 +0900 -@@ -816,3 +816,32 @@ inherits x_device - - class x_keyboard - inherits x_device -+ -+class db_schema -+inherits database -+{ -+ search -+ add_name -+ remove_name -+} -+ -+class db_view -+inherits database -+{ -+ expand -+} -+ -+class db_sequence -+inherits database -+{ -+ get_value -+ next_value -+ set_value -+} -+ -+class db_language -+inherits database -+{ -+ implement -+ execute -+} -diff -rupN serefpolicy-3.7.19.old/policy/flask/security_classes serefpolicy-3.7.19.new/policy/flask/security_classes ---- serefpolicy-3.7.19.old/policy/flask/security_classes 2010-04-14 03:44:37.000000000 +0900 -+++ serefpolicy-3.7.19.new/policy/flask/security_classes 2011-01-18 12:42:15.000000000 +0900 -@@ -125,4 +125,10 @@ class tun_socket - class x_pointer # userspace - class x_keyboard # userspace - -+# More Database stuff -+class db_schema # userspace -+class db_view # userspace -+class db_sequence # userspace -+class db_language # userspace -+ - # FLASK -diff -rupN serefpolicy-3.7.19.old/policy/mcs serefpolicy-3.7.19.new/policy/mcs ---- serefpolicy-3.7.19.old/policy/mcs 2010-04-14 03:44:37.000000000 +0900 -+++ serefpolicy-3.7.19.new/policy/mcs 2011-01-18 12:42:15.000000000 +0900 -@@ -107,7 +107,7 @@ mlsconstrain process { sigkill sigstop } - - # Any database object must be dominated by the relabeling subject - # clearance, also the objects are single-level. 
--mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto } -+mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); - - mlsconstrain { db_tuple } { insert relabelto } -@@ -117,6 +117,9 @@ mlsconstrain { db_tuple } { insert relab - mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param } - ( h1 dom h2 ); - -+mlsconstrain db_language { drop getattr setattr relabelfrom execute } -+ ( h1 dom h2 ); -+ - mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock } - ( h1 dom h2 ); - -@@ -126,7 +129,16 @@ mlsconstrain db_column { drop getattr se - mlsconstrain db_tuple { relabelfrom select update delete use } - ( h1 dom h2 ); - --mlsconstrain db_procedure { drop getattr setattr execute install } -+mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value next_value set_value } -+ ( h1 dom h2 ); -+ -+mlsconstrain db_view { drop getattr setattr relabelfrom expand } -+ ( h1 dom h2 ); -+ -+mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install } -+ ( h1 dom h2 ); -+ -+mlsconstrain db_language { drop getattr setattr relabelfrom execute } - ( h1 dom h2 ); - - mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } -diff -rupN serefpolicy-3.7.19.old/policy/mls serefpolicy-3.7.19.new/policy/mls ---- serefpolicy-3.7.19.old/policy/mls 2011-01-18 12:23:49.000000000 +0900 -+++ serefpolicy-3.7.19.new/policy/mls 2011-01-18 12:42:15.000000000 +0900 -@@ -727,13 +727,13 @@ mlsconstrain context contains - # - - # make sure these database classes are "single level" --mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto } -+mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto } - ( l2 
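Review bot: policy/mcs ends up with two identical `mlsconstrain db_language { drop getattr setattr relabelfrom execute } ( h1 dom h2 );` statements — one added after the db_database rule in the -117 hunk and one again after db_procedure in the -126 hunk — while db_schema, the other new class, gets no per-operation MCS constraint at all beyond the shared create/relabelto rule at the top. The duplicate is harmless, but the omission means that drop, setattr, relabelfrom, search and add_name/remove_name on a schema are decided by TE alone and not also by category dominance, unlike every other database class in this file. The second copy was most likely meant to be `mlsconstrain db_schema { drop getattr setattr relabelfrom search add_name remove_name } ( h1 dom h2 );`.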
eq h2 ); - mlsconstrain { db_tuple } { insert relabelto } - ( l2 eq h2 ); - - # new database labels must be dominated by the relabeling subjects clearance --mlsconstrain { db_database db_table db_procedure db_column db_tuple db_blob } { relabelto } -+mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto } - ( h1 dom h2 ); - - # the database "read" ops (note the check is dominance of the low level) -@@ -743,6 +743,12 @@ mlsconstrain { db_database } { getattr a - ( t1 == mlsdbread ) or - ( t2 == mlstrustedobject )); - -+mlsconstrain { db_schema } { getattr search } -+ (( l1 dom l2 ) or -+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or -+ ( t1 == mlsdbread ) or -+ ( t2 == mlstrustedobject )); -+ - mlsconstrain { db_table } { getattr use select lock } - (( l1 dom l2 ) or - (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or -@@ -755,12 +761,30 @@ mlsconstrain { db_column } { getattr use - ( t1 == mlsdbread ) or - ( t2 == mlstrustedobject )); - -+mlsconstrain { db_sequence } { getattr get_value next_value } -+ (( l1 dom l2 ) or -+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or -+ ( t1 == mlsdbread ) or -+ ( t2 == mlstrustedobject )); -+ -+mlsconstrain { db_view } { getattr expand } -+ (( l1 dom l2 ) or -+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or -+ ( t1 == mlsdbread ) or -+ ( t2 == mlstrustedobject )); -+ - mlsconstrain { db_procedure } { getattr execute install } - (( l1 dom l2 ) or - (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsdbread ) or - ( t2 == mlstrustedobject )); - -+mlsconstrain { db_language } { getattr execute } -+ (( l1 dom l2 ) or -+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or -+ ( t1 == mlsdbread ) or -+ ( t2 == mlstrustedobject )); -+ - mlsconstrain { db_blob } { getattr read export } - (( l1 dom l2 ) or - (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or -@@ -781,6 +805,13 @@ mlsconstrain { db_database } { create dr - ( t1 == mlsdbwrite ) or - ( t2 == 
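Review bot: In the -755 hunk `next_value` is placed in the read-style constraint for db_sequence (`l1 dom l2` suffices), yet nextval() advances the sequence's stored counter, so a subject at a higher level can change — and thereby signal to readers of — a lower-level sequence; only `set_value` is held to the `l1 eq l2` write rule added in the -795 hunk. If this is deliberate (sequences treated as allocation counters rather than data), a comment on the rule saying so would keep the next reader from "fixing" it. Otherwise move the permission across: `mlsconstrain { db_sequence } { getattr get_value }` here and `mlsconstrain { db_sequence } { create drop setattr relabelfrom next_value set_value }` in the write block.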
mlstrustedobject )); - -+mlsconstrain { db_schema } { create drop setattr relabelfrom add_name remove_name } -+ (( l1 eq l2 ) or -+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or -+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or -+ ( t1 == mlsdbwrite ) or -+ ( t2 == mlstrustedobject )); -+ - mlsconstrain { db_table } { create drop setattr relabelfrom update insert delete } - (( l1 eq l2 ) or - (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or -@@ -795,6 +826,20 @@ mlsconstrain { db_column } { create drop - ( t1 == mlsdbwrite ) or - ( t2 == mlstrustedobject )); - -+mlsconstrain { db_sequence } { create drop setattr relabelfrom set_value } -+ (( l1 eq l2 ) or -+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or -+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or -+ ( t1 == mlsdbwrite ) or -+ ( t2 == mlstrustedobject )); -+ -+mlsconstrain { db_view } { create drop setattr relabelfrom } -+ (( l1 eq l2 ) or -+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or -+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or -+ ( t1 == mlsdbwrite ) or -+ ( t2 == mlstrustedobject )); -+ - mlsconstrain { db_procedure } { create drop setattr relabelfrom } - (( l1 eq l2 ) or - (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or -@@ -802,6 +847,13 @@ mlsconstrain { db_procedure } { create d - ( t1 == mlsdbwrite ) or - ( t2 == mlstrustedobject )); - -+mlsconstrain { db_language } { create drop setattr relabelfrom } -+ (( l1 eq l2 ) or -+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or -+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or -+ ( t1 == mlsdbwrite ) or -+ ( t2 == mlstrustedobject )); -+ - mlsconstrain { db_blob } { create drop setattr relabelfrom write import } - (( l1 eq l2 ) or - (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or -@@ -817,7 +869,7 @@ 
mlsconstrain { db_tuple } { relabelfrom - ( t2 == mlstrustedobject )); - - # the database upgrade/downgrade rule --mlsvalidatetrans { db_database db_table db_procedure db_column db_tuple db_blob } -+mlsvalidatetrans { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } - ((( l1 eq l2 ) or - (( t3 == mlsdbupgrade ) and ( l1 domby l2 )) or - (( t3 == mlsdbdowngrade ) and ( l1 dom l2 )) or -diff -rupN serefpolicy-3.7.19.old/policy/modules/kernel/kernel.if serefpolicy-3.7.19.new/policy/modules/kernel/kernel.if ---- serefpolicy-3.7.19.old/policy/modules/kernel/kernel.if 2011-01-18 12:23:50.000000000 +0900 -+++ serefpolicy-3.7.19.new/policy/modules/kernel/kernel.if 2011-01-18 12:42:15.000000000 +0900 -@@ -2842,16 +2842,24 @@ interface(`kernel_relabelfrom_unlabeled_ - gen_require(` - type unlabeled_t; - class db_database { setattr relabelfrom }; -+ class db_schema { setattr relabelfrom }; - class db_table { setattr relabelfrom }; -+ class db_sequence { setattr relabelfrom }; -+ class db_view { setattr relabelfrom }; - class db_procedure { setattr relabelfrom }; -+ class db_language { setattr relabelfrom }; - class db_column { setattr relabelfrom }; - class db_tuple { update relabelfrom }; - class db_blob { setattr relabelfrom }; - ') - - allow $1 unlabeled_t:db_database { setattr relabelfrom }; -+ allow $1 unlabeled_t:db_schema { setattr relabelfrom }; - allow $1 unlabeled_t:db_table { setattr relabelfrom }; -+ allow $1 unlabeled_t:db_sequence { setattr relabelfrom }; -+ allow $1 unlabeled_t:db_view { setattr relabelfrom }; - allow $1 unlabeled_t:db_procedure { setattr relabelfrom }; -+ allow $1 unlabeled_t:db_language { setattr relabelfrom }; - allow $1 unlabeled_t:db_column { setattr relabelfrom }; - allow $1 unlabeled_t:db_tuple { update relabelfrom }; - allow $1 unlabeled_t:db_blob { setattr relabelfrom }; -diff -rupN serefpolicy-3.7.19.old/policy/modules/kernel/kernel.te 
serefpolicy-3.7.19.new/policy/modules/kernel/kernel.te ---- serefpolicy-3.7.19.old/policy/modules/kernel/kernel.te 2011-01-18 12:23:50.000000000 +0900 -+++ serefpolicy-3.7.19.new/policy/modules/kernel/kernel.te 2011-01-18 12:42:48.000000000 +0900 -@@ -1,5 +1,5 @@ - --policy_module(kernel, 1.11.3) -+policy_module(kernel, 1.11.4) - - ######################################## - # -diff -rupN serefpolicy-3.7.19.old/policy/modules/services/postgresql.if serefpolicy-3.7.19.new/policy/modules/services/postgresql.if ---- serefpolicy-3.7.19.old/policy/modules/services/postgresql.if 2010-04-14 03:44:37.000000000 +0900 -+++ serefpolicy-3.7.19.new/policy/modules/services/postgresql.if 2011-01-18 12:42:15.000000000 +0900 -@@ -18,18 +18,24 @@ - interface(`postgresql_role',` - gen_require(` - class db_database all_db_database_perms; -+ class db_schema all_db_schema_perms; - class db_table all_db_table_perms; -+ class db_sequence all_db_sequence_perms; -+ class db_view all_db_view_perms; - class db_procedure all_db_procedure_perms; -+ class db_language all_db_language_perms; - class db_column all_db_column_perms; - class db_tuple all_db_tuple_perms; - class db_blob all_db_blob_perms; - - attribute sepgsql_client_type, sepgsql_database_type; -- attribute sepgsql_sysobj_table_type; -+ attribute sepgsql_schema_type, sepgsql_sysobj_table_type; - - type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t; - type user_sepgsql_blob_t, user_sepgsql_proc_exec_t; -+ type user_sepgsql_schema_t, user_sepgsql_seq_t; - type user_sepgsql_sysobj_t, user_sepgsql_table_t; -+ type user_sepgsql_view_t; - ') - - ######################################## -@@ -46,23 +52,36 @@ interface(`postgresql_role',` - # - - tunable_policy(`sepgsql_enable_users_ddl',` -+ allow $2 user_sepgsql_schema_t:db_schema { create drop setattr }; - allow $2 user_sepgsql_table_t:db_table { create drop setattr }; - allow $2 user_sepgsql_table_t:db_column { create drop setattr }; -- - allow $2 user_sepgsql_sysobj_t:db_tuple { 
update insert delete }; -+ allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value }; -+ allow $2 user_sepgsql_view_t:db_view { create drop setattr }; - allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; - ') - -+ allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name }; -+ type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; -+ - allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock }; - allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; - allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete }; -- type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t; -+ type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t; # deprecated -+ type_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t; - - allow $2 user_sepgsql_sysobj_t:db_tuple { use select }; - type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t; - -+ allow $2 user_sepgsql_seq_t:db_sequence { getattr get_value next_value }; -+ type_transition $2 sepgsql_schema_type:db_sequence user_sepgsql_seq_t; -+ -+ allow $2 user_sepgsql_view_t:db_view { getattr expand }; -+ type_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t; -+ - allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; -- type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t; -+ type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t; # deprecated -+ type_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t; - - allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; - type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t; -@@ -109,6 +128,24 @@ interface(`postgresql_database_object',` - - ######################################## - ## <summary> -+## Marks as a SE-PostgreSQL schema object type 
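Review bot: In postgresql_role `set_value` on user_sepgsql_seq_t is granted only inside the `sepgsql_enable_users_ddl` block, whereas the parallel rule this patch adds to postgresql_unpriv_client (the -362 hunk of the same file) grants `set_value` unconditionally together with getattr/get_value/next_value. setval() changes the sequence's value rather than its definition, so it is closer to DML than DDL, and the two interfaces should at least agree. Either lift it out here — `allow $2 user_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value };` — or gate it in both places, and add a one-line comment stating which rule was intended.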
-+## </summary> -+## <param name="type"> -+## <summary> -+## Type marked as a schema object type. -+## </summary> -+## </param> -+# -+interface(`postgresql_schema_object',` -+ gen_require(` -+ attribute sepgsql_schema_type; -+ ') -+ -+ typeattribute $1 sepgsql_schema_type; -+') -+ -+######################################## -+## <summary> - ## Marks as a SE-PostgreSQL table/column/tuple object type - ## </summary> - ## <param name="type"> -@@ -146,6 +183,42 @@ interface(`postgresql_system_table_objec - - ######################################## - ## <summary> -+## Marks as a SE-PostgreSQL sequence type -+## </summary> -+## <param name="type"> -+## <summary> -+## Type marked as a sequence type. -+## </summary> -+## </param> -+# -+interface(`postgresql_sequence_object',` -+ gen_require(` -+ attribute sepgsql_sequence_type; -+ ') -+ -+ typeattribute $1 sepgsql_sequence_type; -+') -+ -+######################################## -+## <summary> -+## Marks as a SE-PostgreSQL view object type -+## </summary> -+## <param name="type"> -+## <summary> -+## Type marked as a view object type. -+## </summary> -+## </param> -+# -+interface(`postgresql_view_object',` -+ gen_require(` -+ attribute sepgsql_view_type; -+ ') -+ -+ typeattribute $1 sepgsql_view_type; -+') -+ -+######################################## -+## <summary> - ## Marks as a SE-PostgreSQL procedure object type - ## </summary> - ## <param name="type"> -@@ -164,6 +237,24 @@ interface(`postgresql_procedure_object', - - ######################################## - ## <summary> -+## Marks as a SE-PostgreSQL procedural language object type -+## </summary> -+## <param name="type"> -+## <summary> -+## Type marked as a procedural language object type. 
-+## </summary> -+## </param> -+# -+interface(`postgresql_language_object',` -+ gen_require(` -+ attribute sepgsql_language_type; -+ ') -+ -+ typeattribute $1 sepgsql_language_type; -+') -+ -+######################################## -+## <summary> - ## Marks as a SE-PostgreSQL binary large object type - ## </summary> - ## <param name="type"> -@@ -332,18 +423,25 @@ interface(`postgresql_stream_connect',` - interface(`postgresql_unpriv_client',` - gen_require(` - class db_database all_db_database_perms; -+ class db_schema all_db_schema_perms; - class db_table all_db_table_perms; -+ class db_sequence all_db_sequence_perms; -+ class db_view all_db_view_perms; - class db_procedure all_db_procedure_perms; -+ class db_language all_db_language_perms; - class db_column all_db_column_perms; - class db_tuple all_db_tuple_perms; - class db_blob all_db_blob_perms; - - attribute sepgsql_client_type; -- attribute sepgsql_database_type, sepgsql_sysobj_table_type; -+ attribute sepgsql_database_type, sepgsql_schema_type; -+ attribute sepgsql_sysobj_table_type; - - type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t; - type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t; -+ type unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t; - type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t; -+ type unpriv_sepgsql_view_t; - ') - - ######################################## -@@ -362,22 +460,35 @@ interface(`postgresql_unpriv_client',` - allow $1 sepgsql_trusted_proc_t:process transition; - - tunable_policy(`sepgsql_enable_users_ddl',` -+ allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr }; - allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; - allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr }; - allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete }; -+ allow $1 unpriv_sepgsql_seq_t:db_sequence { create drop setattr }; -+ allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr }; - allow $1 
unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr }; - ') -+ allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name }; -+ type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; - - allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock }; - allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert }; - allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; -- type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t; -+ type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t; # deprecated -+ type_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t; -+ -+ allow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value }; -+ type_transition $1 sepgsql_schema_type:db_sequence unpriv_sepgsql_seq_t; -+ -+ allow $1 unpriv_sepgsql_view_t:db_view { getattr expand }; -+ type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t; - - allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select }; - type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; - - allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; -- type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t; -+ type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t; # deprecated -+ type_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t; - - allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; - type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t; -diff -rupN serefpolicy-3.7.19.old/policy/modules/services/postgresql.te serefpolicy-3.7.19.new/policy/modules/services/postgresql.te ---- serefpolicy-3.7.19.old/policy/modules/services/postgresql.te 2010-04-14 03:44:37.000000000 +0900 -+++ serefpolicy-3.7.19.new/policy/modules/services/postgresql.te 
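Review bot: The unconditional rule `allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name };` omits `search`, which postgresql_role grants on user_sepgsql_schema_t in the same patch and which access_vectors defines as the schema lookup permission. If SE-PostgreSQL checks db_schema:search when resolving a name inside a schema (the dir:search analogue), an unprivileged client could add objects to its own schema but never look them up again; I cannot confirm from the policy alone that lookups are checked against the schema label. Suggest `allow $1 unpriv_sepgsql_schema_t:db_schema { getattr search add_name remove_name };` so the two client interfaces match.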
2011-01-18 12:43:04.000000000 +0900 -@@ -1,5 +1,5 @@ - --policy_module(postgresql, 1.10.2) -+policy_module(postgresql, 1.10.3) - - gen_require(` - class db_database all_db_database_perms; -@@ -8,6 +8,10 @@ gen_require(` - class db_column all_db_column_perms; - class db_tuple all_db_tuple_perms; - class db_blob all_db_blob_perms; -+ class db_schema all_db_schema_perms; -+ class db_view all_db_view_perms; -+ class db_sequence all_db_sequence_perms; -+ class db_language all_db_language_perms; - ') - - ################################# -@@ -61,9 +65,13 @@ attribute sepgsql_unconfined_type; - - # database objects attribute - attribute sepgsql_database_type; -+attribute sepgsql_schema_type; - attribute sepgsql_table_type; - attribute sepgsql_sysobj_table_type; -+attribute sepgsql_sequence_type; -+attribute sepgsql_view_type; - attribute sepgsql_procedure_type; -+attribute sepgsql_language_type; - attribute sepgsql_blob_type; - attribute sepgsql_module_type; - -@@ -77,6 +85,12 @@ postgresql_database_object(sepgsql_db_t) - type sepgsql_fixed_table_t; - postgresql_table_object(sepgsql_fixed_table_t) - -+type sepgsql_lang_t; -+postgresql_language_object(sepgsql_lang_t) -+ -+type sepgsql_priv_lang_t; -+postgresql_language_object(sepgsql_priv_lang_t) -+ - type sepgsql_proc_exec_t; - typealias sepgsql_proc_exec_t alias sepgsql_proc_t; - postgresql_procedure_object(sepgsql_proc_exec_t) -@@ -87,12 +101,21 @@ postgresql_blob_object(sepgsql_ro_blob_t - type sepgsql_ro_table_t; - postgresql_table_object(sepgsql_ro_table_t) - -+type sepgsql_safe_lang_t; -+postgresql_language_object(sepgsql_safe_lang_t) -+ -+type sepgsql_schema_t; -+postgresql_schema_object(sepgsql_schema_t) -+ - type sepgsql_secret_blob_t; - postgresql_blob_object(sepgsql_secret_blob_t) - - type sepgsql_secret_table_t; - postgresql_table_object(sepgsql_secret_table_t) - -+type sepgsql_seq_t; -+postgresql_sequence_object(sepgsql_seq_t) -+ - type sepgsql_sysobj_t; - postgresql_system_table_object(sepgsql_sysobj_t) - 
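Review bot: `sepgsql_priv_lang_t` is declared and marked with postgresql_language_object in the -77 hunk, but nothing else in this patch references it — none of the three sepgsql_contexts files labels a language with it and no allow rule grants implement or execute on it — so nothing can be labelled with or use the type. Either it is a leftover and should be dropped, or the rules and contexts entry that were meant to go with it are missing. At minimum a comment above the declaration stating what is intended to carry this label would record the intent for whoever finishes it.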
-@@ -102,6 +125,9 @@ postgresql_table_object(sepgsql_table_t) - type sepgsql_trusted_proc_exec_t; - postgresql_procedure_object(sepgsql_trusted_proc_exec_t) - -+type sepgsql_view_t; -+postgresql_view_object(sepgsql_view_t) -+ - # Trusted Procedure Domain - type sepgsql_trusted_proc_t; - domain_type(sepgsql_trusted_proc_t) -@@ -115,12 +141,21 @@ postgresql_blob_object(unpriv_sepgsql_bl - type unpriv_sepgsql_proc_exec_t; - postgresql_procedure_object(unpriv_sepgsql_proc_exec_t) - -+type unpriv_sepgsql_schema_t; -+postgresql_schema_object(unpriv_sepgsql_schema_t); -+ -+type unpriv_sepgsql_seq_t; -+postgresql_sequence_object(unpriv_sepgsql_seq_t) -+ - type unpriv_sepgsql_sysobj_t; - postgresql_system_table_object(unpriv_sepgsql_sysobj_t) - - type unpriv_sepgsql_table_t; - postgresql_table_object(unpriv_sepgsql_table_t) - -+type unpriv_sepgsql_view_t; -+postgresql_view_object(unpriv_sepgsql_view_t) -+ - # Types for UBAC - type user_sepgsql_blob_t; - typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t }; -@@ -132,6 +167,16 @@ typealias user_sepgsql_proc_exec_t alias - typealias user_sepgsql_proc_exec_t alias { auditadm_sepgsql_proc_exec_t secadm_sepgsql_proc_exec_t }; - postgresql_procedure_object(user_sepgsql_proc_exec_t) - -+type user_sepgsql_schema_t; -+typealias user_sepgsql_schema_t alias { staff_sepgsql_schema_t sysadm_sepgsql_schema_t }; -+typealias user_sepgsql_schema_t alias { auditadm_sepgsql_schema_t secadm_sepgsql_schema_t }; -+postgresql_schema_object(user_sepgsql_schema_t) -+ -+type user_sepgsql_seq_t; -+typealias user_sepgsql_seq_t alias { staff_sepgsql_seq_t sysadm_sepgsql_seq_t }; -+typealias user_sepgsql_seq_t alias { auditadm_sepgsql_seq_t secadm_sepgsql_seq_t }; -+postgresql_sequence_object(user_sepgsql_seq_t) -+ - type user_sepgsql_sysobj_t; - typealias user_sepgsql_sysobj_t alias { staff_sepgsql_sysobj_t sysadm_sepgsql_sysobj_t }; - typealias user_sepgsql_sysobj_t alias { auditadm_sepgsql_sysobj_t secadm_sepgsql_sysobj_t 
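Review bot: `postgresql_schema_object(unpriv_sepgsql_schema_t);` in the -115 hunk carries a trailing semicolon that no other interface call in this file has (compare `postgresql_sequence_object(unpriv_sepgsql_seq_t)` two lines below). The call is an m4 macro, so the `;` is emitted into the generated .te after the macro's own `typeattribute ...;` statement; whether checkpolicy tolerates the stray token is not something the patch shows. Drop it for consistency: `postgresql_schema_object(unpriv_sepgsql_schema_t)`.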
}; -@@ -142,6 +187,11 @@ typealias user_sepgsql_table_t alias { s - typealias user_sepgsql_table_t alias { auditadm_sepgsql_table_t secadm_sepgsql_table_t }; - postgresql_table_object(user_sepgsql_table_t) - -+type user_sepgsql_view_t; -+typealias user_sepgsql_view_t alias { staff_sepgsql_view_t sysadm_sepgsql_view_t }; -+typealias user_sepgsql_view_t alias { auditadm_sepgsql_view_t secadm_sepgsql_view_t }; -+postgresql_view_object(user_sepgsql_view_t) -+ - ######################################## - # - # postgresql Local policy -@@ -166,9 +216,15 @@ allow postgresql_t sepgsql_module_type:d - # Database/Loadable module - allow sepgsql_database_type sepgsql_module_type:db_database load_module; - -+allow postgresql_t sepgsql_schema_type:db_schema *; -+ - allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *; - type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t; - -+allow postgresql_t sepgsql_sequence_type:db_sequence *; -+ -+allow postgresql_t sepgsql_view_type:db_view *; -+ - allow postgresql_t sepgsql_procedure_type:db_procedure *; - type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_exec_t; - -@@ -314,6 +370,8 @@ optional_policy(` - allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param }; - type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t; - -+allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search }; -+ - allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert lock }; - allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert }; - allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert }; -@@ -333,9 +391,22 @@ allow sepgsql_client_type sepgsql_sysobj - allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select }; - allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; - -+allow sepgsql_client_type 
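Review bot: In the -166 hunk the server's default-label rules stay keyed on the database — `type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t;` and the db_procedure rule below it are untouched — while the client and admin interfaces in this same patch add `sepgsql_schema_type` transitions and mark the database-keyed ones `# deprecated`. If the new SE-PostgreSQL derives a table's or procedure's default label from its enclosing schema, objects the server itself creates would fall through to whatever sepgsql_contexts yields instead of sepgsql_sysobj_t; I cannot confirm from here which parent the server uses. Adding `type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t;` and the matching `db_procedure sepgsql_proc_exec_t` rule would keep the server consistent with the interfaces either way.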
sepgsql_seq_t:db_sequence { getattr get_value next_value }; -+ -+allow sepgsql_client_type sepgsql_view_t:db_view { getattr expand }; -+ - allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr execute install }; - allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint }; - -+allow sepgsql_client_type sepgsql_lang_t:db_language { getattr }; -+allow sepgsql_client_type sepgsql_safe_lang_t:db_language { getattr execute }; -+ -+# Only DBA can implement SQL procedures using `unsafe' procedural languages. -+# The `unsafe' one provides a capability to access internal data structure, -+# so we don't allow user-defined function being implemented using `unsafe' one. -+allow sepgsql_proc_exec_t sepgsql_lang_t:db_language { implement }; -+allow sepgsql_procedure_type sepgsql_safe_lang_t:db_language { implement }; -+ - allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write }; - allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read }; - allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr; -@@ -354,6 +425,13 @@ allow sepgsql_client_type sepgsql_secret - dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete }; - - -+# Note that permission of creation/deletion are eventually controlled by -+# create or drop permission of individual objects within shared schemas. -+# So, it just allows to create/drop user specific types. 
-+tunable_policy(`sepgsql_enable_users_ddl',` -+ allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name }; -+') -+ - ######################################## - # - # Rules common to administrator clients -@@ -362,16 +440,33 @@ dontaudit { postgresql_t sepgsql_admin_t - allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access }; - type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t; - -+allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name }; -+type_transition sepgsql_admin_type sepgsql_database_type:db_schema sepgsql_schema_t; -+ - allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock }; - allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto }; - allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete }; - --type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t; -+type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t; # deprecated -+type_transition sepgsql_admin_type sepgsql_schema_type:db_table sepgsql_table_t; -+ -+allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value }; -+ -+type_transition sepgsql_admin_type sepgsql_schema_type:db_schema sepgsql_seq_t; -+ -+allow sepgsql_admin_type sepgsql_view_type:db_view { create drop getattr setattr relabelfrom relabelto expand }; -+ -+type_transition sepgsql_admin_type sepgsql_view_type:db_view sepgsql_view_t; - - allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto }; - allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute; - --type_transition sepgsql_admin_type 
sepgsql_database_type:db_procedure sepgsql_proc_exec_t; -+type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated -+type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t; -+ -+allow sepgsql_admin_type sepgsql_language_type:db_language { create drop getattr setattr relabelfrom relabelto execute }; -+ -+type_transition sepgsql_admin_type sepgsql_database_type:db_language sepgsql_lang_t; - - allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto }; - -@@ -384,12 +479,18 @@ kernel_relabelfrom_unlabeled_database(se - tunable_policy(`sepgsql_unconfined_dbadm',` - allow sepgsql_admin_type sepgsql_database_type:db_database *; - -+ allow sepgsql_admin_type sepgsql_schema_type:db_schema *; -+ - allow sepgsql_admin_type sepgsql_table_type:{ db_table db_column db_tuple } *; -+ allow sepgsql_admin_type sepgsql_sequence_type:db_sequence *; -+ allow sepgsql_admin_type sepgsql_view_type:db_view *; - - allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *; - allow sepgsql_admin_type sepgsql_trusted_proc_exec_t:db_procedure ~install; - allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install }; - -+ allow sepgsql_admin_type sepgsql_language_type:db_language ~implement; -+ - allow sepgsql_admin_type sepgsql_blob_type:db_blob *; - ') - -@@ -401,11 +502,21 @@ tunable_policy(`sepgsql_unconfined_dbadm - allow sepgsql_unconfined_type sepgsql_database_type:db_database *; - type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t; - --type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t; --type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; -+allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *; -+type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_schema_t; -+ -+type_transition 
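Review bot: In the administrator hunk (`@@ -362,16 +440,33 @@` of postgresql.te) the two new default-labelling rules for sequences and views name the wrong class and source: `type_transition sepgsql_admin_type sepgsql_schema_type:db_schema sepgsql_seq_t;` should read `type_transition sepgsql_admin_type sepgsql_schema_type:db_sequence sepgsql_seq_t;`, and `type_transition sepgsql_admin_type sepgsql_view_type:db_view sepgsql_view_t;` should read `type_transition sepgsql_admin_type sepgsql_schema_type:db_view sepgsql_view_t;`. The unconfined section of the same file spells both rules that way (`sepgsql_schema_type:db_sequence sepgsql_seq_t` / `sepgsql_schema_type:db_view sepgsql_view_t`), and the admin section's own table and procedure transitions are keyed on `sepgsql_schema_type`. As written, a sequence or view an administrator creates inside a schema presumably matches no transition and keeps whatever fallback label the server applies, so the `sepgsql_sequence_type`/`sepgsql_view_type` allow rules directly above are not reached the way they appear to be. The same section of the serefpolicy-3.9.12 attachment is outside this view; confirm the fix there too.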
sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t; # deprecated -+type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated -+type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table sepgsql_table_t; -+type_transition sepgsql_unconfined_type sepgsql_schema_type:db_sequence sepgsql_seq_t; -+type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view sepgsql_view_t; -+type_transition sepgsql_unconfined_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t; -+type_transition sepgsql_unconfined_type sepgsql_database_type:db_language sepgsql_lang_t; - type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t; - - allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *; -+allow sepgsql_unconfined_type sepgsql_sequence_type:db_sequence *; -+allow sepgsql_unconfined_type sepgsql_view_type:db_view *; - - # unconfined domain is not allowed to invoke user defined procedure directly. - # They have to confirm and relabel it at first. 
-@@ -413,6 +524,8 @@ allow sepgsql_unconfined_type sepgsql_pr - allow sepgsql_unconfined_type sepgsql_trusted_proc_exec_t:db_procedure ~install; - allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ execute install }; - -+allow sepgsql_unconfined_type sepgsql_language_type:db_language ~implement; -+ - allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; - - allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; -diff -rupN serefpolicy-3.7.19.old/support/selinux-policy-refpolicy.spec serefpolicy-3.7.19.new/support/selinux-policy-refpolicy.spec ---- serefpolicy-3.7.19.old/support/selinux-policy-refpolicy.spec 2010-04-14 03:44:37.000000000 +0900 -+++ serefpolicy-3.7.19.new/support/selinux-policy-refpolicy.spec 2011-01-18 12:35:31.000000000 +0900 -@@ -74,6 +74,7 @@ make NAME=%{polname2} TYPE=%{type2} DIST - %config(noreplace) %{_sysconfdir}/selinux/*/contexts/initrc_context - %config(noreplace) %{_sysconfdir}/selinux/*/contexts/removable_context - %config(noreplace) %{_sysconfdir}/selinux/*/contexts/userhelper_context -+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/sepgsql_contexts - %config(noreplace) %{_sysconfdir}/selinux/*/contexts/x_contexts - %dir %{_sysconfdir}/selinux/*/contexts/files - #%ghost %config %{_sysconfdir}/selinux/*/contexts/files/file_contexts -@@ -118,6 +119,7 @@ SELinux Reference policy targeted base m - %config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/initrc_context - %config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/removable_context - %config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/userhelper_context -+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/sepgsql_contexts - %config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/x_contexts - %dir %{_sysconfdir}/selinux/%{polname1}/contexts/files - #%ghost %config %{_sysconfdir}/selinux/%{polname1}/contexts/files/file_contexts -@@ -164,6 +166,7 @@ SELinux Reference policy strict base 
mod - %config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/initrc_context - %config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/removable_context - %config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/userhelper_context -+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/sepgsql_contexts - %config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/x_contexts - %dir %{_sysconfdir}/selinux/%{polname2}/contexts/files - #%ghost %config %{_sysconfdir}/selinux/%{polname2}/contexts/files/file_contexts diff --git a/a/2.hdr b/a/2.hdr deleted file mode 100644 index ddac87f..0000000 --- a/a/2.hdr +++ /dev/null @@ -1,5 +0,0 @@ -Content-Type: application/octect-stream; - name="selinux-policy-sepgsql.rhel6.patch" -Content-Transfer-Encoding: base64 -Content-Disposition: attachment; - filename="selinux-policy-sepgsql.rhel6.patch" diff --git a/a/3.bin b/a/3.bin deleted file mode 100644 index cd5a94b..0000000 --- a/a/3.bin +++ /dev/null 
@@ -1,937 +0,0 @@ -diff -rpuN serefpolicy-3.9.12.old/config/appconfig-mcs/sepgsql_contexts serefpolicy-3.9.12.new/config/appconfig-mcs/sepgsql_contexts ---- serefpolicy-3.9.12.old/config/appconfig-mcs/sepgsql_contexts 1970-01-01 09:00:00.000000000 +0900 -+++ serefpolicy-3.9.12.new/config/appconfig-mcs/sepgsql_contexts 2011-01-18 12:56:32.000000000 +0900 -@@ -0,0 +1,40 @@ -+# -+# Initial security label for SE-PostgreSQL (MCS) -+# -+ -+# <databases> -+db_database * system_u:object_r:sepgsql_db_t:s0 -+ -+# <schemas> -+db_schema *.* system_u:object_r:sepgsql_schema_t:s0 -+ -+# <tables> -+db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0 -+db_table *.*.* system_u:object_r:sepgsql_table_t:s0 -+ -+# <column> -+db_column *.pg_catalog.*.* system_u:object_r:sepgsql_sysobj_t:s0 -+db_column *.*.*.* system_u:object_r:sepgsql_table_t:s0 -+ -+# <sequences> -+db_sequence *.*.* system_u:object_r:sepgsql_seq_t:s0 -+ -+# <views> -+db_view *.*.* system_u:object_r:sepgsql_view_t:s0 -+ -+# <procedures> -+db_procedure *.*.* system_u:object_r:sepgsql_proc_exec_t:s0 -+ -+# <tuples> -+db_tuple *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0 -+db_tuple *.*.* system_u:object_r:sepgsql_table_t:s0 -+ -+# <blobs> -+db_blobs *.* system_u:object_r:sepgsql_blob_t:s0 -+ -+# <language> -+db_language *.sql system_u:object_r:sepgsql_safe_lang_t:s0 -+db_language *.plpgsql system_u:object_r:sepgsql_safe_lang_t:s0 -+db_language *.pltcl system_u:object_r:sepgsql_safe_lang_t:s0 -+db_language *.plperl system_u:object_r:sepgsql_safe_lang_t:s0 -+db_language *.* system_u:object_r:sepgsql_lang_t:s0 -diff -rpuN serefpolicy-3.9.12.old/config/appconfig-mls/sepgsql_contexts serefpolicy-3.9.12.new/config/appconfig-mls/sepgsql_contexts ---- serefpolicy-3.9.12.old/config/appconfig-mls/sepgsql_contexts 1970-01-01 09:00:00.000000000 +0900 -+++ serefpolicy-3.9.12.new/config/appconfig-mls/sepgsql_contexts 2011-01-18 12:56:32.000000000 +0900 -@@ -0,0 +1,40 @@ -+# -+# Initial security label for SE-PostgreSQL 
(MLS) -+# -+ -+# <databases> -+db_database * system_u:object_r:sepgsql_db_t:s0 -+ -+# <schemas> -+db_schema *.* system_u:object_r:sepgsql_schema_t:s0 -+ -+# <tables> -+db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0 -+db_table *.*.* system_u:object_r:sepgsql_table_t:s0 -+ -+# <column> -+db_column *.pg_catalog.*.* system_u:object_r:sepgsql_sysobj_t:s0 -+db_column *.*.*.* system_u:object_r:sepgsql_table_t:s0 -+ -+# <sequences> -+db_sequence *.*.* system_u:object_r:sepgsql_seq_t:s0 -+ -+# <views> -+db_view *.*.* system_u:object_r:sepgsql_view_t:s0 -+ -+# <procedures> -+db_procedure *.*.* system_u:object_r:sepgsql_proc_exec_t:s0 -+ -+# <tuples> -+db_tuple *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t:s0 -+db_tuple *.*.* system_u:object_r:sepgsql_table_t:s0 -+ -+# <blobs> -+db_blobs *.* system_u:object_r:sepgsql_blob_t:s0 -+ -+# <language> -+db_language *.sql system_u:object_r:sepgsql_safe_lang_t:s0 -+db_language *.plpgsql system_u:object_r:sepgsql_safe_lang_t:s0 -+db_language *.pltcl system_u:object_r:sepgsql_safe_lang_t:s0 -+db_language *.plperl system_u:object_r:sepgsql_safe_lang_t:s0 -+db_language *.* system_u:object_r:sepgsql_lang_t:s0 -diff -rpuN serefpolicy-3.9.12.old/config/appconfig-standard/sepgsql_contexts serefpolicy-3.9.12.new/config/appconfig-standard/sepgsql_contexts ---- serefpolicy-3.9.12.old/config/appconfig-standard/sepgsql_contexts 1970-01-01 09:00:00.000000000 +0900 -+++ serefpolicy-3.9.12.new/config/appconfig-standard/sepgsql_contexts 2011-01-18 12:56:32.000000000 +0900 -@@ -0,0 +1,40 @@ -+# -+# Initial security label for SE-PostgreSQL (none-MLS) -+# -+ -+# <databases> -+db_database * system_u:object_r:sepgsql_db_t -+ -+# <schemas> -+db_schema *.* system_u:object_r:sepgsql_schema_t -+ -+# <tables> -+db_table *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t -+db_table *.*.* system_u:object_r:sepgsql_table_t -+ -+# <column> -+db_column *.pg_catalog.*.* system_u:object_r:sepgsql_sysobj_t -+db_column *.*.*.* 
system_u:object_r:sepgsql_table_t -+ -+# <sequences> -+db_sequence *.*.* system_u:object_r:sepgsql_seq_t -+ -+# <views> -+db_view *.*.* system_u:object_r:sepgsql_view_t -+ -+# <procedures> -+db_procedure *.*.* system_u:object_r:sepgsql_proc_exec_t -+ -+# <tuples> -+db_tuple *.pg_catalog.* system_u:object_r:sepgsql_sysobj_t -+db_tuple *.*.* system_u:object_r:sepgsql_table_t -+ -+# <blobs> -+db_blobs *.* system_u:object_r:sepgsql_blob_t -+ -+# <language> -+db_language *.sql system_u:object_r:sepgsql_safe_lang_t -+db_language *.plpgsql system_u:object_r:sepgsql_safe_lang_t -+db_language *.pltcl system_u:object_r:sepgsql_safe_lang_t -+db_language *.plperl system_u:object_r:sepgsql_safe_lang_t -+db_language *.* system_u:object_r:sepgsql_lang_t -diff -rpuN serefpolicy-3.9.12.old/Makefile serefpolicy-3.9.12.new/Makefile ---- serefpolicy-3.9.12.old/Makefile 2011-01-18 12:54:14.000000000 +0900 -+++ serefpolicy-3.9.12.new/Makefile 2011-01-18 12:56:32.000000000 +0900 -@@ -248,7 +248,7 @@ seusers := $(appconf)/seusers - appdir := $(contextpath) - user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts) - user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts)))) --appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names) -+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names) - net_contexts := $(builddir)net_contexts - - all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d) 
-diff -rpuN serefpolicy-3.9.12.old/policy/flask/access_vectors serefpolicy-3.9.12.new/policy/flask/access_vectors ---- serefpolicy-3.9.12.old/policy/flask/access_vectors 2011-01-18 12:54:14.000000000 +0900 -+++ serefpolicy-3.9.12.new/policy/flask/access_vectors 2011-01-18 12:56:32.000000000 +0900 -@@ -831,3 +831,32 @@ inherits x_device - - class x_keyboard - inherits x_device -+ -+class db_schema -+inherits database -+{ -+ search -+ add_name -+ remove_name -+} -+ -+class db_view -+inherits database -+{ -+ expand -+} -+ -+class db_sequence -+inherits database -+{ -+ get_value -+ next_value -+ set_value -+} -+ -+class db_language -+inherits database -+{ -+ implement -+ execute -+} -diff -rpuN serefpolicy-3.9.12.old/policy/flask/security_classes serefpolicy-3.9.12.new/policy/flask/security_classes ---- serefpolicy-3.9.12.old/policy/flask/security_classes 2010-12-21 02:06:00.000000000 +0900 -+++ serefpolicy-3.9.12.new/policy/flask/security_classes 2011-01-18 12:56:32.000000000 +0900 -@@ -125,4 +125,10 @@ class tun_socket - class x_pointer # userspace - class x_keyboard # userspace - -+# More Database stuff -+class db_schema # userspace -+class db_view # userspace -+class db_sequence # userspace -+class db_language # userspace -+ - # FLASK -diff -rpuN serefpolicy-3.9.12.old/policy/mcs serefpolicy-3.9.12.new/policy/mcs ---- serefpolicy-3.9.12.old/policy/mcs 2011-01-18 12:54:14.000000000 +0900 -+++ serefpolicy-3.9.12.new/policy/mcs 2011-01-18 12:56:32.000000000 +0900 -@@ -110,7 +110,7 @@ mlsconstrain process { signal } - - # Any database object must be dominated by the relabeling subject - # clearance, also the objects are single-level. 
--mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto } -+mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto } - (( h1 dom h2 ) and ( l2 eq h2 )); - - mlsconstrain { db_tuple } { insert relabelto } -@@ -120,6 +120,9 @@ mlsconstrain { db_tuple } { insert relab - mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param } - ( h1 dom h2 ); - -+mlsconstrain db_language { drop getattr setattr relabelfrom execute } -+ ( h1 dom h2 ); -+ - mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock } - ( h1 dom h2 ); - -@@ -129,7 +132,16 @@ mlsconstrain db_column { drop getattr se - mlsconstrain db_tuple { relabelfrom select update delete use } - ( h1 dom h2 ); - --mlsconstrain db_procedure { drop getattr setattr execute install } -+mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value next_value set_value } -+ ( h1 dom h2 ); -+ -+mlsconstrain db_view { drop getattr setattr relabelfrom expand } -+ ( h1 dom h2 ); -+ -+mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install } -+ ( h1 dom h2 ); -+ -+mlsconstrain db_language { drop getattr setattr relabelfrom execute } - ( h1 dom h2 ); - - mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export } -diff -rpuN serefpolicy-3.9.12.old/policy/mls serefpolicy-3.9.12.new/policy/mls ---- serefpolicy-3.9.12.old/policy/mls 2010-12-21 02:06:02.000000000 +0900 -+++ serefpolicy-3.9.12.new/policy/mls 2011-01-18 12:56:32.000000000 +0900 -@@ -727,13 +727,13 @@ mlsconstrain context contains - # - - # make sure these database classes are "single level" --mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto } -+mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto } - ( l2 
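Review bot: `mlsconstrain db_language { drop getattr setattr relabelfrom execute } ( h1 dom h2 );` is added to policy/mcs twice: once in the `@@ -120,6 +120,9 @@` hunk after the db_database constraint and again in the `@@ -129,7 +132,16 @@` hunk after the new db_procedure constraint. Constraints on the same class and permissions are conjoined, so the duplicate does not change what is enforced today, but when the language permission set is later edited only one copy is likely to be updated and the stale one keeps enforcing the old set. Drop one of the two; keeping the second keeps the db_* constraints in the same order as the class list at the top of the file.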
eq h2 ); - mlsconstrain { db_tuple } { insert relabelto } - ( l2 eq h2 ); - - # new database labels must be dominated by the relabeling subjects clearance --mlsconstrain { db_database db_table db_procedure db_column db_tuple db_blob } { relabelto } -+mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto } - ( h1 dom h2 ); - - # the database "read" ops (note the check is dominance of the low level) -@@ -743,6 +743,12 @@ mlsconstrain { db_database } { getattr a - ( t1 == mlsdbread ) or - ( t2 == mlstrustedobject )); - -+mlsconstrain { db_schema } { getattr search } -+ (( l1 dom l2 ) or -+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or -+ ( t1 == mlsdbread ) or -+ ( t2 == mlstrustedobject )); -+ - mlsconstrain { db_table } { getattr use select lock } - (( l1 dom l2 ) or - (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or -@@ -755,12 +761,30 @@ mlsconstrain { db_column } { getattr use - ( t1 == mlsdbread ) or - ( t2 == mlstrustedobject )); - -+mlsconstrain { db_sequence } { getattr get_value next_value } -+ (( l1 dom l2 ) or -+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or -+ ( t1 == mlsdbread ) or -+ ( t2 == mlstrustedobject )); -+ -+mlsconstrain { db_view } { getattr expand } -+ (( l1 dom l2 ) or -+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or -+ ( t1 == mlsdbread ) or -+ ( t2 == mlstrustedobject )); -+ - mlsconstrain { db_procedure } { getattr execute install } - (( l1 dom l2 ) or - (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or - ( t1 == mlsdbread ) or - ( t2 == mlstrustedobject )); - -+mlsconstrain { db_language } { getattr execute } -+ (( l1 dom l2 ) or -+ (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or -+ ( t1 == mlsdbread ) or -+ ( t2 == mlstrustedobject )); -+ - mlsconstrain { db_blob } { getattr read export } - (( l1 dom l2 ) or - (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or -@@ -781,6 +805,13 @@ mlsconstrain { db_database } { create dr - ( t1 == mlsdbwrite ) or - ( t2 == 
mlstrustedobject )); - -+mlsconstrain { db_schema } { create drop setattr relabelfrom add_name remove_name } -+ (( l1 eq l2 ) or -+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or -+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or -+ ( t1 == mlsdbwrite ) or -+ ( t2 == mlstrustedobject )); -+ - mlsconstrain { db_table } { create drop setattr relabelfrom update insert delete } - (( l1 eq l2 ) or - (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or -@@ -795,6 +826,20 @@ mlsconstrain { db_column } { create drop - ( t1 == mlsdbwrite ) or - ( t2 == mlstrustedobject )); - -+mlsconstrain { db_sequence } { create drop setattr relabelfrom set_value } -+ (( l1 eq l2 ) or -+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or -+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or -+ ( t1 == mlsdbwrite ) or -+ ( t2 == mlstrustedobject )); -+ -+mlsconstrain { db_view } { create drop setattr relabelfrom } -+ (( l1 eq l2 ) or -+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or -+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or -+ ( t1 == mlsdbwrite ) or -+ ( t2 == mlstrustedobject )); -+ - mlsconstrain { db_procedure } { create drop setattr relabelfrom } - (( l1 eq l2 ) or - (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or -@@ -802,6 +847,13 @@ mlsconstrain { db_procedure } { create d - ( t1 == mlsdbwrite ) or - ( t2 == mlstrustedobject )); - -+mlsconstrain { db_language } { create drop setattr relabelfrom } -+ (( l1 eq l2 ) or -+ (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or -+ (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or -+ ( t1 == mlsdbwrite ) or -+ ( t2 == mlstrustedobject )); -+ - mlsconstrain { db_blob } { create drop setattr relabelfrom write import } - (( l1 eq l2 ) or - (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or -@@ -817,7 +869,7 @@ 
mlsconstrain { db_tuple } { relabelfrom - ( t2 == mlstrustedobject )); - - # the database upgrade/downgrade rule --mlsvalidatetrans { db_database db_table db_procedure db_column db_tuple db_blob } -+mlsvalidatetrans { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } - ((( l1 eq l2 ) or - (( t3 == mlsdbupgrade ) and ( l1 domby l2 )) or - (( t3 == mlsdbdowngrade ) and ( l1 dom l2 )) or -diff -rpuN serefpolicy-3.9.12.old/policy/modules/kernel/kernel.if serefpolicy-3.9.12.new/policy/modules/kernel/kernel.if ---- serefpolicy-3.9.12.old/policy/modules/kernel/kernel.if 2011-01-18 12:54:14.000000000 +0900 -+++ serefpolicy-3.9.12.new/policy/modules/kernel/kernel.if 2011-01-18 12:56:32.000000000 +0900 -@@ -2903,16 +2903,24 @@ interface(`kernel_relabelfrom_unlabeled_ - gen_require(` - type unlabeled_t; - class db_database { setattr relabelfrom }; -+ class db_schema { setattr relabelfrom }; - class db_table { setattr relabelfrom }; -+ class db_sequence { setattr relabelfrom }; -+ class db_view { setattr relabelfrom }; - class db_procedure { setattr relabelfrom }; -+ class db_language { setattr relabelfrom }; - class db_column { setattr relabelfrom }; - class db_tuple { update relabelfrom }; - class db_blob { setattr relabelfrom }; - ') - - allow $1 unlabeled_t:db_database { setattr relabelfrom }; -+ allow $1 unlabeled_t:db_schema { setattr relabelfrom }; - allow $1 unlabeled_t:db_table { setattr relabelfrom }; -+ allow $1 unlabeled_t:db_sequence { setattr relabelfrom }; -+ allow $1 unlabeled_t:db_view { setattr relabelfrom }; - allow $1 unlabeled_t:db_procedure { setattr relabelfrom }; -+ allow $1 unlabeled_t:db_language { setattr relabelfrom }; - allow $1 unlabeled_t:db_column { setattr relabelfrom }; - allow $1 unlabeled_t:db_tuple { update relabelfrom }; - allow $1 unlabeled_t:db_blob { setattr relabelfrom }; -diff -rpuN serefpolicy-3.9.12.old/policy/modules/kernel/kernel.te 
serefpolicy-3.9.12.new/policy/modules/kernel/kernel.te ---- serefpolicy-3.9.12.old/policy/modules/kernel/kernel.te 2011-01-18 12:54:14.000000000 +0900 -+++ serefpolicy-3.9.12.new/policy/modules/kernel/kernel.te 2011-01-18 12:56:52.000000000 +0900 -@@ -1,4 +1,4 @@ --policy_module(kernel, 1.13.0) -+policy_module(kernel, 1.13.1) - - ######################################## - # -diff -rpuN serefpolicy-3.9.12.old/policy/modules/services/postgresql.if serefpolicy-3.9.12.new/policy/modules/services/postgresql.if ---- serefpolicy-3.9.12.old/policy/modules/services/postgresql.if 2011-01-18 12:54:14.000000000 +0900 -+++ serefpolicy-3.9.12.new/policy/modules/services/postgresql.if 2011-01-18 13:05:11.000000000 +0900 -@@ -18,18 +18,24 @@ - interface(`postgresql_role',` - gen_require(` - class db_database all_db_database_perms; -+ class db_schema all_db_schema_perms; - class db_table all_db_table_perms; -+ class db_sequence all_db_sequence_perms; -+ class db_view all_db_view_perms; - class db_procedure all_db_procedure_perms; -+ class db_language all_db_language_perms; - class db_column all_db_column_perms; - class db_tuple all_db_tuple_perms; - class db_blob all_db_blob_perms; - - attribute sepgsql_client_type, sepgsql_database_type; -- attribute sepgsql_sysobj_table_type; -+ attribute sepgsql_schema_type, sepgsql_sysobj_table_type; - - type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t; - type user_sepgsql_blob_t, user_sepgsql_proc_exec_t; -+ type user_sepgsql_schema_t, user_sepgsql_seq_t; - type user_sepgsql_sysobj_t, user_sepgsql_table_t; -+ type user_sepgsql_view_t; - ') - - ######################################## -@@ -44,17 +50,27 @@ interface(`postgresql_role',` - # - # Client local policy - # -+ allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name }; -+ type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; - - allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock }; - allow $2 
user_sepgsql_table_t:db_column { getattr use select update insert }; - allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete }; -- type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t; -+ type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t; # deprecated -+ type_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t; - - allow $2 user_sepgsql_sysobj_t:db_tuple { use select }; - type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t; - -+ allow $2 user_sepgsql_seq_t:db_sequence { getattr get_value next_value }; -+ type_transition $2 sepgsql_schema_type:db_sequence user_sepgsql_seq_t; -+ -+ allow $2 user_sepgsql_view_t:db_view { getattr expand }; -+ type_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t; -+ - allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; -- type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t; -+ type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t; # deprecated -+ type_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t; - - allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; - type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t; -@@ -63,10 +79,12 @@ interface(`postgresql_role',` - type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; - - tunable_policy(`sepgsql_enable_users_ddl',` -+ allow $2 user_sepgsql_schema_t:db_schema { create drop setattr }; - allow $2 user_sepgsql_table_t:db_table { create drop setattr }; - allow $2 user_sepgsql_table_t:db_column { create drop setattr }; -- - allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete }; -+ allow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value }; -+ allow $2 user_sepgsql_view_t:db_view { create drop setattr }; - allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr }; - ') - ') -@@ 
-109,6 +127,24 @@ interface(`postgresql_database_object',` - - ######################################## - ## <summary> -+## Marks as a SE-PostgreSQL schema object type -+## </summary> -+## <param name="type"> -+## <summary> -+## Type marked as a schema object type. -+## </summary> -+## </param> -+# -+interface(`postgresql_schema_object',` -+ gen_require(` -+ attribute sepgsql_schema_type; -+ ') -+ -+ typeattribute $1 sepgsql_schema_type; -+') -+ -+######################################## -+## <summary> - ## Marks as a SE-PostgreSQL table/column/tuple object type - ## </summary> - ## <param name="type"> -@@ -146,6 +182,42 @@ interface(`postgresql_system_table_objec - - ######################################## - ## <summary> -+## Marks as a SE-PostgreSQL sequence type -+## </summary> -+## <param name="type"> -+## <summary> -+## Type marked as a sequence type. -+## </summary> -+## </param> -+# -+interface(`postgresql_sequence_object',` -+ gen_require(` -+ attribute sepgsql_sequence_type; -+ ') -+ -+ typeattribute $1 sepgsql_sequence_type; -+') -+ -+######################################## -+## <summary> -+## Marks as a SE-PostgreSQL view object type -+## </summary> -+## <param name="type"> -+## <summary> -+## Type marked as a view object type. -+## </summary> -+## </param> -+# -+interface(`postgresql_view_object',` -+ gen_require(` -+ attribute sepgsql_view_type; -+ ') -+ -+ typeattribute $1 sepgsql_view_type; -+') -+ -+######################################## -+## <summary> - ## Marks as a SE-PostgreSQL procedure object type - ## </summary> - ## <param name="type"> -@@ -164,6 +236,24 @@ interface(`postgresql_procedure_object', - - ######################################## - ## <summary> -+## Marks as a SE-PostgreSQL procedural language object type -+## </summary> -+## <param name="type"> -+## <summary> -+## Type marked as a procedural language object type. 
-+## </summary> -+## </param> -+# -+interface(`postgresql_language_object',` -+ gen_require(` -+ attribute sepgsql_language_type; -+ ') -+ -+ typeattribute $1 sepgsql_language_type; -+') -+ -+######################################## -+## <summary> - ## Marks as a SE-PostgreSQL binary large object type - ## </summary> - ## <param name="type"> -@@ -330,18 +420,25 @@ interface(`postgresql_stream_connect',` - interface(`postgresql_unpriv_client',` - gen_require(` - class db_database all_db_database_perms; -+ class db_schema all_db_schema_perms; - class db_table all_db_table_perms; -+ class db_sequence all_db_sequence_perms; -+ class db_view all_db_view_perms; - class db_procedure all_db_procedure_perms; -+ class db_language all_db_language_perms; - class db_column all_db_column_perms; - class db_tuple all_db_tuple_perms; - class db_blob all_db_blob_perms; - - attribute sepgsql_client_type; -- attribute sepgsql_database_type, sepgsql_sysobj_table_type; -+ attribute sepgsql_database_type, sepgsql_schema_type; -+ attribute sepgsql_sysobj_table_type; - - type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t; - type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t; -+ type unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t; - type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t; -+ type unpriv_sepgsql_view_t; - ') - - ######################################## -@@ -355,28 +452,41 @@ interface(`postgresql_unpriv_client',` - # - # Client local policy - # -- - type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; - allow $1 sepgsql_trusted_proc_t:process transition; - -+ allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name }; -+ type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; -+ - allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock }; - allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert }; - allow $1 unpriv_sepgsql_table_t:db_tuple { use select 
update insert delete }; -- type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t; -+ type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t; # deprecated -+ type_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t; -+ -+ allow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value }; -+ type_transition $1 sepgsql_schema_type:db_sequence unpriv_sepgsql_seq_t; -+ -+ allow $1 unpriv_sepgsql_view_t:db_view { getattr expand }; -+ type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t; - - allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select }; - type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; - - allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; -- type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t; -+ type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t; # deprecated -+ type_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t; - - allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; - type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t; - - tunable_policy(`sepgsql_enable_users_ddl',` -+ allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr }; - allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; - allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr }; - allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete }; -+ allow $1 unpriv_sepgsql_seq_t:db_sequence { create drop setattr }; -+ allow $1 unpriv_sepgsql_view_t:db_view { create drop setattr }; - allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr }; - ') - ') -diff -rpuN serefpolicy-3.9.12.old/policy/modules/services/postgresql.te serefpolicy-3.9.12.new/policy/modules/services/postgresql.te ---- serefpolicy-3.9.12.old/policy/modules/services/postgresql.te 2011-01-18 
12:54:14.000000000 +0900 -+++ serefpolicy-3.9.12.new/policy/modules/services/postgresql.te 2011-01-18 13:05:39.000000000 +0900 -@@ -1,4 +1,4 @@ --policy_module(postgresql, 1.12.0) -+policy_module(postgresql, 1.12.1) - - gen_require(` - class db_database all_db_database_perms; -@@ -7,6 +7,10 @@ gen_require(` - class db_column all_db_column_perms; - class db_tuple all_db_tuple_perms; - class db_blob all_db_blob_perms; -+ class db_schema all_db_schema_perms; -+ class db_view all_db_view_perms; -+ class db_sequence all_db_sequence_perms; -+ class db_language all_db_language_perms; - ') - - ################################# -@@ -60,9 +64,13 @@ attribute sepgsql_unconfined_type; - - # database objects attribute - attribute sepgsql_database_type; -+attribute sepgsql_schema_type; - attribute sepgsql_table_type; - attribute sepgsql_sysobj_table_type; -+attribute sepgsql_sequence_type; -+attribute sepgsql_view_type; - attribute sepgsql_procedure_type; -+attribute sepgsql_language_type; - attribute sepgsql_blob_type; - attribute sepgsql_module_type; - -@@ -76,6 +84,12 @@ postgresql_database_object(sepgsql_db_t) - type sepgsql_fixed_table_t; - postgresql_table_object(sepgsql_fixed_table_t) - -+type sepgsql_lang_t; -+postgresql_language_object(sepgsql_lang_t) -+ -+type sepgsql_priv_lang_t; -+postgresql_language_object(sepgsql_priv_lang_t) -+ - type sepgsql_proc_exec_t; - typealias sepgsql_proc_exec_t alias sepgsql_proc_t; - postgresql_procedure_object(sepgsql_proc_exec_t) -@@ -86,12 +100,21 @@ postgresql_blob_object(sepgsql_ro_blob_t - type sepgsql_ro_table_t; - postgresql_table_object(sepgsql_ro_table_t) - -+type sepgsql_safe_lang_t; -+postgresql_language_object(sepgsql_safe_lang_t) -+ -+type sepgsql_schema_t; -+postgresql_schema_object(sepgsql_schema_t) -+ - type sepgsql_secret_blob_t; - postgresql_blob_object(sepgsql_secret_blob_t) - - type sepgsql_secret_table_t; - postgresql_table_object(sepgsql_secret_table_t) - -+type sepgsql_seq_t; 
-+postgresql_sequence_object(sepgsql_seq_t) -+ - type sepgsql_sysobj_t; - postgresql_system_table_object(sepgsql_sysobj_t) - -@@ -101,6 +124,9 @@ postgresql_table_object(sepgsql_table_t) - type sepgsql_trusted_proc_exec_t; - postgresql_procedure_object(sepgsql_trusted_proc_exec_t) - -+type sepgsql_view_t; -+postgresql_view_object(sepgsql_view_t) -+ - # Trusted Procedure Domain - type sepgsql_trusted_proc_t; - domain_type(sepgsql_trusted_proc_t) -@@ -114,12 +140,21 @@ postgresql_blob_object(unpriv_sepgsql_bl - type unpriv_sepgsql_proc_exec_t; - postgresql_procedure_object(unpriv_sepgsql_proc_exec_t) - -+type unpriv_sepgsql_schema_t; -+postgresql_schema_object(unpriv_sepgsql_schema_t); -+ -+type unpriv_sepgsql_seq_t; -+postgresql_sequence_object(unpriv_sepgsql_seq_t) -+ - type unpriv_sepgsql_sysobj_t; - postgresql_system_table_object(unpriv_sepgsql_sysobj_t) - - type unpriv_sepgsql_table_t; - postgresql_table_object(unpriv_sepgsql_table_t) - -+type unpriv_sepgsql_view_t; -+postgresql_view_object(unpriv_sepgsql_view_t) -+ - # Types for UBAC - type user_sepgsql_blob_t; - typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t }; -@@ -131,6 +166,16 @@ typealias user_sepgsql_proc_exec_t alias - typealias user_sepgsql_proc_exec_t alias { auditadm_sepgsql_proc_exec_t secadm_sepgsql_proc_exec_t }; - postgresql_procedure_object(user_sepgsql_proc_exec_t) - -+type user_sepgsql_schema_t; -+typealias user_sepgsql_schema_t alias { staff_sepgsql_schema_t sysadm_sepgsql_schema_t }; -+typealias user_sepgsql_schema_t alias { auditadm_sepgsql_schema_t secadm_sepgsql_schema_t }; -+postgresql_schema_object(user_sepgsql_schema_t) -+ -+type user_sepgsql_seq_t; -+typealias user_sepgsql_seq_t alias { staff_sepgsql_seq_t sysadm_sepgsql_seq_t }; -+typealias user_sepgsql_seq_t alias { auditadm_sepgsql_seq_t secadm_sepgsql_seq_t }; -+postgresql_sequence_object(user_sepgsql_seq_t) -+ - type user_sepgsql_sysobj_t; - typealias user_sepgsql_sysobj_t alias { 
staff_sepgsql_sysobj_t sysadm_sepgsql_sysobj_t }; - typealias user_sepgsql_sysobj_t alias { auditadm_sepgsql_sysobj_t secadm_sepgsql_sysobj_t }; -@@ -141,6 +186,11 @@ typealias user_sepgsql_table_t alias { s - typealias user_sepgsql_table_t alias { auditadm_sepgsql_table_t secadm_sepgsql_table_t }; - postgresql_table_object(user_sepgsql_table_t) - -+type user_sepgsql_view_t; -+typealias user_sepgsql_view_t alias { staff_sepgsql_view_t sysadm_sepgsql_view_t }; -+typealias user_sepgsql_view_t alias { auditadm_sepgsql_view_t secadm_sepgsql_view_t }; -+postgresql_view_object(user_sepgsql_view_t) -+ - ######################################## - # - # postgresql Local policy -@@ -165,9 +215,15 @@ allow postgresql_t sepgsql_module_type:d - # Database/Loadable module - allow sepgsql_database_type sepgsql_module_type:db_database load_module; - -+allow postgresql_t sepgsql_schema_type:db_schema *; -+ - allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *; - type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t; - -+allow postgresql_t sepgsql_sequence_type:db_sequence *; -+ -+allow postgresql_t sepgsql_view_type:db_view *; -+ - allow postgresql_t sepgsql_procedure_type:db_procedure *; - type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_exec_t; - -@@ -313,6 +369,8 @@ optional_policy(` - allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param }; - type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t; - -+allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search }; -+ - allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert lock }; - allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert }; - allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert }; -@@ -332,9 +390,22 @@ allow sepgsql_client_type sepgsql_sysobj - allow sepgsql_client_type 
sepgsql_sysobj_t:db_column { getattr use select }; - allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; - -+allow sepgsql_client_type sepgsql_seq_t:db_sequence { getattr get_value next_value }; -+ -+allow sepgsql_client_type sepgsql_view_t:db_view { getattr expand }; -+ - allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr execute install }; - allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint }; - -+allow sepgsql_client_type sepgsql_lang_t:db_language { getattr }; -+allow sepgsql_client_type sepgsql_safe_lang_t:db_language { getattr execute }; -+ -+# Only DBA can implement SQL procedures using `unsafe' procedural languages. -+# The `unsafe' one provides a capability to access internal data structure, -+# so we don't allow user-defined function being implemented using `unsafe' one. -+allow sepgsql_proc_exec_t sepgsql_lang_t:db_language { implement }; -+allow sepgsql_procedure_type sepgsql_safe_lang_t:db_language { implement }; -+ - allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write }; - allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read }; - allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr; -@@ -352,6 +423,13 @@ allow sepgsql_client_type sepgsql_secret - # Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL. - dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete }; - -+# Note that permission of creation/deletion are eventually controlled by -+# create or drop permission of individual objects within shared schemas. -+# So, it just allows to create/drop user specific types. 
-+tunable_policy(`sepgsql_enable_users_ddl',` -+ allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name }; -+') -+ - ######################################## - # - # Rules common to administrator clients -@@ -360,16 +438,33 @@ dontaudit { postgresql_t sepgsql_admin_t - allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access }; - type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t; - -+allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name }; -+type_transition sepgsql_admin_type sepgsql_database_type:db_schema sepgsql_schema_t; -+ - allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock }; - allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto }; - allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete }; - --type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t; -+type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t; # deprecated -+type_transition sepgsql_admin_type sepgsql_schema_type:db_table sepgsql_table_t; -+ -+allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value }; -+ -+type_transition sepgsql_admin_type sepgsql_schema_type:db_schema sepgsql_seq_t; -+ -+allow sepgsql_admin_type sepgsql_view_type:db_view { create drop getattr setattr relabelfrom relabelto expand }; -+ -+type_transition sepgsql_admin_type sepgsql_view_type:db_view sepgsql_view_t; - - allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto }; - allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute; - --type_transition sepgsql_admin_type 
sepgsql_database_type:db_procedure sepgsql_proc_exec_t; -+type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated -+type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t; -+ -+allow sepgsql_admin_type sepgsql_language_type:db_language { create drop getattr setattr relabelfrom relabelto execute }; -+ -+type_transition sepgsql_admin_type sepgsql_database_type:db_language sepgsql_lang_t; - - allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto }; - -@@ -382,12 +477,18 @@ kernel_relabelfrom_unlabeled_database(se - tunable_policy(`sepgsql_unconfined_dbadm',` - allow sepgsql_admin_type sepgsql_database_type:db_database *; - -+ allow sepgsql_admin_type sepgsql_schema_type:db_schema *; -+ - allow sepgsql_admin_type sepgsql_table_type:{ db_table db_column db_tuple } *; -+ allow sepgsql_admin_type sepgsql_sequence_type:db_sequence *; -+ allow sepgsql_admin_type sepgsql_view_type:db_view *; - - allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *; - allow sepgsql_admin_type sepgsql_trusted_proc_exec_t:db_procedure ~install; - allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install }; - -+ allow sepgsql_admin_type sepgsql_language_type:db_language ~implement; -+ - allow sepgsql_admin_type sepgsql_blob_type:db_blob *; - ') - -@@ -399,11 +500,21 @@ tunable_policy(`sepgsql_unconfined_dbadm - allow sepgsql_unconfined_type sepgsql_database_type:db_database *; - type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t; - --type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t; --type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; -+allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *; -+type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_schema_t; -+ -+type_transition 
sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t; # deprecated -+type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated -+type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table sepgsql_table_t; -+type_transition sepgsql_unconfined_type sepgsql_schema_type:db_sequence sepgsql_seq_t; -+type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view sepgsql_view_t; -+type_transition sepgsql_unconfined_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t; -+type_transition sepgsql_unconfined_type sepgsql_database_type:db_language sepgsql_lang_t; - type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t; - - allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *; -+allow sepgsql_unconfined_type sepgsql_sequence_type:db_sequence *; -+allow sepgsql_unconfined_type sepgsql_view_type:db_view *; - - # unconfined domain is not allowed to invoke user defined procedure directly. - # They have to confirm and relabel it at first. 
-@@ -411,6 +522,8 @@ allow sepgsql_unconfined_type sepgsql_pr - allow sepgsql_unconfined_type sepgsql_trusted_proc_exec_t:db_procedure ~install; - allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ execute install }; - -+allow sepgsql_unconfined_type sepgsql_language_type:db_language ~implement; -+ - allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *; - - allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module; -diff -rpuN serefpolicy-3.9.12.old/support/selinux-policy-refpolicy.spec serefpolicy-3.9.12.new/support/selinux-policy-refpolicy.spec ---- serefpolicy-3.9.12.old/support/selinux-policy-refpolicy.spec 2010-12-21 02:05:22.000000000 +0900 -+++ serefpolicy-3.9.12.new/support/selinux-policy-refpolicy.spec 2011-01-18 12:56:32.000000000 +0900 -@@ -74,6 +74,7 @@ make NAME=%{polname2} TYPE=%{type2} DIST - %config(noreplace) %{_sysconfdir}/selinux/*/contexts/initrc_context - %config(noreplace) %{_sysconfdir}/selinux/*/contexts/removable_context - %config(noreplace) %{_sysconfdir}/selinux/*/contexts/userhelper_context -+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/sepgsql_contexts - %config(noreplace) %{_sysconfdir}/selinux/*/contexts/x_contexts - %dir %{_sysconfdir}/selinux/*/contexts/files - #%ghost %config %{_sysconfdir}/selinux/*/contexts/files/file_contexts -@@ -118,6 +119,7 @@ SELinux Reference policy targeted base m - %config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/initrc_context - %config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/removable_context - %config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/userhelper_context -+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/sepgsql_contexts - %config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/x_contexts - %dir %{_sysconfdir}/selinux/%{polname1}/contexts/files - #%ghost %config %{_sysconfdir}/selinux/%{polname1}/contexts/files/file_contexts -@@ -164,6 +166,7 @@ SELinux Reference policy strict base 
mod - %config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/initrc_context - %config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/removable_context - %config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/userhelper_context -+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/sepgsql_contexts - %config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/x_contexts - %dir %{_sysconfdir}/selinux/%{polname2}/contexts/files - #%ghost %config %{_sysconfdir}/selinux/%{polname2}/contexts/files/file_contexts diff --git a/a/3.hdr b/a/3.hdr deleted file mode 100644 index 62c7fb9..0000000 --- a/a/3.hdr +++ /dev/null @@ -1,5 +0,0 @@ -Content-Type: application/octect-stream; - name="selinux-policy-sepgsql.fedora.patch" -Content-Transfer-Encoding: base64 -Content-Disposition: attachment; - filename="selinux-policy-sepgsql.fedora.patch" diff --git a/a/content_digest b/N1/content_digest index 6684126..f91c251 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -3,14 +3,11 @@ "ref\04D3057AC.3040903@redhat.com\0" "ref\0AANLkTi=vHcJBGpUKQa0VZDtnFJGQ8Ozgmt4mhihYH-r+@mail.gmail.com\0" "ref\04D345E39.1070905@redhat.com\0" - "From\0KaiGai Kohei <kaigai@ak.jp.nec.com>\0" - "Subject\0Re: [refpolicy] [PATCH] New database object classes\0" + "From\0kaigai@ak.jp.nec.com (KaiGai Kohei)\0" + "Subject\0[refpolicy] [PATCH] New database object classes\0" "Date\0Tue, 18 Jan 2011 15:03:39 +0900\0" - "To\0Daniel J Walsh <dwalsh@redhat.com>\0" - "Cc\0Kohei KaiGai <kaigai@kaigai.gr.jp>" - refpolicy@oss1.tresys.com - " selinux@tycho.nsa.gov\0" - "\01:1\0" + "To\0refpolicy@oss.tresys.com\0" + "\00:1\0" "b\0" "(2011/01/18 0:20), Daniel J Walsh wrote:\n" "> -----BEGIN PGP SIGNED MESSAGE-----\n" 
@@ -43,1877 +40,20 @@ "\n" "Thanks,\n" "-- \n" - KaiGai Kohei <kaigai@ak.jp.nec.com> - "\01:2\0" - "fn\0selinux-policy-sepgsql.rhel6.patch\0" - "b\0" - "diff -rupN serefpolicy-3.7.19.old/config/appconfig-mcs/sepgsql_contexts serefpolicy-3.7.19.new/config/appconfig-mcs/sepgsql_contexts\n" - "--- serefpolicy-3.7.19.old/config/appconfig-mcs/sepgsql_contexts\t1970-01-01 09:00:00.000000000 +0900\n" - "+++ serefpolicy-3.7.19.new/config/appconfig-mcs/sepgsql_contexts\t2011-01-18 12:35:31.000000000 +0900\n" - "@@ -0,0 +1,40 @@\n" - "+#\n" - "+# Initial security label for SE-PostgreSQL (MCS)\n" - "+#\n" - "+\n" - "+# <databases>\n" - "+db_database\t*\t\t\tsystem_u:object_r:sepgsql_db_t:s0\n" - "+\n" - "+# <schemas>\n" - "+db_schema\t*.*\t\t\tsystem_u:object_r:sepgsql_schema_t:s0\n" - "+\n" - "+# <tables>\n" - "+db_table\t*.pg_catalog.*\t\tsystem_u:object_r:sepgsql_sysobj_t:s0\n" - "+db_table\t*.*.*\t\t\tsystem_u:object_r:sepgsql_table_t:s0\n" - "+\n" - "+# <column>\n" - "+db_column\t*.pg_catalog.*.*\tsystem_u:object_r:sepgsql_sysobj_t:s0\n" - "+db_column\t*.*.*.*\t\t\tsystem_u:object_r:sepgsql_table_t:s0\n" - "+\n" - "+# <sequences>\n" - "+db_sequence\t*.*.*\t\t\tsystem_u:object_r:sepgsql_seq_t:s0\n" - "+\n" - "+# <views>\n" - "+db_view\t\t*.*.*\t\t\tsystem_u:object_r:sepgsql_view_t:s0\n" - "+\n" - "+# <procedures>\n" - "+db_procedure\t*.*.*\t\t\tsystem_u:object_r:sepgsql_proc_exec_t:s0\n" - "+\n" - "+# <tuples>\n" - "+db_tuple\t*.pg_catalog.*\t\tsystem_u:object_r:sepgsql_sysobj_t:s0\n" - "+db_tuple\t*.*.*\t\t\tsystem_u:object_r:sepgsql_table_t:s0\n" - "+\n" - "+# <blobs>\n" - "+db_blobs\t*.*\t\t\tsystem_u:object_r:sepgsql_blob_t:s0\n" - "+\n" - "+# <language>\n" - "+db_language\t*.sql\t\t\tsystem_u:object_r:sepgsql_safe_lang_t:s0\n" - "+db_language\t*.plpgsql\t\tsystem_u:object_r:sepgsql_safe_lang_t:s0\n" - "+db_language\t*.pltcl\t\t\tsystem_u:object_r:sepgsql_safe_lang_t:s0\n" - "+db_language\t*.plperl\t\tsystem_u:object_r:sepgsql_safe_lang_t:s0\n" - 
"+db_language\t*.*\t\t\tsystem_u:object_r:sepgsql_lang_t:s0\n" - "diff -rupN serefpolicy-3.7.19.old/config/appconfig-mls/sepgsql_contexts serefpolicy-3.7.19.new/config/appconfig-mls/sepgsql_contexts\n" - "--- serefpolicy-3.7.19.old/config/appconfig-mls/sepgsql_contexts\t1970-01-01 09:00:00.000000000 +0900\n" - "+++ serefpolicy-3.7.19.new/config/appconfig-mls/sepgsql_contexts\t2011-01-18 12:35:31.000000000 +0900\n" - "@@ -0,0 +1,40 @@\n" - "+#\n" - "+# Initial security label for SE-PostgreSQL (MLS)\n" - "+#\n" - "+\n" - "+# <databases>\n" - "+db_database\t*\t\t\tsystem_u:object_r:sepgsql_db_t:s0\n" - "+\n" - "+# <schemas>\n" - "+db_schema\t*.*\t\t\tsystem_u:object_r:sepgsql_schema_t:s0\n" - "+\n" - "+# <tables>\n" - "+db_table\t*.pg_catalog.*\t\tsystem_u:object_r:sepgsql_sysobj_t:s0\n" - "+db_table\t*.*.*\t\t\tsystem_u:object_r:sepgsql_table_t:s0\n" - "+\n" - "+# <column>\n" - "+db_column\t*.pg_catalog.*.*\tsystem_u:object_r:sepgsql_sysobj_t:s0\n" - "+db_column\t*.*.*.*\t\t\tsystem_u:object_r:sepgsql_table_t:s0\n" - "+\n" - "+# <sequences>\n" - "+db_sequence\t*.*.*\t\t\tsystem_u:object_r:sepgsql_seq_t:s0\n" - "+\n" - "+# <views>\n" - "+db_view\t\t*.*.*\t\t\tsystem_u:object_r:sepgsql_view_t:s0\n" - "+\n" - "+# <procedures>\n" - "+db_procedure\t*.*.*\t\t\tsystem_u:object_r:sepgsql_proc_exec_t:s0\n" - "+\n" - "+# <tuples>\n" - "+db_tuple\t*.pg_catalog.*\t\tsystem_u:object_r:sepgsql_sysobj_t:s0\n" - "+db_tuple\t*.*.*\t\t\tsystem_u:object_r:sepgsql_table_t:s0\n" - "+\n" - "+# <blobs>\n" - "+db_blobs\t*.*\t\t\tsystem_u:object_r:sepgsql_blob_t:s0\n" - "+\n" - "+# <language>\n" - "+db_language\t*.sql\t\t\tsystem_u:object_r:sepgsql_safe_lang_t:s0\n" - "+db_language\t*.plpgsql\t\tsystem_u:object_r:sepgsql_safe_lang_t:s0\n" - "+db_language\t*.pltcl\t\t\tsystem_u:object_r:sepgsql_safe_lang_t:s0\n" - "+db_language\t*.plperl\t\tsystem_u:object_r:sepgsql_safe_lang_t:s0\n" - "+db_language\t*.*\t\t\tsystem_u:object_r:sepgsql_lang_t:s0\n" - "diff -rupN 
serefpolicy-3.7.19.old/config/appconfig-standard/sepgsql_contexts serefpolicy-3.7.19.new/config/appconfig-standard/sepgsql_contexts\n" - "--- serefpolicy-3.7.19.old/config/appconfig-standard/sepgsql_contexts\t1970-01-01 09:00:00.000000000 +0900\n" - "+++ serefpolicy-3.7.19.new/config/appconfig-standard/sepgsql_contexts\t2011-01-18 12:35:31.000000000 +0900\n" - "@@ -0,0 +1,40 @@\n" - "+#\n" - "+# Initial security label for SE-PostgreSQL (none-MLS)\n" - "+#\n" - "+\n" - "+# <databases>\n" - "+db_database\t*\t\t\tsystem_u:object_r:sepgsql_db_t\n" - "+\n" - "+# <schemas>\n" - "+db_schema\t*.*\t\t\tsystem_u:object_r:sepgsql_schema_t\n" - "+\n" - "+# <tables>\n" - "+db_table\t*.pg_catalog.*\t\tsystem_u:object_r:sepgsql_sysobj_t\n" - "+db_table\t*.*.*\t\t\tsystem_u:object_r:sepgsql_table_t\n" - "+\n" - "+# <column>\n" - "+db_column\t*.pg_catalog.*.*\tsystem_u:object_r:sepgsql_sysobj_t\n" - "+db_column\t*.*.*.*\t\t\tsystem_u:object_r:sepgsql_table_t\n" - "+\n" - "+# <sequences>\n" - "+db_sequence\t*.*.*\t\t\tsystem_u:object_r:sepgsql_seq_t\n" - "+\n" - "+# <views>\n" - "+db_view\t\t*.*.*\t\t\tsystem_u:object_r:sepgsql_view_t\n" - "+\n" - "+# <procedures>\n" - "+db_procedure\t*.*.*\t\t\tsystem_u:object_r:sepgsql_proc_exec_t\n" - "+\n" - "+# <tuples>\n" - "+db_tuple\t*.pg_catalog.*\t\tsystem_u:object_r:sepgsql_sysobj_t\n" - "+db_tuple\t*.*.*\t\t\tsystem_u:object_r:sepgsql_table_t\n" - "+\n" - "+# <blobs>\n" - "+db_blobs\t*.*\t\t\tsystem_u:object_r:sepgsql_blob_t\n" - "+\n" - "+# <language>\n" - "+db_language\t*.sql\t\t\tsystem_u:object_r:sepgsql_safe_lang_t\n" - "+db_language\t*.plpgsql\t\tsystem_u:object_r:sepgsql_safe_lang_t\n" - "+db_language\t*.pltcl\t\t\tsystem_u:object_r:sepgsql_safe_lang_t\n" - "+db_language\t*.plperl\t\tsystem_u:object_r:sepgsql_safe_lang_t\n" - "+db_language\t*.*\t\t\tsystem_u:object_r:sepgsql_lang_t\n" - "diff -rupN serefpolicy-3.7.19.old/Makefile serefpolicy-3.7.19.new/Makefile\n" - "--- serefpolicy-3.7.19.old/Makefile\t2011-01-18 
12:23:49.000000000 +0900\n" - "+++ serefpolicy-3.7.19.new/Makefile\t2011-01-18 12:36:28.000000000 +0900\n" - "@@ -244,7 +244,7 @@ seusers := $(appconf)/seusers\n" - " appdir := $(contextpath)\n" - " user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)\n" - " user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))\n" - "-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)\n" - "+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)\n" - " net_contexts := $(builddir)net_contexts\n" - " \n" - " all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)\n" - "diff -rupN serefpolicy-3.7.19.old/policy/flask/access_vectors serefpolicy-3.7.19.new/policy/flask/access_vectors\n" - "--- serefpolicy-3.7.19.old/policy/flask/access_vectors\t2010-04-14 03:44:37.000000000 +0900\n" - "+++ serefpolicy-3.7.19.new/policy/flask/access_vectors\t2011-01-18 12:42:15.000000000 +0900\n" - "@@ -816,3 +816,32 @@ inherits x_device\n" - " \n" - " class x_keyboard\n" - " inherits x_device\n" - "+\n" - "+class db_schema\n" - "+inherits database\n" - "+{\n" - "+\tsearch\n" - "+\tadd_name\n" - "+\tremove_name\n" - "+}\n" - "+\n" - "+class db_view\n" - "+inherits database\n" - "+{\n" - "+\texpand\n" - "+}\n" - "+\n" - "+class db_sequence\n" - "+inherits database\n" - "+{\n" - "+\tget_value\n" - "+\tnext_value\n" - "+\tset_value\n" - "+}\n" - "+\n" - "+class db_language\n" - "+inherits 
database\n" - "+{\n" - "+\timplement\n" - "+\texecute\n" - "+}\n" - "diff -rupN serefpolicy-3.7.19.old/policy/flask/security_classes serefpolicy-3.7.19.new/policy/flask/security_classes\n" - "--- serefpolicy-3.7.19.old/policy/flask/security_classes\t2010-04-14 03:44:37.000000000 +0900\n" - "+++ serefpolicy-3.7.19.new/policy/flask/security_classes\t2011-01-18 12:42:15.000000000 +0900\n" - "@@ -125,4 +125,10 @@ class tun_socket\n" - " class x_pointer\t\t\t# userspace\n" - " class x_keyboard\t\t# userspace\n" - " \n" - "+# More Database stuff\n" - "+class db_schema\t\t\t# userspace\n" - "+class db_view\t\t\t# userspace\n" - "+class db_sequence\t\t# userspace\n" - "+class db_language\t\t# userspace\n" - "+\n" - " # FLASK\n" - "diff -rupN serefpolicy-3.7.19.old/policy/mcs serefpolicy-3.7.19.new/policy/mcs\n" - "--- serefpolicy-3.7.19.old/policy/mcs\t2010-04-14 03:44:37.000000000 +0900\n" - "+++ serefpolicy-3.7.19.new/policy/mcs\t2011-01-18 12:42:15.000000000 +0900\n" - "@@ -107,7 +107,7 @@ mlsconstrain process { sigkill sigstop }\n" - " \n" - " # Any database object must be dominated by the relabeling subject\n" - " # clearance, also the objects are single-level.\n" - "-mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto }\n" - "+mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }\n" - " \t(( h1 dom h2 ) and ( l2 eq h2 ));\n" - " \n" - " mlsconstrain { db_tuple } { insert relabelto }\n" - "@@ -117,6 +117,9 @@ mlsconstrain { db_tuple } { insert relab\n" - " mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }\n" - " \t( h1 dom h2 );\n" - " \n" - "+mlsconstrain db_language { drop getattr setattr relabelfrom execute }\n" - "+\t( h1 dom h2 );\n" - "+\n" - " mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }\n" - " \t( h1 dom h2 );\n" - " \n" - "@@ -126,7 
+129,16 @@ mlsconstrain db_column { drop getattr se\n" - " mlsconstrain db_tuple { relabelfrom select update delete use }\n" - " \t( h1 dom h2 );\n" - " \n" - "-mlsconstrain db_procedure { drop getattr setattr execute install }\n" - "+mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value next_value set_value }\n" - "+\t( h1 dom h2 );\n" - "+\n" - "+mlsconstrain db_view { drop getattr setattr relabelfrom expand }\n" - "+\t( h1 dom h2 );\n" - "+\n" - "+mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install }\n" - "+\t( h1 dom h2 );\n" - "+\n" - "+mlsconstrain db_language { drop getattr setattr relabelfrom execute }\n" - " \t( h1 dom h2 );\n" - " \n" - " mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }\n" - "diff -rupN serefpolicy-3.7.19.old/policy/mls serefpolicy-3.7.19.new/policy/mls\n" - "--- serefpolicy-3.7.19.old/policy/mls\t2011-01-18 12:23:49.000000000 +0900\n" - "+++ serefpolicy-3.7.19.new/policy/mls\t2011-01-18 12:42:15.000000000 +0900\n" - "@@ -727,13 +727,13 @@ mlsconstrain context contains\n" - " #\n" - " \n" - " # make sure these database classes are \"single level\"\n" - "-mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto }\n" - "+mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }\n" - " \t( l2 eq h2 );\n" - " mlsconstrain { db_tuple } { insert relabelto }\n" - " \t( l2 eq h2 );\n" - " \n" - " # new database labels must be dominated by the relabeling subjects clearance\n" - "-mlsconstrain { db_database db_table db_procedure db_column db_tuple db_blob } { relabelto }\n" - "+mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto }\n" - " \t( h1 dom h2 );\n" - " \n" - " # the database \"read\" ops (note the check is dominance of the low level)\n" - "@@ -743,6 +743,12 @@ mlsconstrain { 
db_database } { getattr a\n" - " \t ( t1 == mlsdbread ) or\n" - " \t ( t2 == mlstrustedobject ));\n" - " \n" - "+mlsconstrain { db_schema } { getattr search }\n" - "+\t(( l1 dom l2 ) or\n" - "+\t (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or\n" - "+\t ( t1 == mlsdbread ) or\n" - "+\t ( t2 == mlstrustedobject ));\n" - "+\n" - " mlsconstrain { db_table } { getattr use select lock }\n" - " \t(( l1 dom l2 ) or\n" - " \t (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or\n" - "@@ -755,12 +761,30 @@ mlsconstrain { db_column } { getattr use\n" - " \t ( t1 == mlsdbread ) or\n" - " \t ( t2 == mlstrustedobject ));\n" - " \n" - "+mlsconstrain { db_sequence } { getattr get_value next_value }\n" - "+\t(( l1 dom l2 ) or\n" - "+\t (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or\n" - "+\t ( t1 == mlsdbread ) or\n" - "+\t ( t2 == mlstrustedobject ));\n" - "+\n" - "+mlsconstrain { db_view } { getattr expand }\n" - "+\t(( l1 dom l2 ) or\n" - "+\t (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or\n" - "+\t ( t1 == mlsdbread ) or\n" - "+\t ( t2 == mlstrustedobject ));\n" - "+\n" - " mlsconstrain { db_procedure } { getattr execute install }\n" - " \t(( l1 dom l2 ) or\n" - " \t (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or\n" - " \t ( t1 == mlsdbread ) or\n" - " \t ( t2 == mlstrustedobject ));\n" - " \n" - "+mlsconstrain { db_language } { getattr execute }\n" - "+\t(( l1 dom l2 ) or\n" - "+\t (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or\n" - "+\t ( t1 == mlsdbread ) or\n" - "+\t ( t2 == mlstrustedobject ));\n" - "+\n" - " mlsconstrain { db_blob } { getattr read export }\n" - " \t(( l1 dom l2 ) or\n" - " \t (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or\n" - "@@ -781,6 +805,13 @@ mlsconstrain { db_database } { create dr\n" - " \t ( t1 == mlsdbwrite ) or\n" - " \t ( t2 == mlstrustedobject ));\n" - " \n" - "+mlsconstrain { db_schema } { create drop setattr relabelfrom add_name remove_name }\n" - "+\t(( l1 eq l2 ) or\n" - "+\t (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 
)) or\n" - "+\t (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or\n" - "+\t ( t1 == mlsdbwrite ) or\n" - "+\t ( t2 == mlstrustedobject ));\n" - "+\n" - " mlsconstrain { db_table } { create drop setattr relabelfrom update insert delete }\n" - " \t(( l1 eq l2 ) or\n" - " \t (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or\n" - "@@ -795,6 +826,20 @@ mlsconstrain { db_column } { create drop\n" - " \t ( t1 == mlsdbwrite ) or\n" - " \t ( t2 == mlstrustedobject ));\n" - " \n" - "+mlsconstrain { db_sequence } { create drop setattr relabelfrom set_value }\n" - "+\t(( l1 eq l2 ) or\n" - "+\t (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or\n" - "+\t (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or\n" - "+\t ( t1 == mlsdbwrite ) or\n" - "+\t ( t2 == mlstrustedobject ));\n" - "+\n" - "+mlsconstrain { db_view } { create drop setattr relabelfrom }\n" - "+\t(( l1 eq l2 ) or\n" - "+\t (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or\n" - "+\t (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or\n" - "+\t ( t1 == mlsdbwrite ) or\n" - "+\t ( t2 == mlstrustedobject ));\n" - "+\n" - " mlsconstrain { db_procedure } { create drop setattr relabelfrom }\n" - " \t(( l1 eq l2 ) or\n" - " \t (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or\n" - "@@ -802,6 +847,13 @@ mlsconstrain { db_procedure } { create d\n" - " \t ( t1 == mlsdbwrite ) or\n" - " \t ( t2 == mlstrustedobject ));\n" - " \n" - "+mlsconstrain { db_language } { create drop setattr relabelfrom }\n" - "+\t(( l1 eq l2 ) or\n" - "+\t (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or\n" - "+\t (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or\n" - "+\t ( t1 == mlsdbwrite ) or\n" - "+\t ( t2 == mlstrustedobject ));\n" - "+\n" - " mlsconstrain { db_blob } { create drop setattr relabelfrom write import }\n" - " \t(( l1 eq l2 ) or\n" - " \t (( t1 == 
mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or\n" - "@@ -817,7 +869,7 @@ mlsconstrain { db_tuple } { relabelfrom \n" - " \t ( t2 == mlstrustedobject ));\n" - " \n" - " # the database upgrade/downgrade rule\n" - "-mlsvalidatetrans { db_database db_table db_procedure db_column db_tuple db_blob }\n" - "+mlsvalidatetrans { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob }\n" - " \t((( l1 eq l2 ) or\n" - " \t (( t3 == mlsdbupgrade ) and ( l1 domby l2 )) or\n" - " \t (( t3 == mlsdbdowngrade ) and ( l1 dom l2 )) or\n" - "diff -rupN serefpolicy-3.7.19.old/policy/modules/kernel/kernel.if serefpolicy-3.7.19.new/policy/modules/kernel/kernel.if\n" - "--- serefpolicy-3.7.19.old/policy/modules/kernel/kernel.if\t2011-01-18 12:23:50.000000000 +0900\n" - "+++ serefpolicy-3.7.19.new/policy/modules/kernel/kernel.if\t2011-01-18 12:42:15.000000000 +0900\n" - "@@ -2842,16 +2842,24 @@ interface(`kernel_relabelfrom_unlabeled_\n" - " \tgen_require(`\n" - " \t\ttype unlabeled_t;\n" - " \t\tclass db_database { setattr relabelfrom };\n" - "+\t\tclass db_schema { setattr relabelfrom };\n" - " \t\tclass db_table { setattr relabelfrom };\n" - "+\t\tclass db_sequence { setattr relabelfrom };\n" - "+\t\tclass db_view { setattr relabelfrom };\n" - " \t\tclass db_procedure { setattr relabelfrom };\n" - "+\t\tclass db_language { setattr relabelfrom };\n" - " \t\tclass db_column { setattr relabelfrom };\n" - " \t\tclass db_tuple { update relabelfrom };\n" - " \t\tclass db_blob { setattr relabelfrom };\n" - " \t')\n" - " \n" - " \tallow $1 unlabeled_t:db_database { setattr relabelfrom };\n" - "+\tallow $1 unlabeled_t:db_schema { setattr relabelfrom };\n" - " \tallow $1 unlabeled_t:db_table { setattr relabelfrom };\n" - "+\tallow $1 unlabeled_t:db_sequence { setattr relabelfrom };\n" - "+\tallow $1 unlabeled_t:db_view { setattr relabelfrom };\n" - " \tallow $1 unlabeled_t:db_procedure { setattr relabelfrom };\n" - "+\tallow $1 
unlabeled_t:db_language { setattr relabelfrom };\n" - " \tallow $1 unlabeled_t:db_column { setattr relabelfrom };\n" - " \tallow $1 unlabeled_t:db_tuple { update relabelfrom };\n" - " \tallow $1 unlabeled_t:db_blob { setattr relabelfrom };\n" - "diff -rupN serefpolicy-3.7.19.old/policy/modules/kernel/kernel.te serefpolicy-3.7.19.new/policy/modules/kernel/kernel.te\n" - "--- serefpolicy-3.7.19.old/policy/modules/kernel/kernel.te\t2011-01-18 12:23:50.000000000 +0900\n" - "+++ serefpolicy-3.7.19.new/policy/modules/kernel/kernel.te\t2011-01-18 12:42:48.000000000 +0900\n" - "@@ -1,5 +1,5 @@\n" - " \n" - "-policy_module(kernel, 1.11.3)\n" - "+policy_module(kernel, 1.11.4)\n" - " \n" - " ########################################\n" - " #\n" - "diff -rupN serefpolicy-3.7.19.old/policy/modules/services/postgresql.if serefpolicy-3.7.19.new/policy/modules/services/postgresql.if\n" - "--- serefpolicy-3.7.19.old/policy/modules/services/postgresql.if\t2010-04-14 03:44:37.000000000 +0900\n" - "+++ serefpolicy-3.7.19.new/policy/modules/services/postgresql.if\t2011-01-18 12:42:15.000000000 +0900\n" - "@@ -18,18 +18,24 @@\n" - " interface(`postgresql_role',`\n" - " \tgen_require(`\n" - " \t\tclass db_database all_db_database_perms;\n" - "+\t\tclass db_schema all_db_schema_perms;\n" - " \t\tclass db_table all_db_table_perms;\n" - "+\t\tclass db_sequence all_db_sequence_perms;\n" - "+\t\tclass db_view all_db_view_perms;\n" - " \t\tclass db_procedure all_db_procedure_perms;\n" - "+\t\tclass db_language all_db_language_perms;\n" - " \t\tclass db_column all_db_column_perms;\n" - " \t\tclass db_tuple all_db_tuple_perms;\n" - " \t\tclass db_blob all_db_blob_perms;\n" - " \n" - " \t\tattribute sepgsql_client_type, sepgsql_database_type;\n" - "-\t\tattribute sepgsql_sysobj_table_type;\n" - "+\t\tattribute sepgsql_schema_type, sepgsql_sysobj_table_type;\n" - " \n" - " \t\ttype sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t;\n" - " \t\ttype user_sepgsql_blob_t, user_sepgsql_proc_exec_t;\n" 
- "+\t\ttype user_sepgsql_schema_t, user_sepgsql_seq_t;\n" - " \t\ttype user_sepgsql_sysobj_t, user_sepgsql_table_t;\n" - "+\t\ttype user_sepgsql_view_t;\n" - " \t')\n" - " \n" - " \t########################################\n" - "@@ -46,23 +52,36 @@ interface(`postgresql_role',`\n" - " \t#\n" - " \n" - " \ttunable_policy(`sepgsql_enable_users_ddl',`\n" - "+\t\tallow $2 user_sepgsql_schema_t:db_schema { create drop setattr };\n" - " \t\tallow $2 user_sepgsql_table_t:db_table { create drop setattr };\n" - " \t\tallow $2 user_sepgsql_table_t:db_column { create drop setattr };\n" - "-\n" - " \t\tallow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };\n" - "+\t\tallow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };\n" - "+\t\tallow $2 user_sepgsql_view_t:db_view { create drop setattr };\n" - " \t\tallow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };\n" - " \t')\n" - " \n" - "+\tallow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };\n" - "+\ttype_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;\n" - "+\n" - " \tallow $2 user_sepgsql_table_t:db_table\t{ getattr use select update insert delete lock };\n" - " \tallow $2 user_sepgsql_table_t:db_column { getattr use select update insert };\n" - " \tallow $2 user_sepgsql_table_t:db_tuple\t{ use select update insert delete };\n" - "-\ttype_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;\n" - "+\ttype_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;\t\t# deprecated\n" - "+\ttype_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t;\n" - " \n" - " \tallow $2 user_sepgsql_sysobj_t:db_tuple\t{ use select };\n" - " \ttype_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;\n" - " \n" - "+\tallow $2 user_sepgsql_seq_t:db_sequence { getattr get_value next_value };\n" - "+\ttype_transition $2 sepgsql_schema_type:db_sequence user_sepgsql_seq_t;\n" - "+\n" - "+\tallow $2 
user_sepgsql_view_t:db_view { getattr expand };\n" - "+\ttype_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t;\n" - "+\n" - " \tallow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };\n" - "-\ttype_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;\n" - "+\ttype_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;\t# deprecated\n" - "+\ttype_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t;\n" - " \n" - " \tallow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };\n" - " \ttype_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;\n" - "@@ -109,6 +128,24 @@ interface(`postgresql_database_object',`\n" - " \n" - " ########################################\n" - " ## <summary>\n" - "+##\tMarks as a SE-PostgreSQL schema object type\n" - "+## </summary>\n" - "+## <param name=\"type\">\n" - "+##\t<summary>\n" - "+##\tType marked as a schema object type.\n" - "+##\t</summary>\n" - "+## </param>\n" - "+#\n" - "+interface(`postgresql_schema_object',`\n" - "+\tgen_require(`\n" - "+\t\tattribute sepgsql_schema_type;\n" - "+\t')\n" - "+\n" - "+\ttypeattribute $1 sepgsql_schema_type;\n" - "+')\n" - "+\n" - "+########################################\n" - "+## <summary>\n" - " ##\tMarks as a SE-PostgreSQL table/column/tuple object type\n" - " ## </summary>\n" - " ## <param name=\"type\">\n" - "@@ -146,6 +183,42 @@ interface(`postgresql_system_table_objec\n" - " \n" - " ########################################\n" - " ## <summary>\n" - "+##\tMarks as a SE-PostgreSQL sequence type\n" - "+## </summary>\n" - "+## <param name=\"type\">\n" - "+##\t<summary>\n" - "+##\tType marked as a sequence type.\n" - "+##\t</summary>\n" - "+## </param>\n" - "+#\n" - "+interface(`postgresql_sequence_object',`\n" - "+\tgen_require(`\n" - "+\t\tattribute sepgsql_sequence_type;\n" - "+\t')\n" - "+\n" - "+\ttypeattribute $1 sepgsql_sequence_type;\n" - "+')\n" - 
"+\n" - "+########################################\n" - "+## <summary>\n" - "+##\tMarks as a SE-PostgreSQL view object type\n" - "+## </summary>\n" - "+## <param name=\"type\">\n" - "+##\t<summary>\n" - "+##\tType marked as a view object type.\n" - "+##\t</summary>\n" - "+## </param>\n" - "+#\n" - "+interface(`postgresql_view_object',`\n" - "+\tgen_require(`\n" - "+\t\tattribute sepgsql_view_type;\n" - "+\t')\n" - "+\n" - "+\ttypeattribute $1 sepgsql_view_type;\n" - "+')\n" - "+\n" - "+########################################\n" - "+## <summary>\n" - " ##\tMarks as a SE-PostgreSQL procedure object type\n" - " ## </summary>\n" - " ## <param name=\"type\">\n" - "@@ -164,6 +237,24 @@ interface(`postgresql_procedure_object',\n" - " \n" - " ########################################\n" - " ## <summary>\n" - "+##\tMarks as a SE-PostgreSQL procedural language object type\n" - "+## </summary>\n" - "+## <param name=\"type\">\n" - "+##\t<summary>\n" - "+##\tType marked as a procedural language object type.\n" - "+##\t</summary>\n" - "+## </param>\n" - "+#\n" - "+interface(`postgresql_language_object',`\n" - "+\tgen_require(`\n" - "+\t\tattribute sepgsql_language_type;\n" - "+\t')\n" - "+\n" - "+\ttypeattribute $1 sepgsql_language_type;\n" - "+')\n" - "+\n" - "+########################################\n" - "+## <summary>\n" - " ##\tMarks as a SE-PostgreSQL binary large object type\n" - " ## </summary>\n" - " ## <param name=\"type\">\n" - "@@ -332,18 +423,25 @@ interface(`postgresql_stream_connect',`\n" - " interface(`postgresql_unpriv_client',`\n" - " \tgen_require(`\n" - " \t\tclass db_database all_db_database_perms;\n" - "+\t\tclass db_schema all_db_schema_perms;\n" - " \t\tclass db_table all_db_table_perms;\n" - "+\t\tclass db_sequence all_db_sequence_perms;\n" - "+\t\tclass db_view all_db_view_perms;\n" - " \t\tclass db_procedure all_db_procedure_perms;\n" - "+\t\tclass db_language all_db_language_perms;\n" - " \t\tclass db_column all_db_column_perms;\n" - " \t\tclass 
db_tuple all_db_tuple_perms;\n" - " \t\tclass db_blob all_db_blob_perms;\n" - " \n" - " \t\tattribute sepgsql_client_type;\n" - "-\t\tattribute sepgsql_database_type, sepgsql_sysobj_table_type;\n" - "+\t\tattribute sepgsql_database_type, sepgsql_schema_type;\n" - "+\t\tattribute sepgsql_sysobj_table_type;\n" - " \n" - " \t\ttype sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;\n" - " \t\ttype unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t;\n" - "+\t\ttype unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t;\n" - " \t\ttype unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t;\n" - "+\t\ttype unpriv_sepgsql_view_t;\n" - " \t')\n" - " \n" - " \t########################################\n" - "@@ -362,22 +460,35 @@ interface(`postgresql_unpriv_client',`\n" - " \tallow $1 sepgsql_trusted_proc_t:process transition;\n" - " \n" - " \ttunable_policy(`sepgsql_enable_users_ddl',`\n" - "+\t\tallow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr };\n" - " \t\tallow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };\n" - " \t\tallow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };\n" - " \t\tallow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };\n" - "+\t\tallow $1 unpriv_sepgsql_seq_t:db_sequence { create drop setattr };\n" - "+\t\tallow $1 unpriv_sepgsql_view_t:db_view { create drop setattr };\n" - " \t\tallow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };\n" - " \t')\n" - "+\tallow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name };\n" - "+\ttype_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t;\n" - " \n" - " \tallow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };\n" - " \tallow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };\n" - " \tallow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };\n" - "-\ttype_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t;\n" - 
"+\ttype_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t;\t# deprecated\n" - "+\ttype_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t;\n" - "+\n" - "+\tallow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value };\n" - "+\ttype_transition $1 sepgsql_schema_type:db_sequence unpriv_sepgsql_seq_t;\n" - "+\n" - "+\tallow $1 unpriv_sepgsql_view_t:db_view { getattr expand };\n" - "+\ttype_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t;\n" - " \n" - " \tallow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };\n" - " \ttype_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;\n" - " \n" - " \tallow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };\n" - "-\ttype_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;\n" - "+\ttype_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t; # deprecated\n" - "+\ttype_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t;\n" - " \n" - " \tallow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };\n" - " \ttype_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;\n" - "diff -rupN serefpolicy-3.7.19.old/policy/modules/services/postgresql.te serefpolicy-3.7.19.new/policy/modules/services/postgresql.te\n" - "--- serefpolicy-3.7.19.old/policy/modules/services/postgresql.te\t2010-04-14 03:44:37.000000000 +0900\n" - "+++ serefpolicy-3.7.19.new/policy/modules/services/postgresql.te\t2011-01-18 12:43:04.000000000 +0900\n" - "@@ -1,5 +1,5 @@\n" - " \n" - "-policy_module(postgresql, 1.10.2)\n" - "+policy_module(postgresql, 1.10.3)\n" - " \n" - " gen_require(`\n" - " \tclass db_database all_db_database_perms;\n" - "@@ -8,6 +8,10 @@ gen_require(`\n" - " \tclass db_column all_db_column_perms;\n" - " \tclass db_tuple all_db_tuple_perms;\n" - " \tclass db_blob all_db_blob_perms;\n" - "+\tclass db_schema 
all_db_schema_perms;\n" - "+\tclass db_view all_db_view_perms;\n" - "+\tclass db_sequence all_db_sequence_perms;\n" - "+\tclass db_language all_db_language_perms;\n" - " ')\n" - " \n" - " #################################\n" - "@@ -61,9 +65,13 @@ attribute sepgsql_unconfined_type;\n" - " \n" - " # database objects attribute\n" - " attribute sepgsql_database_type;\n" - "+attribute sepgsql_schema_type;\n" - " attribute sepgsql_table_type;\n" - " attribute sepgsql_sysobj_table_type;\n" - "+attribute sepgsql_sequence_type;\n" - "+attribute sepgsql_view_type;\n" - " attribute sepgsql_procedure_type;\n" - "+attribute sepgsql_language_type;\n" - " attribute sepgsql_blob_type;\n" - " attribute sepgsql_module_type;\n" - " \n" - "@@ -77,6 +85,12 @@ postgresql_database_object(sepgsql_db_t)\n" - " type sepgsql_fixed_table_t;\n" - " postgresql_table_object(sepgsql_fixed_table_t)\n" - " \n" - "+type sepgsql_lang_t;\n" - "+postgresql_language_object(sepgsql_lang_t)\n" - "+\n" - "+type sepgsql_priv_lang_t;\n" - "+postgresql_language_object(sepgsql_priv_lang_t)\n" - "+\n" - " type sepgsql_proc_exec_t;\n" - " typealias sepgsql_proc_exec_t alias sepgsql_proc_t;\n" - " postgresql_procedure_object(sepgsql_proc_exec_t)\n" - "@@ -87,12 +101,21 @@ postgresql_blob_object(sepgsql_ro_blob_t\n" - " type sepgsql_ro_table_t;\n" - " postgresql_table_object(sepgsql_ro_table_t)\n" - " \n" - "+type sepgsql_safe_lang_t;\n" - "+postgresql_language_object(sepgsql_safe_lang_t)\n" - "+\n" - "+type sepgsql_schema_t;\n" - "+postgresql_schema_object(sepgsql_schema_t)\n" - "+\n" - " type sepgsql_secret_blob_t;\n" - " postgresql_blob_object(sepgsql_secret_blob_t)\n" - " \n" - " type sepgsql_secret_table_t;\n" - " postgresql_table_object(sepgsql_secret_table_t)\n" - " \n" - "+type sepgsql_seq_t;\n" - "+postgresql_sequence_object(sepgsql_seq_t)\n" - "+\n" - " type sepgsql_sysobj_t;\n" - " postgresql_system_table_object(sepgsql_sysobj_t)\n" - " \n" - "@@ -102,6 +125,9 @@ 
postgresql_table_object(sepgsql_table_t)\n" - " type sepgsql_trusted_proc_exec_t;\n" - " postgresql_procedure_object(sepgsql_trusted_proc_exec_t)\n" - " \n" - "+type sepgsql_view_t;\n" - "+postgresql_view_object(sepgsql_view_t)\n" - "+\n" - " # Trusted Procedure Domain\n" - " type sepgsql_trusted_proc_t;\n" - " domain_type(sepgsql_trusted_proc_t)\n" - "@@ -115,12 +141,21 @@ postgresql_blob_object(unpriv_sepgsql_bl\n" - " type unpriv_sepgsql_proc_exec_t;\n" - " postgresql_procedure_object(unpriv_sepgsql_proc_exec_t)\n" - " \n" - "+type unpriv_sepgsql_schema_t;\n" - "+postgresql_schema_object(unpriv_sepgsql_schema_t);\n" - "+\n" - "+type unpriv_sepgsql_seq_t;\n" - "+postgresql_sequence_object(unpriv_sepgsql_seq_t)\n" - "+\n" - " type unpriv_sepgsql_sysobj_t;\n" - " postgresql_system_table_object(unpriv_sepgsql_sysobj_t)\n" - " \n" - " type unpriv_sepgsql_table_t;\n" - " postgresql_table_object(unpriv_sepgsql_table_t)\n" - " \n" - "+type unpriv_sepgsql_view_t;\n" - "+postgresql_view_object(unpriv_sepgsql_view_t)\n" - "+\n" - " # Types for UBAC\n" - " type user_sepgsql_blob_t;\n" - " typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t };\n" - "@@ -132,6 +167,16 @@ typealias user_sepgsql_proc_exec_t alias\n" - " typealias user_sepgsql_proc_exec_t alias { auditadm_sepgsql_proc_exec_t secadm_sepgsql_proc_exec_t };\n" - " postgresql_procedure_object(user_sepgsql_proc_exec_t)\n" - " \n" - "+type user_sepgsql_schema_t;\n" - "+typealias user_sepgsql_schema_t alias { staff_sepgsql_schema_t sysadm_sepgsql_schema_t };\n" - "+typealias user_sepgsql_schema_t alias { auditadm_sepgsql_schema_t secadm_sepgsql_schema_t };\n" - "+postgresql_schema_object(user_sepgsql_schema_t)\n" - "+\n" - "+type user_sepgsql_seq_t;\n" - "+typealias user_sepgsql_seq_t alias { staff_sepgsql_seq_t sysadm_sepgsql_seq_t };\n" - "+typealias user_sepgsql_seq_t alias { auditadm_sepgsql_seq_t secadm_sepgsql_seq_t };\n" - "+postgresql_sequence_object(user_sepgsql_seq_t)\n" - "+\n" - 
" type user_sepgsql_sysobj_t;\n" - " typealias user_sepgsql_sysobj_t alias { staff_sepgsql_sysobj_t sysadm_sepgsql_sysobj_t };\n" - " typealias user_sepgsql_sysobj_t alias { auditadm_sepgsql_sysobj_t secadm_sepgsql_sysobj_t };\n" - "@@ -142,6 +187,11 @@ typealias user_sepgsql_table_t alias { s\n" - " typealias user_sepgsql_table_t alias { auditadm_sepgsql_table_t secadm_sepgsql_table_t };\n" - " postgresql_table_object(user_sepgsql_table_t)\n" - " \n" - "+type user_sepgsql_view_t;\n" - "+typealias user_sepgsql_view_t alias { staff_sepgsql_view_t sysadm_sepgsql_view_t };\n" - "+typealias user_sepgsql_view_t alias { auditadm_sepgsql_view_t secadm_sepgsql_view_t };\n" - "+postgresql_view_object(user_sepgsql_view_t)\n" - "+\n" - " ########################################\n" - " #\n" - " # postgresql Local policy\n" - "@@ -166,9 +216,15 @@ allow postgresql_t sepgsql_module_type:d\n" - " # Database/Loadable module\n" - " allow sepgsql_database_type sepgsql_module_type:db_database load_module;\n" - " \n" - "+allow postgresql_t sepgsql_schema_type:db_schema *;\n" - "+\n" - " allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;\n" - " type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t;\n" - " \n" - "+allow postgresql_t sepgsql_sequence_type:db_sequence *;\n" - "+\n" - "+allow postgresql_t sepgsql_view_type:db_view *;\n" - "+\n" - " allow postgresql_t sepgsql_procedure_type:db_procedure *;\n" - " type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_exec_t;\n" - " \n" - "@@ -314,6 +370,8 @@ optional_policy(`\n" - " allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param };\n" - " type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t;\n" - " \n" - "+allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search };\n" - "+\n" - " allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert lock };\n" - " allow 
sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert };\n" - " allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert };\n" - "@@ -333,9 +391,22 @@ allow sepgsql_client_type sepgsql_sysobj\n" - " allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select };\n" - " allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };\n" - " \n" - "+allow sepgsql_client_type sepgsql_seq_t:db_sequence { getattr get_value next_value };\n" - "+\n" - "+allow sepgsql_client_type sepgsql_view_t:db_view { getattr expand };\n" - "+\n" - " allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr execute install };\n" - " allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint };\n" - " \n" - "+allow sepgsql_client_type sepgsql_lang_t:db_language { getattr };\n" - "+allow sepgsql_client_type sepgsql_safe_lang_t:db_language { getattr execute };\n" - "+\n" - "+# Only DBA can implement SQL procedures using `unsafe' procedural languages.\n" - "+# The `unsafe' one provides a capability to access internal data structure,\n" - "+# so we don't allow user-defined function being implemented using `unsafe' one.\n" - "+allow sepgsql_proc_exec_t sepgsql_lang_t:db_language { implement };\n" - "+allow sepgsql_procedure_type sepgsql_safe_lang_t:db_language { implement };\n" - "+\n" - " allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };\n" - " allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };\n" - " allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;\n" - "@@ -354,6 +425,13 @@ allow sepgsql_client_type sepgsql_secret\n" - " dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };\n" - " \n" - " \n" - "+# Note that permission of creation/deletion are eventually controlled by\n" - 
"+# create or drop permission of individual objects within shared schemas.\n" - "+# So, it just allows to create/drop user specific types.\n" - "+tunable_policy(`sepgsql_enable_users_ddl',`\n" - "+\tallow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };\n" - "+')\n" - "+\n" - " ########################################\n" - " #\n" - " # Rules common to administrator clients\n" - "@@ -362,16 +440,33 @@ dontaudit { postgresql_t sepgsql_admin_t\n" - " allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access };\n" - " type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t;\n" - " \n" - "+allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name };\n" - "+type_transition sepgsql_admin_type sepgsql_database_type:db_schema sepgsql_schema_t;\n" - "+\n" - " allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock };\n" - " allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto };\n" - " allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };\n" - " \n" - "-type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t;\n" - "+type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t;\t# deprecated\n" - "+type_transition sepgsql_admin_type sepgsql_schema_type:db_table sepgsql_table_t;\n" - "+\n" - "+allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value };\n" - "+\n" - "+type_transition sepgsql_admin_type sepgsql_schema_type:db_schema sepgsql_seq_t;\n" - "+\n" - "+allow sepgsql_admin_type sepgsql_view_type:db_view { create drop getattr setattr relabelfrom relabelto expand };\n" - "+\n" - "+type_transition 
sepgsql_admin_type sepgsql_view_type:db_view sepgsql_view_t;\n" - " \n" - " allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto };\n" - " allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute;\n" - " \n" - "-type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;\n" - "+type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;\t# deprecated\n" - "+type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t;\n" - "+\n" - "+allow sepgsql_admin_type sepgsql_language_type:db_language { create drop getattr setattr relabelfrom relabelto execute };\n" - "+\n" - "+type_transition sepgsql_admin_type sepgsql_database_type:db_language sepgsql_lang_t;\n" - " \n" - " allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto };\n" - " \n" - "@@ -384,12 +479,18 @@ kernel_relabelfrom_unlabeled_database(se\n" - " tunable_policy(`sepgsql_unconfined_dbadm',`\n" - " \tallow sepgsql_admin_type sepgsql_database_type:db_database *;\n" - " \n" - "+\tallow sepgsql_admin_type sepgsql_schema_type:db_schema *;\n" - "+\n" - " \tallow sepgsql_admin_type sepgsql_table_type:{ db_table db_column db_tuple } *;\n" - "+\tallow sepgsql_admin_type sepgsql_sequence_type:db_sequence *;\n" - "+\tallow sepgsql_admin_type sepgsql_view_type:db_view *;\n" - " \n" - " \tallow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *;\n" - " \tallow sepgsql_admin_type sepgsql_trusted_proc_exec_t:db_procedure ~install;\n" - " \tallow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install };\n" - " \n" - "+\tallow sepgsql_admin_type sepgsql_language_type:db_language ~implement;\n" - "+\n" - " \tallow sepgsql_admin_type sepgsql_blob_type:db_blob *;\n" - " ')\n" - " \n" - "@@ -401,11 +502,21 @@ tunable_policy(`sepgsql_unconfined_dbadm\n" - " allow sepgsql_unconfined_type 
sepgsql_database_type:db_database *;\n" - " type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t;\n" - " \n" - "-type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t;\n" - "-type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;\n" - "+allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *;\n" - "+type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_schema_t;\n" - "+\n" - "+type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t;\t\t# deprecated\n" - "+type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;\t# deprecated\n" - "+type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table sepgsql_table_t;\n" - "+type_transition sepgsql_unconfined_type sepgsql_schema_type:db_sequence sepgsql_seq_t;\n" - "+type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view sepgsql_view_t;\n" - "+type_transition sepgsql_unconfined_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t;\n" - "+type_transition sepgsql_unconfined_type sepgsql_database_type:db_language sepgsql_lang_t;\n" - " type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;\n" - " \n" - " allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;\n" - "+allow sepgsql_unconfined_type sepgsql_sequence_type:db_sequence *;\n" - "+allow sepgsql_unconfined_type sepgsql_view_type:db_view *;\n" - " \n" - " # unconfined domain is not allowed to invoke user defined procedure directly.\n" - " # They have to confirm and relabel it at first.\n" - "@@ -413,6 +524,8 @@ allow sepgsql_unconfined_type sepgsql_pr\n" - " allow sepgsql_unconfined_type sepgsql_trusted_proc_exec_t:db_procedure ~install;\n" - " allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ execute install };\n" - " \n" - "+allow sepgsql_unconfined_type 
sepgsql_language_type:db_language ~implement;\n" - "+\n" - " allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;\n" - " \n" - " allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;\n" - "diff -rupN serefpolicy-3.7.19.old/support/selinux-policy-refpolicy.spec serefpolicy-3.7.19.new/support/selinux-policy-refpolicy.spec\n" - "--- serefpolicy-3.7.19.old/support/selinux-policy-refpolicy.spec\t2010-04-14 03:44:37.000000000 +0900\n" - "+++ serefpolicy-3.7.19.new/support/selinux-policy-refpolicy.spec\t2011-01-18 12:35:31.000000000 +0900\n" - "@@ -74,6 +74,7 @@ make NAME=%{polname2} TYPE=%{type2} DIST\n" - " %config(noreplace) %{_sysconfdir}/selinux/*/contexts/initrc_context\n" - " %config(noreplace) %{_sysconfdir}/selinux/*/contexts/removable_context\n" - " %config(noreplace) %{_sysconfdir}/selinux/*/contexts/userhelper_context\n" - "+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/sepgsql_contexts\n" - " %config(noreplace) %{_sysconfdir}/selinux/*/contexts/x_contexts\n" - " %dir %{_sysconfdir}/selinux/*/contexts/files\n" - " #%ghost %config %{_sysconfdir}/selinux/*/contexts/files/file_contexts\n" - "@@ -118,6 +119,7 @@ SELinux Reference policy targeted base m\n" - " %config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/initrc_context\n" - " %config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/removable_context\n" - " %config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/userhelper_context\n" - "+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/sepgsql_contexts\n" - " %config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/x_contexts\n" - " %dir %{_sysconfdir}/selinux/%{polname1}/contexts/files\n" - " #%ghost %config %{_sysconfdir}/selinux/%{polname1}/contexts/files/file_contexts\n" - "@@ -164,6 +166,7 @@ SELinux Reference policy strict base mod\n" - " %config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/initrc_context\n" - " %config(noreplace) 
%{_sysconfdir}/selinux/%{polname2}/contexts/removable_context\n" - " %config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/userhelper_context\n" - "+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/sepgsql_contexts\n" - " %config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/x_contexts\n" - " %dir %{_sysconfdir}/selinux/%{polname2}/contexts/files\n" - " #%ghost %config %{_sysconfdir}/selinux/%{polname2}/contexts/files/file_contexts\n" - "\01:3\0" - "fn\0selinux-policy-sepgsql.fedora.patch\0" - "b\0" - "diff -rpuN serefpolicy-3.9.12.old/config/appconfig-mcs/sepgsql_contexts serefpolicy-3.9.12.new/config/appconfig-mcs/sepgsql_contexts\n" - "--- serefpolicy-3.9.12.old/config/appconfig-mcs/sepgsql_contexts\t1970-01-01 09:00:00.000000000 +0900\n" - "+++ serefpolicy-3.9.12.new/config/appconfig-mcs/sepgsql_contexts\t2011-01-18 12:56:32.000000000 +0900\n" - "@@ -0,0 +1,40 @@\n" - "+#\n" - "+# Initial security label for SE-PostgreSQL (MCS)\n" - "+#\n" - "+\n" - "+# <databases>\n" - "+db_database\t*\t\t\tsystem_u:object_r:sepgsql_db_t:s0\n" - "+\n" - "+# <schemas>\n" - "+db_schema\t*.*\t\t\tsystem_u:object_r:sepgsql_schema_t:s0\n" - "+\n" - "+# <tables>\n" - "+db_table\t*.pg_catalog.*\t\tsystem_u:object_r:sepgsql_sysobj_t:s0\n" - "+db_table\t*.*.*\t\t\tsystem_u:object_r:sepgsql_table_t:s0\n" - "+\n" - "+# <column>\n" - "+db_column\t*.pg_catalog.*.*\tsystem_u:object_r:sepgsql_sysobj_t:s0\n" - "+db_column\t*.*.*.*\t\t\tsystem_u:object_r:sepgsql_table_t:s0\n" - "+\n" - "+# <sequences>\n" - "+db_sequence\t*.*.*\t\t\tsystem_u:object_r:sepgsql_seq_t:s0\n" - "+\n" - "+# <views>\n" - "+db_view\t\t*.*.*\t\t\tsystem_u:object_r:sepgsql_view_t:s0\n" - "+\n" - "+# <procedures>\n" - "+db_procedure\t*.*.*\t\t\tsystem_u:object_r:sepgsql_proc_exec_t:s0\n" - "+\n" - "+# <tuples>\n" - "+db_tuple\t*.pg_catalog.*\t\tsystem_u:object_r:sepgsql_sysobj_t:s0\n" - "+db_tuple\t*.*.*\t\t\tsystem_u:object_r:sepgsql_table_t:s0\n" - "+\n" - "+# <blobs>\n" - 
"+db_blobs\t*.*\t\t\tsystem_u:object_r:sepgsql_blob_t:s0\n" - "+\n" - "+# <language>\n" - "+db_language\t*.sql\t\t\tsystem_u:object_r:sepgsql_safe_lang_t:s0\n" - "+db_language\t*.plpgsql\t\tsystem_u:object_r:sepgsql_safe_lang_t:s0\n" - "+db_language\t*.pltcl\t\t\tsystem_u:object_r:sepgsql_safe_lang_t:s0\n" - "+db_language\t*.plperl\t\tsystem_u:object_r:sepgsql_safe_lang_t:s0\n" - "+db_language\t*.*\t\t\tsystem_u:object_r:sepgsql_lang_t:s0\n" - "diff -rpuN serefpolicy-3.9.12.old/config/appconfig-mls/sepgsql_contexts serefpolicy-3.9.12.new/config/appconfig-mls/sepgsql_contexts\n" - "--- serefpolicy-3.9.12.old/config/appconfig-mls/sepgsql_contexts\t1970-01-01 09:00:00.000000000 +0900\n" - "+++ serefpolicy-3.9.12.new/config/appconfig-mls/sepgsql_contexts\t2011-01-18 12:56:32.000000000 +0900\n" - "@@ -0,0 +1,40 @@\n" - "+#\n" - "+# Initial security label for SE-PostgreSQL (MLS)\n" - "+#\n" - "+\n" - "+# <databases>\n" - "+db_database\t*\t\t\tsystem_u:object_r:sepgsql_db_t:s0\n" - "+\n" - "+# <schemas>\n" - "+db_schema\t*.*\t\t\tsystem_u:object_r:sepgsql_schema_t:s0\n" - "+\n" - "+# <tables>\n" - "+db_table\t*.pg_catalog.*\t\tsystem_u:object_r:sepgsql_sysobj_t:s0\n" - "+db_table\t*.*.*\t\t\tsystem_u:object_r:sepgsql_table_t:s0\n" - "+\n" - "+# <column>\n" - "+db_column\t*.pg_catalog.*.*\tsystem_u:object_r:sepgsql_sysobj_t:s0\n" - "+db_column\t*.*.*.*\t\t\tsystem_u:object_r:sepgsql_table_t:s0\n" - "+\n" - "+# <sequences>\n" - "+db_sequence\t*.*.*\t\t\tsystem_u:object_r:sepgsql_seq_t:s0\n" - "+\n" - "+# <views>\n" - "+db_view\t\t*.*.*\t\t\tsystem_u:object_r:sepgsql_view_t:s0\n" - "+\n" - "+# <procedures>\n" - "+db_procedure\t*.*.*\t\t\tsystem_u:object_r:sepgsql_proc_exec_t:s0\n" - "+\n" - "+# <tuples>\n" - "+db_tuple\t*.pg_catalog.*\t\tsystem_u:object_r:sepgsql_sysobj_t:s0\n" - "+db_tuple\t*.*.*\t\t\tsystem_u:object_r:sepgsql_table_t:s0\n" - "+\n" - "+# <blobs>\n" - "+db_blobs\t*.*\t\t\tsystem_u:object_r:sepgsql_blob_t:s0\n" - "+\n" - "+# <language>\n" - 
"+db_language\t*.sql\t\t\tsystem_u:object_r:sepgsql_safe_lang_t:s0\n" - "+db_language\t*.plpgsql\t\tsystem_u:object_r:sepgsql_safe_lang_t:s0\n" - "+db_language\t*.pltcl\t\t\tsystem_u:object_r:sepgsql_safe_lang_t:s0\n" - "+db_language\t*.plperl\t\tsystem_u:object_r:sepgsql_safe_lang_t:s0\n" - "+db_language\t*.*\t\t\tsystem_u:object_r:sepgsql_lang_t:s0\n" - "diff -rpuN serefpolicy-3.9.12.old/config/appconfig-standard/sepgsql_contexts serefpolicy-3.9.12.new/config/appconfig-standard/sepgsql_contexts\n" - "--- serefpolicy-3.9.12.old/config/appconfig-standard/sepgsql_contexts\t1970-01-01 09:00:00.000000000 +0900\n" - "+++ serefpolicy-3.9.12.new/config/appconfig-standard/sepgsql_contexts\t2011-01-18 12:56:32.000000000 +0900\n" - "@@ -0,0 +1,40 @@\n" - "+#\n" - "+# Initial security label for SE-PostgreSQL (none-MLS)\n" - "+#\n" - "+\n" - "+# <databases>\n" - "+db_database\t*\t\t\tsystem_u:object_r:sepgsql_db_t\n" - "+\n" - "+# <schemas>\n" - "+db_schema\t*.*\t\t\tsystem_u:object_r:sepgsql_schema_t\n" - "+\n" - "+# <tables>\n" - "+db_table\t*.pg_catalog.*\t\tsystem_u:object_r:sepgsql_sysobj_t\n" - "+db_table\t*.*.*\t\t\tsystem_u:object_r:sepgsql_table_t\n" - "+\n" - "+# <column>\n" - "+db_column\t*.pg_catalog.*.*\tsystem_u:object_r:sepgsql_sysobj_t\n" - "+db_column\t*.*.*.*\t\t\tsystem_u:object_r:sepgsql_table_t\n" - "+\n" - "+# <sequences>\n" - "+db_sequence\t*.*.*\t\t\tsystem_u:object_r:sepgsql_seq_t\n" - "+\n" - "+# <views>\n" - "+db_view\t\t*.*.*\t\t\tsystem_u:object_r:sepgsql_view_t\n" - "+\n" - "+# <procedures>\n" - "+db_procedure\t*.*.*\t\t\tsystem_u:object_r:sepgsql_proc_exec_t\n" - "+\n" - "+# <tuples>\n" - "+db_tuple\t*.pg_catalog.*\t\tsystem_u:object_r:sepgsql_sysobj_t\n" - "+db_tuple\t*.*.*\t\t\tsystem_u:object_r:sepgsql_table_t\n" - "+\n" - "+# <blobs>\n" - "+db_blobs\t*.*\t\t\tsystem_u:object_r:sepgsql_blob_t\n" - "+\n" - "+# <language>\n" - "+db_language\t*.sql\t\t\tsystem_u:object_r:sepgsql_safe_lang_t\n" - 
"+db_language\t*.plpgsql\t\tsystem_u:object_r:sepgsql_safe_lang_t\n" - "+db_language\t*.pltcl\t\t\tsystem_u:object_r:sepgsql_safe_lang_t\n" - "+db_language\t*.plperl\t\tsystem_u:object_r:sepgsql_safe_lang_t\n" - "+db_language\t*.*\t\t\tsystem_u:object_r:sepgsql_lang_t\n" - "diff -rpuN serefpolicy-3.9.12.old/Makefile serefpolicy-3.9.12.new/Makefile\n" - "--- serefpolicy-3.9.12.old/Makefile\t2011-01-18 12:54:14.000000000 +0900\n" - "+++ serefpolicy-3.9.12.new/Makefile\t2011-01-18 12:56:32.000000000 +0900\n" - "@@ -248,7 +248,7 @@ seusers := $(appconf)/seusers\n" - " appdir := $(contextpath)\n" - " user_default_contexts := $(wildcard config/appconfig-$(TYPE)/*_default_contexts)\n" - " user_default_contexts_names := $(addprefix $(contextpath)/users/,$(subst _default_contexts,,$(notdir $(user_default_contexts))))\n" - "-appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)\n" - "+appfiles := $(addprefix $(appdir)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts sepgsql_contexts x_contexts customizable_types securetty_types virtual_image_context virtual_domain_context) $(contextpath)/files/media $(user_default_contexts_names)\n" - " net_contexts := $(builddir)net_contexts\n" - " \n" - " all_layers := $(shell find $(wildcard $(moddir)/*) -maxdepth 0 -type d)\n" - "diff -rpuN serefpolicy-3.9.12.old/policy/flask/access_vectors serefpolicy-3.9.12.new/policy/flask/access_vectors\n" - "--- serefpolicy-3.9.12.old/policy/flask/access_vectors\t2011-01-18 12:54:14.000000000 +0900\n" - "+++ serefpolicy-3.9.12.new/policy/flask/access_vectors\t2011-01-18 12:56:32.000000000 +0900\n" - "@@ -831,3 +831,32 @@ inherits x_device\n" - " \n" - " class x_keyboard\n" - " inherits 
x_device\n" - "+\n" - "+class db_schema\n" - "+inherits database\n" - "+{\n" - "+\tsearch\n" - "+\tadd_name\n" - "+\tremove_name\n" - "+}\n" - "+\n" - "+class db_view\n" - "+inherits database\n" - "+{\n" - "+\texpand\n" - "+}\n" - "+\n" - "+class db_sequence\n" - "+inherits database\n" - "+{\n" - "+\tget_value\n" - "+\tnext_value\n" - "+\tset_value\n" - "+}\n" - "+\n" - "+class db_language\n" - "+inherits database\n" - "+{\n" - "+\timplement\n" - "+\texecute\n" - "+}\n" - "diff -rpuN serefpolicy-3.9.12.old/policy/flask/security_classes serefpolicy-3.9.12.new/policy/flask/security_classes\n" - "--- serefpolicy-3.9.12.old/policy/flask/security_classes\t2010-12-21 02:06:00.000000000 +0900\n" - "+++ serefpolicy-3.9.12.new/policy/flask/security_classes\t2011-01-18 12:56:32.000000000 +0900\n" - "@@ -125,4 +125,10 @@ class tun_socket\n" - " class x_pointer\t\t\t# userspace\n" - " class x_keyboard\t\t# userspace\n" - " \n" - "+# More Database stuff\n" - "+class db_schema\t\t\t# userspace\n" - "+class db_view\t\t\t# userspace\n" - "+class db_sequence\t\t# userspace\n" - "+class db_language\t\t# userspace\n" - "+\n" - " # FLASK\n" - "diff -rpuN serefpolicy-3.9.12.old/policy/mcs serefpolicy-3.9.12.new/policy/mcs\n" - "--- serefpolicy-3.9.12.old/policy/mcs\t2011-01-18 12:54:14.000000000 +0900\n" - "+++ serefpolicy-3.9.12.new/policy/mcs\t2011-01-18 12:56:32.000000000 +0900\n" - "@@ -110,7 +110,7 @@ mlsconstrain process { signal }\n" - " \n" - " # Any database object must be dominated by the relabeling subject\n" - " # clearance, also the objects are single-level.\n" - "-mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto }\n" - "+mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }\n" - " \t(( h1 dom h2 ) and ( l2 eq h2 ));\n" - " \n" - " mlsconstrain { db_tuple } { insert relabelto }\n" - "@@ -120,6 +120,9 @@ mlsconstrain { db_tuple } { insert relab\n" - " 
mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param }\n" - " \t( h1 dom h2 );\n" - " \n" - "+mlsconstrain db_language { drop getattr setattr relabelfrom execute }\n" - "+\t( h1 dom h2 );\n" - "+\n" - " mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock }\n" - " \t( h1 dom h2 );\n" - " \n" - "@@ -129,7 +132,16 @@ mlsconstrain db_column { drop getattr se\n" - " mlsconstrain db_tuple { relabelfrom select update delete use }\n" - " \t( h1 dom h2 );\n" - " \n" - "-mlsconstrain db_procedure { drop getattr setattr execute install }\n" - "+mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value next_value set_value }\n" - "+\t( h1 dom h2 );\n" - "+\n" - "+mlsconstrain db_view { drop getattr setattr relabelfrom expand }\n" - "+\t( h1 dom h2 );\n" - "+\n" - "+mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install }\n" - "+\t( h1 dom h2 );\n" - "+\n" - "+mlsconstrain db_language { drop getattr setattr relabelfrom execute }\n" - " \t( h1 dom h2 );\n" - " \n" - " mlsconstrain db_blob { drop getattr setattr relabelfrom read write import export }\n" - "diff -rpuN serefpolicy-3.9.12.old/policy/mls serefpolicy-3.9.12.new/policy/mls\n" - "--- serefpolicy-3.9.12.old/policy/mls\t2010-12-21 02:06:02.000000000 +0900\n" - "+++ serefpolicy-3.9.12.new/policy/mls\t2011-01-18 12:56:32.000000000 +0900\n" - "@@ -727,13 +727,13 @@ mlsconstrain context contains\n" - " #\n" - " \n" - " # make sure these database classes are \"single level\"\n" - "-mlsconstrain { db_database db_table db_procedure db_column db_blob } { create relabelto }\n" - "+mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_blob } { create relabelto }\n" - " \t( l2 eq h2 );\n" - " mlsconstrain { db_tuple } { insert relabelto }\n" - " \t( l2 eq h2 );\n" - " \n" - " # new database labels must be dominated by the relabeling subjects 
clearance\n" - "-mlsconstrain { db_database db_table db_procedure db_column db_tuple db_blob } { relabelto }\n" - "+mlsconstrain { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob } { relabelto }\n" - " \t( h1 dom h2 );\n" - " \n" - " # the database \"read\" ops (note the check is dominance of the low level)\n" - "@@ -743,6 +743,12 @@ mlsconstrain { db_database } { getattr a\n" - " \t ( t1 == mlsdbread ) or\n" - " \t ( t2 == mlstrustedobject ));\n" - " \n" - "+mlsconstrain { db_schema } { getattr search }\n" - "+\t(( l1 dom l2 ) or\n" - "+\t (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or\n" - "+\t ( t1 == mlsdbread ) or\n" - "+\t ( t2 == mlstrustedobject ));\n" - "+\n" - " mlsconstrain { db_table } { getattr use select lock }\n" - " \t(( l1 dom l2 ) or\n" - " \t (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or\n" - "@@ -755,12 +761,30 @@ mlsconstrain { db_column } { getattr use\n" - " \t ( t1 == mlsdbread ) or\n" - " \t ( t2 == mlstrustedobject ));\n" - " \n" - "+mlsconstrain { db_sequence } { getattr get_value next_value }\n" - "+\t(( l1 dom l2 ) or\n" - "+\t (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or\n" - "+\t ( t1 == mlsdbread ) or\n" - "+\t ( t2 == mlstrustedobject ));\n" - "+\n" - "+mlsconstrain { db_view } { getattr expand }\n" - "+\t(( l1 dom l2 ) or\n" - "+\t (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or\n" - "+\t ( t1 == mlsdbread ) or\n" - "+\t ( t2 == mlstrustedobject ));\n" - "+\n" - " mlsconstrain { db_procedure } { getattr execute install }\n" - " \t(( l1 dom l2 ) or\n" - " \t (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or\n" - " \t ( t1 == mlsdbread ) or\n" - " \t ( t2 == mlstrustedobject ));\n" - " \n" - "+mlsconstrain { db_language } { getattr execute }\n" - "+\t(( l1 dom l2 ) or\n" - "+\t (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or\n" - "+\t ( t1 == mlsdbread ) or\n" - "+\t ( t2 == mlstrustedobject ));\n" - "+\n" - " mlsconstrain { db_blob } { getattr read export }\n" - " \t(( l1 
dom l2 ) or\n" - " \t (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or\n" - "@@ -781,6 +805,13 @@ mlsconstrain { db_database } { create dr\n" - " \t ( t1 == mlsdbwrite ) or\n" - " \t ( t2 == mlstrustedobject ));\n" - " \n" - "+mlsconstrain { db_schema } { create drop setattr relabelfrom add_name remove_name }\n" - "+\t(( l1 eq l2 ) or\n" - "+\t (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or\n" - "+\t (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or\n" - "+\t ( t1 == mlsdbwrite ) or\n" - "+\t ( t2 == mlstrustedobject ));\n" - "+\n" - " mlsconstrain { db_table } { create drop setattr relabelfrom update insert delete }\n" - " \t(( l1 eq l2 ) or\n" - " \t (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or\n" - "@@ -795,6 +826,20 @@ mlsconstrain { db_column } { create drop\n" - " \t ( t1 == mlsdbwrite ) or\n" - " \t ( t2 == mlstrustedobject ));\n" - " \n" - "+mlsconstrain { db_sequence } { create drop setattr relabelfrom set_value }\n" - "+\t(( l1 eq l2 ) or\n" - "+\t (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or\n" - "+\t (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or\n" - "+\t ( t1 == mlsdbwrite ) or\n" - "+\t ( t2 == mlstrustedobject ));\n" - "+\n" - "+mlsconstrain { db_view } { create drop setattr relabelfrom }\n" - "+\t(( l1 eq l2 ) or\n" - "+\t (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or\n" - "+\t (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or\n" - "+\t ( t1 == mlsdbwrite ) or\n" - "+\t ( t2 == mlstrustedobject ));\n" - "+\n" - " mlsconstrain { db_procedure } { create drop setattr relabelfrom }\n" - " \t(( l1 eq l2 ) or\n" - " \t (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or\n" - "@@ -802,6 +847,13 @@ mlsconstrain { db_procedure } { create d\n" - " \t ( t1 == mlsdbwrite ) or\n" - " \t ( t2 == mlstrustedobject ));\n" - " \n" - "+mlsconstrain { db_language } { create drop setattr 
relabelfrom }\n" - "+\t(( l1 eq l2 ) or\n" - "+\t (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or\n" - "+\t (( t2 == mlsdbwriteinrange ) and ( l1 dom l2 ) and ( h1 domby h2 )) or\n" - "+\t ( t1 == mlsdbwrite ) or\n" - "+\t ( t2 == mlstrustedobject ));\n" - "+\n" - " mlsconstrain { db_blob } { create drop setattr relabelfrom write import }\n" - " \t(( l1 eq l2 ) or\n" - " \t (( t1 == mlsdbwritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or\n" - "@@ -817,7 +869,7 @@ mlsconstrain { db_tuple } { relabelfrom \n" - " \t ( t2 == mlstrustedobject ));\n" - " \n" - " # the database upgrade/downgrade rule\n" - "-mlsvalidatetrans { db_database db_table db_procedure db_column db_tuple db_blob }\n" - "+mlsvalidatetrans { db_database db_schema db_table db_sequence db_view db_procedure db_language db_column db_tuple db_blob }\n" - " \t((( l1 eq l2 ) or\n" - " \t (( t3 == mlsdbupgrade ) and ( l1 domby l2 )) or\n" - " \t (( t3 == mlsdbdowngrade ) and ( l1 dom l2 )) or\n" - "diff -rpuN serefpolicy-3.9.12.old/policy/modules/kernel/kernel.if serefpolicy-3.9.12.new/policy/modules/kernel/kernel.if\n" - "--- serefpolicy-3.9.12.old/policy/modules/kernel/kernel.if\t2011-01-18 12:54:14.000000000 +0900\n" - "+++ serefpolicy-3.9.12.new/policy/modules/kernel/kernel.if\t2011-01-18 12:56:32.000000000 +0900\n" - "@@ -2903,16 +2903,24 @@ interface(`kernel_relabelfrom_unlabeled_\n" - " \tgen_require(`\n" - " \t\ttype unlabeled_t;\n" - " \t\tclass db_database { setattr relabelfrom };\n" - "+\t\tclass db_schema { setattr relabelfrom };\n" - " \t\tclass db_table { setattr relabelfrom };\n" - "+\t\tclass db_sequence { setattr relabelfrom };\n" - "+\t\tclass db_view { setattr relabelfrom };\n" - " \t\tclass db_procedure { setattr relabelfrom };\n" - "+\t\tclass db_language { setattr relabelfrom };\n" - " \t\tclass db_column { setattr relabelfrom };\n" - " \t\tclass db_tuple { update relabelfrom };\n" - " \t\tclass db_blob { setattr relabelfrom };\n" - " \t')\n" - " \n" - " \tallow 
$1 unlabeled_t:db_database { setattr relabelfrom };\n" - "+\tallow $1 unlabeled_t:db_schema { setattr relabelfrom };\n" - " \tallow $1 unlabeled_t:db_table { setattr relabelfrom };\n" - "+\tallow $1 unlabeled_t:db_sequence { setattr relabelfrom };\n" - "+\tallow $1 unlabeled_t:db_view { setattr relabelfrom };\n" - " \tallow $1 unlabeled_t:db_procedure { setattr relabelfrom };\n" - "+\tallow $1 unlabeled_t:db_language { setattr relabelfrom };\n" - " \tallow $1 unlabeled_t:db_column { setattr relabelfrom };\n" - " \tallow $1 unlabeled_t:db_tuple { update relabelfrom };\n" - " \tallow $1 unlabeled_t:db_blob { setattr relabelfrom };\n" - "diff -rpuN serefpolicy-3.9.12.old/policy/modules/kernel/kernel.te serefpolicy-3.9.12.new/policy/modules/kernel/kernel.te\n" - "--- serefpolicy-3.9.12.old/policy/modules/kernel/kernel.te\t2011-01-18 12:54:14.000000000 +0900\n" - "+++ serefpolicy-3.9.12.new/policy/modules/kernel/kernel.te\t2011-01-18 12:56:52.000000000 +0900\n" - "@@ -1,4 +1,4 @@\n" - "-policy_module(kernel, 1.13.0)\n" - "+policy_module(kernel, 1.13.1)\n" - " \n" - " ########################################\n" - " #\n" - "diff -rpuN serefpolicy-3.9.12.old/policy/modules/services/postgresql.if serefpolicy-3.9.12.new/policy/modules/services/postgresql.if\n" - "--- serefpolicy-3.9.12.old/policy/modules/services/postgresql.if\t2011-01-18 12:54:14.000000000 +0900\n" - "+++ serefpolicy-3.9.12.new/policy/modules/services/postgresql.if\t2011-01-18 13:05:11.000000000 +0900\n" - "@@ -18,18 +18,24 @@\n" - " interface(`postgresql_role',`\n" - " \tgen_require(`\n" - " \t\tclass db_database all_db_database_perms;\n" - "+\t\tclass db_schema all_db_schema_perms;\n" - " \t\tclass db_table all_db_table_perms;\n" - "+\t\tclass db_sequence all_db_sequence_perms;\n" - "+\t\tclass db_view all_db_view_perms;\n" - " \t\tclass db_procedure all_db_procedure_perms;\n" - "+\t\tclass db_language all_db_language_perms;\n" - " \t\tclass db_column all_db_column_perms;\n" - " \t\tclass db_tuple 
all_db_tuple_perms;\n" - " \t\tclass db_blob all_db_blob_perms;\n" - " \n" - " \t\tattribute sepgsql_client_type, sepgsql_database_type;\n" - "-\t\tattribute sepgsql_sysobj_table_type;\n" - "+\t\tattribute sepgsql_schema_type, sepgsql_sysobj_table_type;\n" - " \n" - " \t\ttype sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t;\n" - " \t\ttype user_sepgsql_blob_t, user_sepgsql_proc_exec_t;\n" - "+\t\ttype user_sepgsql_schema_t, user_sepgsql_seq_t;\n" - " \t\ttype user_sepgsql_sysobj_t, user_sepgsql_table_t;\n" - "+\t\ttype user_sepgsql_view_t;\n" - " \t')\n" - " \n" - " \t########################################\n" - "@@ -44,17 +50,27 @@ interface(`postgresql_role',`\n" - " \t#\n" - " \t# Client local policy\n" - " \t#\n" - "+\tallow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };\n" - "+\ttype_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;\n" - " \n" - " \tallow $2 user_sepgsql_table_t:db_table\t{ getattr use select update insert delete lock };\n" - " \tallow $2 user_sepgsql_table_t:db_column { getattr use select update insert };\n" - " \tallow $2 user_sepgsql_table_t:db_tuple\t{ use select update insert delete };\n" - "-\ttype_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;\n" - "+\ttype_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;\t\t# deprecated\n" - "+\ttype_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t;\n" - " \n" - " \tallow $2 user_sepgsql_sysobj_t:db_tuple\t{ use select };\n" - " \ttype_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;\n" - " \n" - "+\tallow $2 user_sepgsql_seq_t:db_sequence { getattr get_value next_value };\n" - "+\ttype_transition $2 sepgsql_schema_type:db_sequence user_sepgsql_seq_t;\n" - "+\n" - "+\tallow $2 user_sepgsql_view_t:db_view { getattr expand };\n" - "+\ttype_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t;\n" - "+\n" - " \tallow $2 user_sepgsql_proc_exec_t:db_procedure { getattr 
execute };\n" - "-\ttype_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;\n" - "+\ttype_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;\t# deprecated\n" - "+\ttype_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t;\n" - " \n" - " \tallow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };\n" - " \ttype_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;\n" - "@@ -63,10 +79,12 @@ interface(`postgresql_role',`\n" - " \ttype_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;\n" - " \n" - " \ttunable_policy(`sepgsql_enable_users_ddl',`\n" - "+\t\tallow $2 user_sepgsql_schema_t:db_schema { create drop setattr };\n" - " \t\tallow $2 user_sepgsql_table_t:db_table { create drop setattr };\n" - " \t\tallow $2 user_sepgsql_table_t:db_column { create drop setattr };\n" - "-\n" - " \t\tallow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };\n" - "+\t\tallow $2 user_sepgsql_seq_t:db_sequence { create drop setattr set_value };\n" - "+\t\tallow $2 user_sepgsql_view_t:db_view { create drop setattr };\n" - " \t\tallow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };\n" - " \t')\n" - " ')\n" - "@@ -109,6 +127,24 @@ interface(`postgresql_database_object',`\n" - " \n" - " ########################################\n" - " ## <summary>\n" - "+##\tMarks as a SE-PostgreSQL schema object type\n" - "+## </summary>\n" - "+## <param name=\"type\">\n" - "+##\t<summary>\n" - "+##\tType marked as a schema object type.\n" - "+##\t</summary>\n" - "+## </param>\n" - "+#\n" - "+interface(`postgresql_schema_object',`\n" - "+\tgen_require(`\n" - "+\t\tattribute sepgsql_schema_type;\n" - "+\t')\n" - "+\n" - "+\ttypeattribute $1 sepgsql_schema_type;\n" - "+')\n" - "+\n" - "+########################################\n" - "+## <summary>\n" - " ##\tMarks as a SE-PostgreSQL table/column/tuple object type\n" - " ## </summary>\n" - " ## 
<param name=\"type\">\n" - "@@ -146,6 +182,42 @@ interface(`postgresql_system_table_objec\n" - " \n" - " ########################################\n" - " ## <summary>\n" - "+##\tMarks as a SE-PostgreSQL sequence type\n" - "+## </summary>\n" - "+## <param name=\"type\">\n" - "+##\t<summary>\n" - "+##\tType marked as a sequence type.\n" - "+##\t</summary>\n" - "+## </param>\n" - "+#\n" - "+interface(`postgresql_sequence_object',`\n" - "+\tgen_require(`\n" - "+\t\tattribute sepgsql_sequence_type;\n" - "+\t')\n" - "+\n" - "+\ttypeattribute $1 sepgsql_sequence_type;\n" - "+')\n" - "+\n" - "+########################################\n" - "+## <summary>\n" - "+##\tMarks as a SE-PostgreSQL view object type\n" - "+## </summary>\n" - "+## <param name=\"type\">\n" - "+##\t<summary>\n" - "+##\tType marked as a view object type.\n" - "+##\t</summary>\n" - "+## </param>\n" - "+#\n" - "+interface(`postgresql_view_object',`\n" - "+\tgen_require(`\n" - "+\t\tattribute sepgsql_view_type;\n" - "+\t')\n" - "+\n" - "+\ttypeattribute $1 sepgsql_view_type;\n" - "+')\n" - "+\n" - "+########################################\n" - "+## <summary>\n" - " ##\tMarks as a SE-PostgreSQL procedure object type\n" - " ## </summary>\n" - " ## <param name=\"type\">\n" - "@@ -164,6 +236,24 @@ interface(`postgresql_procedure_object',\n" - " \n" - " ########################################\n" - " ## <summary>\n" - "+##\tMarks as a SE-PostgreSQL procedural language object type\n" - "+## </summary>\n" - "+## <param name=\"type\">\n" - "+##\t<summary>\n" - "+##\tType marked as a procedural language object type.\n" - "+##\t</summary>\n" - "+## </param>\n" - "+#\n" - "+interface(`postgresql_language_object',`\n" - "+\tgen_require(`\n" - "+\t\tattribute sepgsql_language_type;\n" - "+\t')\n" - "+\n" - "+\ttypeattribute $1 sepgsql_language_type;\n" - "+')\n" - "+\n" - "+########################################\n" - "+## <summary>\n" - " ##\tMarks as a SE-PostgreSQL binary large object type\n" - " ## </summary>\n" - 
" ## <param name=\"type\">\n" - "@@ -330,18 +420,25 @@ interface(`postgresql_stream_connect',`\n" - " interface(`postgresql_unpriv_client',`\n" - " \tgen_require(`\n" - " \t\tclass db_database all_db_database_perms;\n" - "+\t\tclass db_schema all_db_schema_perms;\n" - " \t\tclass db_table all_db_table_perms;\n" - "+\t\tclass db_sequence all_db_sequence_perms;\n" - "+\t\tclass db_view all_db_view_perms;\n" - " \t\tclass db_procedure all_db_procedure_perms;\n" - "+\t\tclass db_language all_db_language_perms;\n" - " \t\tclass db_column all_db_column_perms;\n" - " \t\tclass db_tuple all_db_tuple_perms;\n" - " \t\tclass db_blob all_db_blob_perms;\n" - " \n" - " \t\tattribute sepgsql_client_type;\n" - "-\t\tattribute sepgsql_database_type, sepgsql_sysobj_table_type;\n" - "+\t\tattribute sepgsql_database_type, sepgsql_schema_type;\n" - "+\t\tattribute sepgsql_sysobj_table_type;\n" - " \n" - " \t\ttype sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;\n" - " \t\ttype unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t;\n" - "+\t\ttype unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t;\n" - " \t\ttype unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t;\n" - "+\t\ttype unpriv_sepgsql_view_t;\n" - " \t')\n" - " \n" - " \t########################################\n" - "@@ -355,28 +452,41 @@ interface(`postgresql_unpriv_client',`\n" - " \t#\n" - " \t# Client local policy\n" - " \t#\n" - "-\n" - " \ttype_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;\n" - " \tallow $1 sepgsql_trusted_proc_t:process transition;\n" - " \n" - "+\tallow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name };\n" - "+\ttype_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t;\n" - "+\n" - " \tallow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };\n" - " \tallow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };\n" - " \tallow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert 
delete };\n" - "-\ttype_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t;\n" - "+\ttype_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t;\t\t# deprecated\n" - "+\ttype_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t;\n" - "+\n" - "+\tallow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value };\n" - "+\ttype_transition $1 sepgsql_schema_type:db_sequence unpriv_sepgsql_seq_t;\n" - "+\n" - "+\tallow $1 unpriv_sepgsql_view_t:db_view { getattr expand };\n" - "+\ttype_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t;\n" - " \n" - " \tallow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };\n" - " \ttype_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;\n" - " \n" - " \tallow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };\n" - "-\ttype_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;\n" - "+\ttype_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;\t# deprecated\n" - "+\ttype_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t;\n" - " \n" - " \tallow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };\n" - " \ttype_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;\n" - " \n" - " \ttunable_policy(`sepgsql_enable_users_ddl',`\n" - "+\t\tallow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr };\n" - " \t\tallow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };\n" - " \t\tallow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };\n" - " \t\tallow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };\n" - "+\t\tallow $1 unpriv_sepgsql_seq_t:db_sequence { create drop setattr };\n" - "+\t\tallow $1 unpriv_sepgsql_view_t:db_view { create drop setattr };\n" - " \t\tallow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };\n" - " \t')\n" - " ')\n" - "diff -rpuN 
serefpolicy-3.9.12.old/policy/modules/services/postgresql.te serefpolicy-3.9.12.new/policy/modules/services/postgresql.te\n" - "--- serefpolicy-3.9.12.old/policy/modules/services/postgresql.te\t2011-01-18 12:54:14.000000000 +0900\n" - "+++ serefpolicy-3.9.12.new/policy/modules/services/postgresql.te\t2011-01-18 13:05:39.000000000 +0900\n" - "@@ -1,4 +1,4 @@\n" - "-policy_module(postgresql, 1.12.0)\n" - "+policy_module(postgresql, 1.12.1)\n" - " \n" - " gen_require(`\n" - " \tclass db_database all_db_database_perms;\n" - "@@ -7,6 +7,10 @@ gen_require(`\n" - " \tclass db_column all_db_column_perms;\n" - " \tclass db_tuple all_db_tuple_perms;\n" - " \tclass db_blob all_db_blob_perms;\n" - "+\tclass db_schema all_db_schema_perms;\n" - "+\tclass db_view all_db_view_perms;\n" - "+\tclass db_sequence all_db_sequence_perms;\n" - "+\tclass db_language all_db_language_perms;\n" - " ')\n" - " \n" - " #################################\n" - "@@ -60,9 +64,13 @@ attribute sepgsql_unconfined_type;\n" - " \n" - " # database objects attribute\n" - " attribute sepgsql_database_type;\n" - "+attribute sepgsql_schema_type;\n" - " attribute sepgsql_table_type;\n" - " attribute sepgsql_sysobj_table_type;\n" - "+attribute sepgsql_sequence_type;\n" - "+attribute sepgsql_view_type;\n" - " attribute sepgsql_procedure_type;\n" - "+attribute sepgsql_language_type;\n" - " attribute sepgsql_blob_type;\n" - " attribute sepgsql_module_type;\n" - " \n" - "@@ -76,6 +84,12 @@ postgresql_database_object(sepgsql_db_t)\n" - " type sepgsql_fixed_table_t;\n" - " postgresql_table_object(sepgsql_fixed_table_t)\n" - " \n" - "+type sepgsql_lang_t;\n" - "+postgresql_language_object(sepgsql_lang_t)\n" - "+\n" - "+type sepgsql_priv_lang_t;\n" - "+postgresql_language_object(sepgsql_priv_lang_t)\n" - "+\n" - " type sepgsql_proc_exec_t;\n" - " typealias sepgsql_proc_exec_t alias sepgsql_proc_t;\n" - " postgresql_procedure_object(sepgsql_proc_exec_t)\n" - "@@ -86,12 +100,21 @@ 
postgresql_blob_object(sepgsql_ro_blob_t\n"
- " type sepgsql_ro_table_t;\n"
- " postgresql_table_object(sepgsql_ro_table_t)\n"
- " \n"
- "+type sepgsql_safe_lang_t;\n"
- "+postgresql_language_object(sepgsql_safe_lang_t)\n"
- "+\n"
- "+type sepgsql_schema_t;\n"
- "+postgresql_schema_object(sepgsql_schema_t)\n"
- "+\n"
- " type sepgsql_secret_blob_t;\n"
- " postgresql_blob_object(sepgsql_secret_blob_t)\n"
- " \n"
- " type sepgsql_secret_table_t;\n"
- " postgresql_table_object(sepgsql_secret_table_t)\n"
- " \n"
- "+type sepgsql_seq_t;\n"
- "+postgresql_sequence_object(sepgsql_seq_t)\n"
- "+\n"
- " type sepgsql_sysobj_t;\n"
- " postgresql_system_table_object(sepgsql_sysobj_t)\n"
- " \n"
- "@@ -101,6 +124,9 @@ postgresql_table_object(sepgsql_table_t)\n"
- " type sepgsql_trusted_proc_exec_t;\n"
- " postgresql_procedure_object(sepgsql_trusted_proc_exec_t)\n"
- " \n"
- "+type sepgsql_view_t;\n"
- "+postgresql_view_object(sepgsql_view_t)\n"
- "+\n"
- " # Trusted Procedure Domain\n"
- " type sepgsql_trusted_proc_t;\n"
- " domain_type(sepgsql_trusted_proc_t)\n"
- "@@ -114,12 +140,21 @@ postgresql_blob_object(unpriv_sepgsql_bl\n"
- " type unpriv_sepgsql_proc_exec_t;\n"
- " postgresql_procedure_object(unpriv_sepgsql_proc_exec_t)\n"
- " \n"
- "+type unpriv_sepgsql_schema_t;\n"
- "+postgresql_schema_object(unpriv_sepgsql_schema_t);\n"
- "+\n"
- "+type unpriv_sepgsql_seq_t;\n"
- "+postgresql_sequence_object(unpriv_sepgsql_seq_t)\n"
- "+\n"
- " type unpriv_sepgsql_sysobj_t;\n"
- " postgresql_system_table_object(unpriv_sepgsql_sysobj_t)\n"
- " \n"
- " type unpriv_sepgsql_table_t;\n"
- " postgresql_table_object(unpriv_sepgsql_table_t)\n"
- " \n"
- "+type unpriv_sepgsql_view_t;\n"
- "+postgresql_view_object(unpriv_sepgsql_view_t)\n"
- "+\n"
- " # Types for UBAC\n"
- " type user_sepgsql_blob_t;\n"
- " typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t };\n"
- "@@ -131,6 +166,16 @@ typealias user_sepgsql_proc_exec_t alias\n"
- " typealias user_sepgsql_proc_exec_t alias { auditadm_sepgsql_proc_exec_t secadm_sepgsql_proc_exec_t };\n"
- " postgresql_procedure_object(user_sepgsql_proc_exec_t)\n"
- " \n"
- "+type user_sepgsql_schema_t;\n"
- "+typealias user_sepgsql_schema_t alias { staff_sepgsql_schema_t sysadm_sepgsql_schema_t };\n"
- "+typealias user_sepgsql_schema_t alias { auditadm_sepgsql_schema_t secadm_sepgsql_schema_t };\n"
- "+postgresql_schema_object(user_sepgsql_schema_t)\n"
- "+\n"
- "+type user_sepgsql_seq_t;\n"
- "+typealias user_sepgsql_seq_t alias { staff_sepgsql_seq_t sysadm_sepgsql_seq_t };\n"
- "+typealias user_sepgsql_seq_t alias { auditadm_sepgsql_seq_t secadm_sepgsql_seq_t };\n"
- "+postgresql_sequence_object(user_sepgsql_seq_t)\n"
- "+\n"
- " type user_sepgsql_sysobj_t;\n"
- " typealias user_sepgsql_sysobj_t alias { staff_sepgsql_sysobj_t sysadm_sepgsql_sysobj_t };\n"
- " typealias user_sepgsql_sysobj_t alias { auditadm_sepgsql_sysobj_t secadm_sepgsql_sysobj_t };\n"
- "@@ -141,6 +186,11 @@ typealias user_sepgsql_table_t alias { s\n"
- " typealias user_sepgsql_table_t alias { auditadm_sepgsql_table_t secadm_sepgsql_table_t };\n"
- " postgresql_table_object(user_sepgsql_table_t)\n"
- " \n"
- "+type user_sepgsql_view_t;\n"
- "+typealias user_sepgsql_view_t alias { staff_sepgsql_view_t sysadm_sepgsql_view_t };\n"
- "+typealias user_sepgsql_view_t alias { auditadm_sepgsql_view_t secadm_sepgsql_view_t };\n"
- "+postgresql_view_object(user_sepgsql_view_t)\n"
- "+\n"
- " ########################################\n"
- " #\n"
- " # postgresql Local policy\n"
- "@@ -165,9 +215,15 @@ allow postgresql_t sepgsql_module_type:d\n"
- " # Database/Loadable module\n"
- " allow sepgsql_database_type sepgsql_module_type:db_database load_module;\n"
- " \n"
- "+allow postgresql_t sepgsql_schema_type:db_schema *;\n"
- "+\n"
- " allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;\n"
- " type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t;\n"
- " \n"
- "+allow postgresql_t sepgsql_sequence_type:db_sequence *;\n"
- "+\n"
- "+allow postgresql_t sepgsql_view_type:db_view *;\n"
- "+\n"
- " allow postgresql_t sepgsql_procedure_type:db_procedure *;\n"
- " type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_exec_t;\n"
- " \n"
- "@@ -313,6 +369,8 @@ optional_policy(`\n"
- " allow sepgsql_client_type sepgsql_db_t:db_database { getattr access get_param set_param };\n"
- " type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t;\n"
- " \n"
- "+allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search };\n"
- "+\n"
- " allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert lock };\n"
- " allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert };\n"
- " allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert };\n"
- "@@ -332,9 +390,22 @@ allow sepgsql_client_type sepgsql_sysobj\n"
- " allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select };\n"
- " allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };\n"
- " \n"
- "+allow sepgsql_client_type sepgsql_seq_t:db_sequence { getattr get_value next_value };\n"
- "+\n"
- "+allow sepgsql_client_type sepgsql_view_t:db_view { getattr expand };\n"
- "+\n"
- " allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr execute install };\n"
- " allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint };\n"
- " \n"
- "+allow sepgsql_client_type sepgsql_lang_t:db_language { getattr };\n"
- "+allow sepgsql_client_type sepgsql_safe_lang_t:db_language { getattr execute };\n"
- "+\n"
- "+# Only DBA can implement SQL procedures using `unsafe' procedural languages.\n"
- "+# The `unsafe' one provides a capability to access internal data structure,\n"
- "+# so we don't allow user-defined function being implemented using `unsafe' one.\n"
- "+allow sepgsql_proc_exec_t sepgsql_lang_t:db_language { implement };\n"
- "+allow sepgsql_procedure_type sepgsql_safe_lang_t:db_language { implement };\n"
- "+\n"
- " allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };\n"
- " allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };\n"
- " allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;\n"
- "@@ -352,6 +423,13 @@ allow sepgsql_client_type sepgsql_secret\n"
- " # Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.\n"
- " dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };\n"
- " \n"
- "+# Note that permission of creation/deletion are eventually controlled by\n"
- "+# create or drop permission of individual objects within shared schemas.\n"
- "+# So, it just allows to create/drop user specific types.\n"
- "+tunable_policy(`sepgsql_enable_users_ddl',`\n"
- "+\tallow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };\n"
- "+')\n"
- "+\n"
- " ########################################\n"
- " #\n"
- " # Rules common to administrator clients\n"
- "@@ -360,16 +438,33 @@ dontaudit { postgresql_t sepgsql_admin_t\n"
- " allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access };\n"
- " type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t;\n"
- " \n"
- "+allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name };\n"
- "+type_transition sepgsql_admin_type sepgsql_database_type:db_schema sepgsql_schema_t;\n"
- "+\n"
- " allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock };\n"
- " allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto };\n"
- " allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };\n"
- " \n"
- "-type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t;\n"
- "+type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t;\t# deprecated\n"
- "+type_transition sepgsql_admin_type sepgsql_schema_type:db_table sepgsql_table_t;\n"
- "+\n"
- "+allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value };\n"
- "+\n"
- "+type_transition sepgsql_admin_type sepgsql_schema_type:db_schema sepgsql_seq_t;\n"
- "+\n"
- "+allow sepgsql_admin_type sepgsql_view_type:db_view { create drop getattr setattr relabelfrom relabelto expand };\n"
- "+\n"
- "+type_transition sepgsql_admin_type sepgsql_view_type:db_view sepgsql_view_t;\n"
- " \n"
- " allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto };\n"
- " allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute;\n"
- " \n"
- "-type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;\n"
- "+type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;\t# deprecated\n"
- "+type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t;\n"
- "+\n"
- "+allow sepgsql_admin_type sepgsql_language_type:db_language { create drop getattr setattr relabelfrom relabelto execute };\n"
- "+\n"
- "+type_transition sepgsql_admin_type sepgsql_database_type:db_language sepgsql_lang_t;\n"
- " \n"
- " allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto };\n"
- " \n"
- "@@ -382,12 +477,18 @@ kernel_relabelfrom_unlabeled_database(se\n"
- " tunable_policy(`sepgsql_unconfined_dbadm',`\n"
- " \tallow sepgsql_admin_type sepgsql_database_type:db_database *;\n"
- " \n"
- "+\tallow sepgsql_admin_type sepgsql_schema_type:db_schema *;\n"
- "+\n"
- " \tallow sepgsql_admin_type sepgsql_table_type:{ db_table db_column db_tuple } *;\n"
- "+\tallow sepgsql_admin_type sepgsql_sequence_type:db_sequence *;\n"
- "+\tallow sepgsql_admin_type sepgsql_view_type:db_view *;\n"
- " \n"
- " \tallow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *;\n"
- " \tallow sepgsql_admin_type sepgsql_trusted_proc_exec_t:db_procedure ~install;\n"
- " \tallow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install };\n"
- " \n"
- "+\tallow sepgsql_admin_type sepgsql_language_type:db_language ~implement;\n"
- "+\n"
- " \tallow sepgsql_admin_type sepgsql_blob_type:db_blob *;\n"
- " ')\n"
- " \n"
- "@@ -399,11 +500,21 @@ tunable_policy(`sepgsql_unconfined_dbadm\n"
- " allow sepgsql_unconfined_type sepgsql_database_type:db_database *;\n"
- " type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t;\n"
- " \n"
- "-type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t;\n"
- "-type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;\n"
- "+allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *;\n"
- "+type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_schema_t;\n"
- "+\n"
- "+type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t;\t\t# deprecated\n"
- "+type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;\t# deprecated\n"
- "+type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table sepgsql_table_t;\n"
- "+type_transition sepgsql_unconfined_type sepgsql_schema_type:db_sequence sepgsql_seq_t;\n"
- "+type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view sepgsql_view_t;\n"
- "+type_transition sepgsql_unconfined_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t;\n"
- "+type_transition sepgsql_unconfined_type sepgsql_database_type:db_language sepgsql_lang_t;\n"
- " type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;\n"
- " \n"
- " allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;\n"
- "+allow sepgsql_unconfined_type sepgsql_sequence_type:db_sequence *;\n"
- "+allow sepgsql_unconfined_type sepgsql_view_type:db_view *;\n"
- " \n"
- " # unconfined domain is not allowed to invoke user defined procedure directly.\n"
- " # They have to confirm and relabel it at first.\n"
- "@@ -411,6 +522,8 @@ allow sepgsql_unconfined_type sepgsql_pr\n"
- " allow sepgsql_unconfined_type sepgsql_trusted_proc_exec_t:db_procedure ~install;\n"
- " allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ execute install };\n"
- " \n"
- "+allow sepgsql_unconfined_type sepgsql_language_type:db_language ~implement;\n"
- "+\n"
- " allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;\n"
- " \n"
- " allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;\n"
- "diff -rpuN serefpolicy-3.9.12.old/support/selinux-policy-refpolicy.spec serefpolicy-3.9.12.new/support/selinux-policy-refpolicy.spec\n"
- "--- serefpolicy-3.9.12.old/support/selinux-policy-refpolicy.spec\t2010-12-21 02:05:22.000000000 +0900\n"
- "+++ serefpolicy-3.9.12.new/support/selinux-policy-refpolicy.spec\t2011-01-18 12:56:32.000000000 +0900\n"
- "@@ -74,6 +74,7 @@ make NAME=%{polname2} TYPE=%{type2} DIST\n"
- " %config(noreplace) %{_sysconfdir}/selinux/*/contexts/initrc_context\n"
- " %config(noreplace) %{_sysconfdir}/selinux/*/contexts/removable_context\n"
- " %config(noreplace) %{_sysconfdir}/selinux/*/contexts/userhelper_context\n"
- "+%config(noreplace) %{_sysconfdir}/selinux/*/contexts/sepgsql_contexts\n"
- " %config(noreplace) %{_sysconfdir}/selinux/*/contexts/x_contexts\n"
- " %dir %{_sysconfdir}/selinux/*/contexts/files\n"
- " #%ghost %config %{_sysconfdir}/selinux/*/contexts/files/file_contexts\n"
- "@@ -118,6 +119,7 @@ SELinux Reference policy targeted base m\n"
- " %config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/initrc_context\n"
- " %config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/removable_context\n"
- " %config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/userhelper_context\n"
- "+%config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/sepgsql_contexts\n"
- " %config(noreplace) %{_sysconfdir}/selinux/%{polname1}/contexts/x_contexts\n"
- " %dir %{_sysconfdir}/selinux/%{polname1}/contexts/files\n"
- " #%ghost %config %{_sysconfdir}/selinux/%{polname1}/contexts/files/file_contexts\n"
- "@@ -164,6 +166,7 @@ SELinux Reference policy strict base mod\n"
- " %config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/initrc_context\n"
- " %config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/removable_context\n"
- " %config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/userhelper_context\n"
- "+%config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/sepgsql_contexts\n"
- " %config(noreplace) %{_sysconfdir}/selinux/%{polname2}/contexts/x_contexts\n"
- " %dir %{_sysconfdir}/selinux/%{polname2}/contexts/files\n"
- " #%ghost %config %{_sysconfdir}/selinux/%{polname2}/contexts/files/file_contexts\n"
+ "KaiGai Kohei <kaigai@ak.jp.nec.com>\n"
+ "-------------- next part --------------\n"
+ "A non-text attachment was scrubbed...\n"
+ "Name: selinux-policy-sepgsql.rhel6.patch\n"
+ "Type: application/octect-stream\n"
+ "Size: 39879 bytes\n"
+ "Desc: not available\n"
+ "Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110118/362c949e/attachment-0002.bin \n"
+ "-------------- next part --------------\n"
+ "A non-text attachment was scrubbed...\n"
+ "Name: selinux-policy-sepgsql.fedora.patch\n"
+ "Type: application/octect-stream\n"
+ "Size: 40240 bytes\n"
+ "Desc: not available\n"
+ Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110118/362c949e/attachment-0003.bin 
-b5ce8828b2d4ed47e9d2c4ef7fc658915bef07da91aee57a17153a520b86bc2e
+b5a07924ad22e4e13a5ec87dfca9111f59efbb0405b94915fba333ebd0218f10