* [3/4] sepgsql - Add temporary objects support
@ 2012-03-25 21:15 ` Kohei KaiGai
0 siblings, 0 replies; 6+ messages in thread
From: Kohei KaiGai @ 2012-03-25 21:15 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: refpolicy, SELinux-NSA
This patch adds special-case handling for the creation of the temporary
schema "pg_temp". The temporary schema shall be labeled
"sepgsql_temp_schema" by default, and the underlying objects
are also labeled as temporary objects; that allows confined users
to create, drop, and so on, even if sepgsql_enable_users_ddl is off.
In PostgreSQL, all temporary objects are deployed in the "pg_temp"
schema, and they shall be removed at the session end.
Thus, there is no possibility of leaking any other entities via references to
the shared database objects, and no need to prevent creation or
deletion of temporary objects by confined domains.
Thanks,
Signed-off-by: KaiGai Kohei <kohei.kaigai@emea.nec.com>
--
policy/modules/services/postgresql.if | 32 ++++++++++++++++++++++++--------
policy/modules/services/postgresql.te | 26 ++++++++++++++++++++++++++
2 files changed, 50 insertions(+), 8 deletions(-)
diff --git a/policy/modules/services/postgresql.if
b/policy/modules/services/postgresql.if
index 24e9958..56fc5fa 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -37,6 +37,9 @@ interface(`postgresql_role',`
type user_sepgsql_schema_t, user_sepgsql_seq_t;
type user_sepgsql_sysobj_t, user_sepgsql_table_t;
type user_sepgsql_view_t;
+ type sepgsql_temp_schema_t, sepgsql_temp_table_t;
+ type sepgsql_temp_seq_t, sepgsql_temp_view_t;
+ type sepgsql_temp_proc_exec_t;
')
########################################
@@ -65,25 +68,30 @@ interface(`postgresql_role',`
allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name
remove_name };
type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;
+ type_transition $2 sepgsql_database_type:db_schema
sepgsql_temp_schema_t "pg_temp";
allow $2 user_sepgsql_table_t:db_table { getattr use select update
insert delete lock };
allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
type_transition $2 sepgsql_database_type:db_table
user_sepgsql_table_t; # deprecated
- type_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t;
+ type_transition $2 {sepgsql_schema_type -
sepgsql_temp_schema_t}:db_table user_sepgsql_table_t;
+ type_transition $2 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t;
allow $2 user_sepgsql_sysobj_t:db_tuple { use select };
type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
allow $2 user_sepgsql_seq_t:db_sequence { getattr get_value next_value };
- type_transition $2 sepgsql_schema_type:db_sequence user_sepgsql_seq_t;
+ type_transition $2 {sepgsql_schema_type -
sepgsql_temp_schema_t}:db_sequence user_sepgsql_seq_t;
+ type_transition $2 sepgsql_temp_schema_t:db_sequence sepgsql_temp_seq_t;
allow $2 user_sepgsql_view_t:db_view { getattr expand };
- type_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t;
+ type_transition $2 {sepgsql_schema_type -
sepgsql_temp_schema_t}:db_view user_sepgsql_view_t;
+ type_transition $2 sepgsql_temp_schema_t:db_view sepgsql_temp_view_t;
allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
type_transition $2 sepgsql_database_type:db_procedure
user_sepgsql_proc_exec_t; # deprecated
- type_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t;
+ type_transition $2 {sepgsql_schema_type -
sepgsql_temp_schema_t}:db_procedure user_sepgsql_proc_exec_t;
+ type_transition $2 sepgsql_temp_schema_t:db_procedure
sepgsql_temp_proc_exec_t;
allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr
read write import export };
type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
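Review bot: the `{sepgsql_schema_type - sepgsql_temp_schema_t}` subtraction on the four rewritten type_transition rules in this hunk is required rather than cosmetic, and deserves a one-line comment: the subtraction itself tells us sepgsql_temp_schema_t is a member of sepgsql_schema_type, and two type_transition rules for the same source, target and class with different default types are rejected as conflicting when the policy is compiled. Anyone adding another per-class rule here will have to repeat the subtraction, so say why. Also note that $2 receives add_name/remove_name only on user_sepgsql_schema_t in this hunk; unless a db_schema rule on sepgsql_schema_type already covers the temp schema elsewhere, a confined role can have pg_temp transition to sepgsql_temp_schema_t but cannot create objects inside it.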
@@ -468,6 +476,9 @@ interface(`postgresql_unpriv_client',`
type unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t;
type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t;
type unpriv_sepgsql_view_t;
+ type sepgsql_temp_schema_t, sepgsql_temp_table_t;
+ type sepgsql_temp_seq_t, sepgsql_temp_view_t;
+ type sepgsql_temp_proc_exec_t;
')
########################################
@@ -500,25 +511,30 @@ interface(`postgresql_unpriv_client',`
')
allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name };
type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t;
+ type_transition $1 sepgsql_database_type:db_schema
unpriv_sepgsql_schema_t "pg_temp";
allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update
insert delete lock };
allow $1 unpriv_sepgsql_table_t:db_column { getattr use select
update insert };
allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
type_transition $1 sepgsql_database_type:db_table
unpriv_sepgsql_table_t; # deprecated
- type_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t;
+ type_transition $1 {sepgsql_schema_type -
sepgsql_temp_schema_t}:db_table unpriv_sepgsql_table_t;
+ type_transition $1 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t;
allow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value
next_value set_value };
- type_transition $1 sepgsql_schema_type:db_sequence unpriv_sepgsql_seq_t;
+ type_transition $1 {sepgsql_schema_type -
sepgsql_temp_schema_t}:db_sequence unpriv_sepgsql_seq_t;
+ type_transition $1 sepgsql_temp_schema_t:db_sequence sepgsql_temp_seq_t;
allow $1 unpriv_sepgsql_view_t:db_view { getattr expand };
- type_transition $1 sepgsql_schema_type:db_view unpriv_sepgsql_view_t;
+ type_transition $1 {sepgsql_schema_type -
sepgsql_temp_schema_t}:db_view unpriv_sepgsql_view_t;
+ type_transition $1 sepgsql_temp_schema_t:db_view unpriv_sepgsql_view_t;
allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };
type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;
allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
type_transition $1 sepgsql_database_type:db_procedure
unpriv_sepgsql_proc_exec_t; # deprecated
- type_transition $1 sepgsql_schema_type:db_procedure
unpriv_sepgsql_proc_exec_t;
+ type_transition $1 {sepgsql_schema_type -
sepgsql_temp_schema_t}:db_procedure unpriv_sepgsql_proc_exec_t;
+ type_transition $1 sepgsql_temp_schema_t:db_procedure
sepgsql_temp_proc_exec_t;
allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr
read write import export };
type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
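Review bot: two defaults in this hunk disagree with the postgresql_role interface and with the commit message. The "pg_temp" named transition at the top of the hunk targets unpriv_sepgsql_schema_t, so for an unprivileged client the temporary schema is never labeled sepgsql_temp_schema_t and the sepgsql_temp_schema_t:* transitions added below it are dead rules; it should read `type_transition $1 sepgsql_database_type:db_schema sepgsql_temp_schema_t "pg_temp";` as in postgresql_role. Likewise `type_transition $1 sepgsql_temp_schema_t:db_view unpriv_sepgsql_view_t;` should default to sepgsql_temp_view_t to match the table, sequence and procedure rules beside it.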
diff --git a/policy/modules/services/postgresql.te
b/policy/modules/services/postgresql.te
index add0cd6..8a3c2bd 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -164,6 +164,22 @@ optional_policy(`
mls_process_set_level(sepgsql_ranged_proc_t)
')
+# Types for temporary objects
+type sepgsql_temp_schema_t;
+postgresql_schema_object(sepgsql_temp_schema_t)
+
+type sepgsql_temp_table_t;
+postgresql_table_object(sepgsql_temp_table_t)
+
+type sepgsql_temp_seq_t;
+postgresql_table_object(sepgsql_temp_seq_t)
+
+type sepgsql_temp_view_t;
+postgresql_view_object(sepgsql_temp_view_t)
+
+type sepgsql_temp_proc_exec_t;
+postgresql_procedure_object(sepgsql_temp_proc_exec_t)
+
# Types for unprivileged client
type unpriv_sepgsql_blob_t;
postgresql_blob_object(unpriv_sepgsql_blob_t)
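Review bot: sepgsql_temp_seq_t is declared with postgresql_table_object() instead of postgresql_sequence_object(), so it joins the table attribute rather than the sequence one; the db_sequence rules written directly against sepgsql_temp_seq_t in later hunks still work, but attribute-wide sequence rules will miss it and attribute-wide table rules will catch it. Separately, five parallel temp types that receive identical rules in every following hunk give the policy nothing it can distinguish; a single type for all temporary objects would make the patch roughly half the size.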
@@ -251,6 +267,7 @@ allow sepgsql_database_type
sepgsql_module_type:db_database load_module;
allow postgresql_t sepgsql_schema_type:db_schema *;
type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_schema_t;
+type_transition postgresql_t sepgsql_database_type:db_schema
sepgsql_temp_schema_t "pg_temp";
allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
type_transition postgresql_t sepgsql_database_type:db_table
sepgsql_sysobj_t; # deprecated
@@ -433,11 +450,18 @@ allow sepgsql_client_type
sepgsql_sysobj_t:db_table { getattr use select lock };
allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select };
allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
+allow sepgsql_client_type sepgsql_temp_table_t:db_table ~{ relabelto
relabelfrom };
+allow sepgsql_client_type sepgsql_temp_table_t:db_column ~{ relabelto
relabelfrom };
+allow sepgsql_client_type sepgsql_temp_table_t:db_tuple ~{ relabelto
relabelfrom };
+
allow sepgsql_client_type sepgsql_seq_t:db_sequence { getattr
get_value next_value };
+allow sepgsql_client_type sepgsql_temp_seq_t:db_sequence ~{ relabelto
relabelfrom };
allow sepgsql_client_type sepgsql_view_t:db_view { getattr expand };
+allow sepgsql_client_type sepgsql_temp_view_t:db_view ~{ relabelto
relabelfrom };
allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr
execute install };
+allow sepgsql_client_type sepgsql_temp_proc_exec_t:db_procedure ~{
install entrypoint };
allow sepgsql_client_type sepgsql_trusted_procedure_type:db_procedure
{ getattr execute entrypoint };
allow sepgsql_client_type sepgsql_lang_t:db_language { getattr };
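Review bot: the db_procedure rule for sepgsql_temp_proc_exec_t uses `~{ install entrypoint }` and is the only one of the five temp rules that does not withhold relabelto/relabelfrom; for consistency with the table, sequence and view rules it should be `~{ relabelto relabelfrom install entrypoint }`. Keeping entrypoint out is the right call, since a session-local function should not be able to act as the entry point of a trusted-procedure domain transition. This hunk also adds no db_schema rule giving sepgsql_client_type add_name/remove_name on sepgsql_temp_schema_t; without one, the confined client the commit message wants to let create and drop temporary objects has no schema to put them in, unless an existing rule on sepgsql_schema_type already covers it.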
@@ -483,6 +507,7 @@ type_transition sepgsql_admin_type
sepgsql_admin_type:db_database sepgsql_db_t;
allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop
getattr setattr relabelfrom relabelto search add_name remove_name };
type_transition sepgsql_admin_type sepgsql_database_type:db_schema
sepgsql_schema_t;
+type_transition sepgsql_admin_type sepgsql_database_type:db_schema
sepgsql_temp_schema_t "pg_temp";
allow sepgsql_admin_type sepgsql_table_type:db_table { create drop
getattr setattr relabelfrom relabelto lock };
allow sepgsql_admin_type sepgsql_table_type:db_column { create drop
getattr setattr relabelfrom relabelto };
@@ -545,6 +570,7 @@ type_transition sepgsql_unconfined_type
sepgsql_unconfined_type:db_database sepg
allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *;
type_transition sepgsql_unconfined_type
sepgsql_database_type:db_schema sepgsql_schema_t;
+type_transition sepgsql_unconfined_type
sepgsql_database_type:db_schema sepgsql_schema_t "pg_temp";
type_transition sepgsql_unconfined_type
sepgsql_database_type:db_table sepgsql_table_t; # deprecated
type_transition sepgsql_unconfined_type
sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated
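Review bot: the named transition added here defaults pg_temp to sepgsql_schema_t, which is the type the unnamed rule two lines above already gives every new schema, so the rule changes nothing for sepgsql_unconfined_type and disagrees with the postgresql_t, sepgsql_admin_type and client rules that all default pg_temp to sepgsql_temp_schema_t. Either make it sepgsql_temp_schema_t for consistency or drop it.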
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: [3/4] sepgsql - Add temporary objects support
2012-03-25 21:15 ` [refpolicy] " Kohei KaiGai
@ 2012-05-01 18:53 ` Christopher J. PeBenito
-1 siblings, 0 replies; 6+ messages in thread
From: Christopher J. PeBenito @ 2012-05-01 18:53 UTC (permalink / raw)
To: Kohei KaiGai; +Cc: refpolicy, SELinux-NSA
On 03/25/12 17:15, Kohei KaiGai wrote:
> This patch adds special-case handling for the creation of the temporary
> schema "pg_temp". The temporary schema shall be labeled
> "sepgsql_temp_schema" by default, and the underlying objects
> are also labeled as temporary objects; that allows confined users
> to create, drop, and so on, even if sepgsql_enable_users_ddl is off.
>
> In PostgreSQL, all temporary objects are deployed in the "pg_temp"
> schema, and they shall be removed at the session end.
> Thus, there is no possibility of leaking any other entities via references to
> the shared database objects, and no need to prevent creation or
> deletion of temporary objects by confined domains.
[...]
> diff --git a/policy/modules/services/postgresql.te
> b/policy/modules/services/postgresql.te
> index add0cd6..8a3c2bd 100644
> --- a/policy/modules/services/postgresql.te
> +++ b/policy/modules/services/postgresql.te
> @@ -164,6 +164,22 @@ optional_policy(`
> mls_process_set_level(sepgsql_ranged_proc_t)
> ')
>
> +# Types for temporary objects
> +type sepgsql_temp_schema_t;
> +postgresql_schema_object(sepgsql_temp_schema_t)
> +
> +type sepgsql_temp_table_t;
> +postgresql_table_object(sepgsql_temp_table_t)
> +
> +type sepgsql_temp_seq_t;
> +postgresql_table_object(sepgsql_temp_seq_t)
> +
> +type sepgsql_temp_view_t;
> +postgresql_view_object(sepgsql_temp_view_t)
> +
> +type sepgsql_temp_proc_exec_t;
> +postgresql_procedure_object(sepgsql_temp_proc_exec_t)
Why do you have a temp type for each of the object classes? I don't see it gaining anything in the policy and it would be simpler to have a single type.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* Re: [3/4] sepgsql - Add temporary objects support
2012-05-01 18:53 ` [refpolicy] " Christopher J. PeBenito
@ 2012-05-04 13:14 ` Kohei KaiGai
-1 siblings, 0 replies; 6+ messages in thread
From: Kohei KaiGai @ 2012-05-04 13:14 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: refpolicy, SELinux-NSA
2012/5/1 Christopher J. PeBenito <cpebenito@tresys.com>:
> On 03/25/12 17:15, Kohei KaiGai wrote:
>> This patch adds special-case handling for the creation of the temporary
>> schema "pg_temp". The temporary schema shall be labeled
>> "sepgsql_temp_schema" by default, and the underlying objects
>> are also labeled as temporary objects; that allows confined users
>> to create, drop, and so on, even if sepgsql_enable_users_ddl is off.
>>
>> In PostgreSQL, all temporary objects are deployed in the "pg_temp"
>> schema, and they shall be removed at the session end.
>> Thus, there is no possibility of leaking any other entities via references to
>> the shared database objects, and no need to prevent creation or
>> deletion of temporary objects by confined domains.
> [...]
>
>> diff --git a/policy/modules/services/postgresql.te
>> b/policy/modules/services/postgresql.te
>> index add0cd6..8a3c2bd 100644
>> --- a/policy/modules/services/postgresql.te
>> +++ b/policy/modules/services/postgresql.te
>> @@ -164,6 +164,22 @@ optional_policy(`
>> mls_process_set_level(sepgsql_ranged_proc_t)
>> ')
>>
>> +# Types for temporary objects
>> +type sepgsql_temp_schema_t;
>> +postgresql_schema_object(sepgsql_temp_schema_t)
>> +
>> +type sepgsql_temp_table_t;
>> +postgresql_table_object(sepgsql_temp_table_t)
>> +
>> +type sepgsql_temp_seq_t;
>> +postgresql_table_object(sepgsql_temp_seq_t)
>> +
>> +type sepgsql_temp_view_t;
>> +postgresql_view_object(sepgsql_temp_view_t)
>> +
>> +type sepgsql_temp_proc_exec_t;
>> +postgresql_procedure_object(sepgsql_temp_proc_exec_t)
>
> Why do you have a temp type for each of the object classes?
> I don't see it gaining anything in the policy and it would be simpler to have a single type.
>
I agree with your opinion. See the attached patch.
It defines sepgsql_temp_object_t for all the temporary objects being
constructed in the "pg_temp" schema. The temporary schema itself shall
also be labeled "sepgsql_temp_object_t", to avoid adding
unnecessary type_transition rules for each underlying object class.
Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
[-- Attachment #2: refpolicy-sepgsql-3of4-temp-database-objects.20120502.patch --]
[-- Type: application/octet-stream, Size: 6462 bytes --]
policy/modules/contrib | 2 +-
policy/modules/services/postgresql.if | 4 ++++
policy/modules/services/postgresql.te | 25 +++++++++++++++++++++++--
3 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/policy/modules/contrib b/policy/modules/contrib
index 17217b3..6c192c7 160000
--- a/policy/modules/contrib
+++ b/policy/modules/contrib
@@ -1 +1 @@
-Subproject commit 17217b3a7ab6c1f2f78b2f87c4773083cc5e0610
+Subproject commit 6c192c747802a866038f470f8f60d5d664507a4f
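Review bot: the policy/modules/contrib submodule pointer bump (17217b3 to 6c192c7) has nothing to do with temporary-object support and looks like local checkout state that leaked into the diff; drop this hunk before merging so that applying the patch does not move the submodule for everyone else.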
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 5946b6a..6f30b1a 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -37,6 +37,7 @@ interface(`postgresql_role',`
type user_sepgsql_schema_t, user_sepgsql_seq_t;
type user_sepgsql_sysobj_t, user_sepgsql_table_t;
type user_sepgsql_view_t;
+ type sepgsql_temp_object_t;
')
########################################
@@ -65,6 +66,7 @@ interface(`postgresql_role',`
allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name };
type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;
+ type_transition $2 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock };
allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
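Review bot: the interface adds the "pg_temp" named transition to sepgsql_temp_object_t but no allow rule for $2 on sepgsql_temp_object_t:db_schema, so the role's ability to create objects in the temporary schema depends entirely on $2 being covered by the sepgsql_client_type rule added in postgresql.te. A short comment here pointing at that dependency would save the next reader from hunting for where the schema permissions come from.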
@@ -469,6 +471,7 @@ interface(`postgresql_unpriv_client',`
type unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t;
type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t;
type unpriv_sepgsql_view_t;
+ type sepgsql_temp_object_t;
')
########################################
@@ -501,6 +504,7 @@ interface(`postgresql_unpriv_client',`
')
allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name };
type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t;
+ type_transition $1 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index add0cd6..57193e5 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -164,6 +164,19 @@ optional_policy(`
mls_process_set_level(sepgsql_ranged_proc_t)
')
+# Types for temporary objects
+#
+# XXX - All the temporary objects are eliminated at end of database session
+# and invisible from other sessions, so it is unnecessary to restrict users
+# operations on temporary object. For policy simplification, only one type
+# is defined for temporary objects under the "pg_temp" schema.
+type sepgsql_temp_object_t;
+
+postgresql_table_object(sepgsql_temp_object_t)
+postgresql_sequence_object(sepgsql_temp_object_t)
+postgresql_view_object(sepgsql_temp_object_t)
+postgresql_procedure_object(sepgsql_temp_object_t)
+
# Types for unprivileged client
type unpriv_sepgsql_blob_t;
postgresql_blob_object(unpriv_sepgsql_blob_t)
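Review bot: sepgsql_temp_object_t is declared through the table, sequence, view and procedure interfaces but not postgresql_schema_object(), even though the same type labels the pg_temp schema itself; that omission is why later hunks have to spell out `{sepgsql_schema_type sepgsql_temp_object_t}:db_schema`. If it is deliberate (to keep the attribute-wide admin schema rules such as create/drop/relabel off the temp schema), state that in the comment; as written, the "XXX" marker reads as an unfinished to-do, and "users operations" should be "users' operations". Note the flip side for the other classes: because the type is a postgresql_table_object(), every rule written against the table attribute also reaches temporary tables, so the `~{ relabelto relabelfrom }` exclusions in later hunks only withhold relabel where no attribute rule grants it; the sepgsql_admin_type rule on sepgsql_table_type in this same patch does grant relabelfrom/relabelto, and allow rules accumulate.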
@@ -249,8 +262,9 @@ allow postgresql_t sepgsql_module_type:db_database install_module;
# Database/Loadable module
allow sepgsql_database_type sepgsql_module_type:db_database load_module;
-allow postgresql_t sepgsql_schema_type:db_schema *;
+allow postgresql_t {sepgsql_schema_type sepgsql_temp_object_t}:db_schema *;
type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_schema_t;
+type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t; # deprecated
@@ -466,6 +480,9 @@ allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
# Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
+# It is always allowed to operate temporary objects for any database client.
+allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
+
# Note that permission of creation/deletion are eventually controlled by
# create or drop permission of individual objects within shared schemas.
# So, it just allows to create/drop user specific types.
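Review bot: `~{ relabelto relabelfrom }` across seven classes grants every remaining permission of each class to every client domain, including `create` and `drop` on `db_schema` for sepgsql_temp_object_t, not only on the objects inside it. If the pg_temp schema is created under the client's own label that grant is needed and the comment should say so; if not, consider narrowing `db_schema` to something like `{ getattr search add_name remove_name }` so clients cannot create or drop the schema itself. The comment line should also read "for any database client to operate on temporary objects".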
@@ -483,6 +500,7 @@ type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t;
allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name };
type_transition sepgsql_admin_type sepgsql_database_type:db_schema sepgsql_schema_t;
+type_transition sepgsql_admin_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock };
allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto };
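Review bot: this hunk adds the named "pg_temp" transition for sepgsql_admin_type but the matching `allow sepgsql_admin_type sepgsql_temp_object_t:...` grant is in a later hunk; read in isolation, the transition here targets a type the admin domain has no db_schema permission on. Keep the two rules adjacent, or add a comment pointing to the allow, so the pairing is visible.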
@@ -535,6 +553,8 @@ tunable_policy(`sepgsql_unconfined_dbadm',`
allow sepgsql_admin_type sepgsql_blob_type:db_blob *;
')
+allow sepgsql_admin_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
+
########################################
#
# Unconfined access to this module
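Review bot: the admin allow on sepgsql_temp_object_t is appended directly after the `tunable_policy(\`sepgsql_unconfined_dbadm\`,...)` block and immediately before the "Unconfined access" header, so it belongs to the admin section only by position; add a short comment (as the client rule in the earlier hunk has) making clear it is unconditional and not part of the tunable, and consider placing it next to the other admin rules above the tunable.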
@@ -543,8 +563,9 @@ tunable_policy(`sepgsql_unconfined_dbadm',`
allow sepgsql_unconfined_type sepgsql_database_type:db_database *;
type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t; # deprecated
-allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *;
+allow sepgsql_unconfined_type {sepgsql_schema_type sepgsql_temp_object_t}:db_schema *;
type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_schema_t;
+type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t; # deprecated
type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated
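Review bot: because sepgsql_temp_object_t is never passed to `postgresql_schema_object()` in this patch, it is outside `sepgsql_schema_type`, and the same `{sepgsql_schema_type sepgsql_temp_object_t}:db_schema` pattern is now repeated for postgresql_t, sepgsql_admin_type and sepgsql_unconfined_type. State in the type's comment why it is deliberately kept out of the schema attribute (presumably so the existing user-DDL restrictions on shared schemas do not apply to it); without that, a later reader may "fix" it by applying the macro and silently change the grants.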
* [refpolicy] [3/4] sepgsql - Add temporary objects support
@ 2012-05-04 13:14 ` Kohei KaiGai
0 siblings, 0 replies; 6+ messages in thread
From: Kohei KaiGai @ 2012-05-04 13:14 UTC (permalink / raw)
To: refpolicy
2012/5/1 Christopher J. PeBenito <cpebenito@tresys.com>:
> On 03/25/12 17:15, Kohei KaiGai wrote:
>> This patch adds a special case handling on creation of temporary
>> schema; "pg_temp". The temporary schema shall be labeled as
>> "sepgsql_temp_schema" in the default, then underlying objects
>> also labeled as temporary objects; that allows confined users
>> to create, drop and so on, even if sepgsql_enable_users_ddl is off.
>>
>> In PostgreSQL, all the temporary objects are deployed on "pg_temp"
>> schema, then they shall be removed at the session end.
>> Thus, it has no possibility to leak any other entities via references to
>> the shared database objects, and no need to prevent creation or
>> deletion of temporary objects by confined domains.
> [...]
>
>> diff --git a/policy/modules/services/postgresql.te
>> b/policy/modules/services/postgresql.te
>> index add0cd6..8a3c2bd 100644
>> --- a/policy/modules/services/postgresql.te
>> +++ b/policy/modules/services/postgresql.te
>> @@ -164,6 +164,22 @@ optional_policy(`
>> ? ? ? mls_process_set_level(sepgsql_ranged_proc_t)
>> ?')
>>
>> +# Types for temporary objects
>> +type sepgsql_temp_schema_t;
>> +postgresql_schema_object(sepgsql_temp_schema_t)
>> +
>> +type sepgsql_temp_table_t;
>> +postgresql_table_object(sepgsql_temp_table_t)
>> +
>> +type sepgsql_temp_seq_t;
>> +postgresql_table_object(sepgsql_temp_seq_t)
>> +
>> +type sepgsql_temp_view_t;
>> +postgresql_view_object(sepgsql_temp_view_t)
>> +
>> +type sepgsql_temp_proc_exec_t;
>> +postgresql_procedure_object(sepgsql_temp_proc_exec_t)
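Review bot: `sepgsql_temp_seq_t` is declared with `postgresql_table_object()` while the other four temporary types each use the macro matching their object class, so the sequence type would be treated as a table type; the follow-up patch in this thread uses `postgresql_sequence_object()` for sequences, which is what this line should have used.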
>
> Why do you have a temp type for each of the object classes?
> I don't see it gaining anything in the policy and it would be simpler to have a single type.
>
I agree with your opinion. See the attached patch.
It defines sepgsql_temp_object_t for all the temporary objects being
constructed on the "pg_temp" schema. The temporary schema itself shall
also be labeled "sepgsql_temp_object_t", to avoid adding unnecessary
type_transition rules for each underlying object class.
Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy-sepgsql-3of4-temp-database-objects.20120502.patch
Type: application/octet-stream
Size: 6461 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20120504/ffedac9c/attachment.obj
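The reply above settles on one type, sepgsql_temp_object_t, labeling both the pg_temp schema (via a name-based type_transition) and everything created inside it (via a `~{ relabelto relabelfrom }` grant to clients). The following is an added example, not refpolicy or sepgsql code: a small evaluator for the rule syntax used in the patch that answers the two questions a reviewer asks of such a change, which permissions a client domain ends up with on the temp type, and which label a new schema named "pg_temp" receives versus any other name. The policy fragment is copied from the patch; the attribute membership (including the hypothetical client domain `example_client_t`) and the per-class permission lists are simplified stand-ins for what the compiled policy contains.

```python
"""Evaluate allow and type_transition rules in the refpolicy syntax used by the
sepgsql temporary-object patch. Added example; not refpolicy or sepgsql code."""
import re
from collections import namedtuple

Allow = namedtuple("Allow", "sources targets classes perms negate")
Transition = namedtuple("Transition", "source target cls newtype name")

# Constructed fragment: rules taken from the patch, plus the pre-existing unnamed
# type_transition that the named "pg_temp" rule must take precedence over.
POLICY = """
allow postgresql_t {sepgsql_schema_type sepgsql_temp_object_t}:db_schema *;
type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_schema_t;
type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";
allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };
"""

# Assumed attribute membership; example_client_t is a hypothetical confined client domain.
ATTRIBUTES = {
    "sepgsql_database_type": {"sepgsql_db_t"},
    "sepgsql_schema_type": {"sepgsql_schema_t"},
    "sepgsql_client_type": {"example_client_t"},
}

# Simplified access vectors: only the permissions named in this thread.
PERMS_BY_CLASS = {
    "db_schema": {"create", "drop", "getattr", "setattr", "relabelfrom", "relabelto",
                  "search", "add_name", "remove_name"},
    "db_table": {"create", "drop", "getattr", "setattr", "relabelfrom", "relabelto",
                 "lock", "select", "update", "insert", "delete"},
}

ALLOW_RE = re.compile(
    r"^allow\s+(\{[^}]*\}|\S+)\s+(\{[^}]*\}|[^\s:]+)\s*:\s*(\{[^}]*\}|\S+)"
    r"\s+(~\s*\{[^}]*\}|\{[^}]*\}|\*|\S+)\s*;")
TRANS_RE = re.compile(
    r'^type_transition\s+(\S+)\s+([^\s:]+)\s*:\s*(\S+)\s+([^\s;"]+)(?:\s+"([^"]*)")?\s*;')


def _set(tok):
    """'{a b}' -> {'a', 'b'}; 'a' -> {'a'}."""
    return set(tok.strip("{}").split())


def parse_policy(text):
    """Parse the fragment into (allow rules, type_transition rules)."""
    allows, transitions = [], []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            negate = perms.startswith("~")
            perm_set = None if perms == "*" else _set(perms.lstrip("~").strip())
            allows.append(Allow(_set(src), _set(tgt), _set(cls), perm_set, negate))
            continue
        m = TRANS_RE.match(line)
        if m:
            transitions.append(Transition(*m.groups()))
            continue
        raise ValueError("unparsed rule: " + line)
    return allows, transitions


def expand(name):
    """An attribute resolves to its member types; a plain type is itself."""
    return ATTRIBUTES.get(name, {name})


def _matches(rule_names, concrete):
    return any(concrete in expand(n) for n in rule_names)


def allowed(policy, src, tgt, cls, perm):
    """True if some allow rule grants `perm` on class `cls` for src -> tgt."""
    allows, _ = policy
    for rule in allows:
        if not (_matches(rule.sources, src) and _matches(rule.targets, tgt)
                and cls in rule.classes):
            continue
        if rule.perms is None:              # '*': every permission of the class
            granted = PERMS_BY_CLASS[cls]
        elif rule.negate:                   # '~{...}': every permission except these
            granted = PERMS_BY_CLASS[cls] - rule.perms
        else:
            granted = rule.perms
        if perm in granted:
            return True
    return False


def transition(policy, src, tgt, cls, name):
    """Label of a new object called `name`: a name-based rule beats the generic one.
    Returns None when no rule applies (the policy's default labeling would decide)."""
    _, transitions = policy
    generic = None
    for t in transitions:
        if src in expand(t.source) and tgt in expand(t.target) and t.cls == cls:
            if t.name == name:
                return t.newtype
            if t.name is None:
                generic = t.newtype
    return generic


if __name__ == "__main__":
    pol = parse_policy(POLICY)
    print("client create temp table:", allowed(pol, "example_client_t", "sepgsql_temp_object_t", "db_table", "create"))
    print("client relabel temp table:", allowed(pol, "example_client_t", "sepgsql_temp_object_t", "db_table", "relabelto"))
    print("pg_temp label:", transition(pol, "postgresql_t", "sepgsql_db_t", "db_schema", "pg_temp"))
    print("other schema label:", transition(pol, "postgresql_t", "sepgsql_db_t", "db_schema", "reports"))
```

Running it shows the two properties the reply relies on: the client domain can create, drop and use objects of the temp type but cannot relabel them in or out of it, and only a schema literally named "pg_temp" picks up sepgsql_temp_object_t while any other name still falls through to the unnamed sepgsql_schema_t transition.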