* [4/4] sepgsql -redefinition of use permission onto system objects @ 2012-03-25 21:16 ` Kohei KaiGai
From: Kohei KaiGai @ 2012-03-25 21:16 UTC
To: Christopher J. PeBenito; +Cc: refpolicy, SELinux-NSA

This patch might be arguable. It redefines the "use" permission on the db_tuple class, which has been marked deprecated for a few years, to control usage of system objects, but without individual object classes.

We didn't try to port all the database object types supported by PostgreSQL into the SELinux policy model, because their variation is too large to port and they have less priority in comparison with "major" object classes such as tables.

So, we handle permissions to create, drop and alter these objects as permissions to insert, delete or update the system catalogs, labeled as sepgsql_sysobj_t, and so on.

On the other hand, some system objects require a permission check when a user "uses" them, such as data types, tablespaces, operators and so on. I don't think it is a reasonable approach to define individual object classes for each of the object types in PostgreSQL. However, it is preferable to have double checks by SELinux at strategic points.

So, I try to redefine the "use" permission on the db_tuple class; it means permission to "use" this object when the tuple is an entry of a system catalog corresponding to a particular database object that does not have a particular object class like tables.

The deprecated permissions and rules have not been in use for a few years, so it is time for them to be utilized or eliminated.

Thanks,

Signed-off-by: KaiGai Kohei <kohei.kaigai@emea.nec.com>
--
 policy/flask/access_vectors | 4 +---
 policy/modules/services/postgresql.if | 16 ++++++----------
 policy/modules/services/postgresql.te | 31 +++++++++++--------------------
 3 files changed, 18 insertions(+), 33 deletions(-)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index bf24160..f462e95 100644
--- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -761,7 +761,6 @@ inherits database class db_table inherits database { - use # deprecated select update insert @@ -780,7 +779,6 @@ inherits database class db_column inherits database { - use # deprecated select update insert @@ -790,7 +788,7 @@ class db_tuple { relabelfrom relabelto - use # deprecated + use select update insert diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index 56fc5fa..71f2572 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -70,10 +70,9 @@ interface(`postgresql_role',` type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; type_transition $2 sepgsql_database_type:db_schema sepgsql_temp_schema_t "pg_temp"; - allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock }; - allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; - allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete }; - type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t; # deprecated + allow $2 user_sepgsql_table_t:db_table { getattr select update insert delete lock }; + allow $2 user_sepgsql_table_t:db_column { getattr select update insert }; + allow $2 user_sepgsql_table_t:db_tuple { select update insert delete }; type_transition $2 {sepgsql_schema_type - sepgsql_temp_schema_t}:db_table user_sepgsql_table_t; type_transition $2 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; 
@@ -89,7 +88,6 @@ interface(`postgresql_role',` type_transition $2 sepgsql_temp_schema_t:db_view sepgsql_temp_view_t; allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; - type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t; # deprecated type_transition $2 {sepgsql_schema_type - sepgsql_temp_schema_t}:db_procedure user_sepgsql_proc_exec_t; type_transition $2 sepgsql_temp_schema_t:db_procedure sepgsql_temp_proc_exec_t; @@ -513,10 +511,9 @@ interface(`postgresql_unpriv_client',` type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t "pg_temp"; - allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock }; - allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert }; - allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; - type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t; # deprecated + allow $1 unpriv_sepgsql_table_t:db_table { getattr select update insert delete lock }; + allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert }; + allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete }; type_transition $1 {sepgsql_schema_type - sepgsql_temp_schema_t}:db_table unpriv_sepgsql_table_t; type_transition $1 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; @@ -532,7 +529,6 @@ interface(`postgresql_unpriv_client',` type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; - type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t; # deprecated type_transition $1 {sepgsql_schema_type - sepgsql_temp_schema_t}:db_procedure unpriv_sepgsql_proc_exec_t; type_transition $1 sepgsql_temp_schema_t:db_procedure sepgsql_temp_proc_exec_t; 
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index 8a3c2bd..92d6e66 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -259,7 +259,6 @@ tunable_policy(`sepgsql_transmit_client_label',` ') allow postgresql_t sepgsql_database_type:db_database *; -type_transition postgresql_t postgresql_t:db_database sepgsql_db_t; # deprecated allow postgresql_t sepgsql_module_type:db_database install_module; # Database/Loadable module @@ -270,7 +269,6 @@ type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_schema_t; type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_temp_schema_t "pg_temp"; allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *; -type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t; # deprecated type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t; allow postgresql_t sepgsql_sequence_type:db_sequence *; @@ -280,7 +278,6 @@ allow postgresql_t sepgsql_view_type:db_view *; type_transition postgresql_t sepgsql_schema_type:db_view sepgsql_view_t; allow postgresql_t sepgsql_procedure_type:db_procedure *; -type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated type_transition postgresql_t sepgsql_schema_type:db_procedure sepgsql_proc_exec_t; allow postgresql_t sepgsql_blob_type:db_blob *; 
@@ -431,23 +428,23 @@ type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search }; -allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert lock }; -allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert }; -allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert }; +allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr select insert lock }; +allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr select insert }; +allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { select insert }; -allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete lock }; -allow sepgsql_client_type sepgsql_table_t:db_column { getattr use select update insert }; -allow sepgsql_client_type sepgsql_table_t:db_tuple { use select update insert delete }; +allow sepgsql_client_type sepgsql_table_t:db_table { getattr select update insert delete lock }; +allow sepgsql_client_type sepgsql_table_t:db_column { getattr select update insert }; +allow sepgsql_client_type sepgsql_table_t:db_tuple { select update insert delete }; -allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select lock }; -allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select }; -allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select }; +allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr select lock }; +allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr select }; +allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { select }; allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr; allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr; -allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select lock }; -allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select }; 
+allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr select lock }; +allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr select }; allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; allow sepgsql_client_type sepgsql_temp_table_t:db_table ~{ relabelto relabelfrom }; @@ -503,7 +500,6 @@ tunable_policy(`sepgsql_enable_users_ddl',` # allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access }; -type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t; # deprecated allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name }; type_transition sepgsql_admin_type sepgsql_database_type:db_schema sepgsql_schema_t; @@ -513,7 +509,6 @@ allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setat allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto }; allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete }; -type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t; # deprecated type_transition sepgsql_admin_type sepgsql_schema_type:db_table sepgsql_table_t; allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value }; 
@@ -527,7 +522,6 @@ type_transition sepgsql_admin_type sepgsql_schema_type:db_view sepgsql_view_t; allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto }; allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute; -type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t; allow sepgsql_admin_type sepgsql_language_type:db_language { create drop getattr setattr relabelfrom relabelto execute }; @@ -566,14 +560,11 @@ tunable_policy(`sepgsql_unconfined_dbadm',` # allow sepgsql_unconfined_type sepgsql_database_type:db_database *; -type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t; # deprecated allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *; type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_schema_t; type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_schema_t "pg_temp"; -type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t; # deprecated -type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table sepgsql_table_t; type_transition sepgsql_unconfined_type sepgsql_schema_type:db_sequence sepgsql_seq_t; type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view sepgsql_view_t; -- KaiGai Kohei <kaigai@kaigai.gr.jp>
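Review bot: dropping `use` from the db_table and db_column class definitions in the first two access_vectors hunks (@@ -761 and @@ -780) is a policy-source compatibility break that the commit message should spell out: any out-of-tree module that still writes `allow ... :db_table { ... use ... }` or the db_column equivalent stops compiling against this access_vectors, while the running object manager is unaffected because sepgsql resolves permission names against the loaded policy at runtime. A sentence in the message saying that those two permissions are gone, not merely deprecated, would save users a confusing build failure.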
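Review bot: the db_tuple hunk (@@ -790) replaces `- use # deprecated` with a bare `+ use` and leaves no comment on what the permission now means, so a reader of the class definition cannot tell it apart from `select`. The semantics given in the message, permission to use the system object that a catalog row stands for, for object types that have no class of their own, belong next to the permission itself, for example `use # use the system object this catalog tuple represents`.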
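Review bot: in the postgresql_unpriv_client hunk at @@ -532 the context line `type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;` shows that catalog rows created by an unprivileged client are labelled unpriv_sepgsql_sysobj_t, yet nothing in this patch grants `use` on unpriv_sepgsql_sysobj_t:db_tuple to any domain; the only `use` grant left anywhere in the diff is `allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };` in postgresql.te. If the new check is applied to rows carrying that label, an unprivileged client is denied using the types or operators it created itself; either add `allow $1 unpriv_sepgsql_sysobj_t:db_tuple use;` in this interface or state why the check never reaches that label.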
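Review bot: the removed `type_transition postgresql_t postgresql_t:db_database sepgsql_db_t; # deprecated` in the @@ -259 hunk has no replacement in the patch, unlike the deprecated db_table and db_procedure transitions removed in @@ -270 and @@ -280, whose sepgsql_schema_type-keyed counterparts remain on the following lines. The same db_database transitions are dropped for sepgsql_admin_type in @@ -503 and sepgsql_unconfined_type in @@ -566; please confirm that databases created by these domains still receive sepgsql_db_t through a rule outside this diff (the @@ -431 context shows such a rule survives for sepgsql_client_type), or split the db_database removals into their own patch with a justification.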
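Review bot: the admin rule kept as context in the @@ -513 hunk, `allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };`, has no `use`, so after this patch an admin domain can create and drop system objects through catalog DML but is denied using them unless sepgsql_admin_type is also a member of sepgsql_client_type. Add `use` to that permission set, which is the only place in the diff where a non-client domain gets explicit db_tuple access on system catalogs, or note the attribute relationship that makes it redundant.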
* Re: [4/4] sepgsql -redefinition of use permission onto system objects @ 2012-05-04 13:33 ` Kohei KaiGai
From: Kohei KaiGai @ 2012-05-04 13:33 UTC
To: Christopher J. PeBenito; +Cc: refpolicy, SELinux-NSA

Patch 3 of 4 also required patch 4 of 4 to be refreshed to apply correctly. In addition, I forgot to allow sepgsql_admin_type to "use" system objects. Please check the newer version.

Thanks,

2012/3/25 Kohei KaiGai <kaigai@kaigai.gr.jp>:
> This patch might be arguable. It redefines the "use" permission on db_tuple
> class that has marked deprecated for a few years, to control usage of system
> objects but without individual object classes.
>
> We didn't try to port all the supported database object types in PostgreSQL
> into SELinux policy model, because its variation is too large to port and
> less priority in comparison with "major" object classes such as tables.
>
> So, we handle permissions to create, drop and alter these objects as
> permissions to insert, delete or update of system catalogs; labeled as
> sepgsql_sysobj_t, and so on.
>
> On the other hand, some of system objects requires to check permission
> when user "use" these objects, such as data types, tablespaces,
> operators and so on.
> I don't think it is reasonable approach to define individual object classes
> for each object types reflects to PostgreSQL. However, it is preferable
> to have double checks by selinux on strategic points.
>
> So, I try to redefine "use" permission on db_tuple class; that means
> permission to "use" this object when the tuple is an entry of system
> catalog corresponding to a particular database object but don't have
> a particular object class like tables.
>
> The deprecated permissions and rules are not in use for a few years,
> so, it is a time to be utilized or eliminated.
>
> Thanks,
> > Signed-off-by: KaiGai Kohei <kohei.kaigai@emea.nec.com> > -- > policy/flask/access_vectors | 4 +--- > policy/modules/services/postgresql.if | 16 ++++++---------- > policy/modules/services/postgresql.te | 31 +++++++++++-------------------- > 3 files changed, 18 insertions(+), 33 deletions(-) > > diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors > index bf24160..f462e95 100644 > --- a/policy/flask/access_vectors > +++ b/policy/flask/access_vectors > @@ -761,7 +761,6 @@ inherits database > class db_table > inherits database > { > - use # deprecated > select > update > insert > @@ -780,7 +779,6 @@ inherits database > class db_column > inherits database > { > - use # deprecated > select > update > insert > @@ -790,7 +788,7 @@ class db_tuple > { > relabelfrom > relabelto > - use # deprecated > + use > select > update > insert > diff --git a/policy/modules/services/postgresql.if > b/policy/modules/services/postgresql.if > index 56fc5fa..71f2572 100644 > --- a/policy/modules/services/postgresql.if > +++ b/policy/modules/services/postgresql.if 
> @@ -70,10 +70,9 @@ interface(`postgresql_role',` > type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; > type_transition $2 sepgsql_database_type:db_schema > sepgsql_temp_schema_t "pg_temp"; > > - allow $2 user_sepgsql_table_t:db_table { getattr use select update > insert delete lock }; > - allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; > - allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete }; > - type_transition $2 sepgsql_database_type:db_table > user_sepgsql_table_t; # deprecated > + allow $2 user_sepgsql_table_t:db_table { getattr select update > insert delete lock }; > + allow $2 user_sepgsql_table_t:db_column { getattr select update insert }; > + allow $2 user_sepgsql_table_t:db_tuple { select update insert delete }; > type_transition $2 {sepgsql_schema_type - > sepgsql_temp_schema_t}:db_table user_sepgsql_table_t; > type_transition $2 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; > > @@ -89,7 +88,6 @@ interface(`postgresql_role',` > type_transition $2 sepgsql_temp_schema_t:db_view sepgsql_temp_view_t; > > allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; > - type_transition $2 sepgsql_database_type:db_procedure > user_sepgsql_proc_exec_t; # deprecated > type_transition $2 {sepgsql_schema_type - > sepgsql_temp_schema_t}:db_procedure user_sepgsql_proc_exec_t; > type_transition $2 sepgsql_temp_schema_t:db_procedure > sepgsql_temp_proc_exec_t; 
> > @@ -513,10 +511,9 @@ interface(`postgresql_unpriv_client',` > type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; > type_transition $1 sepgsql_database_type:db_schema > unpriv_sepgsql_schema_t "pg_temp"; > > - allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update > insert delete lock }; > - allow $1 unpriv_sepgsql_table_t:db_column { getattr use select > update insert }; > - allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; > - type_transition $1 sepgsql_database_type:db_table > unpriv_sepgsql_table_t; # deprecated > + allow $1 unpriv_sepgsql_table_t:db_table { getattr select update > insert delete lock }; > + allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert }; > + allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete }; > type_transition $1 {sepgsql_schema_type - > sepgsql_temp_schema_t}:db_table unpriv_sepgsql_table_t; > type_transition $1 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; > > @@ -532,7 +529,6 @@ interface(`postgresql_unpriv_client',` > type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; > > allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; > - type_transition $1 sepgsql_database_type:db_procedure > unpriv_sepgsql_proc_exec_t; # deprecated > type_transition $1 {sepgsql_schema_type - > sepgsql_temp_schema_t}:db_procedure unpriv_sepgsql_proc_exec_t; > type_transition $1 sepgsql_temp_schema_t:db_procedure > sepgsql_temp_proc_exec_t; > > diff --git a/policy/modules/services/postgresql.te > b/policy/modules/services/postgresql.te > index 8a3c2bd..92d6e66 100644 > --- a/policy/modules/services/postgresql.te > +++ b/policy/modules/services/postgresql.te 
> @@ -259,7 +259,6 @@ tunable_policy(`sepgsql_transmit_client_label',` > ') > > allow postgresql_t sepgsql_database_type:db_database *; > -type_transition postgresql_t postgresql_t:db_database > sepgsql_db_t; # deprecated > > allow postgresql_t sepgsql_module_type:db_database install_module; > # Database/Loadable module > @@ -270,7 +269,6 @@ type_transition postgresql_t > sepgsql_database_type:db_schema sepgsql_schema_t; > type_transition postgresql_t sepgsql_database_type:db_schema > sepgsql_temp_schema_t "pg_temp"; > > allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *; > -type_transition postgresql_t sepgsql_database_type:db_table > sepgsql_sysobj_t; # deprecated > type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t; > > allow postgresql_t sepgsql_sequence_type:db_sequence *; > @@ -280,7 +278,6 @@ allow postgresql_t sepgsql_view_type:db_view *; > type_transition postgresql_t sepgsql_schema_type:db_view sepgsql_view_t; > > allow postgresql_t sepgsql_procedure_type:db_procedure *; > -type_transition postgresql_t sepgsql_database_type:db_procedure > sepgsql_proc_exec_t; # deprecated > type_transition postgresql_t sepgsql_schema_type:db_procedure > sepgsql_proc_exec_t; > > allow postgresql_t sepgsql_blob_type:db_blob *; 
> @@ -431,23 +428,23 @@ type_transition sepgsql_client_type > sepgsql_client_type:db_database sepgsql_db_t > > allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search }; > > -allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr > use select insert lock }; > -allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr > use select insert }; > -allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert }; > +allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr > select insert lock }; > +allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr > select insert }; > +allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { select insert }; > > -allow sepgsql_client_type sepgsql_table_t:db_table { getattr use > select update insert delete lock }; > -allow sepgsql_client_type sepgsql_table_t:db_column { getattr use > select update insert }; > -allow sepgsql_client_type sepgsql_table_t:db_tuple { use select > update insert delete }; > +allow sepgsql_client_type sepgsql_table_t:db_table { getattr select > update insert delete lock }; > +allow sepgsql_client_type sepgsql_table_t:db_column { getattr select > update insert }; > +allow sepgsql_client_type sepgsql_table_t:db_tuple { select update > insert delete }; > > -allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use > select lock }; > -allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select }; > -allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select }; > +allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr select lock }; > +allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr select }; > +allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { select }; > > allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr; > allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr; > > -allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use > select 
lock }; > -allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select }; > +allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr select lock }; > +allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr select }; > allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; > > allow sepgsql_client_type sepgsql_temp_table_t:db_table ~{ relabelto > relabelfrom }; > @@ -503,7 +500,6 @@ tunable_policy(`sepgsql_enable_users_ddl',` > # > > allow sepgsql_admin_type sepgsql_database_type:db_database { create > drop getattr setattr relabelfrom relabelto access }; > -type_transition sepgsql_admin_type sepgsql_admin_type:db_database > sepgsql_db_t; # deprecated > > allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop > getattr setattr relabelfrom relabelto search add_name remove_name }; > type_transition sepgsql_admin_type sepgsql_database_type:db_schema > sepgsql_schema_t; > @@ -513,7 +509,6 @@ allow sepgsql_admin_type > sepgsql_table_type:db_table { create drop getattr setat > allow sepgsql_admin_type sepgsql_table_type:db_column { create drop > getattr setattr relabelfrom relabelto }; > allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { > relabelfrom relabelto select update insert delete }; > > -type_transition sepgsql_admin_type sepgsql_database_type:db_table > sepgsql_table_t; # deprecated > type_transition sepgsql_admin_type sepgsql_schema_type:db_table > sepgsql_table_t; > > allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create > drop getattr setattr relabelfrom relabelto get_value next_value > set_value }; 
> @@ -527,7 +522,6 @@ type_transition sepgsql_admin_type > sepgsql_schema_type:db_view sepgsql_view_t; > allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create > drop getattr relabelfrom relabelto }; > allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute; > > -type_transition sepgsql_admin_type sepgsql_database_type:db_procedure > sepgsql_proc_exec_t; # deprecated > type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure > sepgsql_proc_exec_t; > > allow sepgsql_admin_type sepgsql_language_type:db_language { create > drop getattr setattr relabelfrom relabelto execute }; > @@ -566,14 +560,11 @@ tunable_policy(`sepgsql_unconfined_dbadm',` > # > > allow sepgsql_unconfined_type sepgsql_database_type:db_database *; > -type_transition sepgsql_unconfined_type > sepgsql_unconfined_type:db_database sepgsql_db_t; # deprecated > > allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *; > type_transition sepgsql_unconfined_type > sepgsql_database_type:db_schema sepgsql_schema_t; > type_transition sepgsql_unconfined_type > sepgsql_database_type:db_schema sepgsql_schema_t "pg_temp"; > > -type_transition sepgsql_unconfined_type > sepgsql_database_type:db_table sepgsql_table_t; # deprecated > -type_transition sepgsql_unconfined_type > sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated > type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table > sepgsql_table_t; > type_transition sepgsql_unconfined_type > sepgsql_schema_type:db_sequence sepgsql_seq_t; > type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view > sepgsql_view_t; > > -- > KaiGai Kohei <kaigai@kaigai.gr.jp> -- KaiGai Kohei <kaigai@kaigai.gr.jp> -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
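Review bot: In the @@ -431,23 +428,23 @@ hunk of postgresql.te the retained context line `allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };` silently changes meaning: with `use` no longer deprecated it becomes the check that lets a client use the data type, operator or other object that catalog row describes, yet nothing in the hunk or in the policy marks it as such. Re-emit the line in the diff with a comment so the new grant is visible to review, for example `+# use: permission to use the system object this catalog tuple describes` directly above `allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };`, and give `use` a one-line definition in the db_tuple class of access_vectors, where the corresponding hunk only drops the `# deprecated` comment.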
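Review bot: The @@ -513,7 +509,6 @@ hunk of postgresql.te leaves `allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };` without `use`, so once `use` is enforced on system-object tuples the admin domain can create, alter and drop those objects but not use them, while sepgsql_client_type keeps `{ use select }` in the preceding hunk. Add `use` to that permission set; the follow-up in this thread acknowledges the omission and refers to a refreshed patch, which is not attached.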
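Review bot: The @@ -259,7 +259,6 @@, @@ -270,7 +269,6 @@ and @@ -280,7 +278,6 @@ hunks drop the `type_transition postgresql_t sepgsql_database_type:db_table ...` and `:db_procedure ...` rules and keep only the `sepgsql_schema_type`-parented ones, and the later hunks do the same for sepgsql_admin_type and sepgsql_unconfined_type. That is only safe if every sepgsql build the policy still supports labels new tables and procedures relative to their schema; the cover text says the rules have been unused for a few years but does not name the oldest PostgreSQL/sepgsql release the policy now requires, and it should, since a build that still passes the database as the parent gets no transition rule for these classes after this change.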
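Review bot: In the @@ -566,14 +560,11 @@ hunk the kept context line `type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_schema_t "pg_temp";` labels the unconfined domain's pg_temp schema sepgsql_schema_t, whereas the postgresql_t rule in the @@ -270,7 +269,6 @@ hunk and the role and client interfaces in postgresql.if transition "pg_temp" to sepgsql_temp_schema_t. This is not introduced by the patch, but since the block is being edited, either align it to sepgsql_temp_schema_t or state why the unconfined domain is meant to differ.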
* [refpolicy] [4/4] sepgsql -redefinition of use permission onto system objects @ 2012-05-04 13:33 ` Kohei KaiGai 0 siblings, 0 replies; 14+ messages in thread 
From: Kohei KaiGai @ 2012-05-04 13:33 UTC
To: refpolicy

Patch 3 of 4 also required patch 4 of 4 to be refreshed to apply correctly.
In addition, I forgot to allow sepgsql_admin_type to "use" system objects.

Please check the newer version. Thanks,

2012/3/25 Kohei KaiGai <kaigai@kaigai.gr.jp>:
> This patch might be arguable. It redefines the "use" permission on db_tuple
> class that has marked deprecated for a few years, to control usage of system
> objects but without individual object classes.
>
> We didn't try to port all the supported database object types in PostgreSQL
> into SELinux policy model, because its variation is too large to port and
> less priority in comparison with "major" object classes such as tables.
>
> So, we handle permissions to create, drop and alter these objects as
> permissions to insert, delete or update of system catalogs; labeled as
> sepgsql_sysobj_t, and so on.
>
> On the other hand, some of system objects requires to check permission
> when user "use" these objects, such as data types, tablespaces,
> operators and so on.
> I don't think it is reasonable approach to define individual object classes
> for each object types reflects to PostgreSQL. However, it is preferable
> to have double checks by selinux on strategic points.
>
> So, I try to redefine "use" permission on db_tuple class; that means
> permission to "use" this object when the tuple is an entry of system
> catalog corresponding to a particular database object but don't have
> a particular object class like tables.
>
> The deprecated permissions and rules are not in use for a few years,
> so, it is a time to be utilized or eliminated.
>
> Thanks,
>
> Signed-off-by: KaiGai Kohei <kohei.kaigai@emea.nec.com>
> --
>  policy/flask/access_vectors           |    4 +---
>  policy/modules/services/postgresql.if |   16 ++++++----------
>  policy/modules/services/postgresql.te |
31 +++++++++++-------------------- > ?3 files changed, 18 insertions(+), 33 deletions(-) > > diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors > index bf24160..f462e95 100644 > --- a/policy/flask/access_vectors > +++ b/policy/flask/access_vectors > @@ -761,7 +761,6 @@ inherits database > ?class db_table > ?inherits database > ?{ > - ? ? ? use ? ? ? ? ? ? # deprecated > ? ? ? ?select > ? ? ? ?update > ? ? ? ?insert > @@ -780,7 +779,6 @@ inherits database > ?class db_column > ?inherits database > ?{ > - ? ? ? use ? ? ? ? ? ? # deprecated > ? ? ? ?select > ? ? ? ?update > ? ? ? ?insert > @@ -790,7 +788,7 @@ class db_tuple > ?{ > ? ? ? ?relabelfrom > ? ? ? ?relabelto > - ? ? ? use ? ? ? ? ? ? # deprecated > + ? ? ? use > ? ? ? ?select > ? ? ? ?update > ? ? ? ?insert > diff --git a/policy/modules/services/postgresql.if > b/policy/modules/services/postgresql.if > index 56fc5fa..71f2572 100644 > --- a/policy/modules/services/postgresql.if > +++ b/policy/modules/services/postgresql.if 
> @@ -70,10 +70,9 @@ interface(`postgresql_role',` > ? ? ? ?type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; > ? ? ? ?type_transition $2 sepgsql_database_type:db_schema > sepgsql_temp_schema_t "pg_temp"; > > - ? ? ? allow $2 user_sepgsql_table_t:db_table ?{ getattr use select update > insert delete lock }; > - ? ? ? allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; > - ? ? ? allow $2 user_sepgsql_table_t:db_tuple ?{ use select update insert delete }; > - ? ? ? type_transition $2 sepgsql_database_type:db_table > user_sepgsql_table_t; ? ? ? ? ? # deprecated > + ? ? ? allow $2 user_sepgsql_table_t:db_table ?{ getattr select update > insert delete lock }; > + ? ? ? allow $2 user_sepgsql_table_t:db_column { getattr select update insert }; > + ? ? ? allow $2 user_sepgsql_table_t:db_tuple ?{ select update insert delete }; > ? ? ? ?type_transition $2 {sepgsql_schema_type - > sepgsql_temp_schema_t}:db_table user_sepgsql_table_t; > ? ? ? ?type_transition $2 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; > > @@ -89,7 +88,6 @@ interface(`postgresql_role',` > ? ? ? ?type_transition $2 sepgsql_temp_schema_t:db_view sepgsql_temp_view_t; > > ? ? ? ?allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; > - ? ? ? type_transition $2 sepgsql_database_type:db_procedure > user_sepgsql_proc_exec_t; ? ? ? # deprecated > ? ? ? ?type_transition $2 {sepgsql_schema_type - > sepgsql_temp_schema_t}:db_procedure user_sepgsql_proc_exec_t; > ? ? ? ?type_transition $2 sepgsql_temp_schema_t:db_procedure > sepgsql_temp_proc_exec_t; 
> > @@ -513,10 +511,9 @@ interface(`postgresql_unpriv_client',` > ? ? ? ?type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; > ? ? ? ?type_transition $1 sepgsql_database_type:db_schema > unpriv_sepgsql_schema_t "pg_temp"; > > - ? ? ? allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update > insert delete lock }; > - ? ? ? allow $1 unpriv_sepgsql_table_t:db_column { getattr use select > update insert }; > - ? ? ? allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; > - ? ? ? type_transition $1 sepgsql_database_type:db_table > unpriv_sepgsql_table_t; # deprecated > + ? ? ? allow $1 unpriv_sepgsql_table_t:db_table { getattr select update > insert delete lock }; > + ? ? ? allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert }; > + ? ? ? allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete }; > ? ? ? ?type_transition $1 {sepgsql_schema_type - > sepgsql_temp_schema_t}:db_table unpriv_sepgsql_table_t; > ? ? ? ?type_transition $1 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; > > @@ -532,7 +529,6 @@ interface(`postgresql_unpriv_client',` > ? ? ? ?type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; > > ? ? ? ?allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; > - ? ? ? type_transition $1 sepgsql_database_type:db_procedure > unpriv_sepgsql_proc_exec_t; # deprecated > ? ? ? ?type_transition $1 {sepgsql_schema_type - > sepgsql_temp_schema_t}:db_procedure unpriv_sepgsql_proc_exec_t; > ? ? ? ?type_transition $1 sepgsql_temp_schema_t:db_procedure > sepgsql_temp_proc_exec_t; > > diff --git a/policy/modules/services/postgresql.te > b/policy/modules/services/postgresql.te > index 8a3c2bd..92d6e66 100644 > --- a/policy/modules/services/postgresql.te > +++ b/policy/modules/services/postgresql.te 
> @@ -259,7 +259,6 @@ tunable_policy(`sepgsql_transmit_client_label',` > ?') > > ?allow postgresql_t sepgsql_database_type:db_database *; > -type_transition postgresql_t postgresql_t:db_database > sepgsql_db_t; ? ? ? ? ? # deprecated > > ?allow postgresql_t sepgsql_module_type:db_database install_module; > ?# Database/Loadable module > @@ -270,7 +269,6 @@ type_transition postgresql_t > sepgsql_database_type:db_schema sepgsql_schema_t; > ?type_transition postgresql_t sepgsql_database_type:db_schema > sepgsql_temp_schema_t "pg_temp"; > > ?allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *; > -type_transition postgresql_t sepgsql_database_type:db_table > sepgsql_sysobj_t; ? ? ? # deprecated > ?type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t; > > ?allow postgresql_t sepgsql_sequence_type:db_sequence *; > @@ -280,7 +278,6 @@ allow postgresql_t sepgsql_view_type:db_view *; > ?type_transition postgresql_t sepgsql_schema_type:db_view sepgsql_view_t; > > ?allow postgresql_t sepgsql_procedure_type:db_procedure *; > -type_transition postgresql_t sepgsql_database_type:db_procedure > sepgsql_proc_exec_t; ? ?# deprecated > ?type_transition postgresql_t sepgsql_schema_type:db_procedure > sepgsql_proc_exec_t; > > ?allow postgresql_t sepgsql_blob_type:db_blob *; 
> @@ -431,23 +428,23 @@ type_transition sepgsql_client_type > sepgsql_client_type:db_database sepgsql_db_t > > ?allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search }; > > -allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr > use select insert lock }; > -allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr > use select insert }; > -allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert }; > +allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr > select insert lock }; > +allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr > select insert }; > +allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { select insert }; > > -allow sepgsql_client_type sepgsql_table_t:db_table { getattr use > select update insert delete lock }; > -allow sepgsql_client_type sepgsql_table_t:db_column { getattr use > select update insert }; > -allow sepgsql_client_type sepgsql_table_t:db_tuple { use select > update insert delete }; > +allow sepgsql_client_type sepgsql_table_t:db_table { getattr select > update insert delete lock }; > +allow sepgsql_client_type sepgsql_table_t:db_column { getattr select > update insert }; > +allow sepgsql_client_type sepgsql_table_t:db_tuple { select update > insert delete }; > > -allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use > select lock }; > -allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select }; > -allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select }; > +allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr select lock }; > +allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr select }; > +allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { select }; > > ?allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr; > ?allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr; > > -allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use > select 
lock }; > -allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select }; > +allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr select lock }; > +allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr select }; > ?allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; > > ?allow sepgsql_client_type sepgsql_temp_table_t:db_table ~{ relabelto > relabelfrom }; > @@ -503,7 +500,6 @@ tunable_policy(`sepgsql_enable_users_ddl',` > ?# > > ?allow sepgsql_admin_type sepgsql_database_type:db_database { create > drop getattr setattr relabelfrom relabelto access }; > -type_transition sepgsql_admin_type sepgsql_admin_type:db_database > sepgsql_db_t; ? ? ? ? ? # deprecated > > ?allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop > getattr setattr relabelfrom relabelto search add_name remove_name }; > ?type_transition sepgsql_admin_type sepgsql_database_type:db_schema > sepgsql_schema_t; > @@ -513,7 +509,6 @@ allow sepgsql_admin_type > sepgsql_table_type:db_table { create drop getattr setat > ?allow sepgsql_admin_type sepgsql_table_type:db_column { create drop > getattr setattr relabelfrom relabelto }; > ?allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { > relabelfrom relabelto select update insert delete }; > > -type_transition sepgsql_admin_type sepgsql_database_type:db_table > sepgsql_table_t; ? ? ? ?# deprecated > ?type_transition sepgsql_admin_type sepgsql_schema_type:db_table > sepgsql_table_t; > > ?allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create > drop getattr setattr relabelfrom relabelto get_value next_value > set_value }; 
> @@ -527,7 +522,6 @@ type_transition sepgsql_admin_type > sepgsql_schema_type:db_view sepgsql_view_t; > ?allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create > drop getattr relabelfrom relabelto }; > ?allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute; > > -type_transition sepgsql_admin_type sepgsql_database_type:db_procedure > sepgsql_proc_exec_t; ? ?# deprecated > ?type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure > sepgsql_proc_exec_t; > > ?allow sepgsql_admin_type sepgsql_language_type:db_language { create > drop getattr setattr relabelfrom relabelto execute }; > @@ -566,14 +560,11 @@ tunable_policy(`sepgsql_unconfined_dbadm',` > ?# > > ?allow sepgsql_unconfined_type sepgsql_database_type:db_database *; > -type_transition sepgsql_unconfined_type > sepgsql_unconfined_type:db_database sepgsql_db_t; ? ? ? # deprecated > > ?allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *; > ?type_transition sepgsql_unconfined_type > sepgsql_database_type:db_schema sepgsql_schema_t; > ?type_transition sepgsql_unconfined_type > sepgsql_database_type:db_schema sepgsql_schema_t "pg_temp"; > > -type_transition sepgsql_unconfined_type > sepgsql_database_type:db_table sepgsql_table_t; ? ? ? ? # deprecated > -type_transition sepgsql_unconfined_type > sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated > ?type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table > sepgsql_table_t; > ?type_transition sepgsql_unconfined_type > sepgsql_schema_type:db_sequence sepgsql_seq_t; > ?type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view > sepgsql_view_t; > > -- > KaiGai Kohei <kaigai@kaigai.gr.jp> -- KaiGai Kohei <kaigai@kaigai.gr.jp>
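The omission KaiGai reports in the message above (sepgsql_admin_type left without `use` on system-object tuples) is the kind of inconsistency that becomes mechanically checkable once `use` is a real permission. The script below is an added example, not code from refpolicy or from this thread: it parses refpolicy-style `allow` rules, expands `*` and `~{ ... }` permission sets for the db_tuple class, resolves rules written against the attributes `sepgsql_table_type` and `sepgsql_sysobj_table_type` (the page names these attributes but not their members, so the membership map is an assumption), and reports every domain that may `select` sepgsql_sysobj_t tuples but may not `use` them. The sample rules are constructed from the shape of the postgresql.te lines quoted in this thread; set subtraction such as `{ a - b }` is not handled.

```python
"""Audit which sepgsql domains may 'use' system-object catalog tuples.

Added example (not refpolicy code): parse `allow` rules from policy text
and flag domains that can `select` sepgsql_sysobj_t tuples but lack `use`.
"""
import re
from collections import defaultdict

# Full permission set of the db_tuple class as declared in access_vectors.
DB_TUPLE_PERMS = frozenset(
    {"relabelfrom", "relabelto", "use", "select", "update", "insert", "delete"}
)
CLASS_PERMS = {"db_tuple": DB_TUPLE_PERMS}

# ASSUMED attribute membership: the thread names these attributes but does
# not list their members, so this map is a constructed approximation.
TYPE_ATTRIBUTES = {
    "sepgsql_table_type": {
        "sepgsql_sysobj_t", "sepgsql_table_t", "sepgsql_fixed_table_t",
        "sepgsql_ro_table_t", "sepgsql_secret_table_t", "sepgsql_temp_table_t",
    },
    "sepgsql_sysobj_table_type": {"sepgsql_sysobj_t", "unpriv_sepgsql_sysobj_t"},
}

# Constructed sample in the shape of the postgresql.te rules quoted above
# ('+' and context lines with the diff prefixes removed).
SAMPLE_POLICY = """
allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { select };
allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr select };
allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
allow sepgsql_client_type sepgsql_temp_table_t:db_table ~{ relabelto relabelfrom };
allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };
allow sepgsql_unconfined_type sepgsql_database_type:db_database *;
"""

# allow <src> <tgt>:<class> <perms>;  where src/tgt/class may be `{ a b }`
# sets and perms may be `*`, `~{ ... }`, `{ ... }` or a single name.
ALLOW_RE = re.compile(
    r"^\s*allow\s+(?P<src>\{[^}]*\}|\S+)\s+(?P<tgt>\{[^}]*\}|\S+?):"
    r"(?P<cls>\{[^}]*\}|\S+)\s+(?P<perms>~?\{[^}]*\}|\*|\w+)\s*;",
    re.MULTILINE,
)


def _names(token):
    """Turn `foo` or `{ foo bar }` into a set of identifiers."""
    token = token.strip()
    if token.startswith("{"):
        return set(token.strip("{}").split())
    return {token}


def parse_allow_rules(policy_text):
    """Yield (sources, targets, classes, perm_spec) for every allow rule."""
    for m in ALLOW_RE.finditer(policy_text):
        tok = m.group("perms")
        if tok == "*":
            spec = ("all", frozenset())
        elif tok.startswith("~"):
            spec = ("not", frozenset(_names(tok[1:])))
        else:
            spec = ("only", frozenset(_names(tok)))
        yield _names(m.group("src")), _names(m.group("tgt")), _names(m.group("cls")), spec


def resolve_perms(spec, cls):
    """Expand a permission spec against the known permission set of `cls`."""
    kind, names = spec
    if kind == "only":
        return set(names)
    full = CLASS_PERMS.get(cls)
    if full is None:
        return set()  # cannot expand `*` or `~{}` for a class we do not know
    return set(full) if kind == "all" else set(full) - set(names)


def tuple_perms_by_domain(policy_text, target="sepgsql_sysobj_t"):
    """Effective db_tuple permissions each domain holds on `target`, including
    rules written against an attribute that (by our assumed map) contains it."""
    granted = defaultdict(set)
    for sources, targets, classes, spec in parse_allow_rules(policy_text):
        if "db_tuple" not in classes:
            continue
        if not any(t == target or target in TYPE_ATTRIBUTES.get(t, ()) for t in targets):
            continue
        for src in sources:
            granted[src] |= resolve_perms(spec, "db_tuple")
    return dict(granted)


def domains_missing_use(policy_text, target="sepgsql_sysobj_t"):
    """Domains that can select `target` catalog tuples but may not `use` them."""
    perms = tuple_perms_by_domain(policy_text, target)
    return sorted(d for d, p in perms.items() if "select" in p and "use" not in p)


if __name__ == "__main__":
    for domain, perms in sorted(tuple_perms_by_domain(SAMPLE_POLICY).items()):
        print(f"{domain:24s} db_tuple {{ {' '.join(sorted(perms))} }}")
    print("select without use:", domains_missing_use(SAMPLE_POLICY))
```

Run against the sample it reports `sepgsql_admin_type` as the only domain with `select` but no `use`, which is the gap the follow-up message describes; pointing it at a real postgresql.te requires filling in the attribute map from the policy's `typeattribute` statements.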
* Re: [4/4] sepgsql -redefinition of use permission onto system objects 2012-05-04 13:33 ` [refpolicy] " Kohei KaiGai @ 2012-05-04 15:51 ` Christopher J. PeBenito -1 siblings, 0 replies; 14+ messages in thread 
From: Christopher J. PeBenito @ 2012-05-04 15:51 UTC
To: Kohei KaiGai; +Cc: refpolicy, SELinux-NSA

On 05/04/12 09:33, Kohei KaiGai wrote:
> Patch 3 of 4 also required patch 4 of 4 to be refreshed to apply correctly.
> In addition, I forgot to allow sepgsql_admin_type to "use" system
> objects.
>
> Please check the newer version. Thanks,

Looks like the revised patch is missing.

> 2012/3/25 Kohei KaiGai <kaigai@kaigai.gr.jp>:
>> This patch might be arguable. It redefines the "use" permission on db_tuple
>> class that has marked deprecated for a few years, to control usage of system
>> objects but without individual object classes.
>>
>> We didn't try to port all the supported database object types in PostgreSQL
>> into SELinux policy model, because its variation is too large to port and
>> less priority in comparison with "major" object classes such as tables.
>>
>> So, we handle permissions to create, drop and alter these objects as
>> permissions to insert, delete or update of system catalogs; labeled as
>> sepgsql_sysobj_t, and so on.
>>
>> On the other hand, some of system objects requires to check permission
>> when user "use" these objects, such as data types, tablespaces,
>> operators and so on.
>> I don't think it is reasonable approach to define individual object classes
>> for each object types reflects to PostgreSQL. However, it is preferable
>> to have double checks by selinux on strategic points.
>>
>> So, I try to redefine "use" permission on db_tuple class; that means
>> permission to "use" this object when the tuple is an entry of system
>> catalog corresponding to a particular database object but don't have
>> a particular object class like tables.
>>
>> The deprecated permissions and rules are not in use for a few years,
>> so, it is a time to be utilized or eliminated.
>>
>> Thanks,
>> >> Signed-off-by: KaiGai Kohei <kohei.kaigai@emea.nec.com> >> -- >> policy/flask/access_vectors | 4 +--- >> policy/modules/services/postgresql.if | 16 ++++++---------- >> policy/modules/services/postgresql.te | 31 +++++++++++-------------------- >> 3 files changed, 18 insertions(+), 33 deletions(-) >> >> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors >> index bf24160..f462e95 100644 >> --- a/policy/flask/access_vectors >> +++ b/policy/flask/access_vectors >> @@ -761,7 +761,6 @@ inherits database >> class db_table >> inherits database >> { >> - use # deprecated >> select >> update >> insert >> @@ -780,7 +779,6 @@ inherits database >> class db_column >> inherits database >> { >> - use # deprecated >> select >> update >> insert >> @@ -790,7 +788,7 @@ class db_tuple >> { >> relabelfrom >> relabelto >> - use # deprecated >> + use >> select >> update >> insert >> diff --git a/policy/modules/services/postgresql.if >> b/policy/modules/services/postgresql.if >> index 56fc5fa..71f2572 100644 >> --- a/policy/modules/services/postgresql.if >> +++ b/policy/modules/services/postgresql.if 
>> @@ -70,10 +70,9 @@ interface(`postgresql_role',` >> type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; >> type_transition $2 sepgsql_database_type:db_schema >> sepgsql_temp_schema_t "pg_temp"; >> >> - allow $2 user_sepgsql_table_t:db_table { getattr use select update >> insert delete lock }; >> - allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; >> - allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete }; >> - type_transition $2 sepgsql_database_type:db_table >> user_sepgsql_table_t; # deprecated >> + allow $2 user_sepgsql_table_t:db_table { getattr select update >> insert delete lock }; >> + allow $2 user_sepgsql_table_t:db_column { getattr select update insert }; >> + allow $2 user_sepgsql_table_t:db_tuple { select update insert delete }; >> type_transition $2 {sepgsql_schema_type - >> sepgsql_temp_schema_t}:db_table user_sepgsql_table_t; >> type_transition $2 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; >> >> @@ -89,7 +88,6 @@ interface(`postgresql_role',` >> type_transition $2 sepgsql_temp_schema_t:db_view sepgsql_temp_view_t; >> >> allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; >> - type_transition $2 sepgsql_database_type:db_procedure >> user_sepgsql_proc_exec_t; # deprecated >> type_transition $2 {sepgsql_schema_type - >> sepgsql_temp_schema_t}:db_procedure user_sepgsql_proc_exec_t; >> type_transition $2 sepgsql_temp_schema_t:db_procedure >> sepgsql_temp_proc_exec_t; 
>> >> @@ -513,10 +511,9 @@ interface(`postgresql_unpriv_client',` >> type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; >> type_transition $1 sepgsql_database_type:db_schema >> unpriv_sepgsql_schema_t "pg_temp"; >> >> - allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update >> insert delete lock }; >> - allow $1 unpriv_sepgsql_table_t:db_column { getattr use select >> update insert }; >> - allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; >> - type_transition $1 sepgsql_database_type:db_table >> unpriv_sepgsql_table_t; # deprecated >> + allow $1 unpriv_sepgsql_table_t:db_table { getattr select update >> insert delete lock }; >> + allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert }; >> + allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete }; >> type_transition $1 {sepgsql_schema_type - >> sepgsql_temp_schema_t}:db_table unpriv_sepgsql_table_t; >> type_transition $1 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; >> >> @@ -532,7 +529,6 @@ interface(`postgresql_unpriv_client',` >> type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; >> >> allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; >> - type_transition $1 sepgsql_database_type:db_procedure >> unpriv_sepgsql_proc_exec_t; # deprecated >> type_transition $1 {sepgsql_schema_type - >> sepgsql_temp_schema_t}:db_procedure unpriv_sepgsql_proc_exec_t; >> type_transition $1 sepgsql_temp_schema_t:db_procedure >> sepgsql_temp_proc_exec_t; >> >> diff --git a/policy/modules/services/postgresql.te >> b/policy/modules/services/postgresql.te >> index 8a3c2bd..92d6e66 100644 >> --- a/policy/modules/services/postgresql.te >> +++ b/policy/modules/services/postgresql.te 
>> @@ -259,7 +259,6 @@ tunable_policy(`sepgsql_transmit_client_label',` >> ') >> >> allow postgresql_t sepgsql_database_type:db_database *; >> -type_transition postgresql_t postgresql_t:db_database >> sepgsql_db_t; # deprecated >> >> allow postgresql_t sepgsql_module_type:db_database install_module; >> # Database/Loadable module >> @@ -270,7 +269,6 @@ type_transition postgresql_t >> sepgsql_database_type:db_schema sepgsql_schema_t; >> type_transition postgresql_t sepgsql_database_type:db_schema >> sepgsql_temp_schema_t "pg_temp"; >> >> allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *; >> -type_transition postgresql_t sepgsql_database_type:db_table >> sepgsql_sysobj_t; # deprecated >> type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t; >> >> allow postgresql_t sepgsql_sequence_type:db_sequence *; >> @@ -280,7 +278,6 @@ allow postgresql_t sepgsql_view_type:db_view *; >> type_transition postgresql_t sepgsql_schema_type:db_view sepgsql_view_t; >> >> allow postgresql_t sepgsql_procedure_type:db_procedure *; >> -type_transition postgresql_t sepgsql_database_type:db_procedure >> sepgsql_proc_exec_t; # deprecated >> type_transition postgresql_t sepgsql_schema_type:db_procedure >> sepgsql_proc_exec_t; >> >> allow postgresql_t sepgsql_blob_type:db_blob *; 
>> @@ -431,23 +428,23 @@ type_transition sepgsql_client_type >> sepgsql_client_type:db_database sepgsql_db_t >> >> allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search }; >> >> -allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr >> use select insert lock }; >> -allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr >> use select insert }; >> -allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert }; >> +allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr >> select insert lock }; >> +allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr >> select insert }; >> +allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { select insert }; >> >> -allow sepgsql_client_type sepgsql_table_t:db_table { getattr use >> select update insert delete lock }; >> -allow sepgsql_client_type sepgsql_table_t:db_column { getattr use >> select update insert }; >> -allow sepgsql_client_type sepgsql_table_t:db_tuple { use select >> update insert delete }; >> +allow sepgsql_client_type sepgsql_table_t:db_table { getattr select >> update insert delete lock }; >> +allow sepgsql_client_type sepgsql_table_t:db_column { getattr select >> update insert }; >> +allow sepgsql_client_type sepgsql_table_t:db_tuple { select update >> insert delete }; >> >> -allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use >> select lock }; >> -allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select }; >> -allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select }; >> +allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr select lock }; >> +allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr select }; >> +allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { select }; >> >> allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr; >> allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr; >> >> -allow sepgsql_client_type 
sepgsql_sysobj_t:db_table { getattr use >> select lock }; >> -allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select }; >> +allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr select lock }; >> +allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr select }; >> allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; >> >> allow sepgsql_client_type sepgsql_temp_table_t:db_table ~{ relabelto >> relabelfrom }; >> @@ -503,7 +500,6 @@ tunable_policy(`sepgsql_enable_users_ddl',` >> # >> >> allow sepgsql_admin_type sepgsql_database_type:db_database { create >> drop getattr setattr relabelfrom relabelto access }; >> -type_transition sepgsql_admin_type sepgsql_admin_type:db_database >> sepgsql_db_t; # deprecated >> >> allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop >> getattr setattr relabelfrom relabelto search add_name remove_name }; >> type_transition sepgsql_admin_type sepgsql_database_type:db_schema >> sepgsql_schema_t; >> @@ -513,7 +509,6 @@ allow sepgsql_admin_type >> sepgsql_table_type:db_table { create drop getattr setat >> allow sepgsql_admin_type sepgsql_table_type:db_column { create drop >> getattr setattr relabelfrom relabelto }; >> allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { >> relabelfrom relabelto select update insert delete }; >> >> -type_transition sepgsql_admin_type sepgsql_database_type:db_table >> sepgsql_table_t; # deprecated >> type_transition sepgsql_admin_type sepgsql_schema_type:db_table >> sepgsql_table_t; >> >> allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create >> drop getattr setattr relabelfrom relabelto get_value next_value >> set_value }; 
>> @@ -527,7 +522,6 @@ type_transition sepgsql_admin_type >> sepgsql_schema_type:db_view sepgsql_view_t; >> allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create >> drop getattr relabelfrom relabelto }; >> allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute; >> >> -type_transition sepgsql_admin_type sepgsql_database_type:db_procedure >> sepgsql_proc_exec_t; # deprecated >> type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure >> sepgsql_proc_exec_t; >> >> allow sepgsql_admin_type sepgsql_language_type:db_language { create >> drop getattr setattr relabelfrom relabelto execute }; 
>> @@ -566,14 +560,11 @@ tunable_policy(`sepgsql_unconfined_dbadm',` >> # >> >> allow sepgsql_unconfined_type sepgsql_database_type:db_database *; >> -type_transition sepgsql_unconfined_type >> sepgsql_unconfined_type:db_database sepgsql_db_t; # deprecated >> >> allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *; >> type_transition sepgsql_unconfined_type >> sepgsql_database_type:db_schema sepgsql_schema_t; >> type_transition sepgsql_unconfined_type >> sepgsql_database_type:db_schema sepgsql_schema_t "pg_temp"; >> >> -type_transition sepgsql_unconfined_type >> sepgsql_database_type:db_table sepgsql_table_t; # deprecated >> -type_transition sepgsql_unconfined_type >> sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated >> type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table >> sepgsql_table_t; >> type_transition sepgsql_unconfined_type >> sepgsql_schema_type:db_sequence sepgsql_seq_t; >> type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view >> sepgsql_view_t; >> >> -- >> KaiGai Kohei <kaigai@kaigai.gr.jp> > > > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
>> >> @@ -513,10 +511,9 @@ interface(`postgresql_unpriv_client',` >> type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; >> type_transition $1 sepgsql_database_type:db_schema >> unpriv_sepgsql_schema_t "pg_temp"; >> >> - allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update >> insert delete lock }; >> - allow $1 unpriv_sepgsql_table_t:db_column { getattr use select >> update insert }; >> - allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; >> - type_transition $1 sepgsql_database_type:db_table >> unpriv_sepgsql_table_t; # deprecated >> + allow $1 unpriv_sepgsql_table_t:db_table { getattr select update >> insert delete lock }; >> + allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert }; >> + allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete }; >> type_transition $1 {sepgsql_schema_type - >> sepgsql_temp_schema_t}:db_table unpriv_sepgsql_table_t; >> type_transition $1 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; >> >> @@ -532,7 +529,6 @@ interface(`postgresql_unpriv_client',` >> type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; >> >> allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; >> - type_transition $1 sepgsql_database_type:db_procedure >> unpriv_sepgsql_proc_exec_t; # deprecated >> type_transition $1 {sepgsql_schema_type - >> sepgsql_temp_schema_t}:db_procedure unpriv_sepgsql_proc_exec_t; >> type_transition $1 sepgsql_temp_schema_t:db_procedure >> sepgsql_temp_proc_exec_t; >> >> diff --git a/policy/modules/services/postgresql.te >> b/policy/modules/services/postgresql.te >> index 8a3c2bd..92d6e66 100644 >> --- a/policy/modules/services/postgresql.te >> +++ b/policy/modules/services/postgresql.te 
>> @@ -259,7 +259,6 @@ tunable_policy(`sepgsql_transmit_client_label',` >> ') >> >> allow postgresql_t sepgsql_database_type:db_database *; >> -type_transition postgresql_t postgresql_t:db_database >> sepgsql_db_t; # deprecated >> >> allow postgresql_t sepgsql_module_type:db_database install_module; >> # Database/Loadable module >> @@ -270,7 +269,6 @@ type_transition postgresql_t >> sepgsql_database_type:db_schema sepgsql_schema_t; >> type_transition postgresql_t sepgsql_database_type:db_schema >> sepgsql_temp_schema_t "pg_temp"; >> >> allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *; >> -type_transition postgresql_t sepgsql_database_type:db_table >> sepgsql_sysobj_t; # deprecated >> type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t; >> >> allow postgresql_t sepgsql_sequence_type:db_sequence *; >> @@ -280,7 +278,6 @@ allow postgresql_t sepgsql_view_type:db_view *; >> type_transition postgresql_t sepgsql_schema_type:db_view sepgsql_view_t; >> >> allow postgresql_t sepgsql_procedure_type:db_procedure *; >> -type_transition postgresql_t sepgsql_database_type:db_procedure >> sepgsql_proc_exec_t; # deprecated >> type_transition postgresql_t sepgsql_schema_type:db_procedure >> sepgsql_proc_exec_t; >> >> allow postgresql_t sepgsql_blob_type:db_blob *; 
>> @@ -431,23 +428,23 @@ type_transition sepgsql_client_type >> sepgsql_client_type:db_database sepgsql_db_t >> >> allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search }; >> >> -allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr >> use select insert lock }; >> -allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr >> use select insert }; >> -allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert }; >> +allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr >> select insert lock }; >> +allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr >> select insert }; >> +allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { select insert }; >> >> -allow sepgsql_client_type sepgsql_table_t:db_table { getattr use >> select update insert delete lock }; >> -allow sepgsql_client_type sepgsql_table_t:db_column { getattr use >> select update insert }; >> -allow sepgsql_client_type sepgsql_table_t:db_tuple { use select >> update insert delete }; >> +allow sepgsql_client_type sepgsql_table_t:db_table { getattr select >> update insert delete lock }; >> +allow sepgsql_client_type sepgsql_table_t:db_column { getattr select >> update insert }; >> +allow sepgsql_client_type sepgsql_table_t:db_tuple { select update >> insert delete }; >> >> -allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use >> select lock }; >> -allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select }; >> -allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select }; >> +allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr select lock }; >> +allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr select }; >> +allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { select }; >> >> allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr; >> allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr; >> >> -allow sepgsql_client_type 
sepgsql_sysobj_t:db_table { getattr use >> select lock }; >> -allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select }; >> +allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr select lock }; >> +allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr select }; >> allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; >> >> allow sepgsql_client_type sepgsql_temp_table_t:db_table ~{ relabelto >> relabelfrom }; >> @@ -503,7 +500,6 @@ tunable_policy(`sepgsql_enable_users_ddl',` >> # >> >> allow sepgsql_admin_type sepgsql_database_type:db_database { create >> drop getattr setattr relabelfrom relabelto access }; >> -type_transition sepgsql_admin_type sepgsql_admin_type:db_database >> sepgsql_db_t; # deprecated >> >> allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop >> getattr setattr relabelfrom relabelto search add_name remove_name }; >> type_transition sepgsql_admin_type sepgsql_database_type:db_schema >> sepgsql_schema_t; >> @@ -513,7 +509,6 @@ allow sepgsql_admin_type >> sepgsql_table_type:db_table { create drop getattr setat >> allow sepgsql_admin_type sepgsql_table_type:db_column { create drop >> getattr setattr relabelfrom relabelto }; >> allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { >> relabelfrom relabelto select update insert delete }; >> >> -type_transition sepgsql_admin_type sepgsql_database_type:db_table >> sepgsql_table_t; # deprecated >> type_transition sepgsql_admin_type sepgsql_schema_type:db_table >> sepgsql_table_t; >> >> allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create >> drop getattr setattr relabelfrom relabelto get_value next_value >> set_value }; 
>> @@ -527,7 +522,6 @@ type_transition sepgsql_admin_type >> sepgsql_schema_type:db_view sepgsql_view_t; >> allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create >> drop getattr relabelfrom relabelto }; >> allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute; >> >> -type_transition sepgsql_admin_type sepgsql_database_type:db_procedure >> sepgsql_proc_exec_t; # deprecated >> type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure >> sepgsql_proc_exec_t; >> >> allow sepgsql_admin_type sepgsql_language_type:db_language { create >> drop getattr setattr relabelfrom relabelto execute }; >> @@ -566,14 +560,11 @@ tunable_policy(`sepgsql_unconfined_dbadm',` >> # >> >> allow sepgsql_unconfined_type sepgsql_database_type:db_database *; >> -type_transition sepgsql_unconfined_type >> sepgsql_unconfined_type:db_database sepgsql_db_t; # deprecated >> >> allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *; >> type_transition sepgsql_unconfined_type >> sepgsql_database_type:db_schema sepgsql_schema_t; >> type_transition sepgsql_unconfined_type >> sepgsql_database_type:db_schema sepgsql_schema_t "pg_temp"; >> >> -type_transition sepgsql_unconfined_type >> sepgsql_database_type:db_table sepgsql_table_t; # deprecated >> -type_transition sepgsql_unconfined_type >> sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated >> type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table >> sepgsql_table_t; >> type_transition sepgsql_unconfined_type >> sepgsql_schema_type:db_sequence sepgsql_seq_t; >> type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view >> sepgsql_view_t; >> >> -- >> KaiGai Kohei <kaigai@kaigai.gr.jp> > > > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 14+ messages in thread
* Re: [4/4] sepgsql -redefinition of use permission onto system objects
2012-05-04 15:51 ` [refpolicy] " Christopher J. PeBenito
@ 2012-05-04 17:24 ` Kohei KaiGai
-1 siblings, 0 replies; 14+ messages in thread
From: Kohei KaiGai @ 2012-05-04 17:24 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: refpolicy, SELinux-NSA

[-- Attachment #1: Type: text/plain, Size: 14176 bytes --]

2012/5/4 Christopher J. PeBenito <cpebenito@tresys.com>:
> On 05/04/12 09:33, Kohei KaiGai wrote:
>> Patch 3 of 4 also required 4 of 4 to be refreshed to apply correctly.
>> In addition, I forgot to allow sepgsql_admin_type to "use" system
>> objects.
>>
>> Please check the newer version. Thanks,
>
> Looks like the revised patch is missing.
>
Sorry, it is the attached one. Thanks,

>> 2012/3/25 Kohei KaiGai <kaigai@kaigai.gr.jp>:
>>> This patch might be arguable. It redefines the "use" permission on the db_tuple
>>> class, which has been marked deprecated for a few years, to control usage of system
>>> objects, but without individual object classes.
>>>
>>> We didn't try to port all the database object types supported in PostgreSQL
>>> into the SELinux policy model, because their variety is too large to port and
>>> they have lower priority in comparison with "major" object classes such as tables.
>>>
>>> So, we handle permissions to create, drop and alter these objects as
>>> permissions to insert, delete or update the system catalogs, labeled as
>>> sepgsql_sysobj_t and so on.
>>>
>>> On the other hand, some system objects, such as data types, tablespaces,
>>> operators and so on, require a permission check when a user "uses" them.
>>> I don't think it is a reasonable approach to define individual object classes
>>> for each of the object types in PostgreSQL. However, it is preferable
>>> to have double checks by SELinux at strategic points.
>>>
>>> So, I try to redefine the "use" permission on the db_tuple class; that means
>>> permission to "use" this object when the tuple is an entry of a system
>>> catalog corresponding to a particular database object that doesn't have
>>> a particular object class like tables do.
>>> >>> The deprecated permissions and rules are not in use for a few years, >>> so, it is a time to be utilized or eliminated. >>> >>> Thanks, >>> >>> Signed-off-by: KaiGai Kohei <kohei.kaigai@emea.nec.com> >>> -- >>> policy/flask/access_vectors | 4 +--- >>> policy/modules/services/postgresql.if | 16 ++++++---------- >>> policy/modules/services/postgresql.te | 31 +++++++++++-------------------- >>> 3 files changed, 18 insertions(+), 33 deletions(-) >>> >>> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors >>> index bf24160..f462e95 100644 >>> --- a/policy/flask/access_vectors >>> +++ b/policy/flask/access_vectors >>> @@ -761,7 +761,6 @@ inherits database >>> class db_table >>> inherits database >>> { >>> - use # deprecated >>> select >>> update >>> insert >>> @@ -780,7 +779,6 @@ inherits database >>> class db_column >>> inherits database >>> { >>> - use # deprecated >>> select >>> update >>> insert >>> @@ -790,7 +788,7 @@ class db_tuple >>> { >>> relabelfrom >>> relabelto >>> - use # deprecated >>> + use >>> select >>> update >>> insert >>> diff --git a/policy/modules/services/postgresql.if >>> b/policy/modules/services/postgresql.if >>> index 56fc5fa..71f2572 100644 >>> --- a/policy/modules/services/postgresql.if >>> +++ b/policy/modules/services/postgresql.if 
>>> @@ -70,10 +70,9 @@ interface(`postgresql_role',` >>> type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; >>> type_transition $2 sepgsql_database_type:db_schema >>> sepgsql_temp_schema_t "pg_temp"; >>> >>> - allow $2 user_sepgsql_table_t:db_table { getattr use select update >>> insert delete lock }; >>> - allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; >>> - allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete }; >>> - type_transition $2 sepgsql_database_type:db_table >>> user_sepgsql_table_t; # deprecated >>> + allow $2 user_sepgsql_table_t:db_table { getattr select update >>> insert delete lock }; >>> + allow $2 user_sepgsql_table_t:db_column { getattr select update insert }; >>> + allow $2 user_sepgsql_table_t:db_tuple { select update insert delete }; >>> type_transition $2 {sepgsql_schema_type - >>> sepgsql_temp_schema_t}:db_table user_sepgsql_table_t; >>> type_transition $2 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; >>> >>> @@ -89,7 +88,6 @@ interface(`postgresql_role',` >>> type_transition $2 sepgsql_temp_schema_t:db_view sepgsql_temp_view_t; >>> >>> allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; >>> - type_transition $2 sepgsql_database_type:db_procedure >>> user_sepgsql_proc_exec_t; # deprecated >>> type_transition $2 {sepgsql_schema_type - >>> sepgsql_temp_schema_t}:db_procedure user_sepgsql_proc_exec_t; >>> type_transition $2 sepgsql_temp_schema_t:db_procedure >>> sepgsql_temp_proc_exec_t; 
>>> >>> @@ -513,10 +511,9 @@ interface(`postgresql_unpriv_client',` >>> type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; >>> type_transition $1 sepgsql_database_type:db_schema >>> unpriv_sepgsql_schema_t "pg_temp"; >>> >>> - allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update >>> insert delete lock }; >>> - allow $1 unpriv_sepgsql_table_t:db_column { getattr use select >>> update insert }; >>> - allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; >>> - type_transition $1 sepgsql_database_type:db_table >>> unpriv_sepgsql_table_t; # deprecated >>> + allow $1 unpriv_sepgsql_table_t:db_table { getattr select update >>> insert delete lock }; >>> + allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert }; >>> + allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete }; >>> type_transition $1 {sepgsql_schema_type - >>> sepgsql_temp_schema_t}:db_table unpriv_sepgsql_table_t; >>> type_transition $1 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; >>> >>> @@ -532,7 +529,6 @@ interface(`postgresql_unpriv_client',` >>> type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; >>> >>> allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; >>> - type_transition $1 sepgsql_database_type:db_procedure >>> unpriv_sepgsql_proc_exec_t; # deprecated >>> type_transition $1 {sepgsql_schema_type - >>> sepgsql_temp_schema_t}:db_procedure unpriv_sepgsql_proc_exec_t; >>> type_transition $1 sepgsql_temp_schema_t:db_procedure >>> sepgsql_temp_proc_exec_t; >>> >>> diff --git a/policy/modules/services/postgresql.te >>> b/policy/modules/services/postgresql.te >>> index 8a3c2bd..92d6e66 100644 >>> --- a/policy/modules/services/postgresql.te >>> +++ b/policy/modules/services/postgresql.te 
>>> @@ -259,7 +259,6 @@ tunable_policy(`sepgsql_transmit_client_label',` >>> ') >>> >>> allow postgresql_t sepgsql_database_type:db_database *; >>> -type_transition postgresql_t postgresql_t:db_database >>> sepgsql_db_t; # deprecated >>> >>> allow postgresql_t sepgsql_module_type:db_database install_module; >>> # Database/Loadable module >>> @@ -270,7 +269,6 @@ type_transition postgresql_t >>> sepgsql_database_type:db_schema sepgsql_schema_t; >>> type_transition postgresql_t sepgsql_database_type:db_schema >>> sepgsql_temp_schema_t "pg_temp"; >>> >>> allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *; >>> -type_transition postgresql_t sepgsql_database_type:db_table >>> sepgsql_sysobj_t; # deprecated >>> type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t; >>> >>> allow postgresql_t sepgsql_sequence_type:db_sequence *; >>> @@ -280,7 +278,6 @@ allow postgresql_t sepgsql_view_type:db_view *; >>> type_transition postgresql_t sepgsql_schema_type:db_view sepgsql_view_t; >>> >>> allow postgresql_t sepgsql_procedure_type:db_procedure *; >>> -type_transition postgresql_t sepgsql_database_type:db_procedure >>> sepgsql_proc_exec_t; # deprecated >>> type_transition postgresql_t sepgsql_schema_type:db_procedure >>> sepgsql_proc_exec_t; >>> >>> allow postgresql_t sepgsql_blob_type:db_blob *; 
>>> @@ -431,23 +428,23 @@ type_transition sepgsql_client_type >>> sepgsql_client_type:db_database sepgsql_db_t >>> >>> allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search }; >>> >>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr >>> use select insert lock }; >>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr >>> use select insert }; >>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert }; >>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr >>> select insert lock }; >>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr >>> select insert }; >>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { select insert }; >>> >>> -allow sepgsql_client_type sepgsql_table_t:db_table { getattr use >>> select update insert delete lock }; >>> -allow sepgsql_client_type sepgsql_table_t:db_column { getattr use >>> select update insert }; >>> -allow sepgsql_client_type sepgsql_table_t:db_tuple { use select >>> update insert delete }; >>> +allow sepgsql_client_type sepgsql_table_t:db_table { getattr select >>> update insert delete lock }; >>> +allow sepgsql_client_type sepgsql_table_t:db_column { getattr select >>> update insert }; >>> +allow sepgsql_client_type sepgsql_table_t:db_tuple { select update >>> insert delete }; >>> >>> -allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use >>> select lock }; >>> -allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select }; >>> -allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select }; >>> +allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr select lock }; >>> +allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr select }; >>> +allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { select }; >>> >>> allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr; >>> allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr; >>> 
>>> -allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use >>> select lock }; >>> -allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select }; >>> +allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr select lock }; >>> +allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr select }; >>> allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; >>> >>> allow sepgsql_client_type sepgsql_temp_table_t:db_table ~{ relabelto >>> relabelfrom }; >>> @@ -503,7 +500,6 @@ tunable_policy(`sepgsql_enable_users_ddl',` >>> # >>> >>> allow sepgsql_admin_type sepgsql_database_type:db_database { create >>> drop getattr setattr relabelfrom relabelto access }; >>> -type_transition sepgsql_admin_type sepgsql_admin_type:db_database >>> sepgsql_db_t; # deprecated >>> >>> allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop >>> getattr setattr relabelfrom relabelto search add_name remove_name }; >>> type_transition sepgsql_admin_type sepgsql_database_type:db_schema >>> sepgsql_schema_t; >>> @@ -513,7 +509,6 @@ allow sepgsql_admin_type >>> sepgsql_table_type:db_table { create drop getattr setat >>> allow sepgsql_admin_type sepgsql_table_type:db_column { create drop >>> getattr setattr relabelfrom relabelto }; >>> allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { >>> relabelfrom relabelto select update insert delete }; >>> >>> -type_transition sepgsql_admin_type sepgsql_database_type:db_table >>> sepgsql_table_t; # deprecated >>> type_transition sepgsql_admin_type sepgsql_schema_type:db_table >>> sepgsql_table_t; >>> >>> allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create >>> drop getattr setattr relabelfrom relabelto get_value next_value >>> set_value }; 
>>> @@ -527,7 +522,6 @@ type_transition sepgsql_admin_type >>> sepgsql_schema_type:db_view sepgsql_view_t; >>> allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create >>> drop getattr relabelfrom relabelto }; >>> allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute; >>> >>> -type_transition sepgsql_admin_type sepgsql_database_type:db_procedure >>> sepgsql_proc_exec_t; # deprecated >>> type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure >>> sepgsql_proc_exec_t; >>> >>> allow sepgsql_admin_type sepgsql_language_type:db_language { create >>> drop getattr setattr relabelfrom relabelto execute }; 
>>> @@ -566,14 +560,11 @@ tunable_policy(`sepgsql_unconfined_dbadm',` >>> # >>> >>> allow sepgsql_unconfined_type sepgsql_database_type:db_database *; >>> -type_transition sepgsql_unconfined_type >>> sepgsql_unconfined_type:db_database sepgsql_db_t; # deprecated >>> >>> allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *; >>> type_transition sepgsql_unconfined_type >>> sepgsql_database_type:db_schema sepgsql_schema_t; >>> type_transition sepgsql_unconfined_type >>> sepgsql_database_type:db_schema sepgsql_schema_t "pg_temp"; >>> >>> -type_transition sepgsql_unconfined_type >>> sepgsql_database_type:db_table sepgsql_table_t; # deprecated >>> -type_transition sepgsql_unconfined_type >>> sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated >>> type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table >>> sepgsql_table_t; >>> type_transition sepgsql_unconfined_type >>> sepgsql_schema_type:db_sequence sepgsql_seq_t; >>> type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view >>> sepgsql_view_t; >>> >>> -- >>> KaiGai Kohei <kaigai@kaigai.gr.jp> >> >> >> > > > -- > Chris PeBenito > Tresys Technology, LLC > www.tresys.com | oss.tresys.com -- KaiGai Kohei <kaigai@kaigai.gr.jp> [-- Attachment #2: refpolicy-sepgsql-4of4-redefine-use-permission.20120502.patch --] [-- Type: application/octet-stream, Size: 11837 bytes --] diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index bf24160..f462e95 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -761,7 +761,6 @@ inherits database class db_table inherits database { - use # deprecated select update insert @@ -780,7 +779,6 @@ inherits database class db_column inherits database { - use # deprecated select update insert @@ -790,7 +788,7 @@ class db_tuple { relabelfrom relabelto - use # deprecated + use select update insert diff --git a/policy/mcs b/policy/mcs index df8e0fa..62c989a 100644 --- a/policy/mcs +++ b/policy/mcs 
@@ -120,10 +120,10 @@ mlsconstrain db_database { drop getattr setattr relabelfrom access install_modul mlsconstrain db_language { drop getattr setattr relabelfrom execute } ( h1 dom h2 ); -mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock } +mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete lock } ( h1 dom h2 ); -mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use } +mlsconstrain db_column { drop getattr setattr relabelfrom select update insert } ( h1 dom h2 ); mlsconstrain db_tuple { relabelfrom select update delete use } diff --git a/policy/mls b/policy/mls index 0e8474b..ffb1b01 100644 --- a/policy/mls +++ b/policy/mls @@ -749,13 +749,13 @@ mlsconstrain { db_schema } { getattr search } ( t1 == mlsdbread ) or ( t2 == mlstrustedobject )); -mlsconstrain { db_table } { getattr use select lock } +mlsconstrain { db_table } { getattr select lock } (( l1 dom l2 ) or (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsdbread ) or ( t2 == mlstrustedobject )); -mlsconstrain { db_column } { getattr use select } +mlsconstrain { db_column } { getattr select } (( l1 dom l2 ) or (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsdbread ) or diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index 6f30b1a..c9ff049 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if 
@@ -68,10 +68,9 @@ interface(`postgresql_role',` type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; type_transition $2 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; - allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock }; - allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; - allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete }; - type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t; # deprecated + allow $2 user_sepgsql_table_t:db_table { getattr select update insert delete lock }; + allow $2 user_sepgsql_table_t:db_column { getattr select update insert }; + allow $2 user_sepgsql_table_t:db_tuple { select update insert delete }; type_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t; allow $2 user_sepgsql_sysobj_t:db_tuple { use select }; @@ -84,7 +83,6 @@ interface(`postgresql_role',` type_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t; allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; - type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t; # deprecated type_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t; allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; 
@@ -506,10 +504,9 @@ interface(`postgresql_unpriv_client',` type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; type_transition $1 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; - allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock }; - allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert }; - allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; - type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t; # deprecated + allow $1 unpriv_sepgsql_table_t:db_table { getattr select update insert delete lock }; + allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert }; + allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete }; type_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t; allow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value }; @@ -522,7 +519,6 @@ interface(`postgresql_unpriv_client',` type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; - type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t; # deprecated type_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t; allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index 57193e5..5f75b83 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -256,7 +256,6 @@ tunable_policy(`sepgsql_transmit_client_label',` ') allow postgresql_t sepgsql_database_type:db_database *; -type_transition postgresql_t postgresql_t:db_database sepgsql_db_t; # deprecated allow postgresql_t sepgsql_module_type:db_database install_module; # Database/Loadable module 
@@ -267,7 +266,6 @@ type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_schema_t; type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *; -type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t; # deprecated type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t; allow postgresql_t sepgsql_sequence_type:db_sequence *; @@ -277,7 +275,6 @@ allow postgresql_t sepgsql_view_type:db_view *; type_transition postgresql_t sepgsql_schema_type:db_view sepgsql_view_t; allow postgresql_t sepgsql_procedure_type:db_procedure *; -type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated type_transition postgresql_t sepgsql_schema_type:db_procedure sepgsql_proc_exec_t; allow postgresql_t sepgsql_blob_type:db_blob *; 
@@ -428,23 +425,23 @@ type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search }; -allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert lock }; -allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert }; -allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert }; +allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr select insert lock }; +allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr select insert }; +allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { select insert }; -allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete lock }; -allow sepgsql_client_type sepgsql_table_t:db_column { getattr use select update insert }; -allow sepgsql_client_type sepgsql_table_t:db_tuple { use select update insert delete }; +allow sepgsql_client_type sepgsql_table_t:db_table { getattr select update insert delete lock }; +allow sepgsql_client_type sepgsql_table_t:db_column { getattr select update insert }; +allow sepgsql_client_type sepgsql_table_t:db_tuple { select update insert delete }; -allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select lock }; -allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select }; -allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select }; +allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr select lock }; +allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr select }; +allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { select }; allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr; allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr; -allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select lock }; -allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select }; 
+allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr select lock }; +allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr select }; allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; allow sepgsql_client_type sepgsql_seq_t:db_sequence { getattr get_value next_value }; @@ -496,7 +493,6 @@ tunable_policy(`sepgsql_enable_users_ddl',` # allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access }; -type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t; # deprecated allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name }; type_transition sepgsql_admin_type sepgsql_database_type:db_schema sepgsql_schema_t; @@ -504,9 +500,8 @@ type_transition sepgsql_admin_type sepgsql_database_type:db_schema sepgsql_temp_ allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock }; allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto }; -allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete }; +allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto use select update insert delete }; -type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t; # deprecated type_transition sepgsql_admin_type sepgsql_schema_type:db_table sepgsql_table_t; allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value }; 
@@ -520,7 +515,6 @@ type_transition sepgsql_admin_type sepgsql_schema_type:db_view sepgsql_view_t; allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto }; allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute; -type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t; allow sepgsql_admin_type sepgsql_language_type:db_language { create drop getattr setattr relabelfrom relabelto execute }; @@ -561,14 +555,11 @@ allow sepgsql_admin_type sepgsql_temp_object_t:{db_schema db_table db_column db_ # allow sepgsql_unconfined_type sepgsql_database_type:db_database *; -type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t; # deprecated allow sepgsql_unconfined_type {sepgsql_schema_type sepgsql_temp_object_t}:db_schema *; type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_schema_t; type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; -type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t; # deprecated -type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table sepgsql_table_t; type_transition sepgsql_unconfined_type sepgsql_schema_type:db_sequence sepgsql_seq_t; type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view sepgsql_view_t; ^ permalink raw reply related [flat|nested] 14+ messages in thread
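Review bot: in the sepgsql_client_type hunk (@@ -428,23 +425,23) the only `use` left is `allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };`, which is what the access_vectors change requires, but two things need a look. The hunk header context still shows `type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t`, the same source-as-target db_database transition this patch deletes as deprecated for postgresql_t, sepgsql_admin_type and sepgsql_unconfined_type; either drop it here as well or comment on why clients keep it. And postgresql_unpriv_client transitions new catalog tuples to unpriv_sepgsql_sysobj_t (`type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;`), while the client `use` grant names only sepgsql_sysobj_t, so unless a rule elsewhere covers unpriv_sepgsql_sysobj_t a client cannot `use` an object it created itself.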
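Review bot: the `+use` in `allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto use select update insert delete };` (@@ -504,9 +500,8) is the fix announced in the 2012-05-04 reply, but neither the commit message nor a comment mentions it, and it is granted on the whole sepgsql_sysobj_table_type attribute where the client grant is limited to sepgsql_sysobj_t; add a sentence to the description saying that admins may `use` any system object, including entries of unprivileged users, so the wider scope reads as deliberate rather than accidental.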
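Review bot: the last hunk (@@ -561,14 +555,11) carries context that only exists once patch 3/4 is applied (`allow sepgsql_unconfined_type {sepgsql_schema_type sepgsql_temp_object_t}:db_schema *;` and the `sepgsql_temp_object_t "pg_temp"` transition), so on a tree without 3/4 this is the hunk that fails, which is consistent with the 2012-05-10 reply reporting that the last hunk does not apply; state the dependency on 3/4 in the cover text, or regenerate the series against the same base so that line offsets and context match for every patch.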
* [refpolicy] [4/4] sepgsql -redefinition of use permission onto system objects @ 2012-05-04 17:24 ` Kohei KaiGai 0 siblings, 0 replies; 14+ messages in thread 
From: Kohei KaiGai @ 2012-05-04 17:24 UTC (permalink / raw)
To: refpolicy

2012/5/4 Christopher J. PeBenito <cpebenito@tresys.com>:
> On 05/04/12 09:33, Kohei KaiGai wrote:
>> Patch 3 of 4 also required 4 of 4 to be refreshed in order to apply correctly.
>> In addition, I forgot to allow sepgsql_admin_type to "use" system
>> objects.
>>
>> Please check the newer version. Thanks,
>
> Looks like the revised patch is missing.
>
Sorry, it is the attached one.

Thanks,

>> 2012/3/25 Kohei KaiGai <kaigai@kaigai.gr.jp>:
>>> This patch might be arguable. It redefines the "use" permission on the db_tuple
>>> class, which has been marked deprecated for a few years, to control the usage of
>>> system objects that have no individual object classes.
>>>
>>> We did not try to port all the database object types supported by PostgreSQL
>>> into the SELinux policy model, because there are too many variants to port and
>>> they are of lower priority than "major" object classes such as tables.
>>>
>>> So we handle the permissions to create, drop and alter these objects as
>>> permissions to insert, delete or update the system catalogs, labeled
>>> sepgsql_sysobj_t and so on.
>>>
>>> On the other hand, some system objects require a permission check when a
>>> user "uses" them, such as data types, tablespaces, operators and so on.
>>> I don't think it is a reasonable approach to define an individual object
>>> class for each PostgreSQL object type. However, it is preferable to have
>>> double checks by SELinux at strategic points.
>>>
>>> So I try to redefine the "use" permission on the db_tuple class; it means
>>> permission to "use" the object when the tuple is an entry of a system
>>> catalog corresponding to a particular database object that does not have
>>> a particular object class like tables do.
>>>
>>> The deprecated permissions and rules have not been in use for a few years,
>>> so it is time for them to be utilized or eliminated.
>>> >>> Thanks, >>> >>> ?Signed-off-by: KaiGai Kohei <kohei.kaigai@emea.nec.com> >>> -- >>> ?policy/flask/access_vectors ? ? ? ? ? | ? ?4 +--- >>> ?policy/modules/services/postgresql.if | ? 16 ++++++---------- >>> ?policy/modules/services/postgresql.te | ? 31 +++++++++++-------------------- >>> ?3 files changed, 18 insertions(+), 33 deletions(-) >>> >>> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors >>> index bf24160..f462e95 100644 >>> --- a/policy/flask/access_vectors >>> +++ b/policy/flask/access_vectors >>> @@ -761,7 +761,6 @@ inherits database >>> ?class db_table >>> ?inherits database >>> ?{ >>> - ? ? ? use ? ? ? ? ? ? # deprecated >>> ? ? ? ?select >>> ? ? ? ?update >>> ? ? ? ?insert >>> @@ -780,7 +779,6 @@ inherits database >>> ?class db_column >>> ?inherits database >>> ?{ >>> - ? ? ? use ? ? ? ? ? ? # deprecated >>> ? ? ? ?select >>> ? ? ? ?update >>> ? ? ? ?insert >>> @@ -790,7 +788,7 @@ class db_tuple >>> ?{ >>> ? ? ? ?relabelfrom >>> ? ? ? ?relabelto >>> - ? ? ? use ? ? ? ? ? ? # deprecated >>> + ? ? ? use >>> ? ? ? ?select >>> ? ? ? ?update >>> ? ? ? ?insert >>> diff --git a/policy/modules/services/postgresql.if >>> b/policy/modules/services/postgresql.if >>> index 56fc5fa..71f2572 100644 >>> --- a/policy/modules/services/postgresql.if >>> +++ b/policy/modules/services/postgresql.if 
>>> @@ -70,10 +70,9 @@ interface(`postgresql_role',` >>> ? ? ? ?type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; >>> ? ? ? ?type_transition $2 sepgsql_database_type:db_schema >>> sepgsql_temp_schema_t "pg_temp"; >>> >>> - ? ? ? allow $2 user_sepgsql_table_t:db_table ?{ getattr use select update >>> insert delete lock }; >>> - ? ? ? allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; >>> - ? ? ? allow $2 user_sepgsql_table_t:db_tuple ?{ use select update insert delete }; >>> - ? ? ? type_transition $2 sepgsql_database_type:db_table >>> user_sepgsql_table_t; ? ? ? ? ? # deprecated >>> + ? ? ? allow $2 user_sepgsql_table_t:db_table ?{ getattr select update >>> insert delete lock }; >>> + ? ? ? allow $2 user_sepgsql_table_t:db_column { getattr select update insert }; >>> + ? ? ? allow $2 user_sepgsql_table_t:db_tuple ?{ select update insert delete }; >>> ? ? ? ?type_transition $2 {sepgsql_schema_type - >>> sepgsql_temp_schema_t}:db_table user_sepgsql_table_t; >>> ? ? ? ?type_transition $2 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; >>> >>> @@ -89,7 +88,6 @@ interface(`postgresql_role',` >>> ? ? ? ?type_transition $2 sepgsql_temp_schema_t:db_view sepgsql_temp_view_t; >>> >>> ? ? ? ?allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; >>> - ? ? ? type_transition $2 sepgsql_database_type:db_procedure >>> user_sepgsql_proc_exec_t; ? ? ? # deprecated >>> ? ? ? ?type_transition $2 {sepgsql_schema_type - >>> sepgsql_temp_schema_t}:db_procedure user_sepgsql_proc_exec_t; >>> ? ? ? ?type_transition $2 sepgsql_temp_schema_t:db_procedure >>> sepgsql_temp_proc_exec_t; 
>>> >>> @@ -513,10 +511,9 @@ interface(`postgresql_unpriv_client',` >>> ? ? ? ?type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; >>> ? ? ? ?type_transition $1 sepgsql_database_type:db_schema >>> unpriv_sepgsql_schema_t "pg_temp"; >>> >>> - ? ? ? allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update >>> insert delete lock }; >>> - ? ? ? allow $1 unpriv_sepgsql_table_t:db_column { getattr use select >>> update insert }; >>> - ? ? ? allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; >>> - ? ? ? type_transition $1 sepgsql_database_type:db_table >>> unpriv_sepgsql_table_t; # deprecated >>> + ? ? ? allow $1 unpriv_sepgsql_table_t:db_table { getattr select update >>> insert delete lock }; >>> + ? ? ? allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert }; >>> + ? ? ? allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete }; >>> ? ? ? ?type_transition $1 {sepgsql_schema_type - >>> sepgsql_temp_schema_t}:db_table unpriv_sepgsql_table_t; >>> ? ? ? ?type_transition $1 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; >>> >>> @@ -532,7 +529,6 @@ interface(`postgresql_unpriv_client',` >>> ? ? ? ?type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; >>> >>> ? ? ? ?allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; >>> - ? ? ? type_transition $1 sepgsql_database_type:db_procedure >>> unpriv_sepgsql_proc_exec_t; # deprecated >>> ? ? ? ?type_transition $1 {sepgsql_schema_type - >>> sepgsql_temp_schema_t}:db_procedure unpriv_sepgsql_proc_exec_t; >>> ? ? ? ?type_transition $1 sepgsql_temp_schema_t:db_procedure >>> sepgsql_temp_proc_exec_t; >>> >>> diff --git a/policy/modules/services/postgresql.te >>> b/policy/modules/services/postgresql.te >>> index 8a3c2bd..92d6e66 100644 >>> --- a/policy/modules/services/postgresql.te >>> +++ b/policy/modules/services/postgresql.te 
>>> @@ -259,7 +259,6 @@ tunable_policy(`sepgsql_transmit_client_label',` >>> ?') >>> >>> ?allow postgresql_t sepgsql_database_type:db_database *; >>> -type_transition postgresql_t postgresql_t:db_database >>> sepgsql_db_t; ? ? ? ? ? # deprecated >>> >>> ?allow postgresql_t sepgsql_module_type:db_database install_module; >>> ?# Database/Loadable module >>> @@ -270,7 +269,6 @@ type_transition postgresql_t >>> sepgsql_database_type:db_schema sepgsql_schema_t; >>> ?type_transition postgresql_t sepgsql_database_type:db_schema >>> sepgsql_temp_schema_t "pg_temp"; >>> >>> ?allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *; >>> -type_transition postgresql_t sepgsql_database_type:db_table >>> sepgsql_sysobj_t; ? ? ? # deprecated >>> ?type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t; >>> >>> ?allow postgresql_t sepgsql_sequence_type:db_sequence *; >>> @@ -280,7 +278,6 @@ allow postgresql_t sepgsql_view_type:db_view *; >>> ?type_transition postgresql_t sepgsql_schema_type:db_view sepgsql_view_t; >>> >>> ?allow postgresql_t sepgsql_procedure_type:db_procedure *; >>> -type_transition postgresql_t sepgsql_database_type:db_procedure >>> sepgsql_proc_exec_t; ? ?# deprecated >>> ?type_transition postgresql_t sepgsql_schema_type:db_procedure >>> sepgsql_proc_exec_t; >>> >>> ?allow postgresql_t sepgsql_blob_type:db_blob *; 
>>> @@ -431,23 +428,23 @@ type_transition sepgsql_client_type >>> sepgsql_client_type:db_database sepgsql_db_t >>> >>> ?allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search }; >>> >>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr >>> use select insert lock }; >>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr >>> use select insert }; >>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert }; >>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr >>> select insert lock }; >>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr >>> select insert }; >>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { select insert }; >>> >>> -allow sepgsql_client_type sepgsql_table_t:db_table { getattr use >>> select update insert delete lock }; >>> -allow sepgsql_client_type sepgsql_table_t:db_column { getattr use >>> select update insert }; >>> -allow sepgsql_client_type sepgsql_table_t:db_tuple { use select >>> update insert delete }; >>> +allow sepgsql_client_type sepgsql_table_t:db_table { getattr select >>> update insert delete lock }; >>> +allow sepgsql_client_type sepgsql_table_t:db_column { getattr select >>> update insert }; >>> +allow sepgsql_client_type sepgsql_table_t:db_tuple { select update >>> insert delete }; >>> >>> -allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use >>> select lock }; >>> -allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select }; >>> -allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select }; >>> +allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr select lock }; >>> +allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr select }; >>> +allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { select }; >>> >>> ?allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr; >>> ?allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr; 
>>> >>> -allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use >>> select lock }; >>> -allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select }; >>> +allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr select lock }; >>> +allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr select }; >>> ?allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; >>> >>> ?allow sepgsql_client_type sepgsql_temp_table_t:db_table ~{ relabelto >>> relabelfrom }; >>> @@ -503,7 +500,6 @@ tunable_policy(`sepgsql_enable_users_ddl',` >>> ?# >>> >>> ?allow sepgsql_admin_type sepgsql_database_type:db_database { create >>> drop getattr setattr relabelfrom relabelto access }; >>> -type_transition sepgsql_admin_type sepgsql_admin_type:db_database >>> sepgsql_db_t; ? ? ? ? ? # deprecated >>> >>> ?allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop >>> getattr setattr relabelfrom relabelto search add_name remove_name }; >>> ?type_transition sepgsql_admin_type sepgsql_database_type:db_schema >>> sepgsql_schema_t; >>> @@ -513,7 +509,6 @@ allow sepgsql_admin_type >>> sepgsql_table_type:db_table { create drop getattr setat >>> ?allow sepgsql_admin_type sepgsql_table_type:db_column { create drop >>> getattr setattr relabelfrom relabelto }; >>> ?allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { >>> relabelfrom relabelto select update insert delete }; >>> >>> -type_transition sepgsql_admin_type sepgsql_database_type:db_table >>> sepgsql_table_t; ? ? ? ?# deprecated >>> ?type_transition sepgsql_admin_type sepgsql_schema_type:db_table >>> sepgsql_table_t; >>> >>> ?allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create >>> drop getattr setattr relabelfrom relabelto get_value next_value >>> set_value }; 
>>> @@ -527,7 +522,6 @@ type_transition sepgsql_admin_type >>> sepgsql_schema_type:db_view sepgsql_view_t; >>> ?allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create >>> drop getattr relabelfrom relabelto }; >>> ?allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute; >>> >>> -type_transition sepgsql_admin_type sepgsql_database_type:db_procedure >>> sepgsql_proc_exec_t; ? ?# deprecated >>> ?type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure >>> sepgsql_proc_exec_t; >>> >>> ?allow sepgsql_admin_type sepgsql_language_type:db_language { create >>> drop getattr setattr relabelfrom relabelto execute }; 
>>> @@ -566,14 +560,11 @@ tunable_policy(`sepgsql_unconfined_dbadm',` >>> ?# >>> >>> ?allow sepgsql_unconfined_type sepgsql_database_type:db_database *; >>> -type_transition sepgsql_unconfined_type >>> sepgsql_unconfined_type:db_database sepgsql_db_t; ? ? ? # deprecated >>> >>> ?allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *; >>> ?type_transition sepgsql_unconfined_type >>> sepgsql_database_type:db_schema sepgsql_schema_t; >>> ?type_transition sepgsql_unconfined_type >>> sepgsql_database_type:db_schema sepgsql_schema_t "pg_temp"; >>> >>> -type_transition sepgsql_unconfined_type >>> sepgsql_database_type:db_table sepgsql_table_t; ? ? ? ? # deprecated >>> -type_transition sepgsql_unconfined_type >>> sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated >>> ?type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table >>> sepgsql_table_t; >>> ?type_transition sepgsql_unconfined_type >>> sepgsql_schema_type:db_sequence sepgsql_seq_t; >>> ?type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view >>> sepgsql_view_t; >>> >>> -- >>> KaiGai Kohei <kaigai@kaigai.gr.jp> >> >> >> > > > -- > Chris PeBenito > Tresys Technology, LLC > www.tresys.com | oss.tresys.com -- KaiGai Kohei <kaigai@kaigai.gr.jp> -------------- next part -------------- A non-text attachment was scrubbed... Name: refpolicy-sepgsql-4of4-redefine-use-permission.20120502.patch Type: application/octet-stream Size: 11836 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20120504/99ac6134/attachment-0001.obj ^ permalink raw reply [flat|nested] 14+ messages in thread
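Review bot: in the quoted admin hunk (@@ -513,7 +509,6) the context line `allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };` has no `use`, so under this version an admin domain can insert or update a catalog entry but never `use` the object it describes, while sepgsql_client_type keeps `{ use select }` on sepgsql_sysobj_t tuples; the reply above says the refreshed patch adds it, so the refreshed rule should read `{ relabelfrom relabelto use select update insert delete }`, and saying so in the patch description would save the next reviewer a diff of the two versions.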
* Re: [4/4] sepgsql -redefinition of use permission onto system objects 2012-05-04 17:24 ` [refpolicy] " Kohei KaiGai @ 2012-05-10 12:46 ` Christopher J. PeBenito -1 siblings, 0 replies; 14+ messages in thread 
From: Christopher J. PeBenito @ 2012-05-10 12:46 UTC (permalink / raw)
To: Kohei KaiGai; +Cc: refpolicy, SELinux-NSA

On 05/04/12 13:24, Kohei KaiGai wrote:
> 2012/5/4 Christopher J. PeBenito <cpebenito@tresys.com>:
>> On 05/04/12 09:33, Kohei KaiGai wrote:
>>> Patch 3 of 4 also required 4 of 4 to be refreshed in order to apply correctly.
>>> In addition, I forgot to allow sepgsql_admin_type to "use" system
>>> objects.
>>>
>>> Please check the newer version. Thanks,
>>
>> Looks like the revised patch is missing.
>>
> Sorry, it is the attached one.
>
> Thanks,

This one doesn't apply; the last hunk fails. I also had a problem with the 3rd patch, as the contrib hunk stopped it from applying too.

>>> 2012/3/25 Kohei KaiGai <kaigai@kaigai.gr.jp>:
>>>> This patch might be arguable. It redefines the "use" permission on the db_tuple
>>>> class, which has been marked deprecated for a few years, to control the usage of
>>>> system objects that have no individual object classes.
>>>>
>>>> We did not try to port all the database object types supported by PostgreSQL
>>>> into the SELinux policy model, because there are too many variants to port and
>>>> they are of lower priority than "major" object classes such as tables.
>>>>
>>>> So we handle the permissions to create, drop and alter these objects as
>>>> permissions to insert, delete or update the system catalogs, labeled
>>>> sepgsql_sysobj_t and so on.
>>>>
>>>> On the other hand, some system objects require a permission check when a
>>>> user "uses" them, such as data types, tablespaces, operators and so on.
>>>> I don't think it is a reasonable approach to define an individual object
>>>> class for each PostgreSQL object type. However, it is preferable to have
>>>> double checks by SELinux at strategic points.
>>>> >>>> So, I try to redefine "use" permission on db_tuple class; that means >>>> permission to "use" this object when the tuple is an entry of system >>>> catalog corresponding to a particular database object but don't have >>>> a particular object class like tables. >>>> >>>> The deprecated permissions and rules are not in use for a few years, >>>> so, it is a time to be utilized or eliminated. >>>> >>>> Thanks, >>>> >>>> Signed-off-by: KaiGai Kohei <kohei.kaigai@emea.nec.com> >>>> -- >>>> policy/flask/access_vectors | 4 +--- >>>> policy/modules/services/postgresql.if | 16 ++++++---------- >>>> policy/modules/services/postgresql.te | 31 +++++++++++-------------------- >>>> 3 files changed, 18 insertions(+), 33 deletions(-) >>>> >>>> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors >>>> index bf24160..f462e95 100644 >>>> --- a/policy/flask/access_vectors >>>> +++ b/policy/flask/access_vectors >>>> @@ -761,7 +761,6 @@ inherits database >>>> class db_table >>>> inherits database >>>> { >>>> - use # deprecated >>>> select >>>> update >>>> insert >>>> @@ -780,7 +779,6 @@ inherits database >>>> class db_column >>>> inherits database >>>> { >>>> - use # deprecated >>>> select >>>> update >>>> insert >>>> @@ -790,7 +788,7 @@ class db_tuple >>>> { >>>> relabelfrom >>>> relabelto >>>> - use # deprecated >>>> + use >>>> select >>>> update >>>> insert >>>> diff --git a/policy/modules/services/postgresql.if >>>> b/policy/modules/services/postgresql.if >>>> index 56fc5fa..71f2572 100644 >>>> --- a/policy/modules/services/postgresql.if >>>> +++ b/policy/modules/services/postgresql.if 
>>>> @@ -70,10 +70,9 @@ interface(`postgresql_role',` >>>> type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; >>>> type_transition $2 sepgsql_database_type:db_schema >>>> sepgsql_temp_schema_t "pg_temp"; >>>> >>>> - allow $2 user_sepgsql_table_t:db_table { getattr use select update >>>> insert delete lock }; >>>> - allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; >>>> - allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete }; >>>> - type_transition $2 sepgsql_database_type:db_table >>>> user_sepgsql_table_t; # deprecated >>>> + allow $2 user_sepgsql_table_t:db_table { getattr select update >>>> insert delete lock }; >>>> + allow $2 user_sepgsql_table_t:db_column { getattr select update insert }; >>>> + allow $2 user_sepgsql_table_t:db_tuple { select update insert delete }; >>>> type_transition $2 {sepgsql_schema_type - >>>> sepgsql_temp_schema_t}:db_table user_sepgsql_table_t; >>>> type_transition $2 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; >>>> >>>> @@ -89,7 +88,6 @@ interface(`postgresql_role',` >>>> type_transition $2 sepgsql_temp_schema_t:db_view sepgsql_temp_view_t; >>>> >>>> allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; >>>> - type_transition $2 sepgsql_database_type:db_procedure >>>> user_sepgsql_proc_exec_t; # deprecated >>>> type_transition $2 {sepgsql_schema_type - >>>> sepgsql_temp_schema_t}:db_procedure user_sepgsql_proc_exec_t; >>>> type_transition $2 sepgsql_temp_schema_t:db_procedure >>>> sepgsql_temp_proc_exec_t; 
>>>> >>>> @@ -513,10 +511,9 @@ interface(`postgresql_unpriv_client',` >>>> type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; >>>> type_transition $1 sepgsql_database_type:db_schema >>>> unpriv_sepgsql_schema_t "pg_temp"; >>>> >>>> - allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update >>>> insert delete lock }; >>>> - allow $1 unpriv_sepgsql_table_t:db_column { getattr use select >>>> update insert }; >>>> - allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; >>>> - type_transition $1 sepgsql_database_type:db_table >>>> unpriv_sepgsql_table_t; # deprecated >>>> + allow $1 unpriv_sepgsql_table_t:db_table { getattr select update >>>> insert delete lock }; >>>> + allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert }; >>>> + allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete }; >>>> type_transition $1 {sepgsql_schema_type - >>>> sepgsql_temp_schema_t}:db_table unpriv_sepgsql_table_t; >>>> type_transition $1 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; >>>> >>>> @@ -532,7 +529,6 @@ interface(`postgresql_unpriv_client',` >>>> type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; >>>> >>>> allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; >>>> - type_transition $1 sepgsql_database_type:db_procedure >>>> unpriv_sepgsql_proc_exec_t; # deprecated >>>> type_transition $1 {sepgsql_schema_type - >>>> sepgsql_temp_schema_t}:db_procedure unpriv_sepgsql_proc_exec_t; >>>> type_transition $1 sepgsql_temp_schema_t:db_procedure >>>> sepgsql_temp_proc_exec_t; >>>> >>>> diff --git a/policy/modules/services/postgresql.te >>>> b/policy/modules/services/postgresql.te >>>> index 8a3c2bd..92d6e66 100644 >>>> --- a/policy/modules/services/postgresql.te >>>> +++ b/policy/modules/services/postgresql.te 
>>>> @@ -259,7 +259,6 @@ tunable_policy(`sepgsql_transmit_client_label',` >>>> ') >>>> >>>> allow postgresql_t sepgsql_database_type:db_database *; >>>> -type_transition postgresql_t postgresql_t:db_database >>>> sepgsql_db_t; # deprecated >>>> >>>> allow postgresql_t sepgsql_module_type:db_database install_module; >>>> # Database/Loadable module >>>> @@ -270,7 +269,6 @@ type_transition postgresql_t >>>> sepgsql_database_type:db_schema sepgsql_schema_t; >>>> type_transition postgresql_t sepgsql_database_type:db_schema >>>> sepgsql_temp_schema_t "pg_temp"; >>>> >>>> allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *; >>>> -type_transition postgresql_t sepgsql_database_type:db_table >>>> sepgsql_sysobj_t; # deprecated >>>> type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t; >>>> >>>> allow postgresql_t sepgsql_sequence_type:db_sequence *; >>>> @@ -280,7 +278,6 @@ allow postgresql_t sepgsql_view_type:db_view *; >>>> type_transition postgresql_t sepgsql_schema_type:db_view sepgsql_view_t; >>>> >>>> allow postgresql_t sepgsql_procedure_type:db_procedure *; >>>> -type_transition postgresql_t sepgsql_database_type:db_procedure >>>> sepgsql_proc_exec_t; # deprecated >>>> type_transition postgresql_t sepgsql_schema_type:db_procedure >>>> sepgsql_proc_exec_t; >>>> >>>> allow postgresql_t sepgsql_blob_type:db_blob *; 
>>>> @@ -431,23 +428,23 @@ type_transition sepgsql_client_type >>>> sepgsql_client_type:db_database sepgsql_db_t >>>> >>>> allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search }; >>>> >>>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr >>>> use select insert lock }; >>>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr >>>> use select insert }; >>>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert }; >>>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr >>>> select insert lock }; >>>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr >>>> select insert }; >>>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { select insert }; >>>> >>>> -allow sepgsql_client_type sepgsql_table_t:db_table { getattr use >>>> select update insert delete lock }; >>>> -allow sepgsql_client_type sepgsql_table_t:db_column { getattr use >>>> select update insert }; >>>> -allow sepgsql_client_type sepgsql_table_t:db_tuple { use select >>>> update insert delete }; >>>> +allow sepgsql_client_type sepgsql_table_t:db_table { getattr select >>>> update insert delete lock }; >>>> +allow sepgsql_client_type sepgsql_table_t:db_column { getattr select >>>> update insert }; >>>> +allow sepgsql_client_type sepgsql_table_t:db_tuple { select update >>>> insert delete }; >>>> >>>> -allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use >>>> select lock }; >>>> -allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select }; >>>> -allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select }; >>>> +allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr select lock }; >>>> +allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr select }; >>>> +allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { select }; >>>> >>>> allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr; >>>> allow sepgsql_client_type 
sepgsql_secret_table_t:db_column getattr; >>>> >>>> -allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use >>>> select lock }; >>>> -allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select }; >>>> +allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr select lock }; >>>> +allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr select }; >>>> allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; >>>> >>>> allow sepgsql_client_type sepgsql_temp_table_t:db_table ~{ relabelto >>>> relabelfrom }; >>>> @@ -503,7 +500,6 @@ tunable_policy(`sepgsql_enable_users_ddl',` >>>> # >>>> >>>> allow sepgsql_admin_type sepgsql_database_type:db_database { create >>>> drop getattr setattr relabelfrom relabelto access }; >>>> -type_transition sepgsql_admin_type sepgsql_admin_type:db_database >>>> sepgsql_db_t; # deprecated >>>> >>>> allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop >>>> getattr setattr relabelfrom relabelto search add_name remove_name }; >>>> type_transition sepgsql_admin_type sepgsql_database_type:db_schema >>>> sepgsql_schema_t; >>>> @@ -513,7 +509,6 @@ allow sepgsql_admin_type >>>> sepgsql_table_type:db_table { create drop getattr setat >>>> allow sepgsql_admin_type sepgsql_table_type:db_column { create drop >>>> getattr setattr relabelfrom relabelto }; >>>> allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { >>>> relabelfrom relabelto select update insert delete }; >>>> >>>> -type_transition sepgsql_admin_type sepgsql_database_type:db_table >>>> sepgsql_table_t; # deprecated >>>> type_transition sepgsql_admin_type sepgsql_schema_type:db_table >>>> sepgsql_table_t; >>>> >>>> allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create >>>> drop getattr setattr relabelfrom relabelto get_value next_value >>>> set_value }; 
>>>> @@ -527,7 +522,6 @@ type_transition sepgsql_admin_type >>>> sepgsql_schema_type:db_view sepgsql_view_t; >>>> allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create >>>> drop getattr relabelfrom relabelto }; >>>> allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute; >>>> >>>> -type_transition sepgsql_admin_type sepgsql_database_type:db_procedure >>>> sepgsql_proc_exec_t; # deprecated >>>> type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure >>>> sepgsql_proc_exec_t; >>>> >>>> allow sepgsql_admin_type sepgsql_language_type:db_language { create >>>> drop getattr setattr relabelfrom relabelto execute }; 
>>>> @@ -566,14 +560,11 @@ tunable_policy(`sepgsql_unconfined_dbadm',` >>>> # >>>> >>>> allow sepgsql_unconfined_type sepgsql_database_type:db_database *; >>>> -type_transition sepgsql_unconfined_type >>>> sepgsql_unconfined_type:db_database sepgsql_db_t; # deprecated >>>> >>>> allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *; >>>> type_transition sepgsql_unconfined_type >>>> sepgsql_database_type:db_schema sepgsql_schema_t; >>>> type_transition sepgsql_unconfined_type >>>> sepgsql_database_type:db_schema sepgsql_schema_t "pg_temp"; >>>> >>>> -type_transition sepgsql_unconfined_type >>>> sepgsql_database_type:db_table sepgsql_table_t; # deprecated >>>> -type_transition sepgsql_unconfined_type >>>> sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated >>>> type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table >>>> sepgsql_table_t; >>>> type_transition sepgsql_unconfined_type >>>> sepgsql_schema_type:db_sequence sepgsql_seq_t; >>>> type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view >>>> sepgsql_view_t; -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. ^ permalink raw reply [flat|nested] 14+ messages in thread
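To check what the rules in the hunks above actually grant, here is an added example, written for this page and not taken from refpolicy, sepgsql or the patch: a minimal evaluator for the `allow` / `typeattribute` subset of policy syntax the hunks use, including `{ a b - c }` sets, `~{ ... }` complements and `*`. The `typeattribute` declarations, the `CLASSES_AFTER` permission lists and the choice of rules are assumptions transcribed or inferred from the hunks, not from the refpolicy tree; real attribute membership and class definitions should be taken from a built policy (for example with `sesearch`). It answers the before/after `use` question per domain and lists which old rules would no longer compile once access_vectors drops `use` from db_table and db_column.

```python
"""
Added example for this thread (not code from refpolicy, sepgsql or the patch):
a minimal evaluator for the `allow` / `typeattribute` subset of SELinux policy
syntax used in the hunks above, so "which domain may do what to which object"
can be read off the rules as written, before and after the patch. Attribute
membership and CLASSES_AFTER below are assumptions inferred from the hunks.
"""
import re
from collections import namedtuple

RULE_RE = re.compile(
    r"^allow\s+(?P<src>\{[^}]*\}|\S+)\s+(?P<tgt>\{[^}]*\}|[^\s:]+)\s*:\s*"
    r"(?P<cls>\{[^}]*\}|\S+)\s+(?P<perms>~?\{[^}]*\}|\*|\S+)\s*;$")
ATTR_RE = re.compile(r"^typeattribute\s+(?P<type>\S+)\s+(?P<attrs>[^;]+);$")
# complement: `~{ ... }` grants every class permission except these; star: `*` grants all
Rule = namedtuple("Rule", "text src tgt classes perms complement star")


def parse_set(token):
    """`name`, `{ a b }` or `{ a b - c }` -> (members, excluded)."""
    if not token.strip().startswith("{"):
        return {token.strip()}, set()
    words = token.strip().strip("{}").replace("- ", "-").split()
    return ({w for w in words if not w.startswith("-")},
            {w[1:] for w in words if w.startswith("-")})


class Policy:
    def __init__(self, text):
        self.rules, self.attrs = [], {}  # attrs: type -> attributes it carries
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            if m := ATTR_RE.match(line):
                attrs = {a.strip() for a in m["attrs"].split(",")}
                self.attrs.setdefault(m["type"], set()).update(attrs)
            elif m := RULE_RE.match(line):
                star, complement = m["perms"] == "*", m["perms"].startswith("~")
                perms = set() if star else parse_set(m["perms"].lstrip("~"))[0]
                self.rules.append(Rule(line, parse_set(m["src"]), parse_set(m["tgt"]),
                                       parse_set(m["cls"])[0], perms, complement, star))
            else:
                raise ValueError("unsupported statement: " + line)

    def _in(self, name, nameset):
        """A type matches if it or one of its attributes is a member and none is excluded."""
        labels = {name} | self.attrs.get(name, set())
        return bool(labels & nameset[0]) and not (labels & nameset[1])

    def allowed(self, src, tgt, cls, perm):
        """Default deny: True only if some rule grants perm on cls for (src, tgt)."""
        for r in self.rules:
            if self._in(src, r.src) and self._in(tgt, r.tgt) and cls in r.classes:
                if r.star or (r.complement != (perm in r.perms)):
                    return True
        return False

    def undefined_perms(self, classes):
        """(rule, class, perm) for explicit permissions the class does not define. checkpolicy
        rejects such rules: that is why `use` had to leave every db_table/db_column rule."""
        bad = []
        for r in self.rules:
            if r.star or r.complement:
                continue
            for cls in sorted(c for c in r.classes if c in classes):
                bad += [(r.text, cls, p) for p in sorted(r.perms - classes[cls])]
        return bad


# Assumed attribute membership, inferred from the hunks (postgresql_unpriv_client
# transitions new catalog tuples to unpriv_sepgsql_sysobj_t); not refpolicy text.
ATTRS = """
typeattribute sepgsql_sysobj_t sepgsql_sysobj_table_type, sepgsql_table_type;
typeattribute unpriv_sepgsql_sysobj_t sepgsql_sysobj_table_type, sepgsql_table_type;
"""
# Rules transcribed from the .te hunks: "-" lines plus context (BEFORE), "+" lines plus context (AFTER).
BEFORE = ATTRS + """
allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select lock };
allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select };
allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
allow sepgsql_client_type sepgsql_temp_table_t:db_table ~{ relabelto relabelfrom };
allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };
"""
AFTER = ATTRS + """
allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr select lock };
allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr select };
allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
allow sepgsql_client_type sepgsql_temp_table_t:db_table ~{ relabelto relabelfrom };
allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto use select update insert delete };
"""
# Hypothetical class definitions after the access_vectors hunk: `use` survives only on db_tuple.
CLASSES_AFTER = {
    "db_table": set("create drop getattr setattr relabelfrom relabelto select update insert delete lock".split()),
    "db_column": set("create drop getattr setattr relabelfrom relabelto select update insert".split()),
    "db_tuple": set("relabelfrom relabelto use select update insert delete".split()),
}
BEFORE_POLICY, AFTER_POLICY = Policy(BEFORE), Policy(AFTER)


def use_matrix(policy):
    """Who may `use` a system-catalog tuple, per (subject, object label)."""
    return {(s, o): policy.allowed(s, o, "db_tuple", "use")
            for s in ("sepgsql_client_type", "sepgsql_admin_type")
            for o in ("sepgsql_sysobj_t", "unpriv_sepgsql_sysobj_t")}
```

`use_matrix(AFTER_POLICY)` shows the two effects a reviewer cares about: admins gain `use` on every sysobj tuple through the attribute, while clients keep it only on `sepgsql_sysobj_t` and not on `unpriv_sepgsql_sysobj_t`. `BEFORE_POLICY.undefined_perms(CLASSES_AFTER)` names exactly the db_table and db_column `use` grants that had to be removed from the .te and .if files for the policy to build against the new class definitions.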
* [refpolicy] [4/4] sepgsql -redefinition of use permission onto system objects @ 2012-05-10 12:46 ` Christopher J. PeBenito 0 siblings, 0 replies; 14+ messages in thread 
From: Christopher J. PeBenito @ 2012-05-10 12:46 UTC (permalink / raw)
To: refpolicy

On 05/04/12 13:24, Kohei KaiGai wrote:
> 2012/5/4 Christopher J. PeBenito <cpebenito@tresys.com>:
>> On 05/04/12 09:33, Kohei KaiGai wrote:
>>> Patch 3 of 4 also requires 4 of 4 to be refreshed to apply correctly.
>>> In addition, I forgot to allow sepgsql_admin_type to "use" system
>>> objects.
>>>
>>> Please check the newer version. Thanks,
>>
>> Looks like the revised patch is missing.
>>
> Sorry, it is the attached one.
>
> Thanks,

This one doesn't apply, the last hunk fails. I also had a problem with the 3rd patch, as the contrib hunk stopped it from applying too.

>>> 2012/3/25 Kohei KaiGai <kaigai@kaigai.gr.jp>:
>>>> This patch might be arguable. It redefines the "use" permission on the db_tuple
>>>> class, which has been marked deprecated for a few years, to control usage of system
>>>> objects that have no individual object classes.
>>>>
>>>> We didn't try to port all the database object types supported by PostgreSQL
>>>> into the SELinux policy model, because there are too many of them to port and
>>>> they are lower priority than "major" object classes such as tables.
>>>>
>>>> So, we handle permission to create, drop and alter these objects as
>>>> permission to insert, delete or update the system catalogs, labeled as
>>>> sepgsql_sysobj_t and so on.
>>>>
>>>> On the other hand, some system objects, such as data types, tablespaces,
>>>> operators and so on, require a permission check when a user "uses" them.
>>>> I don't think it is a reasonable approach to define an individual object class
>>>> for each PostgreSQL object type. However, it is preferable
>>>> to have double checks by SELinux at strategic points.
>>>> >>>> So, I try to redefine "use" permission on db_tuple class; that means >>>> permission to "use" this object when the tuple is an entry of system >>>> catalog corresponding to a particular database object but don't have >>>> a particular object class like tables. >>>> >>>> The deprecated permissions and rules are not in use for a few years, >>>> so, it is a time to be utilized or eliminated. >>>> >>>> Thanks, >>>> >>>> Signed-off-by: KaiGai Kohei <kohei.kaigai@emea.nec.com> >>>> -- >>>> policy/flask/access_vectors | 4 +--- >>>> policy/modules/services/postgresql.if | 16 ++++++---------- >>>> policy/modules/services/postgresql.te | 31 +++++++++++-------------------- >>>> 3 files changed, 18 insertions(+), 33 deletions(-) >>>> >>>> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors >>>> index bf24160..f462e95 100644 >>>> --- a/policy/flask/access_vectors >>>> +++ b/policy/flask/access_vectors >>>> @@ -761,7 +761,6 @@ inherits database >>>> class db_table >>>> inherits database >>>> { >>>> - use # deprecated >>>> select >>>> update >>>> insert >>>> @@ -780,7 +779,6 @@ inherits database >>>> class db_column >>>> inherits database >>>> { >>>> - use # deprecated >>>> select >>>> update >>>> insert >>>> @@ -790,7 +788,7 @@ class db_tuple >>>> { >>>> relabelfrom >>>> relabelto >>>> - use # deprecated >>>> + use >>>> select >>>> update >>>> insert >>>> diff --git a/policy/modules/services/postgresql.if >>>> b/policy/modules/services/postgresql.if >>>> index 56fc5fa..71f2572 100644 >>>> --- a/policy/modules/services/postgresql.if >>>> +++ b/policy/modules/services/postgresql.if 
>>>> @@ -70,10 +70,9 @@ interface(`postgresql_role',` >>>> type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; >>>> type_transition $2 sepgsql_database_type:db_schema >>>> sepgsql_temp_schema_t "pg_temp"; >>>> >>>> - allow $2 user_sepgsql_table_t:db_table { getattr use select update >>>> insert delete lock }; >>>> - allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; >>>> - allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete }; >>>> - type_transition $2 sepgsql_database_type:db_table >>>> user_sepgsql_table_t; # deprecated >>>> + allow $2 user_sepgsql_table_t:db_table { getattr select update >>>> insert delete lock }; >>>> + allow $2 user_sepgsql_table_t:db_column { getattr select update insert }; >>>> + allow $2 user_sepgsql_table_t:db_tuple { select update insert delete }; >>>> type_transition $2 {sepgsql_schema_type - >>>> sepgsql_temp_schema_t}:db_table user_sepgsql_table_t; >>>> type_transition $2 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; >>>> >>>> @@ -89,7 +88,6 @@ interface(`postgresql_role',` >>>> type_transition $2 sepgsql_temp_schema_t:db_view sepgsql_temp_view_t; >>>> >>>> allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; >>>> - type_transition $2 sepgsql_database_type:db_procedure >>>> user_sepgsql_proc_exec_t; # deprecated >>>> type_transition $2 {sepgsql_schema_type - >>>> sepgsql_temp_schema_t}:db_procedure user_sepgsql_proc_exec_t; >>>> type_transition $2 sepgsql_temp_schema_t:db_procedure >>>> sepgsql_temp_proc_exec_t; 
>>>> >>>> @@ -513,10 +511,9 @@ interface(`postgresql_unpriv_client',` >>>> type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; >>>> type_transition $1 sepgsql_database_type:db_schema >>>> unpriv_sepgsql_schema_t "pg_temp"; >>>> >>>> - allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update >>>> insert delete lock }; >>>> - allow $1 unpriv_sepgsql_table_t:db_column { getattr use select >>>> update insert }; >>>> - allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; >>>> - type_transition $1 sepgsql_database_type:db_table >>>> unpriv_sepgsql_table_t; # deprecated >>>> + allow $1 unpriv_sepgsql_table_t:db_table { getattr select update >>>> insert delete lock }; >>>> + allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert }; >>>> + allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete }; >>>> type_transition $1 {sepgsql_schema_type - >>>> sepgsql_temp_schema_t}:db_table unpriv_sepgsql_table_t; >>>> type_transition $1 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; >>>> >>>> @@ -532,7 +529,6 @@ interface(`postgresql_unpriv_client',` >>>> type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; >>>> >>>> allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; >>>> - type_transition $1 sepgsql_database_type:db_procedure >>>> unpriv_sepgsql_proc_exec_t; # deprecated >>>> type_transition $1 {sepgsql_schema_type - >>>> sepgsql_temp_schema_t}:db_procedure unpriv_sepgsql_proc_exec_t; >>>> type_transition $1 sepgsql_temp_schema_t:db_procedure >>>> sepgsql_temp_proc_exec_t; >>>> >>>> diff --git a/policy/modules/services/postgresql.te >>>> b/policy/modules/services/postgresql.te >>>> index 8a3c2bd..92d6e66 100644 >>>> --- a/policy/modules/services/postgresql.te >>>> +++ b/policy/modules/services/postgresql.te 
>>>> @@ -259,7 +259,6 @@ tunable_policy(`sepgsql_transmit_client_label',` >>>> ') >>>> >>>> allow postgresql_t sepgsql_database_type:db_database *; >>>> -type_transition postgresql_t postgresql_t:db_database >>>> sepgsql_db_t; # deprecated >>>> >>>> allow postgresql_t sepgsql_module_type:db_database install_module; >>>> # Database/Loadable module >>>> @@ -270,7 +269,6 @@ type_transition postgresql_t >>>> sepgsql_database_type:db_schema sepgsql_schema_t; >>>> type_transition postgresql_t sepgsql_database_type:db_schema >>>> sepgsql_temp_schema_t "pg_temp"; >>>> >>>> allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *; >>>> -type_transition postgresql_t sepgsql_database_type:db_table >>>> sepgsql_sysobj_t; # deprecated >>>> type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t; >>>> >>>> allow postgresql_t sepgsql_sequence_type:db_sequence *; >>>> @@ -280,7 +278,6 @@ allow postgresql_t sepgsql_view_type:db_view *; >>>> type_transition postgresql_t sepgsql_schema_type:db_view sepgsql_view_t; >>>> >>>> allow postgresql_t sepgsql_procedure_type:db_procedure *; >>>> -type_transition postgresql_t sepgsql_database_type:db_procedure >>>> sepgsql_proc_exec_t; # deprecated >>>> type_transition postgresql_t sepgsql_schema_type:db_procedure >>>> sepgsql_proc_exec_t; >>>> >>>> allow postgresql_t sepgsql_blob_type:db_blob *; 
>>>> @@ -431,23 +428,23 @@ type_transition sepgsql_client_type >>>> sepgsql_client_type:db_database sepgsql_db_t >>>> >>>> allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search }; >>>> >>>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr >>>> use select insert lock }; >>>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr >>>> use select insert }; >>>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert }; >>>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr >>>> select insert lock }; >>>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr >>>> select insert }; >>>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { select insert }; >>>> >>>> -allow sepgsql_client_type sepgsql_table_t:db_table { getattr use >>>> select update insert delete lock }; >>>> -allow sepgsql_client_type sepgsql_table_t:db_column { getattr use >>>> select update insert }; >>>> -allow sepgsql_client_type sepgsql_table_t:db_tuple { use select >>>> update insert delete }; >>>> +allow sepgsql_client_type sepgsql_table_t:db_table { getattr select >>>> update insert delete lock }; >>>> +allow sepgsql_client_type sepgsql_table_t:db_column { getattr select >>>> update insert }; >>>> +allow sepgsql_client_type sepgsql_table_t:db_tuple { select update >>>> insert delete }; >>>> >>>> -allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use >>>> select lock }; >>>> -allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select }; >>>> -allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select }; >>>> +allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr select lock }; >>>> +allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr select }; >>>> +allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { select }; >>>> >>>> allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr; >>>> allow sepgsql_client_type 
sepgsql_secret_table_t:db_column getattr; >>>> >>>> -allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use >>>> select lock }; >>>> -allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select }; >>>> +allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr select lock }; >>>> +allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr select }; >>>> allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; >>>> >>>> allow sepgsql_client_type sepgsql_temp_table_t:db_table ~{ relabelto >>>> relabelfrom }; >>>> @@ -503,7 +500,6 @@ tunable_policy(`sepgsql_enable_users_ddl',` >>>> # >>>> >>>> allow sepgsql_admin_type sepgsql_database_type:db_database { create >>>> drop getattr setattr relabelfrom relabelto access }; >>>> -type_transition sepgsql_admin_type sepgsql_admin_type:db_database >>>> sepgsql_db_t; # deprecated >>>> >>>> allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop >>>> getattr setattr relabelfrom relabelto search add_name remove_name }; >>>> type_transition sepgsql_admin_type sepgsql_database_type:db_schema >>>> sepgsql_schema_t; >>>> @@ -513,7 +509,6 @@ allow sepgsql_admin_type >>>> sepgsql_table_type:db_table { create drop getattr setat >>>> allow sepgsql_admin_type sepgsql_table_type:db_column { create drop >>>> getattr setattr relabelfrom relabelto }; >>>> allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { >>>> relabelfrom relabelto select update insert delete }; >>>> >>>> -type_transition sepgsql_admin_type sepgsql_database_type:db_table >>>> sepgsql_table_t; # deprecated >>>> type_transition sepgsql_admin_type sepgsql_schema_type:db_table >>>> sepgsql_table_t; >>>> >>>> allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create >>>> drop getattr setattr relabelfrom relabelto get_value next_value >>>> set_value }; 
>>>> @@ -527,7 +522,6 @@ type_transition sepgsql_admin_type >>>> sepgsql_schema_type:db_view sepgsql_view_t; >>>> allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create >>>> drop getattr relabelfrom relabelto }; >>>> allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute; >>>> >>>> -type_transition sepgsql_admin_type sepgsql_database_type:db_procedure >>>> sepgsql_proc_exec_t; # deprecated >>>> type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure >>>> sepgsql_proc_exec_t; >>>> >>>> allow sepgsql_admin_type sepgsql_language_type:db_language { create >>>> drop getattr setattr relabelfrom relabelto execute }; >>>> @@ -566,14 +560,11 @@ tunable_policy(`sepgsql_unconfined_dbadm',` >>>> # >>>> >>>> allow sepgsql_unconfined_type sepgsql_database_type:db_database *; >>>> -type_transition sepgsql_unconfined_type >>>> sepgsql_unconfined_type:db_database sepgsql_db_t; # deprecated >>>> >>>> allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *; >>>> type_transition sepgsql_unconfined_type >>>> sepgsql_database_type:db_schema sepgsql_schema_t; >>>> type_transition sepgsql_unconfined_type >>>> sepgsql_database_type:db_schema sepgsql_schema_t "pg_temp"; >>>> >>>> -type_transition sepgsql_unconfined_type >>>> sepgsql_database_type:db_table sepgsql_table_t; # deprecated >>>> -type_transition sepgsql_unconfined_type >>>> sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated >>>> type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table >>>> sepgsql_table_t; >>>> type_transition sepgsql_unconfined_type >>>> sepgsql_schema_type:db_sequence sepgsql_seq_t; >>>> type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view >>>> sepgsql_view_t; -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com ^ permalink raw reply [flat|nested] 14+ messages in thread
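Review bot: in the quoted postgresql.te hunk at `@@ -513,7 +509,6 @@`, the admin rule `allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };` is left without `use`, while the client rule `allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };` keeps it. Once sepgsql enforces `use` on catalog entries, this denies an admin domain the reference to a type, operator or tablespace that a plain client domain is allowed, which is the omission the author's 05/04 mail admits ("I forgot to allow sepgsql_admin_type to "use" system objects"); the fix is to add `use` to the admin db_tuple rule, and the refreshed attachment is where to verify it landed.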
* Re: [4/4] sepgsql -redefinition of use permission onto system objects 2012-05-10 12:46 ` [refpolicy] " Christopher J. PeBenito @ 2012-05-11 13:17 ` Kohei KaiGai -1 siblings, 0 replies; 14+ messages in thread 
From: Kohei KaiGai @ 2012-05-11 13:17 UTC (permalink / raw)
To: Christopher J. PeBenito; +Cc: refpolicy, SELinux-NSA

[-- Attachment #1: Type: text/plain, Size: 15383 bytes --]

2012/5/10 Christopher J. PeBenito <cpebenito@tresys.com>:
> On 05/04/12 13:24, Kohei KaiGai wrote:
>> 2012/5/4 Christopher J. PeBenito <cpebenito@tresys.com>:
>>> On 05/04/12 09:33, Kohei KaiGai wrote:
>>>> Patch 3 of 4 also requires 4 of 4 to be refreshed to apply correctly.
>>>> In addition, I forgot to allow sepgsql_admin_type to "use" system
>>>> objects.
>>>>
>>>> Please check the newer version. Thanks,
>>>
>>> Looks like the revised patch is missing.
>>>
>> Sorry, it is the attached one.
>>
>> Thanks,
>
> This one doesn't apply, the last hunk fails. I also had a problem with the 3rd patch, as the contrib hunk stopped it from applying too.
>
Sorry, I generated the series of patches based on the latest refpolicy and contrib trees. And I added a "0of4" patch that fixes bugs in MLS/MCS that I noticed during regression testing: the MCS rules are defined twice for the db_language class while db_schema was forgotten, and the "entrypoint" permission was not restricted in either the MCS or the MLS policy. There are no updates to part 1 ~ part 4 except for rebasing.

Thanks,

>>>> 2012/3/25 Kohei KaiGai <kaigai@kaigai.gr.jp>:
>>>>> This patch might be arguable. It redefines the "use" permission on the db_tuple
>>>>> class, which has been marked deprecated for a few years, to control usage of system
>>>>> objects that have no individual object classes.
>>>>>
>>>>> We didn't try to port all the database object types supported by PostgreSQL
>>>>> into the SELinux policy model, because there are too many of them to port and
>>>>> they are lower priority than "major" object classes such as tables.
>>>>>
>>>>> So, we handle permission to create, drop and alter these objects as
>>>>> permission to insert, delete or update the system catalogs, labeled as
>>>>> sepgsql_sysobj_t and so on.
>>>>> >>>>> On the other hand, some of system objects requires to check permission >>>>> when user "use" these objects, such as data types, tablespaces, >>>>> operators and so on. >>>>> I don't think it is reasonable approach to define individual object classes >>>>> for each object types reflects to PostgreSQL. However, it is preferable >>>>> to have double checks by selinux on strategic points. >>>>> >>>>> So, I try to redefine "use" permission on db_tuple class; that means >>>>> permission to "use" this object when the tuple is an entry of system >>>>> catalog corresponding to a particular database object but don't have >>>>> a particular object class like tables. >>>>> >>>>> The deprecated permissions and rules are not in use for a few years, >>>>> so, it is a time to be utilized or eliminated. >>>>> >>>>> Thanks, >>>>> >>>>> Signed-off-by: KaiGai Kohei <kohei.kaigai@emea.nec.com> >>>>> -- >>>>> policy/flask/access_vectors | 4 +--- >>>>> policy/modules/services/postgresql.if | 16 ++++++---------- >>>>> policy/modules/services/postgresql.te | 31 +++++++++++-------------------- >>>>> 3 files changed, 18 insertions(+), 33 deletions(-) >>>>> >>>>> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors >>>>> index bf24160..f462e95 100644 >>>>> --- a/policy/flask/access_vectors >>>>> +++ b/policy/flask/access_vectors >>>>> @@ -761,7 +761,6 @@ inherits database >>>>> class db_table >>>>> inherits database >>>>> { >>>>> - use # deprecated >>>>> select >>>>> update >>>>> insert >>>>> @@ -780,7 +779,6 @@ inherits database >>>>> class db_column >>>>> inherits database >>>>> { >>>>> - use # deprecated >>>>> select >>>>> update >>>>> insert >>>>> @@ -790,7 +788,7 @@ class db_tuple >>>>> { >>>>> relabelfrom >>>>> relabelto >>>>> - use # deprecated >>>>> + use >>>>> select >>>>> update >>>>> insert >>>>> diff --git a/policy/modules/services/postgresql.if >>>>> b/policy/modules/services/postgresql.if >>>>> index 56fc5fa..71f2572 100644 
>>>>> --- a/policy/modules/services/postgresql.if >>>>> +++ b/policy/modules/services/postgresql.if >>>>> @@ -70,10 +70,9 @@ interface(`postgresql_role',` >>>>> type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; >>>>> type_transition $2 sepgsql_database_type:db_schema >>>>> sepgsql_temp_schema_t "pg_temp"; >>>>> >>>>> - allow $2 user_sepgsql_table_t:db_table { getattr use select update >>>>> insert delete lock }; >>>>> - allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; >>>>> - allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete }; >>>>> - type_transition $2 sepgsql_database_type:db_table >>>>> user_sepgsql_table_t; # deprecated >>>>> + allow $2 user_sepgsql_table_t:db_table { getattr select update >>>>> insert delete lock }; >>>>> + allow $2 user_sepgsql_table_t:db_column { getattr select update insert }; >>>>> + allow $2 user_sepgsql_table_t:db_tuple { select update insert delete }; >>>>> type_transition $2 {sepgsql_schema_type - >>>>> sepgsql_temp_schema_t}:db_table user_sepgsql_table_t; >>>>> type_transition $2 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; >>>>> >>>>> @@ -89,7 +88,6 @@ interface(`postgresql_role',` >>>>> type_transition $2 sepgsql_temp_schema_t:db_view sepgsql_temp_view_t; >>>>> >>>>> allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; >>>>> - type_transition $2 sepgsql_database_type:db_procedure >>>>> user_sepgsql_proc_exec_t; # deprecated >>>>> type_transition $2 {sepgsql_schema_type - >>>>> sepgsql_temp_schema_t}:db_procedure user_sepgsql_proc_exec_t; >>>>> type_transition $2 sepgsql_temp_schema_t:db_procedure >>>>> sepgsql_temp_proc_exec_t; 
>>>>> >>>>> @@ -513,10 +511,9 @@ interface(`postgresql_unpriv_client',` >>>>> type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; >>>>> type_transition $1 sepgsql_database_type:db_schema >>>>> unpriv_sepgsql_schema_t "pg_temp"; >>>>> >>>>> - allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update >>>>> insert delete lock }; >>>>> - allow $1 unpriv_sepgsql_table_t:db_column { getattr use select >>>>> update insert }; >>>>> - allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; >>>>> - type_transition $1 sepgsql_database_type:db_table >>>>> unpriv_sepgsql_table_t; # deprecated >>>>> + allow $1 unpriv_sepgsql_table_t:db_table { getattr select update >>>>> insert delete lock }; >>>>> + allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert }; >>>>> + allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete }; >>>>> type_transition $1 {sepgsql_schema_type - >>>>> sepgsql_temp_schema_t}:db_table unpriv_sepgsql_table_t; >>>>> type_transition $1 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; >>>>> >>>>> @@ -532,7 +529,6 @@ interface(`postgresql_unpriv_client',` >>>>> type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; >>>>> >>>>> allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; >>>>> - type_transition $1 sepgsql_database_type:db_procedure >>>>> unpriv_sepgsql_proc_exec_t; # deprecated >>>>> type_transition $1 {sepgsql_schema_type - >>>>> sepgsql_temp_schema_t}:db_procedure unpriv_sepgsql_proc_exec_t; >>>>> type_transition $1 sepgsql_temp_schema_t:db_procedure >>>>> sepgsql_temp_proc_exec_t; >>>>> >>>>> diff --git a/policy/modules/services/postgresql.te >>>>> b/policy/modules/services/postgresql.te >>>>> index 8a3c2bd..92d6e66 100644 >>>>> --- a/policy/modules/services/postgresql.te >>>>> +++ b/policy/modules/services/postgresql.te 
>>>>> @@ -259,7 +259,6 @@ tunable_policy(`sepgsql_transmit_client_label',` >>>>> ') >>>>> >>>>> allow postgresql_t sepgsql_database_type:db_database *; >>>>> -type_transition postgresql_t postgresql_t:db_database >>>>> sepgsql_db_t; # deprecated >>>>> >>>>> allow postgresql_t sepgsql_module_type:db_database install_module; >>>>> # Database/Loadable module >>>>> @@ -270,7 +269,6 @@ type_transition postgresql_t >>>>> sepgsql_database_type:db_schema sepgsql_schema_t; >>>>> type_transition postgresql_t sepgsql_database_type:db_schema >>>>> sepgsql_temp_schema_t "pg_temp"; >>>>> >>>>> allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *; >>>>> -type_transition postgresql_t sepgsql_database_type:db_table >>>>> sepgsql_sysobj_t; # deprecated >>>>> type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t; >>>>> >>>>> allow postgresql_t sepgsql_sequence_type:db_sequence *; >>>>> @@ -280,7 +278,6 @@ allow postgresql_t sepgsql_view_type:db_view *; >>>>> type_transition postgresql_t sepgsql_schema_type:db_view sepgsql_view_t; >>>>> >>>>> allow postgresql_t sepgsql_procedure_type:db_procedure *; >>>>> -type_transition postgresql_t sepgsql_database_type:db_procedure >>>>> sepgsql_proc_exec_t; # deprecated >>>>> type_transition postgresql_t sepgsql_schema_type:db_procedure >>>>> sepgsql_proc_exec_t; >>>>> >>>>> allow postgresql_t sepgsql_blob_type:db_blob *; 
>>>>> @@ -431,23 +428,23 @@ type_transition sepgsql_client_type >>>>> sepgsql_client_type:db_database sepgsql_db_t >>>>> >>>>> allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search }; >>>>> >>>>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr >>>>> use select insert lock }; >>>>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr >>>>> use select insert }; >>>>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert }; >>>>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr >>>>> select insert lock }; >>>>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr >>>>> select insert }; >>>>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { select insert }; >>>>> >>>>> -allow sepgsql_client_type sepgsql_table_t:db_table { getattr use >>>>> select update insert delete lock }; >>>>> -allow sepgsql_client_type sepgsql_table_t:db_column { getattr use >>>>> select update insert }; >>>>> -allow sepgsql_client_type sepgsql_table_t:db_tuple { use select >>>>> update insert delete }; >>>>> +allow sepgsql_client_type sepgsql_table_t:db_table { getattr select >>>>> update insert delete lock }; >>>>> +allow sepgsql_client_type sepgsql_table_t:db_column { getattr select >>>>> update insert }; >>>>> +allow sepgsql_client_type sepgsql_table_t:db_tuple { select update >>>>> insert delete }; >>>>> >>>>> -allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use >>>>> select lock }; >>>>> -allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select }; >>>>> -allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select }; >>>>> +allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr select lock }; >>>>> +allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr select }; >>>>> +allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { select }; >>>>> >>>>> allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr; 
>>>>> allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr; >>>>> >>>>> -allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use >>>>> select lock }; >>>>> -allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select }; >>>>> +allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr select lock }; >>>>> +allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr select }; >>>>> allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; >>>>> >>>>> allow sepgsql_client_type sepgsql_temp_table_t:db_table ~{ relabelto >>>>> relabelfrom }; >>>>> @@ -503,7 +500,6 @@ tunable_policy(`sepgsql_enable_users_ddl',` >>>>> # >>>>> >>>>> allow sepgsql_admin_type sepgsql_database_type:db_database { create >>>>> drop getattr setattr relabelfrom relabelto access }; >>>>> -type_transition sepgsql_admin_type sepgsql_admin_type:db_database >>>>> sepgsql_db_t; # deprecated >>>>> >>>>> allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop >>>>> getattr setattr relabelfrom relabelto search add_name remove_name }; >>>>> type_transition sepgsql_admin_type sepgsql_database_type:db_schema >>>>> sepgsql_schema_t; >>>>> @@ -513,7 +509,6 @@ allow sepgsql_admin_type >>>>> sepgsql_table_type:db_table { create drop getattr setat >>>>> allow sepgsql_admin_type sepgsql_table_type:db_column { create drop >>>>> getattr setattr relabelfrom relabelto }; >>>>> allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { >>>>> relabelfrom relabelto select update insert delete }; >>>>> >>>>> -type_transition sepgsql_admin_type sepgsql_database_type:db_table >>>>> sepgsql_table_t; # deprecated >>>>> type_transition sepgsql_admin_type sepgsql_schema_type:db_table >>>>> sepgsql_table_t; >>>>> >>>>> allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create >>>>> drop getattr setattr relabelfrom relabelto get_value next_value >>>>> set_value }; 
>>>>> @@ -527,7 +522,6 @@ type_transition sepgsql_admin_type >>>>> sepgsql_schema_type:db_view sepgsql_view_t; >>>>> allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create >>>>> drop getattr relabelfrom relabelto }; >>>>> allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute; >>>>> >>>>> -type_transition sepgsql_admin_type sepgsql_database_type:db_procedure >>>>> sepgsql_proc_exec_t; # deprecated >>>>> type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure >>>>> sepgsql_proc_exec_t; >>>>> >>>>> allow sepgsql_admin_type sepgsql_language_type:db_language { create >>>>> drop getattr setattr relabelfrom relabelto execute }; 
>>>>> @@ -566,14 +560,11 @@ tunable_policy(`sepgsql_unconfined_dbadm',` >>>>> # >>>>> >>>>> allow sepgsql_unconfined_type sepgsql_database_type:db_database *; >>>>> -type_transition sepgsql_unconfined_type >>>>> sepgsql_unconfined_type:db_database sepgsql_db_t; # deprecated >>>>> >>>>> allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *; >>>>> type_transition sepgsql_unconfined_type >>>>> sepgsql_database_type:db_schema sepgsql_schema_t; >>>>> type_transition sepgsql_unconfined_type >>>>> sepgsql_database_type:db_schema sepgsql_schema_t "pg_temp"; >>>>> >>>>> -type_transition sepgsql_unconfined_type >>>>> sepgsql_database_type:db_table sepgsql_table_t; # deprecated >>>>> -type_transition sepgsql_unconfined_type >>>>> sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated >>>>> type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table >>>>> sepgsql_table_t; >>>>> type_transition sepgsql_unconfined_type >>>>> sepgsql_schema_type:db_sequence sepgsql_seq_t; >>>>> type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view >>>>> sepgsql_view_t; > > -- > Chris PeBenito > Tresys Technology, LLC > www.tresys.com | oss.tresys.com -- KaiGai Kohei <kaigai@kaigai.gr.jp> [-- Attachment #2: refpolicy-sepgsql-4of4-redefine-use-permission.20120511.patch --] [-- Type: application/octet-stream, Size: 12183 bytes --] policy/flask/access_vectors | 4 +--- policy/mcs | 4 ++-- policy/mls | 4 ++-- policy/modules/services/postgresql.if | 16 ++++++---------- policy/modules/services/postgresql.te | 33 ++++++++++++--------------------- 5 files changed, 23 insertions(+), 38 deletions(-) diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors index bf24160..f462e95 100644 --- a/policy/flask/access_vectors +++ b/policy/flask/access_vectors @@ -761,7 +761,6 @@ inherits database class db_table inherits database { - use # deprecated select update insert 
@@ -780,7 +779,6 @@ inherits database class db_column inherits database { - use # deprecated select update insert @@ -790,7 +788,7 @@ class db_tuple { relabelfrom relabelto - use # deprecated + use select update insert diff --git a/policy/mcs b/policy/mcs index 2175572..f477c7f 100644 --- a/policy/mcs +++ b/policy/mcs @@ -120,10 +120,10 @@ mlsconstrain db_database { drop getattr setattr relabelfrom access install_modul mlsconstrain db_schema { drop getattr setattr relabelfrom search } ( h1 dom h2 ); -mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock } +mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete lock } ( h1 dom h2 ); -mlsconstrain db_column { drop getattr setattr relabelfrom select update insert use } +mlsconstrain db_column { drop getattr setattr relabelfrom select update insert } ( h1 dom h2 ); mlsconstrain db_tuple { relabelfrom select update delete use } diff --git a/policy/mls b/policy/mls index 7c0becc..d218387 100644 --- a/policy/mls +++ b/policy/mls @@ -749,13 +749,13 @@ mlsconstrain { db_schema } { getattr search } ( t1 == mlsdbread ) or ( t2 == mlstrustedobject )); -mlsconstrain { db_table } { getattr use select lock } +mlsconstrain { db_table } { getattr select lock } (( l1 dom l2 ) or (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsdbread ) or ( t2 == mlstrustedobject )); -mlsconstrain { db_column } { getattr use select } +mlsconstrain { db_column } { getattr select } (( l1 dom l2 ) or (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsdbread ) or diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index 6f30b1a..c9ff049 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if 
@@ -68,10 +68,9 @@ interface(`postgresql_role',` type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; type_transition $2 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; - allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock }; - allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; - allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete }; - type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t; # deprecated + allow $2 user_sepgsql_table_t:db_table { getattr select update insert delete lock }; + allow $2 user_sepgsql_table_t:db_column { getattr select update insert }; + allow $2 user_sepgsql_table_t:db_tuple { select update insert delete }; type_transition $2 sepgsql_schema_type:db_table user_sepgsql_table_t; allow $2 user_sepgsql_sysobj_t:db_tuple { use select }; @@ -84,7 +83,6 @@ interface(`postgresql_role',` type_transition $2 sepgsql_schema_type:db_view user_sepgsql_view_t; allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; - type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t; # deprecated type_transition $2 sepgsql_schema_type:db_procedure user_sepgsql_proc_exec_t; allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; 
@@ -506,10 +504,9 @@ interface(`postgresql_unpriv_client',` type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; type_transition $1 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; - allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock }; - allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert }; - allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; - type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t; # deprecated + allow $1 unpriv_sepgsql_table_t:db_table { getattr select update insert delete lock }; + allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert }; + allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete }; type_transition $1 sepgsql_schema_type:db_table unpriv_sepgsql_table_t; allow $1 unpriv_sepgsql_seq_t:db_sequence { getattr get_value next_value set_value }; @@ -522,7 +519,6 @@ interface(`postgresql_unpriv_client',` type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; - type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t; # deprecated type_transition $1 sepgsql_schema_type:db_procedure unpriv_sepgsql_proc_exec_t; allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export }; diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index c6fbc4a..b828ef1 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -257,7 +257,6 @@ tunable_policy(`sepgsql_transmit_client_label',` ') allow postgresql_t sepgsql_database_type:db_database *; -type_transition postgresql_t postgresql_t:db_database sepgsql_db_t; # deprecated allow postgresql_t sepgsql_module_type:db_database install_module; # Database/Loadable module 
@@ -268,7 +267,6 @@ type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_schema_t; type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *; -type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t; # deprecated type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t; allow postgresql_t sepgsql_sequence_type:db_sequence *; @@ -278,7 +276,6 @@ allow postgresql_t sepgsql_view_type:db_view *; type_transition postgresql_t sepgsql_schema_type:db_view sepgsql_view_t; allow postgresql_t sepgsql_procedure_type:db_procedure *; -type_transition postgresql_t sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated type_transition postgresql_t sepgsql_schema_type:db_procedure sepgsql_proc_exec_t; allow postgresql_t sepgsql_blob_type:db_blob *; 
@@ -429,23 +426,23 @@ type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search }; -allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr use select insert lock }; -allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr use select insert }; -allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert }; +allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr select insert lock }; +allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr select insert }; +allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { select insert }; -allow sepgsql_client_type sepgsql_table_t:db_table { getattr use select update insert delete lock }; -allow sepgsql_client_type sepgsql_table_t:db_column { getattr use select update insert }; -allow sepgsql_client_type sepgsql_table_t:db_tuple { use select update insert delete }; +allow sepgsql_client_type sepgsql_table_t:db_table { getattr select update insert delete lock }; +allow sepgsql_client_type sepgsql_table_t:db_column { getattr select update insert }; +allow sepgsql_client_type sepgsql_table_t:db_tuple { select update insert delete }; -allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select lock }; -allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select }; -allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select }; +allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr select lock }; +allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr select }; +allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { select }; allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr; allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr; -allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select lock }; -allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select }; 
+allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr select lock }; +allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr select }; allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; allow sepgsql_client_type sepgsql_seq_t:db_sequence { getattr get_value next_value }; @@ -497,7 +494,6 @@ tunable_policy(`sepgsql_enable_users_ddl',` # allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access }; -type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t; # deprecated allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name }; type_transition sepgsql_admin_type sepgsql_database_type:db_schema sepgsql_schema_t; @@ -505,9 +501,8 @@ type_transition sepgsql_admin_type sepgsql_database_type:db_schema sepgsql_temp_ allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock }; allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto }; -allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete }; +allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto use select update insert delete }; -type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t; # deprecated type_transition sepgsql_admin_type sepgsql_schema_type:db_table sepgsql_table_t; allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create drop getattr setattr relabelfrom relabelto get_value next_value set_value }; 
@@ -521,7 +516,6 @@ type_transition sepgsql_admin_type sepgsql_schema_type:db_view sepgsql_view_t; allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto }; allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute; -type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t; allow sepgsql_admin_type sepgsql_language_type:db_language { create drop getattr setattr relabelfrom relabelto execute }; @@ -562,14 +556,11 @@ allow sepgsql_admin_type sepgsql_temp_object_t:{db_schema db_table db_column db_ # allow sepgsql_unconfined_type sepgsql_database_type:db_database *; -type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t; # deprecated allow sepgsql_unconfined_type {sepgsql_schema_type sepgsql_temp_object_t}:db_schema *; type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_schema_t; type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; -type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t; # deprecated -type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table sepgsql_table_t; type_transition sepgsql_unconfined_type sepgsql_schema_type:db_sequence sepgsql_seq_t; type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view sepgsql_view_t; [-- Attachment #3: refpolicy-sepgsql-3of4-temp-database-objects.20120511.patch --] [-- Type: application/octet-stream, Size: 6132 bytes --] policy/modules/services/postgresql.if | 4 ++++ policy/modules/services/postgresql.te | 25 +++++++++++++++++++++++-- 2 files changed, 27 insertions(+), 2 deletions(-) 
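Review bot: in the 4of4 access_vectors hunk, `use` is deleted outright from db_table and db_column while being revived on db_tuple. SE-PostgreSQL is a userspace object manager that resolves permission names against the loaded policy, so any server build that still asks for `db_table:use` or `db_column:use` no longer gets a clean deny but whatever the policy's handle_unknown setting dictates. Please state in the commit message that these two permissions are removed (not merely deprecated) and confirm no current sepgsql code path names them.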
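Review bot: the 4of4 policy/mls hunk only touches db_table and db_column (`{ getattr use select lock }` to `{ getattr select lock }` and `{ getattr use select }` to `{ getattr select }`), whereas the policy/mcs hunk shows as unchanged context that `mlsconstrain db_tuple { relabelfrom select update delete use }` already covers the now-live permission. Please confirm the db_tuple read-down constraint in policy/mls lists `use` too; if it does not, MLS will never check `use` on catalog entries, which is exactly where the patch makes it meaningful.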
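Review bot: in the 4of4 postgresql_unpriv_client hunk (@@ -522,7 +519,6) the only sysobj-related line is the context `type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;`, and no `allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };` is visible, while the postgresql_role hunk shows the matching `allow $2 user_sepgsql_sysobj_t:db_tuple { use select };` as context. Please verify the unpriv rule exists in the unchanged part of the interface; otherwise, once `use` is enforced, unprivileged clients are denied (and audited, since the dontaudit rule excludes sepgsql_sysobj_table_type) for using the very objects they created.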
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index 5946b6a..6f30b1a 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -37,6 +37,7 @@ interface(`postgresql_role',` type user_sepgsql_schema_t, user_sepgsql_seq_t; type user_sepgsql_sysobj_t, user_sepgsql_table_t; type user_sepgsql_view_t; + type sepgsql_temp_object_t; ') ######################################## @@ -65,6 +66,7 @@ interface(`postgresql_role',` allow $2 user_sepgsql_schema_t:db_schema { getattr search add_name remove_name }; type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; + type_transition $2 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock }; allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; @@ -469,6 +471,7 @@ interface(`postgresql_unpriv_client',` type unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t; type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t; type unpriv_sepgsql_view_t; + type sepgsql_temp_object_t; ') ######################################## @@ -501,6 +504,7 @@ interface(`postgresql_unpriv_client',` ') allow $1 unpriv_sepgsql_schema_t:db_schema { getattr add_name remove_name }; type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; + type_transition $1 sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock }; allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert }; diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index b48aca1..c6fbc4a 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te 
@@ -165,6 +165,19 @@ optional_policy(` mls_process_set_level(sepgsql_ranged_proc_t) ') +# Types for temporary objects +# +# XXX - All the temporary objects are eliminated at end of database session +# and invisible from other sessions, so it is unnecessary to restrict users +# operations on temporary object. For policy simplification, only one type +# is defined for temporary objects under the "pg_temp" schema. +type sepgsql_temp_object_t; + +postgresql_table_object(sepgsql_temp_object_t) +postgresql_sequence_object(sepgsql_temp_object_t) +postgresql_view_object(sepgsql_temp_object_t) +postgresql_procedure_object(sepgsql_temp_object_t) + # Types for unprivileged client type unpriv_sepgsql_blob_t; postgresql_blob_object(unpriv_sepgsql_blob_t) @@ -250,8 +263,9 @@ allow postgresql_t sepgsql_module_type:db_database install_module; # Database/Loadable module allow sepgsql_database_type sepgsql_module_type:db_database load_module; -allow postgresql_t sepgsql_schema_type:db_schema *; +allow postgresql_t {sepgsql_schema_type sepgsql_temp_object_t}:db_schema *; type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_schema_t; +type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *; type_transition postgresql_t sepgsql_database_type:db_table sepgsql_sysobj_t; # deprecated 
@@ -467,6 +481,9 @@ allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr; # Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL. dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete }; +# It is always allowed to operate temporary objects for any database client. +allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom }; + # Note that permission of creation/deletion are eventually controlled by # create or drop permission of individual objects within shared schemas. # So, it just allows to create/drop user specific types. @@ -484,6 +501,7 @@ type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t; allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop getattr setattr relabelfrom relabelto search add_name remove_name }; type_transition sepgsql_admin_type sepgsql_database_type:db_schema sepgsql_schema_t; +type_transition sepgsql_admin_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock }; allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto }; @@ -536,6 +554,8 @@ tunable_policy(`sepgsql_unconfined_dbadm',` allow sepgsql_admin_type sepgsql_blob_type:db_blob *; ') +allow sepgsql_admin_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom }; + ######################################## # # Unconfined access to this module 
@@ -544,8 +564,9 @@ tunable_policy(`sepgsql_unconfined_dbadm',` allow sepgsql_unconfined_type sepgsql_database_type:db_database *; type_transition sepgsql_unconfined_type sepgsql_unconfined_type:db_database sepgsql_db_t; # deprecated -allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *; +allow sepgsql_unconfined_type {sepgsql_schema_type sepgsql_temp_object_t}:db_schema *; type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_schema_t; +type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp"; type_transition sepgsql_unconfined_type sepgsql_database_type:db_table sepgsql_table_t; # deprecated type_transition sepgsql_unconfined_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated [-- Attachment #4: refpolicy-sepgsql-2of4-foreign-data-wrapper.20120511.patch --] [-- Type: application/octet-stream, Size: 1203 bytes --] policy/modules/services/postgresql.te | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index 6d73df2..b48aca1 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -32,6 +32,13 @@ gen_tunable(sepgsql_enable_users_ddl, true) ## </desc> gen_tunable(sepgsql_unconfined_dbadm, true) +## <desc> +## <p> +## Allow transmit client label to foreign database +## </p> +## </desc> +gen_tunable(sepgsql_transmit_client_label, false) + type postgresql_t; type postgresql_exec_t; init_daemon_domain(postgresql_t, postgresql_exec_t) 
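Review bot: in the 3of4 postgresql.te hunk at @@ -467,6 +481,9, `allow sepgsql_client_type sepgsql_temp_object_t:{db_schema db_table db_column db_tuple db_sequence db_view db_procedure} ~{ relabelto relabelfrom };` grants every non-relabel permission, which for db_procedure includes `install` and `entrypoint` and for db_tuple includes `use`, and it does so unconditionally, whereas DDL on user tables is gated by the sepgsql_enable_users_ddl tunable (see the tunable_policy block shown as context in the 1of4 postgresql_unpriv_client hunk). The XXX comment argues that session-local objects need no restriction, so this is presumably intended, but an explicit permission list per class and a sentence in the tunable's description saying temporary objects are exempt would make that intent checkable. The same complement form is repeated for sepgsql_admin_type in the @@ -536,6 +554,8 hunk.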
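Review bot: the 3of4 type-definition hunk (@@ -165,6 +165,19) marks sepgsql_temp_object_t with postgresql_table_object, postgresql_sequence_object, postgresql_view_object and postgresql_procedure_object but not with a schema attribute, which is why the postgresql_t and sepgsql_unconfined_type hunks have to spell out `{sepgsql_schema_type sepgsql_temp_object_t}:db_schema` by hand and why the gen_require blocks in both interfaces gain `type sepgsql_temp_object_t;`. Either add a comment at the type definition explaining why the schema attribute was deliberately withheld, or apply the schema-object interface and drop the explicit sets so future rules on sepgsql_schema_type do not silently miss the temp schema.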
@@ -232,6 +239,9 @@ allow postgresql_t self:udp_socket create_stream_socket_perms; allow postgresql_t self:unix_dgram_socket create_socket_perms; allow postgresql_t self:unix_stream_socket create_stream_socket_perms; allow postgresql_t self:netlink_selinux_socket create_socket_perms; +tunable_policy(`sepgsql_transmit_client_label',` + allow postgresql_t self:process { setsockcreate }; +') allow postgresql_t sepgsql_database_type:db_database *; type_transition postgresql_t postgresql_t:db_database sepgsql_db_t; # deprecated [-- Attachment #5: refpolicy-sepgsql-1of4-connection-pooling-support.20120511.patch --] [-- Type: application/octet-stream, Size: 7030 bytes --] policy/modules/services/postgresql.if | 33 ++++++++++++++++++++++++++++++++- policy/modules/services/postgresql.te | 33 +++++++++++++++++++++++++++++---- 2 files changed, 61 insertions(+), 5 deletions(-) diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index 09aeffa..5946b6a 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -32,6 +32,7 @@ interface(`postgresql_role',` attribute sepgsql_schema_type, sepgsql_sysobj_table_type; type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t; + type sepgsql_ranged_proc_exec_t, sepgsql_ranged_proc_t; type user_sepgsql_blob_t, user_sepgsql_proc_exec_t; type user_sepgsql_schema_t, user_sepgsql_seq_t; type user_sepgsql_sysobj_t, user_sepgsql_table_t; @@ -45,6 +46,7 @@ interface(`postgresql_role',` typeattribute $2 sepgsql_client_type; role $1 types sepgsql_trusted_proc_t; + role $1 types sepgsql_ranged_proc_t; ############################## # 
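Review bot: the 2of4 tunable_policy hunk adds only `allow postgresql_t self:process { setsockcreate };`. Setting a socket-creation label lets the server label new sockets with a client's context, but the kernel then checks `create` (and later `connect`) between postgresql_t and that new socket label, so a rule along the lines of `allow postgresql_t sepgsql_client_type:tcp_socket create_stream_socket_perms;` is also needed for the feature to work. Either it belongs inside this tunable_policy block, or the `<desc>` should say which other policy provides it; the description "Allow transmit client label to foreign database" should also mention that this is for foreign data wrappers, as only the attachment name currently does.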
@@ -88,6 +90,10 @@ interface(`postgresql_role',` allow $2 sepgsql_trusted_proc_t:process transition; type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; + + allow $2 sepgsql_ranged_proc_t:process transition; + type_transition $2 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t; + allow sepgsql_ranged_proc_t $2:process dyntransition; ') ######################################## @@ -223,7 +229,7 @@ interface(`postgresql_view_object',` ## </summary> ## <param name="type"> ## <summary> -## Type marked as a database object type. +## Type marked as a procedure object type. ## </summary> ## </param> # @@ -237,6 +243,26 @@ interface(`postgresql_procedure_object',` ######################################## ## <summary> +## Marks as a SE-PostgreSQL trusted procedure object type +## </summary> +## <param name="type"> +## <summary> +## Type marked as a trusted procedure object type. +## </summary> +## </param> +# +interface(`postgresql_trusted_procedure_object',` + gen_require(` + attribute sepgsql_procedure_type; + attribute sepgsql_trusted_procedure_type; + ') + + typeattribute $1 sepgsql_procedure_type; + typeattribute $1 sepgsql_trusted_procedure_type; +') + +######################################## +## <summary> ## Marks as a SE-PostgreSQL procedural language object type ## </summary> ## <param name="type"> @@ -438,6 +464,7 @@ interface(`postgresql_unpriv_client',` attribute sepgsql_sysobj_table_type; type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t; + type sepgsql_ranged_proc_t, sepgsql_ranged_proc_exec_t; type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t; type unpriv_sepgsql_schema_t, unpriv_sepgsql_seq_t; type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t; 
@@ -459,6 +486,10 @@ interface(`postgresql_unpriv_client',` type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; allow $1 sepgsql_trusted_proc_t:process transition; + type_transition $1 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t; + allow $1 sepgsql_ranged_proc_t:process transition; + allow sepgsql_ranged_proc_t $1:process dyntransition; + tunable_policy(`sepgsql_enable_users_ddl',` allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr }; allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index f7b72d4..6d73df2 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -70,6 +70,7 @@ attribute sepgsql_sysobj_table_type; attribute sepgsql_sequence_type; attribute sepgsql_view_type; attribute sepgsql_procedure_type; +attribute sepgsql_trusted_procedure_type; attribute sepgsql_language_type; attribute sepgsql_blob_type; attribute sepgsql_module_type; @@ -122,7 +123,10 @@ type sepgsql_table_t; postgresql_table_object(sepgsql_table_t) type sepgsql_trusted_proc_exec_t; -postgresql_procedure_object(sepgsql_trusted_proc_exec_t) +postgresql_trusted_procedure_object(sepgsql_trusted_proc_exec_t) + +type sepgsql_ranged_proc_exec_t; +postgresql_trusted_procedure_object(sepgsql_ranged_proc_exec_t) type sepgsql_view_t; postgresql_view_object(sepgsql_view_t) 
@@ -133,6 +137,27 @@ domain_type(sepgsql_trusted_proc_t) postgresql_unconfined(sepgsql_trusted_proc_t) role system_r types sepgsql_trusted_proc_t; +# Ranged Trusted Procedure Domain +# +# XXX - the purpose of this domain is to switch security context of +# the database client using dynamic domain transition; typically, +# used for connection pooling software that shall assign a security +# context at beginning of the user session based on the credentials +# being invisible from unprivileged domains. +# +type sepgsql_ranged_proc_t; +domain_type(sepgsql_ranged_proc_t) +postgresql_unconfined(sepgsql_ranged_proc_t) +domain_dyntrans_type(sepgsql_ranged_proc_t) +allow sepgsql_ranged_proc_t self:process { setcurrent }; +role system_r types sepgsql_ranged_proc_t; +optional_policy(` + mcs_process_set_categories(sepgsql_ranged_proc_t) +') +optional_policy(` + mls_process_set_level(sepgsql_ranged_proc_t) +') + # Types for unprivileged client type unpriv_sepgsql_blob_t; postgresql_blob_object(unpriv_sepgsql_blob_t) @@ -404,7 +429,7 @@ allow sepgsql_client_type sepgsql_seq_t:db_sequence { getattr get_value next_val allow sepgsql_client_type sepgsql_view_t:db_view { getattr expand }; allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr execute install }; -allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint }; +allow sepgsql_client_type sepgsql_trusted_procedure_type:db_procedure { getattr execute entrypoint }; allow sepgsql_client_type sepgsql_lang_t:db_language { getattr }; allow sepgsql_client_type sepgsql_safe_lang_t:db_language { getattr execute }; 
@@ -493,7 +518,7 @@ tunable_policy(`sepgsql_unconfined_dbadm',` allow sepgsql_admin_type sepgsql_view_type:db_view *; allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *; - allow sepgsql_admin_type sepgsql_trusted_proc_exec_t:db_procedure ~install; + allow sepgsql_admin_type sepgsql_trusted_procedure_type:db_procedure ~install; allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install }; allow sepgsql_admin_type sepgsql_language_type:db_language ~implement; @@ -528,7 +553,7 @@ allow sepgsql_unconfined_type sepgsql_view_type:db_view *; # unconfined domain is not allowed to invoke user defined procedure directly. # They have to confirm and relabel it at first. allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure *; -allow sepgsql_unconfined_type sepgsql_trusted_proc_exec_t:db_procedure ~install; +allow sepgsql_unconfined_type sepgsql_trusted_procedure_type:db_procedure ~install; allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ execute install }; allow sepgsql_unconfined_type sepgsql_language_type:db_language ~implement; [-- Attachment #6: refpolicy-sepgsql-0of4-fixbug-mcs-mls.20120511.patch --] [-- Type: application/octet-stream, Size: 1554 bytes --] policy/mcs | 4 ++-- policy/mls | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/policy/mcs b/policy/mcs index df8e0fa..2175572 100644 --- a/policy/mcs +++ b/policy/mcs @@ -117,7 +117,7 @@ mlsconstrain { db_tuple } { insert relabelto } mlsconstrain db_database { drop getattr setattr relabelfrom access install_module load_module get_param set_param } ( h1 dom h2 ); -mlsconstrain db_language { drop getattr setattr relabelfrom execute } +mlsconstrain db_schema { drop getattr setattr relabelfrom search } ( h1 dom h2 ); mlsconstrain db_table { drop getattr setattr relabelfrom select update insert delete use lock } 
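Review bot: in the 1of4 postgresql.te hunk at @@ -133,6 +137,27, sepgsql_ranged_proc_t receives postgresql_unconfined(), domain_dyntrans_type(), `setcurrent`, mcs_process_set_categories/mls_process_set_level, and, through the interface hunks, `dyntransition` into every `$2` or `$1` domain that calls postgresql_role or postgresql_unpriv_client. Because each interface invocation adds another target, a ranged procedure can move a session into any database-user domain at any level, not just back to the caller's. That is the stated purpose, but the XXX comment should say so outright and also name the single control on it: every sepgsql_client_type may `getattr execute entrypoint` anything under sepgsql_trusted_procedure_type (@@ -404,7 +429,7), so the only gate is who may relabel a procedure to sepgsql_ranged_proc_exec_t.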
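Review bot: the 1of4 postgresql_role (@@ -88,6 +90,10) and postgresql_unpriv_client (@@ -459,6 +486,10) hunks add `allow sepgsql_ranged_proc_t $2:process dyntransition;` and its `$1` twin without touching the interfaces' documentation, so a policy author calling either interface cannot see that it authorises ranged procedures to dyntransition into their domain; please add that to the interface description. Minor: the two hunks order the `process transition` allow and the type_transition differently; pick one order.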
@@ -135,7 +135,7 @@ mlsconstrain db_sequence { drop getattr setattr relabelfrom get_value next_value mlsconstrain db_view { drop getattr setattr relabelfrom expand } ( h1 dom h2 ); -mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install } +mlsconstrain db_procedure { drop getattr setattr relabelfrom execute install entrypoint } ( h1 dom h2 ); mlsconstrain db_language { drop getattr setattr relabelfrom execute } diff --git a/policy/mls b/policy/mls index 0e8474b..7c0becc 100644 --- a/policy/mls +++ b/policy/mls @@ -773,7 +773,7 @@ mlsconstrain { db_view } { getattr expand } ( t1 == mlsdbread ) or ( t2 == mlstrustedobject )); -mlsconstrain { db_procedure } { getattr execute install } +mlsconstrain { db_procedure } { getattr execute entrypoint install } (( l1 dom l2 ) or (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or ( t1 == mlsdbread ) or
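Review bot: the 0of4 policy/mcs hunk at @@ -117,7 +117,7 replaces a duplicated `mlsconstrain db_language { drop getattr setattr relabelfrom execute }` with the missing db_schema constraint, which means MCS category dominance was previously not enforced at all on schema `drop getattr setattr relabelfrom search`; that is a security fix and deserves its own commit message saying so, since the attachment carries only a diffstat and the explanation lives in the e-mail body. The `entrypoint` additions agree between policy/mcs and policy/mls except for ordering (`execute install entrypoint` vs `execute entrypoint install`); use one order so the two files can be compared by grep.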
* [refpolicy] [4/4] sepgsql -redefinition of use permission onto system objects @ 2012-05-11 13:17 ` Kohei KaiGai 0 siblings, 0 replies; 14+ messages in thread 
From: Kohei KaiGai @ 2012-05-11 13:17 UTC (permalink / raw) To: refpolicy 2012/5/10 Christopher J. PeBenito <cpebenito@tresys.com>: > On 05/04/12 13:24, Kohei KaiGai wrote: >> 2012/5/4 Christopher J. PeBenito <cpebenito@tresys.com>: >>> On 05/04/12 09:33, Kohei KaiGai wrote: >>>> The patch 3 of 4 also required the 4 of 4 being refreshed to apply correctly. >>>> In addition, I forgot to allow sepgsql_admin_type to "use" system >>>> objects. >>>> >>>> Please check the newer version. Thanks, >>> >>> Looks like the revised patch is missing. >>> >> Sorry, it is the attached one. >> >> Thanks, > > This one doesn't apply, the last hunk fails. I also had a problem with the 3rd patch, as the contrib hunk stopped it from applying too. > Sorry, I generated the series of patches based on the latest refpolicy and contrib tree. And I added a "0of4" patch that fixes bugs in MLS/MCS that I noticed during regression test efforts. MCS rules were defined twice for the db_language class while db_schema was forgotten, and the "entrypoint" permission was not restricted in either the MCS or the MLS policy. There are no updates on part-1 ~ part-4 except for patch rebasing. Thanks, >>>> 2012/3/25 Kohei KaiGai <kaigai@kaigai.gr.jp>: >>>>> This patch might be arguable. It redefines the "use" permission on db_tuple >>>>> class that has been marked deprecated for a few years, to control usage of system >>>>> objects but without individual object classes. >>>>> >>>>> We didn't try to port all the supported database object types in PostgreSQL >>>>> into SELinux policy model, because its variation is too large to port and >>>>> less priority in comparison with "major" object classes such as tables. >>>>> >>>>> So, we handle permissions to create, drop and alter these objects as >>>>> permissions to insert, delete or update of system catalogs; labeled as >>>>> sepgsql_sysobj_t, and so on.
>>>>> >>>>> On the other hand, some of system objects requires to check permission >>>>> when user "use" these objects, such as data types, tablespaces, >>>>> operators and so on. >>>>> I don't think it is reasonable approach to define individual object classes >>>>> for each object types reflects to PostgreSQL. However, it is preferable >>>>> to have double checks by selinux on strategic points. >>>>> >>>>> So, I try to redefine "use" permission on db_tuple class; that means >>>>> permission to "use" this object when the tuple is an entry of system >>>>> catalog corresponding to a particular database object but don't have >>>>> a particular object class like tables. >>>>> >>>>> The deprecated permissions and rules are not in use for a few years, >>>>> so, it is a time to be utilized or eliminated. >>>>> >>>>> Thanks, >>>>> >>>>> ?Signed-off-by: KaiGai Kohei <kohei.kaigai@emea.nec.com> >>>>> -- >>>>> ?policy/flask/access_vectors ? ? ? ? ? | ? ?4 +--- >>>>> ?policy/modules/services/postgresql.if | ? 16 ++++++---------- >>>>> ?policy/modules/services/postgresql.te | ? 31 +++++++++++-------------------- >>>>> ?3 files changed, 18 insertions(+), 33 deletions(-) >>>>> >>>>> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors >>>>> index bf24160..f462e95 100644 >>>>> --- a/policy/flask/access_vectors >>>>> +++ b/policy/flask/access_vectors >>>>> @@ -761,7 +761,6 @@ inherits database >>>>> ?class db_table >>>>> ?inherits database >>>>> ?{ >>>>> - ? ? ? use ? ? ? ? ? ? # deprecated >>>>> ? ? ? ?select >>>>> ? ? ? ?update >>>>> ? ? ? ?insert >>>>> @@ -780,7 +779,6 @@ inherits database >>>>> ?class db_column >>>>> ?inherits database >>>>> ?{ >>>>> - ? ? ? use ? ? ? ? ? ? # deprecated >>>>> ? ? ? ?select >>>>> ? ? ? ?update >>>>> ? ? ? ?insert 
>>>>> @@ -790,7 +788,7 @@ class db_tuple >>>>> ?{ >>>>> ? ? ? ?relabelfrom >>>>> ? ? ? ?relabelto >>>>> - ? ? ? use ? ? ? ? ? ? # deprecated >>>>> + ? ? ? use >>>>> ? ? ? ?select >>>>> ? ? ? ?update >>>>> ? ? ? ?insert >>>>> diff --git a/policy/modules/services/postgresql.if >>>>> b/policy/modules/services/postgresql.if >>>>> index 56fc5fa..71f2572 100644 >>>>> --- a/policy/modules/services/postgresql.if >>>>> +++ b/policy/modules/services/postgresql.if >>>>> @@ -70,10 +70,9 @@ interface(`postgresql_role',` >>>>> ? ? ? ?type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; >>>>> ? ? ? ?type_transition $2 sepgsql_database_type:db_schema >>>>> sepgsql_temp_schema_t "pg_temp"; >>>>> >>>>> - ? ? ? allow $2 user_sepgsql_table_t:db_table ?{ getattr use select update >>>>> insert delete lock }; >>>>> - ? ? ? allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; >>>>> - ? ? ? allow $2 user_sepgsql_table_t:db_tuple ?{ use select update insert delete }; >>>>> - ? ? ? type_transition $2 sepgsql_database_type:db_table >>>>> user_sepgsql_table_t; ? ? ? ? ? # deprecated >>>>> + ? ? ? allow $2 user_sepgsql_table_t:db_table ?{ getattr select update >>>>> insert delete lock }; >>>>> + ? ? ? allow $2 user_sepgsql_table_t:db_column { getattr select update insert }; >>>>> + ? ? ? allow $2 user_sepgsql_table_t:db_tuple ?{ select update insert delete }; >>>>> ? ? ? ?type_transition $2 {sepgsql_schema_type - >>>>> sepgsql_temp_schema_t}:db_table user_sepgsql_table_t; >>>>> ? ? ? ?type_transition $2 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; 
>>>>> >>>>> @@ -89,7 +88,6 @@ interface(`postgresql_role',` >>>>> ? ? ? ?type_transition $2 sepgsql_temp_schema_t:db_view sepgsql_temp_view_t; >>>>> >>>>> ? ? ? ?allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; >>>>> - ? ? ? type_transition $2 sepgsql_database_type:db_procedure >>>>> user_sepgsql_proc_exec_t; ? ? ? # deprecated >>>>> ? ? ? ?type_transition $2 {sepgsql_schema_type - >>>>> sepgsql_temp_schema_t}:db_procedure user_sepgsql_proc_exec_t; >>>>> ? ? ? ?type_transition $2 sepgsql_temp_schema_t:db_procedure >>>>> sepgsql_temp_proc_exec_t; >>>>> >>>>> @@ -513,10 +511,9 @@ interface(`postgresql_unpriv_client',` >>>>> ? ? ? ?type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; >>>>> ? ? ? ?type_transition $1 sepgsql_database_type:db_schema >>>>> unpriv_sepgsql_schema_t "pg_temp"; >>>>> >>>>> - ? ? ? allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update >>>>> insert delete lock }; >>>>> - ? ? ? allow $1 unpriv_sepgsql_table_t:db_column { getattr use select >>>>> update insert }; >>>>> - ? ? ? allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; >>>>> - ? ? ? type_transition $1 sepgsql_database_type:db_table >>>>> unpriv_sepgsql_table_t; # deprecated >>>>> + ? ? ? allow $1 unpriv_sepgsql_table_t:db_table { getattr select update >>>>> insert delete lock }; >>>>> + ? ? ? allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert }; >>>>> + ? ? ? allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete }; >>>>> ? ? ? ?type_transition $1 {sepgsql_schema_type - >>>>> sepgsql_temp_schema_t}:db_table unpriv_sepgsql_table_t; >>>>> ? ? ? ?type_transition $1 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; 
>>>>> >>>>> @@ -532,7 +529,6 @@ interface(`postgresql_unpriv_client',` >>>>> ? ? ? ?type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; >>>>> >>>>> ? ? ? ?allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; >>>>> - ? ? ? type_transition $1 sepgsql_database_type:db_procedure >>>>> unpriv_sepgsql_proc_exec_t; # deprecated >>>>> ? ? ? ?type_transition $1 {sepgsql_schema_type - >>>>> sepgsql_temp_schema_t}:db_procedure unpriv_sepgsql_proc_exec_t; >>>>> ? ? ? ?type_transition $1 sepgsql_temp_schema_t:db_procedure >>>>> sepgsql_temp_proc_exec_t; >>>>> >>>>> diff --git a/policy/modules/services/postgresql.te >>>>> b/policy/modules/services/postgresql.te >>>>> index 8a3c2bd..92d6e66 100644 >>>>> --- a/policy/modules/services/postgresql.te >>>>> +++ b/policy/modules/services/postgresql.te >>>>> @@ -259,7 +259,6 @@ tunable_policy(`sepgsql_transmit_client_label',` >>>>> ?') >>>>> >>>>> ?allow postgresql_t sepgsql_database_type:db_database *; >>>>> -type_transition postgresql_t postgresql_t:db_database >>>>> sepgsql_db_t; ? ? ? ? ? # deprecated >>>>> >>>>> ?allow postgresql_t sepgsql_module_type:db_database install_module; >>>>> ?# Database/Loadable module >>>>> @@ -270,7 +269,6 @@ type_transition postgresql_t >>>>> sepgsql_database_type:db_schema sepgsql_schema_t; >>>>> ?type_transition postgresql_t sepgsql_database_type:db_schema >>>>> sepgsql_temp_schema_t "pg_temp"; >>>>> >>>>> ?allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *; >>>>> -type_transition postgresql_t sepgsql_database_type:db_table >>>>> sepgsql_sysobj_t; ? ? ? # deprecated >>>>> ?type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t; >>>>> >>>>> ?allow postgresql_t sepgsql_sequence_type:db_sequence *; 
>>>>> @@ -280,7 +278,6 @@ allow postgresql_t sepgsql_view_type:db_view *; >>>>> ?type_transition postgresql_t sepgsql_schema_type:db_view sepgsql_view_t; >>>>> >>>>> ?allow postgresql_t sepgsql_procedure_type:db_procedure *; >>>>> -type_transition postgresql_t sepgsql_database_type:db_procedure >>>>> sepgsql_proc_exec_t; ? ?# deprecated >>>>> ?type_transition postgresql_t sepgsql_schema_type:db_procedure >>>>> sepgsql_proc_exec_t; >>>>> >>>>> ?allow postgresql_t sepgsql_blob_type:db_blob *; 
>>>>> @@ -431,23 +428,23 @@ type_transition sepgsql_client_type >>>>> sepgsql_client_type:db_database sepgsql_db_t >>>>> >>>>> ?allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search }; >>>>> >>>>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr >>>>> use select insert lock }; >>>>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr >>>>> use select insert }; >>>>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert }; >>>>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr >>>>> select insert lock }; >>>>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr >>>>> select insert }; >>>>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { select insert }; >>>>> >>>>> -allow sepgsql_client_type sepgsql_table_t:db_table { getattr use >>>>> select update insert delete lock }; >>>>> -allow sepgsql_client_type sepgsql_table_t:db_column { getattr use >>>>> select update insert }; >>>>> -allow sepgsql_client_type sepgsql_table_t:db_tuple { use select >>>>> update insert delete }; >>>>> +allow sepgsql_client_type sepgsql_table_t:db_table { getattr select >>>>> update insert delete lock }; >>>>> +allow sepgsql_client_type sepgsql_table_t:db_column { getattr select >>>>> update insert }; >>>>> +allow sepgsql_client_type sepgsql_table_t:db_tuple { select update >>>>> insert delete }; >>>>> >>>>> -allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use >>>>> select lock }; >>>>> -allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select }; >>>>> -allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select }; >>>>> +allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr select lock }; >>>>> +allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr select }; >>>>> +allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { select }; >>>>> >>>>> ?allow sepgsql_client_type sepgsql_secret_table_t:db_table 
getattr; >>>>> ?allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr; >>>>> >>>>> -allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use >>>>> select lock }; >>>>> -allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select }; >>>>> +allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr select lock }; >>>>> +allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr select }; >>>>> ?allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; >>>>> >>>>> ?allow sepgsql_client_type sepgsql_temp_table_t:db_table ~{ relabelto >>>>> relabelfrom }; >>>>> @@ -503,7 +500,6 @@ tunable_policy(`sepgsql_enable_users_ddl',` >>>>> ?# >>>>> >>>>> ?allow sepgsql_admin_type sepgsql_database_type:db_database { create >>>>> drop getattr setattr relabelfrom relabelto access }; >>>>> -type_transition sepgsql_admin_type sepgsql_admin_type:db_database >>>>> sepgsql_db_t; ? ? ? ? ? # deprecated >>>>> >>>>> ?allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop >>>>> getattr setattr relabelfrom relabelto search add_name remove_name }; >>>>> ?type_transition sepgsql_admin_type sepgsql_database_type:db_schema >>>>> sepgsql_schema_t; >>>>> @@ -513,7 +509,6 @@ allow sepgsql_admin_type >>>>> sepgsql_table_type:db_table { create drop getattr setat >>>>> ?allow sepgsql_admin_type sepgsql_table_type:db_column { create drop >>>>> getattr setattr relabelfrom relabelto }; >>>>> ?allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { >>>>> relabelfrom relabelto select update insert delete }; >>>>> >>>>> -type_transition sepgsql_admin_type sepgsql_database_type:db_table >>>>> sepgsql_table_t; ? ? ? ?# deprecated >>>>> ?type_transition sepgsql_admin_type sepgsql_schema_type:db_table >>>>> sepgsql_table_t; >>>>> >>>>> ?allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create >>>>> drop getattr setattr relabelfrom relabelto get_value next_value >>>>> set_value }; 
>>>>> @@ -527,7 +522,6 @@ type_transition sepgsql_admin_type >>>>> sepgsql_schema_type:db_view sepgsql_view_t; >>>>> ?allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create >>>>> drop getattr relabelfrom relabelto }; >>>>> ?allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute; >>>>> >>>>> -type_transition sepgsql_admin_type sepgsql_database_type:db_procedure >>>>> sepgsql_proc_exec_t; ? ?# deprecated >>>>> ?type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure >>>>> sepgsql_proc_exec_t; >>>>> >>>>> ?allow sepgsql_admin_type sepgsql_language_type:db_language { create >>>>> drop getattr setattr relabelfrom relabelto execute }; 
>>>>> @@ -566,14 +560,11 @@ tunable_policy(`sepgsql_unconfined_dbadm',` >>>>> ?# >>>>> >>>>> ?allow sepgsql_unconfined_type sepgsql_database_type:db_database *; >>>>> -type_transition sepgsql_unconfined_type >>>>> sepgsql_unconfined_type:db_database sepgsql_db_t; ? ? ? # deprecated >>>>> >>>>> ?allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *; >>>>> ?type_transition sepgsql_unconfined_type >>>>> sepgsql_database_type:db_schema sepgsql_schema_t; >>>>> ?type_transition sepgsql_unconfined_type >>>>> sepgsql_database_type:db_schema sepgsql_schema_t "pg_temp"; >>>>> >>>>> -type_transition sepgsql_unconfined_type >>>>> sepgsql_database_type:db_table sepgsql_table_t; ? ? ? ? # deprecated >>>>> -type_transition sepgsql_unconfined_type >>>>> sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated >>>>> ?type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table >>>>> sepgsql_table_t; >>>>> ?type_transition sepgsql_unconfined_type >>>>> sepgsql_schema_type:db_sequence sepgsql_seq_t; >>>>> ?type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view >>>>> sepgsql_view_t; > > -- > Chris PeBenito > Tresys Technology, LLC > www.tresys.com | oss.tresys.com -- KaiGai Kohei <kaigai@kaigai.gr.jp> -------------- next part -------------- A non-text attachment was scrubbed... Name: refpolicy-sepgsql-4of4-redefine-use-permission.20120511.patch Type: application/octet-stream Size: 12182 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20120511/e5aef2e1/attachment-0005.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: refpolicy-sepgsql-3of4-temp-database-objects.20120511.patch Type: application/octet-stream Size: 6131 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20120511/e5aef2e1/attachment-0006.obj -------------- next part -------------- A non-text attachment was scrubbed... 
Name: refpolicy-sepgsql-2of4-foreign-data-wrapper.20120511.patch
Type: application/octet-stream
Size: 1202 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20120511/e5aef2e1/attachment-0007.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy-sepgsql-1of4-connection-pooling-support.20120511.patch
Type: application/octet-stream
Size: 7029 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20120511/e5aef2e1/attachment-0008.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy-sepgsql-0of4-fixbug-mcs-mls.20120511.patch
Type: application/octet-stream
Size: 1553 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20120511/e5aef2e1/attachment-0009.obj
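Review bot: In the `@@ -431,23 +428,23 @@` hunk of postgresql.te, `use` is removed from the sepgsql_sysobj_t db_table and db_column rules but deliberately kept on the unchanged context line `allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };`, which after this series is the only place the redefined permission is granted to clients. Since the same token was labelled "# deprecated" in the access vectors until this patch, a short comment next to that line saying that `use` on a system-catalog tuple now means permission to use the database object the tuple describes would keep a later cleanup pass from dropping it as leftover deprecated policy.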
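Review bot: In the `@@ -513,7 +509,6 @@` hunk of postgresql.te, the context line `allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };` carries no `use`, so with this version of the patch sepgsql_admin_type can create, alter and relabel system objects but would fail the new `use` check on them, while sepgsql_client_type passes it. The follow-up in this thread acknowledges exactly this omission ("I forgot to allow sepgsql_admin_type to ... use system objects"); the refreshed patch should add `use` to that rule so the admin domain is not more restricted than a confined client on the object it just created.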
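Review bot: The final `@@ -566,14 +560,11 @@` hunk of postgresql.te is the one reported later in this thread as failing to apply ("the last hunk fails"), so its context lines, in particular the two `type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema ...` lines, need to be regenerated against the current tree before the series can be merged. The three removed lines themselves look correct: the deprecated `sepgsql_database_type:db_table` transition is superseded by the `type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table sepgsql_table_t;` context line that immediately follows, matching the same database-to-schema replacement done for every other domain in this patch.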
* Re: [4/4] sepgsql -redefinition of use permission onto system objects
  2012-05-11 13:17 ` [refpolicy] " Kohei KaiGai
@ 2012-05-18 18:20 ` Christopher J. PeBenito
  -1 siblings, 0 replies; 14+ messages in thread
From: Christopher J. PeBenito @ 2012-05-18 18:20 UTC (permalink / raw)
To: Kohei KaiGai; +Cc: refpolicy, SELinux-NSA

On 05/11/12 09:17, Kohei KaiGai wrote:
> 2012/5/10 Christopher J. PeBenito <cpebenito@tresys.com>:
>> On 05/04/12 13:24, Kohei KaiGai wrote:
>>> 2012/5/4 Christopher J. PeBenito <cpebenito@tresys.com>:
>>>> On 05/04/12 09:33, Kohei KaiGai wrote:
>>>>> Patch 3 of 4 also required 4 of 4 to be refreshed to apply correctly.
>>>>> In addition, I forgot to allow sepgsql_admin_type to "use" system
>>>>> objects.
>>>>>
>>>>> Please check the newer version. Thanks,
>>>>
>>>> Looks like the revised patch is missing.
>>>>
>>> Sorry, it is the attached one.
>>>
>>> Thanks,
>>
>> This one doesn't apply, the last hunk fails. I also had a problem with the 3rd patch, as the contrib hunk stopped it from applying too.
>>
> Sorry, I generated the series of patches based on the latest refpolicy and
> contrib tree.
>
> And, I added a "0of4" patch that fixes bugs in MLS/MCS that I noticed during
> regression test efforts. MCS rules are defined twice for the db_language class
> while db_schema was forgotten, and the "entrypoint" permission was not
> restricted in either the MCS or MLS policy.
>
> There are no updates on part-1 ~ part-4 except for patch rebasing.

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
Thread overview: 14+ messages
  2012-03-25 21:16 [4/4] sepgsql -redefinition of use permission onto system objects Kohei KaiGai
  2012-03-25 21:16 ` [refpolicy] " Kohei KaiGai
  2012-05-04 13:33 ` Kohei KaiGai
  2012-05-04 13:33 ` [refpolicy] " Kohei KaiGai
  2012-05-04 15:51 ` Christopher J. PeBenito
  2012-05-04 15:51 ` [refpolicy] " Christopher J. PeBenito
  2012-05-04 17:24 ` Kohei KaiGai
  2012-05-04 17:24 ` [refpolicy] " Kohei KaiGai
  2012-05-10 12:46 ` Christopher J. PeBenito
  2012-05-10 12:46 ` [refpolicy] " Christopher J. PeBenito
  2012-05-11 13:17 ` Kohei KaiGai
  2012-05-11 13:17 ` [refpolicy] " Kohei KaiGai
  2012-05-18 18:20 ` Christopher J. PeBenito
  2012-05-18 18:20 ` [refpolicy] " Christopher J. PeBenito