2011-01-24 02:44:48 +01:00
|
|
|
--
|
|
|
|
|
-- Regression Test for DML Permissions
|
|
|
|
|
--
|
|
|
|
|
|
|
|
|
|
--
|
|
|
|
|
-- Setup
|
|
|
|
|
--
|
|
|
|
|
CREATE TABLE t1 (a int, b text);
|
|
|
|
|
SECURITY LABEL ON TABLE t1 IS 'system_u:object_r:sepgsql_table_t:s0';
|
|
|
|
|
INSERT INTO t1 VALUES (1, 'aaa'), (2, 'bbb'), (3, 'ccc');
|
|
|
|
|
|
|
|
|
|
CREATE TABLE t2 (x int, y text);
|
|
|
|
|
SECURITY LABEL ON TABLE t2 IS 'system_u:object_r:sepgsql_ro_table_t:s0';
|
|
|
|
|
INSERT INTO t2 VALUES (1, 'xxx'), (2, 'yyy'), (3, 'zzz');
|
|
|
|
|
|
|
|
|
|
CREATE TABLE t3 (s int, t text);
|
|
|
|
|
SECURITY LABEL ON TABLE t3 IS 'system_u:object_r:sepgsql_fixed_table_t:s0';
|
|
|
|
|
INSERT INTO t3 VALUES (1, 'sss'), (2, 'ttt'), (3, 'uuu');
|
|
|
|
|
|
|
|
|
|
CREATE TABLE t4 (m int, n text);
|
|
|
|
|
SECURITY LABEL ON TABLE t4 IS 'system_u:object_r:sepgsql_secret_table_t:s0';
|
|
|
|
|
INSERT INTO t4 VALUES (1, 'mmm'), (2, 'nnn'), (3, 'ooo');
|
|
|
|
|
|
|
|
|
|
CREATE TABLE t5 (e text, f text, g text);
|
|
|
|
|
SECURITY LABEL ON TABLE t5 IS 'system_u:object_r:sepgsql_table_t:s0';
|
|
|
|
|
SECURITY LABEL ON COLUMN t5.e IS 'system_u:object_r:sepgsql_table_t:s0';
|
|
|
|
|
SECURITY LABEL ON COLUMN t5.f IS 'system_u:object_r:sepgsql_ro_table_t:s0';
|
|
|
|
|
SECURITY LABEL ON COLUMN t5.g IS 'system_u:object_r:sepgsql_secret_table_t:s0';
|
|
|
|
|
|
|
|
|
|
CREATE TABLE customer (cid int primary key, cname text, ccredit text);
|
|
|
|
|
SECURITY LABEL ON COLUMN customer.ccredit IS 'system_u:object_r:sepgsql_secret_table_t:s0';
|
|
|
|
|
INSERT INTO customer VALUES (1, 'Taro', '1111-2222-3333-4444'),
|
|
|
|
|
(2, 'Hanako', '5555-6666-7777-8888');
|
|
|
|
|
CREATE FUNCTION customer_credit(int) RETURNS text
|
|
|
|
|
AS 'SELECT regexp_replace(ccredit, ''-[0-9]+$'', ''-????'') FROM customer WHERE cid = $1'
|
|
|
|
|
LANGUAGE sql;
|
|
|
|
|
SECURITY LABEL ON FUNCTION customer_credit(int)
|
|
|
|
|
IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
|
|
|
|
|
|
|
|
|
|
SELECT objtype, objname, label FROM pg_seclabels
|
|
|
|
|
WHERE provider = 'selinux'
|
|
|
|
|
AND objtype in ('table', 'column')
|
2011-02-03 05:46:51 +01:00
|
|
|
AND objname in ('t1', 't2', 't3', 't4', 't5', 't5.e', 't5.f', 't5.g')
|
|
|
|
|
ORDER BY objname;
|
2011-01-24 02:44:48 +01:00
|
|
|
|
2013-04-05 14:51:31 +02:00
|
|
|
CREATE SCHEMA my_schema_1;
|
|
|
|
|
CREATE TABLE my_schema_1.ts1 (a int, b text);
|
|
|
|
|
CREATE SCHEMA my_schema_2;
|
|
|
|
|
CREATE TABLE my_schema_2.ts2 (x int, y text);
|
|
|
|
|
|
|
|
|
|
SECURITY LABEL ON SCHEMA my_schema_2
|
|
|
|
|
IS 'system_u:object_r:sepgsql_regtest_invisible_schema_t:s0';
|
|
|
|
|
|
2011-01-24 02:44:48 +01:00
|
|
|
-- Hardwired Rules
|
|
|
|
|
UPDATE pg_attribute SET attisdropped = true
|
|
|
|
|
WHERE attrelid = 't5'::regclass AND attname = 'f'; -- failed
|
|
|
|
|
|
|
|
|
|
--
|
|
|
|
|
-- Simple DML statements
|
|
|
|
|
--
|
|
|
|
|
-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0
|
|
|
|
|
|
|
|
|
|
SELECT * FROM t1; -- ok
|
|
|
|
|
SELECT * FROM t2; -- ok
|
|
|
|
|
SELECT * FROM t3; -- ok
|
|
|
|
|
SELECT * FROM t4; -- failed
|
|
|
|
|
SELECT * FROM t5; -- failed
|
|
|
|
|
SELECT e,f FROM t5; -- ok
|
|
|
|
|
|
|
|
|
|
SELECT * FROM customer; -- failed
|
|
|
|
|
SELECT cid, cname, customer_credit(cid) FROM customer; -- ok
|
|
|
|
|
|
|
|
|
|
SELECT count(*) FROM t5; -- ok
|
|
|
|
|
SELECT count(*) FROM t5 WHERE g IS NULL; -- failed
|
|
|
|
|
|
|
|
|
|
INSERT INTO t1 VALUES (4, 'abc'); -- ok
|
|
|
|
|
INSERT INTO t2 VALUES (4, 'xyz'); -- failed
|
|
|
|
|
INSERT INTO t3 VALUES (4, 'stu'); -- ok
|
|
|
|
|
INSERT INTO t4 VALUES (4, 'mno'); -- failed
|
|
|
|
|
INSERT INTO t5 VALUES (1,2,3); -- failed
|
|
|
|
|
INSERT INTO t5 (e,f) VALUES ('abc', 'def'); -- failed
|
|
|
|
|
INSERT INTO t5 (e) VALUES ('abc'); -- ok
|
|
|
|
|
|
|
|
|
|
UPDATE t1 SET b = b || '_upd'; -- ok
|
|
|
|
|
UPDATE t2 SET y = y || '_upd'; -- failed
|
|
|
|
|
UPDATE t3 SET t = t || '_upd'; -- failed
|
|
|
|
|
UPDATE t4 SET n = n || '_upd'; -- failed
|
|
|
|
|
UPDATE t5 SET e = 'xyz'; -- ok
|
|
|
|
|
UPDATE t5 SET e = f || '_upd'; -- ok
|
|
|
|
|
UPDATE t5 SET e = g || '_upd'; -- failed
|
|
|
|
|
|
|
|
|
|
DELETE FROM t1; -- ok
|
|
|
|
|
DELETE FROM t2; -- failed
|
|
|
|
|
DELETE FROM t3; -- failed
|
|
|
|
|
DELETE FROM t4; -- failed
|
|
|
|
|
DELETE FROM t5; -- ok
|
|
|
|
|
DELETE FROM t5 WHERE f IS NULL; -- ok
|
|
|
|
|
DELETE FROM t5 WHERE g IS NULL; -- failed
|
|
|
|
|
|
|
|
|
|
--
|
|
|
|
|
-- COPY TO/FROM statements
|
|
|
|
|
--
|
|
|
|
|
COPY t1 TO '/dev/null'; -- ok
|
|
|
|
|
COPY t2 TO '/dev/null'; -- ok
|
|
|
|
|
COPY t3 TO '/dev/null'; -- ok
|
|
|
|
|
COPY t4 TO '/dev/null'; -- failed
|
|
|
|
|
COPY t5 TO '/dev/null'; -- failed
|
|
|
|
|
COPY t5(e,f) TO '/dev/null'; -- ok
|
|
|
|
|
|
|
|
|
|
COPY t1 FROM '/dev/null'; -- ok
|
|
|
|
|
COPY t2 FROM '/dev/null'; -- failed
|
|
|
|
|
COPY t3 FROM '/dev/null'; -- ok
|
|
|
|
|
COPY t4 FROM '/dev/null'; -- failed
|
|
|
|
|
COPY t5 FROM '/dev/null'; -- failed
|
|
|
|
|
COPY t5 (e,f) FROM '/dev/null'; -- failed
|
|
|
|
|
COPY t5 (e) FROM '/dev/null'; -- ok
|
|
|
|
|
|
2013-04-05 14:51:31 +02:00
|
|
|
--
|
|
|
|
|
-- Schema search path
|
|
|
|
|
--
|
|
|
|
|
SET search_path = my_schema_1, my_schema_2, public;
|
|
|
|
|
SELECT * FROM ts1; -- ok
|
|
|
|
|
SELECT * FROM ts2; -- failed (relation not found)
|
|
|
|
|
SELECT * FROM my_schema_2.ts2; -- failed (policy violation)
|
|
|
|
|
|
2011-01-24 02:44:48 +01:00
|
|
|
--
|
|
|
|
|
-- Clean up
|
|
|
|
|
--
|
Fix sepgsql regression tests.
The regression tests for sepgsql were broken by changes in the
base distro as-shipped policies. Specifically, definition of
unconfined_t in the system default policy was changed to bypass
multi-category rules, which the regression test depended on.
Fix that by defining a custom privileged domain
(sepgsql_regtest_superuser_t) and using it instead of system's
unconfined_t domain. The new sepgsql_regtest_superuser_t domain
performs almost like the current unconfined_t, but restricted by
multi-category policy as the traditional unconfined_t was.
The custom policy module is a self defined domain, and so should not
be affected by related future system policy changes. However, it still
uses the unconfined_u:unconfined_r pair for selinux-user and role.
Those definitions have not been changed for several years and seem
less risky to rely on than the unconfined_t domain. Additionally, if
we define custom user/role, they would need to be manually defined
at the operating system level, adding more complexity to an already
non-standard and complex regression test.
Back-patch to 9.3. The regression tests will need more work before
working correctly on 9.2. Starting with 9.2, sepgsql has had dependencies
on libselinux versions that are only available on newer distros with
the changed set of policies (e.g. RHEL 7.x). On 9.1 sepgsql works
fine with the older distros with original policy set (e.g. RHEL 6.x),
and on which the existing regression tests work fine. We might want
eventually change 9.1 sepgsql regression tests to be more independent
from the underlying OS policies, however more work will be needed to
make that happen and it is not clear that it is worth the effort.
Kohei KaiGai with review by Adam Brightwell and me, commentary by
Stephen, Alvaro, Tom, Robert, and others.
2015-08-30 20:09:05 +02:00
|
|
|
-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255
|
2011-01-24 02:44:48 +01:00
|
|
|
DROP TABLE IF EXISTS t1 CASCADE;
|
|
|
|
|
DROP TABLE IF EXISTS t2 CASCADE;
|
|
|
|
|
DROP TABLE IF EXISTS t3 CASCADE;
|
|
|
|
|
DROP TABLE IF EXISTS t4 CASCADE;
|
|
|
|
|
DROP TABLE IF EXISTS t5 CASCADE;
|
|
|
|
|
DROP TABLE IF EXISTS customer CASCADE;
|
2013-04-05 14:51:31 +02:00
|
|
|
DROP SCHEMA IF EXISTS my_schema_1 CASCADE;
|
|
|
|
|
DROP SCHEMA IF EXISTS my_schema_2 CASCADE;
|
