postgresql/contrib/sepgsql/expected/dml.out

--
-- Regression Test for DML Permissions
--
--
-- Setup
--
CREATE TABLE t1 (a int, b text);
SECURITY LABEL ON TABLE t1 IS 'system_u:object_r:sepgsql_table_t:s0';
INSERT INTO t1 VALUES (1, 'aaa'), (2, 'bbb'), (3, 'ccc');
CREATE TABLE t2 (x int, y text);
SECURITY LABEL ON TABLE t2 IS 'system_u:object_r:sepgsql_ro_table_t:s0';
INSERT INTO t2 VALUES (1, 'xxx'), (2, 'yyy'), (3, 'zzz');
CREATE TABLE t3 (s int, t text);
SECURITY LABEL ON TABLE t3 IS 'system_u:object_r:sepgsql_fixed_table_t:s0';
INSERT INTO t3 VALUES (1, 'sss'), (2, 'ttt'), (3, 'uuu');
CREATE TABLE t4 (m int, n text);
SECURITY LABEL ON TABLE t4 IS 'system_u:object_r:sepgsql_secret_table_t:s0';
INSERT INTO t4 VALUES (1, 'mmm'), (2, 'nnn'), (3, 'ooo');
CREATE TABLE t5 (e text, f text, g text);
SECURITY LABEL ON TABLE t5 IS 'system_u:object_r:sepgsql_table_t:s0';
SECURITY LABEL ON COLUMN t5.e IS 'system_u:object_r:sepgsql_table_t:s0';
SECURITY LABEL ON COLUMN t5.f IS 'system_u:object_r:sepgsql_ro_table_t:s0';
SECURITY LABEL ON COLUMN t5.g IS 'system_u:object_r:sepgsql_secret_table_t:s0';
CREATE TABLE customer (cid int primary key, cname text, ccredit text);
SECURITY LABEL ON COLUMN customer.ccredit IS 'system_u:object_r:sepgsql_secret_table_t:s0';
INSERT INTO customer VALUES (1, 'Taro',   '1111-2222-3333-4444'),
                            (2, 'Hanako', '5555-6666-7777-8888');
CREATE FUNCTION customer_credit(int) RETURNS text
    AS 'SELECT regexp_replace(ccredit, ''-[0-9]+$'', ''-????'') FROM customer WHERE cid = $1'
    LANGUAGE sql;
SECURITY LABEL ON FUNCTION customer_credit(int)
    IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
SELECT objtype, objname, label FROM pg_seclabels
    WHERE provider = 'selinux'
     AND  objtype in ('table', 'column')
     AND  objname in ('t1', 't2', 't3', 't4', 't5', 't5.e', 't5.f', 't5.g')
ORDER BY objname;
 objtype | objname |                    label                    
---------+---------+---------------------------------------------
 table   | t1      | system_u:object_r:sepgsql_table_t:s0
 table   | t2      | system_u:object_r:sepgsql_ro_table_t:s0
 table   | t3      | system_u:object_r:sepgsql_fixed_table_t:s0
 table   | t4      | system_u:object_r:sepgsql_secret_table_t:s0
 table   | t5      | system_u:object_r:sepgsql_table_t:s0
 column  | t5.e    | system_u:object_r:sepgsql_table_t:s0
 column  | t5.f    | system_u:object_r:sepgsql_ro_table_t:s0
 column  | t5.g    | system_u:object_r:sepgsql_secret_table_t:s0
(8 rows)

CREATE SCHEMA my_schema_1;
CREATE TABLE my_schema_1.ts1 (a int, b text);
CREATE SCHEMA my_schema_2;
CREATE TABLE my_schema_2.ts2 (x int, y text);
SECURITY LABEL ON SCHEMA my_schema_2
    IS 'system_u:object_r:sepgsql_regtest_invisible_schema_t:s0';
-- Hardwired Rules
UPDATE pg_attribute SET attisdropped = true
    WHERE attrelid = 't5'::regclass AND attname = 'f';	-- failed
ERROR:  SELinux: hardwired security policy violation
--
-- Simple DML statements
--
SELECT sepgsql_getcon();	-- confirm client privilege
                   sepgsql_getcon                    
-----------------------------------------------------
 unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0
(1 row)

SELECT * FROM t1;			-- ok
 a |  b  
---+-----
 1 | aaa
 2 | bbb
 3 | ccc
(3 rows)

SELECT * FROM t2;			-- ok
 x |  y  
---+-----
 1 | xxx
 2 | yyy
 3 | zzz
(3 rows)

SELECT * FROM t3;			-- ok
 s |  t  
---+-----
 1 | sss
 2 | ttt
 3 | uuu
(3 rows)

SELECT * FROM t4;			-- failed
ERROR:  SELinux: security policy violation
SELECT * FROM t5;			-- failed
ERROR:  SELinux: security policy violation
SELECT e,f FROM t5;			-- ok
 e | f 
---+---
(0 rows)

SELECT * FROM customer;			-- failed
ERROR:  SELinux: security policy violation
SELECT cid, cname, customer_credit(cid) FROM customer;	-- ok
 cid | cname  |   customer_credit   
-----+--------+---------------------
   1 | Taro   | 1111-2222-3333-????
   2 | Hanako | 5555-6666-7777-????
(2 rows)

SELECT count(*) FROM t5;			-- ok
 count 
-------
     0
(1 row)

SELECT count(*) FROM t5 WHERE g IS NULL;	-- failed
ERROR:  SELinux: security policy violation
INSERT INTO t1 VALUES (4, 'abc');		-- ok
INSERT INTO t2 VALUES (4, 'xyz');		-- failed
ERROR:  SELinux: security policy violation
INSERT INTO t3 VALUES (4, 'stu');		-- ok
INSERT INTO t4 VALUES (4, 'mno');		-- failed
ERROR:  SELinux: security policy violation
INSERT INTO t5 VALUES (1,2,3);			-- failed
ERROR:  SELinux: security policy violation
INSERT INTO t5 (e,f) VALUES ('abc', 'def');	-- failed
ERROR:  SELinux: security policy violation
INSERT INTO t5 (e) VALUES ('abc');		-- ok
UPDATE t1 SET b = b || '_upd';			-- ok
UPDATE t2 SET y = y || '_upd';			-- failed
ERROR:  SELinux: security policy violation
UPDATE t3 SET t = t || '_upd';			-- failed
ERROR:  SELinux: security policy violation
UPDATE t4 SET n = n || '_upd';			-- failed
ERROR:  SELinux: security policy violation
UPDATE t5 SET e = 'xyz';			-- ok
UPDATE t5 SET e = f || '_upd';			-- ok
UPDATE t5 SET e = g || '_upd';			-- failed
ERROR:  SELinux: security policy violation
DELETE FROM t1;					-- ok
DELETE FROM t2;					-- failed
ERROR:  SELinux: security policy violation
DELETE FROM t3;					-- failed
ERROR:  SELinux: security policy violation
DELETE FROM t4;					-- failed
ERROR:  SELinux: security policy violation
DELETE FROM t5;					-- ok
DELETE FROM t5 WHERE f IS NULL;			-- ok
DELETE FROM t5 WHERE g IS NULL;			-- failed
ERROR:  SELinux: security policy violation
--
-- COPY TO/FROM statements
--
COPY t1 TO '/dev/null';				-- ok
COPY t2 TO '/dev/null';				-- ok
COPY t3 TO '/dev/null';				-- ok
COPY t4 TO '/dev/null';				-- failed
ERROR:  SELinux: security policy violation
COPY t5 TO '/dev/null';				-- failed
ERROR:  SELinux: security policy violation
COPY t5(e,f) TO '/dev/null';			-- ok
COPY t1 FROM '/dev/null';			-- ok
COPY t2 FROM '/dev/null';			-- failed
ERROR:  SELinux: security policy violation
COPY t3 FROM '/dev/null';			-- ok
COPY t4 FROM '/dev/null';			-- failed
ERROR:  SELinux: security policy violation
COPY t5 FROM '/dev/null';			-- failed
ERROR:  SELinux: security policy violation
COPY t5 (e,f) FROM '/dev/null';			-- failed
ERROR:  SELinux: security policy violation
COPY t5 (e) FROM '/dev/null';			-- ok
--
-- Schema search path
--
SET search_path = my_schema_1, my_schema_2, public;
SELECT * FROM ts1;		-- ok
 a | b 
---+---
(0 rows)

SELECT * FROM ts2;		-- failed (relation not found)
ERROR:  relation "ts2" does not exist
LINE 1: SELECT * FROM ts2;
                      ^
SELECT * FROM my_schema_2.ts2;	-- failed (policy violation)
ERROR:  SELinux: security policy violation
LINE 1: SELECT * FROM my_schema_2.ts2;
                      ^
--
-- Clean up
--
SELECT sepgsql_getcon();	-- confirm client privilege
                    sepgsql_getcon                    
------------------------------------------------------
 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
(1 row)

DROP TABLE IF EXISTS t1 CASCADE;
DROP TABLE IF EXISTS t2 CASCADE;
DROP TABLE IF EXISTS t3 CASCADE;
DROP TABLE IF EXISTS t4 CASCADE;
DROP TABLE IF EXISTS t5 CASCADE;
DROP TABLE IF EXISTS customer CASCADE;
DROP SCHEMA IF EXISTS my_schema_1 CASCADE;
NOTICE:  drop cascades to table my_schema_1.ts1
DROP SCHEMA IF EXISTS my_schema_2 CASCADE;
NOTICE:  drop cascades to table my_schema_2.ts2