policy_module(sepgsql-regtest, 1.02) gen_require(` all_userspace_class_perms ') ## ##

## Allow to launch regression test of SE-PostgreSQL ## Don't switch to TRUE in normal cases ##

##
gen_tunable(sepgsql_regression_test_mode, false) # # Type definitions for regression test # type sepgsql_regtest_trusted_proc_exec_t; postgresql_procedure_object(sepgsql_regtest_trusted_proc_exec_t) # # Test domains for database administrators # role sepgsql_regtest_dba_r; userdom_base_user_template(sepgsql_regtest_dba) userdom_manage_home_role(sepgsql_regtest_dba_r, sepgsql_regtest_dba_t) userdom_write_user_tmp_sockets(sepgsql_regtest_user_t) optional_policy(` postgresql_admin(sepgsql_regtest_dba_t, sepgsql_regtest_dba_r) postgresql_stream_connect(sepgsql_regtest_dba_t) ') optional_policy(` unconfined_stream_connect(sepgsql_regtest_dba_t) unconfined_rw_pipes(sepgsql_regtest_dba_t) ') # # Dummy domain for unpriv users # role sepgsql_regtest_user_r; userdom_base_user_template(sepgsql_regtest_user) userdom_manage_home_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t) userdom_write_user_tmp_sockets(sepgsql_regtest_user_t) optional_policy(` postgresql_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t) postgresql_stream_connect(sepgsql_regtest_user_t) ') optional_policy(` unconfined_stream_connect(sepgsql_regtest_user_t) unconfined_rw_pipes(sepgsql_regtest_user_t) ') # # Rules to launch psql in the dummy domains # optional_policy(` gen_require(` role unconfined_r; type unconfined_t; type sepgsql_trusted_proc_t; ') tunable_policy(`sepgsql_regression_test_mode',` allow unconfined_t sepgsql_regtest_dba_t : process { transition }; allow unconfined_t sepgsql_regtest_user_t : process { transition }; ') role unconfined_r types sepgsql_regtest_dba_t; role unconfined_r types sepgsql_regtest_user_t; role unconfined_r types sepgsql_trusted_proc_t; ') # # Rule to check # optional_policy(` # These rules intends sepgsql_regtest_user_t domain to translate # sepgsql_regtest_dba_t on execution of procedures labeled as # sepgsql_regtest_trusted_proc_exec_t, but does not allow transition # permission from sepgsql_regtest_user_t to sepgsql_regtest_dba_t. # gen_require(` attribute sepgsql_client_type; ') allow sepgsql_client_type sepgsql_regtest_trusted_proc_exec_t:db_procedure { getattr execute install }; type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t; ')