postgresql/contrib/sepgsql/sepgsql-regtest.te
Robert Haas f8a54e936b sepgsql: Enforce db_procedure:{execute} permission.
To do this, we add an additional object access hook type,
OAT_FUNCTION_EXECUTE.

KaiGai Kohei
2013-04-12 08:58:01 -04:00

186 lines
7.0 KiB
Plaintext

policy_module(sepgsql-regtest, 1.07)
gen_require(`
all_userspace_class_perms
')
## <desc>
## <p>
## Allow to launch regression test of SE-PostgreSQL
## Don't switch to TRUE in normal cases
## </p>
## </desc>
gen_tunable(sepgsql_regression_test_mode, false)
#
# Type definitions for regression test
#
type sepgsql_regtest_trusted_proc_exec_t;
postgresql_procedure_object(sepgsql_regtest_trusted_proc_exec_t)
type sepgsql_nosuch_trusted_proc_exec_t;
postgresql_procedure_object(sepgsql_nosuch_trusted_proc_exec_t)
type sepgsql_regtest_invisible_schema_t;
postgresql_schema_object(sepgsql_regtest_invisible_schema_t);
#
# Test domains for database administrators
#
role sepgsql_regtest_dba_r;
userdom_base_user_template(sepgsql_regtest_dba)
userdom_manage_home_role(sepgsql_regtest_dba_r, sepgsql_regtest_dba_t)
userdom_exec_user_home_content_files(sepgsql_regtest_dba_t)
userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
optional_policy(`
postgresql_admin(sepgsql_regtest_dba_t, sepgsql_regtest_dba_r)
postgresql_stream_connect(sepgsql_regtest_dba_t)
')
optional_policy(`
unconfined_stream_connect(sepgsql_regtest_dba_t)
unconfined_rw_pipes(sepgsql_regtest_dba_t)
')
# Type transition rules
allow sepgsql_regtest_dba_t self : process { setcurrent };
allow sepgsql_regtest_dba_t sepgsql_regtest_user_t : process { dyntransition };
allow sepgsql_regtest_dba_t sepgsql_regtest_foo_t : process { dyntransition };
allow sepgsql_regtest_dba_t sepgsql_regtest_var_t : process { dyntransition };
# special rule for system columns
optional_policy(`
gen_require(`
attribute sepgsql_table_type;
type sepgsql_sysobj_t;
')
type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "ctid";
type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "oid";
type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "xmin";
type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "xmax";
type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "cmin";
type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "cmax";
type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "tableoid";
')
#
# Dummy domain for unpriv users
#
role sepgsql_regtest_user_r;
userdom_base_user_template(sepgsql_regtest_user)
userdom_manage_home_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
userdom_exec_user_home_content_files(sepgsql_regtest_user_t)
userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
optional_policy(`
postgresql_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
postgresql_stream_connect(sepgsql_regtest_user_t)
')
optional_policy(`
unconfined_stream_connect(sepgsql_regtest_user_t)
unconfined_rw_pipes(sepgsql_regtest_user_t)
')
# Type transition rules
allow sepgsql_regtest_user_t sepgsql_regtest_dba_t : process { transition };
type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
type_transition sepgsql_regtest_user_t sepgsql_nosuch_trusted_proc_exec_t:process sepgsql_regtest_nosuch_t;
#
# Dummy domain for (virtual) connection pooler software
#
# XXX - this test scenario assumes sepgsql_regtest_pool_t domain performs
# as a typical connection pool server; that switches the client label of
# this session prior to any user queries. The sepgsql_regtest_(foo|var)_t
# is allowed to access its own table types, but not allowed to reference
# other's one.
#
role sepgsql_regtest_pool_r;
userdom_base_user_template(sepgsql_regtest_pool)
userdom_manage_home_role(sepgsql_regtest_pool_r, sepgsql_regtest_pool_t)
userdom_exec_user_home_content_files(sepgsql_regtest_pool_t)
userdom_write_user_tmp_sockets(sepgsql_regtest_pool_t)
type sepgsql_regtest_foo_t;
type sepgsql_regtest_var_t;
type sepgsql_regtest_foo_table_t;
type sepgsql_regtest_var_table_t;
allow sepgsql_regtest_foo_t sepgsql_regtest_foo_table_t:db_table { getattr select update insert delete lock };
allow sepgsql_regtest_foo_t sepgsql_regtest_foo_table_t:db_column { getattr select update insert };
allow sepgsql_regtest_foo_t sepgsql_regtest_foo_table_t:db_tuple { select update insert delete };
allow sepgsql_regtest_var_t sepgsql_regtest_var_table_t:db_table { getattr select update insert delete lock };
allow sepgsql_regtest_var_t sepgsql_regtest_var_table_t:db_column { getattr select update insert };
allow sepgsql_regtest_var_t sepgsql_regtest_var_table_t:db_tuple { select update insert delete };
optional_policy(`
gen_require(`
role unconfined_r;
')
postgresql_role(unconfined_r, sepgsql_regtest_foo_t)
postgresql_role(unconfined_r, sepgsql_regtest_var_t)
postgresql_table_object(sepgsql_regtest_foo_table_t)
postgresql_table_object(sepgsql_regtest_var_table_t)
')
optional_policy(`
postgresql_stream_connect(sepgsql_regtest_pool_t)
postgresql_role(sepgsql_regtest_pool_r, sepgsql_regtest_pool_t)
')
optional_policy(`
unconfined_stream_connect(sepgsql_regtest_pool_t)
unconfined_rw_pipes(sepgsql_regtest_pool_t)
')
# type transitions
allow sepgsql_regtest_pool_t self:process { setcurrent };
allow sepgsql_regtest_pool_t sepgsql_regtest_dba_t:process { transition };
type_transition sepgsql_regtest_pool_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
allow { sepgsql_regtest_foo_t sepgsql_regtest_var_t } self:process { setcurrent };
allow { sepgsql_regtest_foo_t sepgsql_regtest_var_t } sepgsql_regtest_pool_t:process { dyntransition };
#
# Dummy domain for non-exist users
#
role sepgsql_regtest_nosuch_r;
userdom_base_user_template(sepgsql_regtest_nosuch)
optional_policy(`
postgresql_role(sepgsql_regtest_nosuch_r, sepgsql_regtest_nosuch_t)
')
#
# Rules to launch psql in the dummy domains
#
optional_policy(`
gen_require(`
role unconfined_r;
type unconfined_t;
type sepgsql_trusted_proc_t;
')
tunable_policy(`sepgsql_regression_test_mode',`
allow unconfined_t self : process { setcurrent dyntransition };
allow unconfined_t sepgsql_regtest_dba_t : process { transition dyntransition };
allow unconfined_t sepgsql_regtest_user_t : process { transition dyntransition };
allow unconfined_t sepgsql_regtest_pool_t : process { transition dyntransition };
')
role unconfined_r types sepgsql_regtest_dba_t;
role unconfined_r types sepgsql_regtest_user_t;
role unconfined_r types sepgsql_regtest_nosuch_t;
role unconfined_r types sepgsql_trusted_proc_t;
role unconfined_r types sepgsql_regtest_pool_t;
role unconfined_r types sepgsql_regtest_foo_t;
role unconfined_r types sepgsql_regtest_var_t;
')
#
# Rule to execute original trusted procedures
#
# These rules intends to allow any valid client types to launch trusted-
# procedures (including ones causes domain transition to invalid domain)
# being labeled as sepgsql_regtest_trusted_proc_exec_t and
# sepgsql_nosuch_trusted_proc_exec_t.
#
optional_policy(`
gen_require(`
attribute sepgsql_client_type;
')
allow sepgsql_client_type { sepgsql_regtest_trusted_proc_exec_t sepgsql_nosuch_trusted_proc_exec_t }:db_procedure { getattr execute entrypoint };
')