postgresql/contrib/sepgsql/sepgsql-regtest.te

88 lines
2.5 KiB
Plaintext
Raw Normal View History

policy_module(sepgsql-regtest, 1.03)
gen_require(`
all_userspace_class_perms
')
## <desc>
## <p>
## Allow to launch regression test of SE-PostgreSQL
## Don't switch to TRUE in normal cases
## </p>
## </desc>
gen_tunable(sepgsql_regression_test_mode, false)
#
# Type definitions for regression test
#
type sepgsql_regtest_trusted_proc_exec_t;
postgresql_procedure_object(sepgsql_regtest_trusted_proc_exec_t)
#
# Test domains for database administrators
#
role sepgsql_regtest_dba_r;
userdom_base_user_template(sepgsql_regtest_dba)
userdom_manage_home_role(sepgsql_regtest_dba_r, sepgsql_regtest_dba_t)
userdom_exec_user_home_content_files(sepgsql_regtest_dba_t)
userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
optional_policy(`
postgresql_admin(sepgsql_regtest_dba_t, sepgsql_regtest_dba_r)
postgresql_stream_connect(sepgsql_regtest_dba_t)
')
optional_policy(`
unconfined_stream_connect(sepgsql_regtest_dba_t)
unconfined_rw_pipes(sepgsql_regtest_dba_t)
')
#
# Dummy domain for unpriv users
#
role sepgsql_regtest_user_r;
userdom_base_user_template(sepgsql_regtest_user)
userdom_manage_home_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
userdom_exec_user_home_content_files(sepgsql_regtest_user_t)
userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
optional_policy(`
postgresql_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
postgresql_stream_connect(sepgsql_regtest_user_t)
')
optional_policy(`
unconfined_stream_connect(sepgsql_regtest_user_t)
unconfined_rw_pipes(sepgsql_regtest_user_t)
')
#
# Rules to launch psql in the dummy domains
#
optional_policy(`
gen_require(`
role unconfined_r;
type unconfined_t;
type sepgsql_trusted_proc_t;
')
tunable_policy(`sepgsql_regression_test_mode',`
allow unconfined_t sepgsql_regtest_dba_t : process { transition };
allow unconfined_t sepgsql_regtest_user_t : process { transition };
')
role unconfined_r types sepgsql_regtest_dba_t;
role unconfined_r types sepgsql_regtest_user_t;
role unconfined_r types sepgsql_trusted_proc_t;
')
#
# Rule to check
#
optional_policy(`
# These rules intends sepgsql_regtest_user_t domain to translate
# sepgsql_regtest_dba_t on execution of procedures labeled as
# sepgsql_regtest_trusted_proc_exec_t, but does not allow transition
# permission from sepgsql_regtest_user_t to sepgsql_regtest_dba_t.
#
gen_require(`
attribute sepgsql_client_type;
')
allow sepgsql_client_type sepgsql_regtest_trusted_proc_exec_t:db_procedure { getattr execute install };
type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
')