mirror of
https://git.postgresql.org/git/postgresql.git
synced 2024-12-27 08:39:28 +08:00
523176cbf1
This is intended as infrastructure to allow sepgsql to cooperate with connection pooling software, by allowing the effective security label to be set for each new connection. KaiGai Kohei, reviewed by Yeb Havinga.
179 lines
6.6 KiB
Plaintext
179 lines
6.6 KiB
Plaintext
policy_module(sepgsql-regtest, 1.04)
|
|
|
|
gen_require(`
|
|
all_userspace_class_perms
|
|
')
|
|
|
|
## <desc>
|
|
## <p>
|
|
## Allow to launch regression test of SE-PostgreSQL
|
|
## Don't switch to TRUE in normal cases
|
|
## </p>
|
|
## </desc>
|
|
gen_tunable(sepgsql_regression_test_mode, false)
|
|
|
|
#
|
|
# Type definitions for regression test
|
|
#
|
|
type sepgsql_regtest_trusted_proc_exec_t;
|
|
postgresql_procedure_object(sepgsql_regtest_trusted_proc_exec_t)
|
|
type sepgsql_nosuch_trusted_proc_exec_t;
|
|
postgresql_procedure_object(sepgsql_nosuch_trusted_proc_exec_t)
|
|
|
|
#
|
|
# Test domains for database administrators
|
|
#
|
|
role sepgsql_regtest_dba_r;
|
|
userdom_base_user_template(sepgsql_regtest_dba)
|
|
userdom_manage_home_role(sepgsql_regtest_dba_r, sepgsql_regtest_dba_t)
|
|
userdom_exec_user_home_content_files(sepgsql_regtest_dba_t)
|
|
userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
|
|
optional_policy(`
|
|
postgresql_admin(sepgsql_regtest_dba_t, sepgsql_regtest_dba_r)
|
|
postgresql_stream_connect(sepgsql_regtest_dba_t)
|
|
')
|
|
optional_policy(`
|
|
unconfined_stream_connect(sepgsql_regtest_dba_t)
|
|
unconfined_rw_pipes(sepgsql_regtest_dba_t)
|
|
')
|
|
|
|
# Type transition rules
|
|
allow sepgsql_regtest_dba_t self : process { setcurrent };
|
|
allow sepgsql_regtest_dba_t sepgsql_regtest_user_t : process { dyntransition };
|
|
allow sepgsql_regtest_dba_t sepgsql_regtest_foo_t : process { dyntransition };
|
|
allow sepgsql_regtest_dba_t sepgsql_regtest_var_t : process { dyntransition };
|
|
|
|
#
|
|
# Dummy domain for unpriv users
|
|
#
|
|
role sepgsql_regtest_user_r;
|
|
userdom_base_user_template(sepgsql_regtest_user)
|
|
userdom_manage_home_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
|
|
userdom_exec_user_home_content_files(sepgsql_regtest_user_t)
|
|
userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
|
|
optional_policy(`
|
|
postgresql_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
|
|
postgresql_stream_connect(sepgsql_regtest_user_t)
|
|
')
|
|
optional_policy(`
|
|
unconfined_stream_connect(sepgsql_regtest_user_t)
|
|
unconfined_rw_pipes(sepgsql_regtest_user_t)
|
|
')
|
|
# Type transition rules
|
|
allow sepgsql_regtest_user_t sepgsql_regtest_dba_t : process { transition };
|
|
type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
|
|
type_transition sepgsql_regtest_user_t sepgsql_nosuch_trusted_proc_exec_t:process sepgsql_regtest_nosuch_t;
|
|
|
|
#
|
|
# Dummy domain for (virtual) connection pooler software
|
|
#
|
|
# XXX - this test scenario assumes sepgsql_regtest_pool_t domain performs
|
|
# as a typical connection pool server; that switches the client label of
|
|
# this session prior to any user queries. The sepgsql_regtest_(foo|var)_t
|
|
# is allowed to access its own table types, but not allowed to reference
|
|
# other's one.
|
|
#
|
|
role sepgsql_regtest_pool_r;
|
|
userdom_base_user_template(sepgsql_regtest_pool)
|
|
userdom_manage_home_role(sepgsql_regtest_pool_r, sepgsql_regtest_pool_t)
|
|
userdom_exec_user_home_content_files(sepgsql_regtest_pool_t)
|
|
userdom_write_user_tmp_sockets(sepgsql_regtest_pool_t)
|
|
|
|
type sepgsql_regtest_foo_t;
|
|
type sepgsql_regtest_var_t;
|
|
type sepgsql_regtest_foo_table_t;
|
|
type sepgsql_regtest_var_table_t;
|
|
|
|
allow sepgsql_regtest_foo_t sepgsql_regtest_foo_table_t:db_table { getattr select update insert delete lock };
|
|
allow sepgsql_regtest_foo_t sepgsql_regtest_foo_table_t:db_column { getattr select update insert };
|
|
allow sepgsql_regtest_foo_t sepgsql_regtest_foo_table_t:db_tuple { select update insert delete };
|
|
|
|
allow sepgsql_regtest_var_t sepgsql_regtest_var_table_t:db_table { getattr select update insert delete lock };
|
|
allow sepgsql_regtest_var_t sepgsql_regtest_var_table_t:db_column { getattr select update insert };
|
|
allow sepgsql_regtest_var_t sepgsql_regtest_var_table_t:db_tuple { select update insert delete };
|
|
|
|
optional_policy(`
|
|
gen_require(`
|
|
role unconfined_r;
|
|
')
|
|
postgresql_role(unconfined_r, sepgsql_regtest_foo_t)
|
|
postgresql_role(unconfined_r, sepgsql_regtest_var_t)
|
|
postgresql_table_object(sepgsql_regtest_foo_table_t)
|
|
postgresql_table_object(sepgsql_regtest_var_table_t)
|
|
')
|
|
optional_policy(`
|
|
postgresql_stream_connect(sepgsql_regtest_pool_t)
|
|
postgresql_role(sepgsql_regtest_pool_r, sepgsql_regtest_pool_t)
|
|
')
|
|
optional_policy(`
|
|
unconfined_stream_connect(sepgsql_regtest_pool_t)
|
|
unconfined_rw_pipes(sepgsql_regtest_pool_t)
|
|
')
|
|
# type transitions
|
|
allow sepgsql_regtest_pool_t self:process { setcurrent };
|
|
allow sepgsql_regtest_pool_t sepgsql_regtest_dba_t:process { transition };
|
|
type_transition sepgsql_regtest_pool_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
|
|
|
|
allow { sepgsql_regtest_foo_t sepgsql_regtest_var_t } self:process { setcurrent };
|
|
allow { sepgsql_regtest_foo_t sepgsql_regtest_var_t } sepgsql_regtest_pool_t:process { dyntransition };
|
|
|
|
#
|
|
# Dummy domain for non-exist users
|
|
#
|
|
role sepgsql_regtest_nosuch_r;
|
|
userdom_base_user_template(sepgsql_regtest_nosuch)
|
|
optional_policy(`
|
|
postgresql_role(sepgsql_regtest_nosuch_r, sepgsql_regtest_nosuch_t)
|
|
')
|
|
|
|
#
|
|
# Rules to launch psql in the dummy domains
|
|
#
|
|
optional_policy(`
|
|
gen_require(`
|
|
role unconfined_r;
|
|
type unconfined_t;
|
|
type sepgsql_trusted_proc_t;
|
|
')
|
|
tunable_policy(`sepgsql_regression_test_mode',`
|
|
allow unconfined_t self : process { setcurrent dyntransition };
|
|
allow unconfined_t sepgsql_regtest_dba_t : process { transition dyntransition };
|
|
allow unconfined_t sepgsql_regtest_user_t : process { transition dyntransition };
|
|
allow unconfined_t sepgsql_regtest_pool_t : process { transition dyntransition };
|
|
')
|
|
role unconfined_r types sepgsql_regtest_dba_t;
|
|
role unconfined_r types sepgsql_regtest_user_t;
|
|
role unconfined_r types sepgsql_regtest_nosuch_t;
|
|
role unconfined_r types sepgsql_trusted_proc_t;
|
|
|
|
role unconfined_r types sepgsql_regtest_pool_t;
|
|
role unconfined_r types sepgsql_regtest_foo_t;
|
|
role unconfined_r types sepgsql_regtest_var_t;
|
|
')
|
|
|
|
#
|
|
# Rule to execute original trusted procedures
|
|
#
|
|
# XXX - sepgsql_client_type contains any valid client types, so we allow
|
|
# them to execute the original trusted procedure at once.
|
|
#
|
|
optional_policy(`
|
|
gen_require(`
|
|
attribute sepgsql_client_type;
|
|
')
|
|
allow sepgsql_client_type { sepgsql_regtest_trusted_proc_exec_t sepgsql_nosuch_trusted_proc_exec_t }:db_procedure { getattr execute };
|
|
|
|
# These rules intends sepgsql_regtest_user_t domain to translate
|
|
# sepgsql_regtest_dba_t on execution of procedures labeled as
|
|
# sepgsql_regtest_trusted_proc_exec_t.
|
|
#
|
|
# allow sepgsql_client_type sepgsql_regtest_trusted_proc_exec_t:db_procedure { getattr execute };
|
|
|
|
# These rules intends sepgsql_regtest_user_t domain to translate
|
|
# sepgsql_regtest_nosuch_t on execution of procedures labeled as
|
|
# sepgsql_nosuch_trusted_proc_exec_t, without permissions to
|
|
# translate to sepgsql_nosuch_trusted_proc_exec_t.
|
|
#
|
|
# allow sepgsql_client_type sepgsql_nosuch_trusted_proc_exec_t:db_procedure { getattr execute install };
|
|
')
|