2005-06-01 15:40:37 +00:00
|
|
|
# FLASK
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# Define the security object classes
|
|
|
|
|
#
|
|
|
|
|
|
2005-08-22 14:13:19 +00:00
|
|
|
# Classes marked as userspace are classes
|
|
|
|
|
# for userspace object managers
|
|
|
|
|
|
2005-06-01 15:40:37 +00:00
|
|
|
class security
|
|
|
|
|
class process
|
|
|
|
|
class system
|
|
|
|
|
class capability
|
|
|
|
|
|
|
|
|
|
# file-related classes
|
|
|
|
|
class filesystem
|
|
|
|
|
class file
|
|
|
|
|
class dir
|
|
|
|
|
class fd
|
|
|
|
|
class lnk_file
|
|
|
|
|
class chr_file
|
|
|
|
|
class blk_file
|
|
|
|
|
class sock_file
|
|
|
|
|
class fifo_file
|
|
|
|
|
|
|
|
|
|
# network-related classes
|
|
|
|
|
class socket
|
|
|
|
|
class tcp_socket
|
|
|
|
|
class udp_socket
|
|
|
|
|
class rawip_socket
|
|
|
|
|
class node
|
|
|
|
|
class netif
|
|
|
|
|
class netlink_socket
|
|
|
|
|
class packet_socket
|
|
|
|
|
class key_socket
|
|
|
|
|
class unix_stream_socket
|
|
|
|
|
class unix_dgram_socket
|
|
|
|
|
|
|
|
|
|
# sysv-ipc-related classes
|
|
|
|
|
class sem
|
|
|
|
|
class msg
|
|
|
|
|
class msgq
|
|
|
|
|
class shm
|
|
|
|
|
class ipc
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
|
# userspace object manager classes
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
# passwd/chfn/chsh
|
2005-08-22 14:13:19 +00:00
|
|
|
class passwd # userspace
|
2005-06-01 15:40:37 +00:00
|
|
|
|
2008-04-01 20:23:23 +00:00
|
|
|
# SE-X Windows stuff (more classes below)
|
|
|
|
|
class x_drawable # userspace
|
|
|
|
|
class x_screen # userspace
|
|
|
|
|
class x_gc # userspace
|
|
|
|
|
class x_font # userspace
|
|
|
|
|
class x_colormap # userspace
|
|
|
|
|
class x_property # userspace
|
|
|
|
|
class x_selection # userspace
|
|
|
|
|
class x_cursor # userspace
|
|
|
|
|
class x_client # userspace
|
|
|
|
|
class x_device # userspace
|
|
|
|
|
class x_server # userspace
|
|
|
|
|
class x_extension # userspace
|
2005-06-01 15:40:37 +00:00
|
|
|
|
|
|
|
|
# extended netlink sockets
|
|
|
|
|
class netlink_route_socket
|
|
|
|
|
class netlink_firewall_socket
|
|
|
|
|
class netlink_tcpdiag_socket
|
|
|
|
|
class netlink_nflog_socket
|
|
|
|
|
class netlink_xfrm_socket
|
|
|
|
|
class netlink_selinux_socket
|
|
|
|
|
class netlink_audit_socket
|
|
|
|
|
class netlink_ip6fw_socket
|
|
|
|
|
class netlink_dnrt_socket
|
|
|
|
|
|
2005-08-22 14:13:19 +00:00
|
|
|
class dbus # userspace
|
|
|
|
|
class nscd # userspace
|
2005-06-01 15:40:37 +00:00
|
|
|
|
|
|
|
|
# IPSec association
|
|
|
|
|
class association
|
|
|
|
|
|
|
|
|
|
# Updated Netlink class for KOBJECT_UEVENT family.
|
|
|
|
|
class netlink_kobject_uevent_socket
|
|
|
|
|
|
2006-05-04 20:40:49 +00:00
|
|
|
class appletalk_socket
|
|
|
|
|
|
2006-05-19 17:45:46 +00:00
|
|
|
class packet
|
|
|
|
|
|
2006-06-21 21:02:49 +00:00
|
|
|
# Kernel access key retention
|
|
|
|
|
class key
|
|
|
|
|
|
2006-10-20 14:44:23 +00:00
|
|
|
class context # userspace
|
|
|
|
|
|
2007-02-26 15:39:59 +00:00
|
|
|
class dccp_socket
|
|
|
|
|
|
2007-06-19 13:02:26 +00:00
|
|
|
class memprotect
|
|
|
|
|
|
2007-08-09 13:15:07 +00:00
|
|
|
class db_database # userspace
|
|
|
|
|
class db_table # userspace
|
|
|
|
|
class db_procedure # userspace
|
|
|
|
|
class db_column # userspace
|
|
|
|
|
class db_tuple # userspace
|
|
|
|
|
class db_blob # userspace
|
2014-06-24 10:34:10 +00:00
|
|
|
class db_exception # userspace
|
2014-06-25 12:24:33 +00:00
|
|
|
class db_datatype # userspace
|
2007-08-09 13:15:07 +00:00
|
|
|
|
2008-01-03 16:20:01 +00:00
|
|
|
# network peer labels
|
|
|
|
|
class peer
|
|
|
|
|
|
2008-02-07 17:51:59 +00:00
|
|
|
# Capabilities >= 32
|
|
|
|
|
class capability2
|
|
|
|
|
|
2008-04-01 20:23:23 +00:00
|
|
|
# More SE-X Windows stuff
|
|
|
|
|
class x_resource # userspace
|
|
|
|
|
class x_event # userspace
|
|
|
|
|
class x_synthetic_event # userspace
|
2008-05-06 14:37:05 +00:00
|
|
|
class x_application_data # userspace
|
2008-04-01 20:23:23 +00:00
|
|
|
|
2009-01-05 21:44:33 +00:00
|
|
|
# kernel services that need to override task security, e.g. cachefiles
|
|
|
|
|
class kernel_service
|
|
|
|
|
|
2009-08-28 21:13:06 +00:00
|
|
|
class tun_socket
|
|
|
|
|
|
2015-05-06 16:31:28 +00:00
|
|
|
class binder
|
|
|
|
|
|
2015-05-21 17:38:09 +00:00
|
|
|
# Updated netlink classes for more recent netlink protocols.
|
|
|
|
|
class netlink_iscsi_socket
|
|
|
|
|
class netlink_fib_lookup_socket
|
|
|
|
|
class netlink_connector_socket
|
|
|
|
|
class netlink_netfilter_socket
|
|
|
|
|
class netlink_generic_socket
|
|
|
|
|
class netlink_scsitransport_socket
|
|
|
|
|
class netlink_rdma_socket
|
|
|
|
|
class netlink_crypto_socket
|
|
|
|
|
|
2009-10-13 23:17:13 +00:00
|
|
|
# Still More SE-X Windows stuff
|
|
|
|
|
class x_pointer # userspace
|
|
|
|
|
class x_keyboard # userspace
|
|
|
|
|
|
New database object classes
The attached patch adds a few database object classes, as follows:
* db_schema
------------
A schema object performs as a namespace in database; similar to
directories in filesystem.
It seems some of (but not all) database objects are stored within
a certain schema logically. We can qualify these objects using
schema name. For example, a table: "my_tbl" within a schema: "my_scm"
is identified by "my_scm.my_tbl". This table is completely different
from "your_scm.my_tbl" that it a table within a schema: "your_scm".
Its characteristics is similar to a directory in filesystem, so
it has similar permissions.
The 'search' controls to resolve object name within a schema.
The 'add_name' and 'remove_name' controls to add/remove an object
to/from a schema.
See also,
http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html
In the past discussion, a rubix folks concerned about no object
class definition for schema and catalog which is an upper level
namespace. Since I'm not certain whether we have a disadvantage
when 'db_schema' class is applied on catalog class, I don't add
this definition yet.
Default security context of 'db_table' and 'db_procedure' classes
get being computed using type_transition with 'db_schema' class,
instead of 'db_database' class. It reflects logical hierarchy of
database object more correctly.
* db_view
----------
A view object performs as a virtual table. We can run SELECT
statement on views, although it has no physical entities.
The definition of views are expanded in run-time, so it allows
us to describe complex queries with keeping readability.
This object class uniquely provides 'expand' permission that
controls whether user can expand this view, or not.
The default security context shall be computed by type transition
rule with a schema object that owning the view.
See also,
http://developer.postgresql.org/pgdocs/postgres/sql-createview.html
* db_sequence
--------------
A sequence object is a sequential number generator.
This object class uniquely provides 'get_value', 'next_value' and
'set_value' permissions. The 'get_value' controls to reference the
sequence object. The 'next_value' controls to fetch and increment
the value of sequence object. The 'set_value' controls to set
an arbitrary value.
The default security context shall be computed by type transition
rule with a schema object that owning the sequence.
See also,
http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html
* db_language
--------------
A language object is an installed engine to execute procedures.
PostgreSQL supports to define SQL procedures using regular script
languages; such as Perl, Tcl, not only SQL or binary modules.
In addition, v9.0 or later supports DO statement. It allows us to
execute a script statement on server side without defining a SQL
procedure. It requires to control whether user can execute DO
statement on this language, or not.
This object class uniquely provides 'implement' and 'execute'
permissions. The 'implement' controls whether a procedure can
be implemented with this language, or not. So, it takes security
context of the procedure as subject. The 'execute' controls to
execute code block using DO statement.
The default security context shall be computed by type transition
rule with a database object, because it is not owned by a certain
schema.
In the default policy, we provide two types: 'sepgsql_lang_t' and
'sepgsql_safe_lang_t' that allows unpriv users to execute DO
statement. The default is 'sepgsql_leng_t'.
We assume newly installed language may be harm, so DBA has to relabel
it explicitly, if he want user defined procedures using the language.
See also,
http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html
http://developer.postgresql.org/pgdocs/postgres/sql-do.html
P.S)
I found a bug in MCS. It didn't constraint 'relabelfrom' permission
of 'db_procedure' class. IIRC, I fixed it before, but it might be
only MLS side. Sorry.
Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
policy/flask/access_vectors | 29 ++++++++
policy/flask/security_classes | 6 ++
policy/mcs | 16 ++++-
policy/mls | 58 ++++++++++++++-
policy/modules/kernel/kernel.if | 8 ++
policy/modules/services/postgresql.if | 125 +++++++++++++++++++++++++++++++--
policy/modules/services/postgresql.te | 116 +++++++++++++++++++++++++++++-
7 files changed, 342 insertions(+), 16 deletions(-)
2010-12-10 09:49:24 +00:00
|
|
|
# More Database stuff
|
|
|
|
|
class db_schema # userspace
|
|
|
|
|
class db_view # userspace
|
|
|
|
|
class db_sequence # userspace
|
|
|
|
|
class db_language # userspace
|
|
|
|
|
|
2015-10-20 15:29:11 +00:00
|
|
|
class service # userspace
|
|
|
|
|
|
2016-04-06 18:52:26 +00:00
|
|
|
# Capability checks when on a non-init user namespace
|
|
|
|
|
class cap_userns
|
|
|
|
|
class cap2_userns
|
|
|
|
|
|
2005-06-01 15:40:37 +00:00
|
|
|
# FLASK
|
