Add dbadm, from KaiGai Kohei.
This commit is contained in:
Chris PeBenito
parent
edc2f7dea4
commit
22a2874dbf
|
|
@ -1,4 +1,6 @@
|
|||
- X object manager revisions from Eamon Walsh.
|
||||
- Added modules:
|
||||
dbadm (KaiGai Kohei)
|
||||
|
||||
* Tue Nov 17 2009 Chris PeBenito <selinux@tresys.com> - 2.20091117
|
||||
- Add separate x_pointer and x_keyboard classes inheriting from x_device.
|
||||
|
|
|
|||
|
|
@ -0,0 +1 @@
|
|||
# No dbadm file contexts
|
||||
|
|
@ -0,0 +1,50 @@
|
|||
## <summary>Database administrator role</summary>
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Change to the database administrator role.
|
||||
## </summary>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`dbadm_role_change',`
|
||||
get_require(`
|
||||
role dbadm_r'
|
||||
')
|
||||
|
||||
allow $1 dbadm_r;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Change from the database administrator role.
|
||||
## </summary>
|
||||
## <desc>
|
||||
## <p>
|
||||
## Change from the web administrator role to
|
||||
## the specified role.
|
||||
## </p>
|
||||
## <p>
|
||||
## This is an interface to support third party modules
|
||||
## and its use is not allowed in upstream reference
|
||||
## policy.
|
||||
## </p>
|
||||
## </desc>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## Role allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`dbadm_role_change_to',`
|
||||
gen_require(`
|
||||
role dbadm_r;
|
||||
')
|
||||
|
||||
allow dbadm_r $1;
|
||||
')
|
||||
|
|
@ -0,0 +1,33 @@
|
|||
|
||||
policy_module(dbadm, 1.0.0)
|
||||
|
||||
########################################
|
||||
#
|
||||
# Declarations
|
||||
#
|
||||
|
||||
role dbadm_r;
|
||||
|
||||
userdom_unpriv_user_template(dbadm)
|
||||
|
||||
########################################
|
||||
#
|
||||
# database admin local policy
|
||||
#
|
||||
|
||||
optional_policy(`
|
||||
mysql_admin(dbadm_t, dbadm_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postgresql_admin(dbadm_t, dbadm_r)
|
||||
')
|
||||
|
||||
# For starting up daemon processes
|
||||
optional_policy(`
|
||||
su_role_template(dbadm, dbadm_r, dbadm_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
sudo_role_template(dbadm, dbadm_r, dbadm_t)
|
||||
')
|
||||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(staff, 2.0.0)
|
||||
policy_module(staff, 2.0.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
@ -100,6 +100,10 @@ optional_policy(`
|
|||
oident_relabel_user_content(staff_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postgresql_role(staff_r, staff_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
pyzor_role(staff_r, staff_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(unprivuser, 2.0.0)
|
||||
policy_module(unprivuser, 2.0.1)
|
||||
|
||||
# this module should be named user, but that is
|
||||
# a compile error since user is a keyword.
|
||||
|
|
@ -94,6 +94,10 @@ optional_policy(`
|
|||
oident_relabel_user_content(user_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postgresql_role(user_r, user_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
pyzor_role(user_r, user_t)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -2,6 +2,7 @@
|
|||
# /etc
|
||||
#
|
||||
/etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
|
||||
/etc/rc\.d/init\.d/(se)?postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
|
||||
|
||||
#
|
||||
# /usr
|
||||
|
|
|
|||
|
|
@ -384,3 +384,54 @@ interface(`postgresql_unconfined',`
|
|||
|
||||
typeattribute $1 sepgsql_unconfined_type;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate an postgresql environment
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <param name="role">
|
||||
## <summary>
|
||||
## The role to be allowed to manage the postgresql domain.
|
||||
## </summary>
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`postgresql_admin',`
|
||||
gen_require(`
|
||||
attribute sepgsql_admin_type;
|
||||
attribute sepgsql_client_type;
|
||||
|
||||
type postgresql_t, postgresql_var_run_t;
|
||||
type postgresql_tmp_t, postgresql_db_t;
|
||||
type postgresql_etc_t, postgresql_log_t;
|
||||
type postgresql_initrc_exec_t;
|
||||
')
|
||||
|
||||
typeattribute $1 sepgsql_admin_type;
|
||||
|
||||
allow $1 postgresql_t:process { ptrace signal_perms };
|
||||
ps_process_pattern($1, postgresql_t)
|
||||
|
||||
init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
|
||||
domain_system_change_exemption($1)
|
||||
role_transition $2 postgresql_initrc_exec_t system_r;
|
||||
allow $2 system_r;
|
||||
|
||||
admin_pattern($1, postgresql_var_run_t)
|
||||
|
||||
admin_pattern($1, postgresql_db_t)
|
||||
|
||||
admin_pattern($1, postgresql_etc_t)
|
||||
|
||||
admin_pattern($1, postgresql_log_t)
|
||||
|
||||
admin_pattern($1, postgresql_tmp_t)
|
||||
|
||||
postgresql_tcp_connect($1)
|
||||
postgresql_stream_connect($1)
|
||||
')
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(postgresql, 1.9.0)
|
||||
policy_module(postgresql, 1.10.0)
|
||||
|
||||
gen_require(`
|
||||
class db_database all_db_database_perms;
|
||||
|
|
@ -22,6 +22,13 @@ gen_require(`
|
|||
## </desc>
|
||||
gen_tunable(sepgsql_enable_users_ddl, true)
|
||||
|
||||
## <desc>
|
||||
## <p>
|
||||
## Allow database admins to execute DML statement
|
||||
## </p>
|
||||
## </desc>
|
||||
gen_tunable(sepgsql_unconfined_dbadm, true)
|
||||
|
||||
type postgresql_t;
|
||||
type postgresql_exec_t;
|
||||
init_daemon_domain(postgresql_t, postgresql_exec_t)
|
||||
|
|
@ -32,6 +39,9 @@ files_type(postgresql_db_t)
|
|||
type postgresql_etc_t;
|
||||
files_config_file(postgresql_etc_t)
|
||||
|
||||
type postgresql_initrc_exec_t;
|
||||
init_script_file(postgresql_initrc_exec_t)
|
||||
|
||||
type postgresql_lock_t;
|
||||
files_lock_file(postgresql_lock_t)
|
||||
|
||||
|
|
@ -45,6 +55,7 @@ type postgresql_var_run_t;
|
|||
files_pid_file(postgresql_var_run_t)
|
||||
|
||||
# database clients attribute
|
||||
attribute sepgsql_admin_type;
|
||||
attribute sepgsql_client_type;
|
||||
attribute sepgsql_unconfined_type;
|
||||
|
||||
|
|
@ -336,7 +347,40 @@ allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
|
|||
# to access classified tuples and can make a audit record.
|
||||
#
|
||||
# Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
|
||||
dontaudit { postgresql_t sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
|
||||
dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
|
||||
|
||||
|
||||
########################################
|
||||
#
|
||||
# Rules common to administrator clients
|
||||
#
|
||||
|
||||
allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access };
|
||||
type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t;
|
||||
|
||||
allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock };
|
||||
allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto };
|
||||
allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };
|
||||
|
||||
allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto };
|
||||
|
||||
allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto };
|
||||
|
||||
allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
|
||||
|
||||
kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
|
||||
|
||||
tunable_policy(`sepgsql_unconfined_dbadm',`
|
||||
allow sepgsql_admin_type sepgsql_database_type:db_database *;
|
||||
|
||||
allow sepgsql_admin_type sepgsql_table_type:{ db_table db_column db_tuple } *;
|
||||
|
||||
allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *;
|
||||
allow sepgsql_admin_type sepgsql_trusted_proc_exec_t:db_procedure ~install;
|
||||
allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install };
|
||||
|
||||
allow sepgsql_admin_type sepgsql_blob_type:db_blob *;
|
||||
')
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
|
|
@ -994,10 +994,6 @@ template(`userdom_unpriv_user_template', `
|
|||
netutils_run_traceroute_cond($1_t,$1_r)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
postgresql_role($1_r,$1_t)
|
||||
')
|
||||
|
||||
# Run pppd in pppd_t by default for user
|
||||
optional_policy(`
|
||||
ppp_run_cond($1_t,$1_r)
|
||||
|
|
|
|||
|
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(userdomain, 4.3.0)
|
||||
policy_module(userdomain, 4.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
|
|
|||
Loading…
Reference in New Issue