diff --git a/Changelog b/Changelog index 017186020..5818f9ef8 100644 --- a/Changelog +++ b/Changelog @@ -1,4 +1,6 @@ - X object manager revisions from Eamon Walsh. +- Added modules: + dbadm (KaiGai Kohei) * Tue Nov 17 2009 Chris PeBenito - 2.20091117 - Add separate x_pointer and x_keyboard classes inheriting from x_device. diff --git a/policy/modules/roles/dbadm.fc b/policy/modules/roles/dbadm.fc new file mode 100644 index 000000000..e6aa2fba6 --- /dev/null +++ b/policy/modules/roles/dbadm.fc @@ -0,0 +1 @@ +# No dbadm file contexts diff --git a/policy/modules/roles/dbadm.if b/policy/modules/roles/dbadm.if new file mode 100644 index 000000000..14adfea11 --- /dev/null +++ b/policy/modules/roles/dbadm.if @@ -0,0 +1,50 @@ +## Database administrator role + +######################################## +## +## Change to the database administrator role. +## +## +## +## Role allowed access. +## +## +## +# +interface(`dbadm_role_change',` + get_require(` + role dbadm_r' + ') + + allow $1 dbadm_r; +') + +######################################## +## +## Change from the database administrator role. +## +## +##

+## Change from the web administrator role to +## the specified role. +##

+##

+## This is an interface to support third party modules +## and its use is not allowed in upstream reference +## policy. +##

+##
+## +## +## Role allowed access. +## +## +## +# +interface(`dbadm_role_change_to',` + gen_require(` + role dbadm_r; + ') + + allow dbadm_r $1; +') diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te new file mode 100644 index 000000000..055eda8c1 --- /dev/null +++ b/policy/modules/roles/dbadm.te @@ -0,0 +1,33 @@ + +policy_module(dbadm, 1.0.0) + +######################################## +# +# Declarations +# + +role dbadm_r; + +userdom_unpriv_user_template(dbadm) + +######################################## +# +# database admin local policy +# + +optional_policy(` + mysql_admin(dbadm_t, dbadm_r) +') + +optional_policy(` + postgresql_admin(dbadm_t, dbadm_r) +') + +# For starting up daemon processes +optional_policy(` + su_role_template(dbadm, dbadm_r, dbadm_t) +') + +optional_policy(` + sudo_role_template(dbadm, dbadm_r, dbadm_t) +') diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te index 7433ca08b..3fd227be4 100644 --- a/policy/modules/roles/staff.te +++ b/policy/modules/roles/staff.te @@ -1,5 +1,5 @@ -policy_module(staff, 2.0.0) +policy_module(staff, 2.0.1) ######################################## # @@ -100,6 +100,10 @@ optional_policy(` oident_relabel_user_content(staff_t) ') +optional_policy(` + postgresql_role(staff_r, staff_t) +') + optional_policy(` pyzor_role(staff_r, staff_t) ') diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te index 2183644ad..b0be6d268 100644 --- a/policy/modules/roles/unprivuser.te +++ b/policy/modules/roles/unprivuser.te @@ -1,5 +1,5 @@ -policy_module(unprivuser, 2.0.0) +policy_module(unprivuser, 2.0.1) # this module should be named user, but that is # a compile error since user is a keyword. @@ -94,6 +94,10 @@ optional_policy(` oident_relabel_user_content(user_t) ') +optional_policy(` + postgresql_role(user_r, user_t) +') + optional_policy(` pyzor_role(user_r, user_t) ') diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc index ac18bee96..d91cd035f 100644 --- a/policy/modules/services/postgresql.fc +++ b/policy/modules/services/postgresql.fc @@ -2,6 +2,7 @@ # /etc # /etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0) +/etc/rc\.d/init\.d/(se)?postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0) # # /usr diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if index f74c7316e..54ea7090f 100644 --- a/policy/modules/services/postgresql.if +++ b/policy/modules/services/postgresql.if @@ -384,3 +384,54 @@ interface(`postgresql_unconfined',` typeattribute $1 sepgsql_unconfined_type; ') + +######################################## +## +## All of the rules required to administrate an postgresql environment +## +## +## +## Domain allowed access. +## +## +## +## +## The role to be allowed to manage the postgresql domain. +## +## +## +# +interface(`postgresql_admin',` + gen_require(` + attribute sepgsql_admin_type; + attribute sepgsql_client_type; + + type postgresql_t, postgresql_var_run_t; + type postgresql_tmp_t, postgresql_db_t; + type postgresql_etc_t, postgresql_log_t; + type postgresql_initrc_exec_t; + ') + + typeattribute $1 sepgsql_admin_type; + + allow $1 postgresql_t:process { ptrace signal_perms }; + ps_process_pattern($1, postgresql_t) + + init_labeled_script_domtrans($1, postgresql_initrc_exec_t) + domain_system_change_exemption($1) + role_transition $2 postgresql_initrc_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, postgresql_var_run_t) + + admin_pattern($1, postgresql_db_t) + + admin_pattern($1, postgresql_etc_t) + + admin_pattern($1, postgresql_log_t) + + admin_pattern($1, postgresql_tmp_t) + + postgresql_tcp_connect($1) + postgresql_stream_connect($1) +') diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index bfefe36f5..0b3eda99e 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -1,5 +1,5 @@ -policy_module(postgresql, 1.9.0) +policy_module(postgresql, 1.10.0) gen_require(` class db_database all_db_database_perms; @@ -22,6 +22,13 @@ gen_require(` ## gen_tunable(sepgsql_enable_users_ddl, true) +## +##

+## Allow database admins to execute DML statement +##

+##
+gen_tunable(sepgsql_unconfined_dbadm, true) + type postgresql_t; type postgresql_exec_t; init_daemon_domain(postgresql_t, postgresql_exec_t) @@ -32,6 +39,9 @@ files_type(postgresql_db_t) type postgresql_etc_t; files_config_file(postgresql_etc_t) +type postgresql_initrc_exec_t; +init_script_file(postgresql_initrc_exec_t) + type postgresql_lock_t; files_lock_file(postgresql_lock_t) @@ -45,6 +55,7 @@ type postgresql_var_run_t; files_pid_file(postgresql_var_run_t) # database clients attribute +attribute sepgsql_admin_type; attribute sepgsql_client_type; attribute sepgsql_unconfined_type; @@ -336,7 +347,40 @@ allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr; # to access classified tuples and can make a audit record. # # Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL. -dontaudit { postgresql_t sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete }; +dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete }; + + +######################################## +# +# Rules common to administrator clients +# + +allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access }; +type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t; + +allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock }; +allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto }; +allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete }; + +allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto }; + +allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto }; + +allow sepgsql_admin_type sepgsql_module_type:db_database install_module; + +kernel_relabelfrom_unlabeled_database(sepgsql_admin_type) + +tunable_policy(`sepgsql_unconfined_dbadm',` + allow sepgsql_admin_type sepgsql_database_type:db_database *; + + allow sepgsql_admin_type sepgsql_table_type:{ db_table db_column db_tuple } *; + + allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *; + allow sepgsql_admin_type sepgsql_trusted_proc_exec_t:db_procedure ~install; + allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install }; + + allow sepgsql_admin_type sepgsql_blob_type:db_blob *; +') ######################################## # diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index f209ccff8..d6198c599 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -994,10 +994,6 @@ template(`userdom_unpriv_user_template', ` netutils_run_traceroute_cond($1_t,$1_r) ') - optional_policy(` - postgresql_role($1_r,$1_t) - ') - # Run pppd in pppd_t by default for user optional_policy(` ppp_run_cond($1_t,$1_r) diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te index 7b7d709d1..c01f7aed0 100644 --- a/policy/modules/system/userdomain.te +++ b/policy/modules/system/userdomain.te @@ -1,5 +1,5 @@ -policy_module(userdomain, 4.3.0) +policy_module(userdomain, 4.3.1) ######################################## #