trunk:

OK, the attached patch adds the following types for unprivileged clients. - unpriv_sepgsql_table_t - unpriv_sepgsql_sysobj_t - unpriv_sepgsql_proc_exec_t - unpriv_sepgsql_blob_t These types are the default for unprivileged and unprefixed domains, such as httpd_t and others. In addition, TYPE_TRANSITION rules are moved to outside of tunable of the sepgsql_enable_users_ddl. IIRC, it was enclosed within the tunable because UBAC domains (user_t and so on) were allowed to create sepgsql_table_t, and its default was pointed to this type when sepgsql_enable_users_ddl is disabled. However, it has different meanings now, so the TYPE_TRANSITION rules should be unconditional. KaiGai Kohei
2009-05-21 11:28:14 +00:00 · 2009-05-21 11:28:14 +00:00 · a01a4a7183
parent 80348b73a0
commit a01a4a7183
2 changed files with 53 additions and 8 deletions
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@ -47,18 +47,18 @@ interface(`postgresql_role',`

 	tunable_policy(`sepgsql_enable_users_ddl',`
 		allow $2 user_sepgsql_table_t:db_table { create drop };
-		type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;
-
 		allow $2 user_sepgsql_table_t:db_column { create drop };

 		allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
-		type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
 	')

 	allow $2 user_sepgsql_table_t:db_table  { getattr setattr use select update insert delete lock };
 	allow $2 user_sepgsql_table_t:db_column { getattr setattr use select update insert };
 	allow $2 user_sepgsql_table_t:db_tuple	{ use select update insert delete };
+	type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;
+
 	allow $2 user_sepgsql_sysobj_t:db_tuple	{ use select };
+	type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;

 	allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };
 	type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;
@ -313,24 +313,55 @@ interface(`postgresql_stream_connect',`
 #
 interface(`postgresql_unpriv_client',`
 	gen_require(`
+		class db_database all_db_database_perms;
 		class db_table all_db_table_perms;
 		class db_procedure all_db_procedure_perms;
+		class db_column all_db_column_perms;
+		class db_tuple all_db_tuple_perms;
 		class db_blob all_db_blob_perms;

 		attribute sepgsql_client_type;
+		attribute sepgsql_database_type, sepgsql_sysobj_table_type;

-		type sepgsql_db_t, sepgsql_table_t, sepgsql_proc_exec_t, sepgsql_blob_t;
 		type sepgsql_trusted_proc_t, sepgsql_trusted_proc_exec_t;
+		type unpriv_sepgsql_blob_t, unpriv_sepgsql_proc_exec_t;
+		type unpriv_sepgsql_sysobj_t, unpriv_sepgsql_table_t;
 	')

+	########################################
+	#
+	# Declarations
+	#
+
 	typeattribute $1 sepgsql_client_type;

-	type_transition $1 sepgsql_db_t:db_table sepgsql_table_t;
-	type_transition $1 sepgsql_db_t:db_procedure sepgsql_proc_exec_t;
-	type_transition $1 sepgsql_db_t:db_blob sepgsql_blob_t;
+	########################################
+	#
+	# Client local policy
+	#

 	type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t;
 	allow $1 sepgsql_trusted_proc_t:process transition;
+
+	tunable_policy(`sepgsql_enable_users_ddl',`
+		allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
+		allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
+		allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
+	')
+
+	allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
+	allow $1 unpriv_sepgsql_table_t:db_column { getattr use select update insert };
+	allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
+	type_transition $1 sepgsql_database_type:db_table unpriv_sepgsql_table_t;
+
+	allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };
+	type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;
+
+	allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };
+	type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;
+
+	allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
+	type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
 ')

 ########################################
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@ -1,5 +1,5 @@

-policy_module(postgresql, 1.8.4)
+policy_module(postgresql, 1.8.5)

 gen_require(`
 	class db_database all_db_database_perms;
@ -97,6 +97,20 @@ domain_type(sepgsql_trusted_proc_t)
 postgresql_unconfined(sepgsql_trusted_proc_t)
 role system_r types sepgsql_trusted_proc_t;

+# Types for unprivileged client
+type unpriv_sepgsql_blob_t;
+postgresql_blob_object(unpriv_sepgsql_blob_t)
+
+type unpriv_sepgsql_proc_exec_t;
+postgresql_procedure_object(unpriv_sepgsql_proc_exec_t)
+
+type unpriv_sepgsql_sysobj_t;
+postgresql_system_table_object(unpriv_sepgsql_sysobj_t)
+
+type unpriv_sepgsql_table_t;
+postgresql_table_object(unpriv_sepgsql_table_t)
+
+# Types for UBAC
 type user_sepgsql_blob_t;
 typealias user_sepgsql_blob_t alias { staff_sepgsql_blob_t sysadm_sepgsql_blob_t };
 typealias user_sepgsql_blob_t alias { auditadm_sepgsql_blob_t secadm_sepgsql_blob_t };