82c32d5cf4
The attached patch adds a few database object classes, as follows: * db_schema ------------ A schema object performs as a namespace in database; similar to directories in filesystem. It seems some of (but not all) database objects are stored within a certain schema logically. We can qualify these objects using schema name. For example, a table: "my_tbl" within a schema: "my_scm" is identified by "my_scm.my_tbl". This table is completely different from "your_scm.my_tbl" that it a table within a schema: "your_scm". Its characteristics is similar to a directory in filesystem, so it has similar permissions. The 'search' controls to resolve object name within a schema. The 'add_name' and 'remove_name' controls to add/remove an object to/from a schema. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createschema.html In the past discussion, a rubix folks concerned about no object class definition for schema and catalog which is an upper level namespace. Since I'm not certain whether we have a disadvantage when 'db_schema' class is applied on catalog class, I don't add this definition yet. Default security context of 'db_table' and 'db_procedure' classes get being computed using type_transition with 'db_schema' class, instead of 'db_database' class. It reflects logical hierarchy of database object more correctly. * db_view ---------- A view object performs as a virtual table. We can run SELECT statement on views, although it has no physical entities. The definition of views are expanded in run-time, so it allows us to describe complex queries with keeping readability. This object class uniquely provides 'expand' permission that controls whether user can expand this view, or not. The default security context shall be computed by type transition rule with a schema object that owning the view. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createview.html * db_sequence -------------- A sequence object is a sequential number generator. This object class uniquely provides 'get_value', 'next_value' and 'set_value' permissions. The 'get_value' controls to reference the sequence object. The 'next_value' controls to fetch and increment the value of sequence object. The 'set_value' controls to set an arbitrary value. The default security context shall be computed by type transition rule with a schema object that owning the sequence. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createsequence.html * db_language -------------- A language object is an installed engine to execute procedures. PostgreSQL supports to define SQL procedures using regular script languages; such as Perl, Tcl, not only SQL or binary modules. In addition, v9.0 or later supports DO statement. It allows us to execute a script statement on server side without defining a SQL procedure. It requires to control whether user can execute DO statement on this language, or not. This object class uniquely provides 'implement' and 'execute' permissions. The 'implement' controls whether a procedure can be implemented with this language, or not. So, it takes security context of the procedure as subject. The 'execute' controls to execute code block using DO statement. The default security context shall be computed by type transition rule with a database object, because it is not owned by a certain schema. In the default policy, we provide two types: 'sepgsql_lang_t' and 'sepgsql_safe_lang_t' that allows unpriv users to execute DO statement. The default is 'sepgsql_leng_t'. We assume newly installed language may be harm, so DBA has to relabel it explicitly, if he want user defined procedures using the language. See also, http://developer.postgresql.org/pgdocs/postgres/sql-createlanguage.html http://developer.postgresql.org/pgdocs/postgres/sql-do.html P.S) I found a bug in MCS. It didn't constraint 'relabelfrom' permission of 'db_procedure' class. IIRC, I fixed it before, but it might be only MLS side. Sorry. Thanks, -- KaiGai Kohei <kaigai@ak.jp.nec.com> policy/flask/access_vectors | 29 ++++++++ policy/flask/security_classes | 6 ++ policy/mcs | 16 ++++- policy/mls | 58 ++++++++++++++- policy/modules/kernel/kernel.if | 8 ++ policy/modules/services/postgresql.if | 125 +++++++++++++++++++++++++++++++-- policy/modules/services/postgresql.te | 116 +++++++++++++++++++++++++++++- 7 files changed, 342 insertions(+), 16 deletions(-)
848 lines
8.8 KiB
Plaintext
848 lines
8.8 KiB
Plaintext
#
|
|
# Define common prefixes for access vectors
|
|
#
|
|
# common common_name { permission_name ... }
|
|
|
|
|
|
#
|
|
# Define a common prefix for file access vectors.
|
|
#
|
|
|
|
common file
|
|
{
|
|
ioctl
|
|
read
|
|
write
|
|
create
|
|
getattr
|
|
setattr
|
|
lock
|
|
relabelfrom
|
|
relabelto
|
|
append
|
|
unlink
|
|
link
|
|
rename
|
|
execute
|
|
swapon
|
|
quotaon
|
|
mounton
|
|
}
|
|
|
|
|
|
#
|
|
# Define a common prefix for socket access vectors.
|
|
#
|
|
|
|
common socket
|
|
{
|
|
# inherited from file
|
|
ioctl
|
|
read
|
|
write
|
|
create
|
|
getattr
|
|
setattr
|
|
lock
|
|
relabelfrom
|
|
relabelto
|
|
append
|
|
# socket-specific
|
|
bind
|
|
connect
|
|
listen
|
|
accept
|
|
getopt
|
|
setopt
|
|
shutdown
|
|
recvfrom
|
|
sendto
|
|
recv_msg
|
|
send_msg
|
|
name_bind
|
|
}
|
|
|
|
#
|
|
# Define a common prefix for ipc access vectors.
|
|
#
|
|
|
|
common ipc
|
|
{
|
|
create
|
|
destroy
|
|
getattr
|
|
setattr
|
|
read
|
|
write
|
|
associate
|
|
unix_read
|
|
unix_write
|
|
}
|
|
|
|
#
|
|
# Define a common prefix for userspace database object access vectors.
|
|
#
|
|
|
|
common database
|
|
{
|
|
create
|
|
drop
|
|
getattr
|
|
setattr
|
|
relabelfrom
|
|
relabelto
|
|
}
|
|
|
|
#
|
|
# Define a common prefix for pointer and keyboard access vectors.
|
|
#
|
|
|
|
common x_device
|
|
{
|
|
getattr
|
|
setattr
|
|
use
|
|
read
|
|
write
|
|
getfocus
|
|
setfocus
|
|
bell
|
|
force_cursor
|
|
freeze
|
|
grab
|
|
manage
|
|
list_property
|
|
get_property
|
|
set_property
|
|
add
|
|
remove
|
|
create
|
|
destroy
|
|
}
|
|
|
|
#
|
|
# Define the access vectors.
|
|
#
|
|
# class class_name [ inherits common_name ] { permission_name ... }
|
|
|
|
|
|
#
|
|
# Define the access vector interpretation for file-related objects.
|
|
#
|
|
|
|
class filesystem
|
|
{
|
|
mount
|
|
remount
|
|
unmount
|
|
getattr
|
|
relabelfrom
|
|
relabelto
|
|
transition
|
|
associate
|
|
quotamod
|
|
quotaget
|
|
}
|
|
|
|
class dir
|
|
inherits file
|
|
{
|
|
add_name
|
|
remove_name
|
|
reparent
|
|
search
|
|
rmdir
|
|
open
|
|
}
|
|
|
|
class file
|
|
inherits file
|
|
{
|
|
execute_no_trans
|
|
entrypoint
|
|
execmod
|
|
open
|
|
}
|
|
|
|
class lnk_file
|
|
inherits file
|
|
|
|
class chr_file
|
|
inherits file
|
|
{
|
|
execute_no_trans
|
|
entrypoint
|
|
execmod
|
|
open
|
|
}
|
|
|
|
class blk_file
|
|
inherits file
|
|
{
|
|
open
|
|
}
|
|
|
|
class sock_file
|
|
inherits file
|
|
{
|
|
open
|
|
}
|
|
|
|
class fifo_file
|
|
inherits file
|
|
{
|
|
open
|
|
}
|
|
|
|
class fd
|
|
{
|
|
use
|
|
}
|
|
|
|
|
|
#
|
|
# Define the access vector interpretation for network-related objects.
|
|
#
|
|
|
|
class socket
|
|
inherits socket
|
|
|
|
class tcp_socket
|
|
inherits socket
|
|
{
|
|
connectto
|
|
newconn
|
|
acceptfrom
|
|
node_bind
|
|
name_connect
|
|
}
|
|
|
|
class udp_socket
|
|
inherits socket
|
|
{
|
|
node_bind
|
|
}
|
|
|
|
class rawip_socket
|
|
inherits socket
|
|
{
|
|
node_bind
|
|
}
|
|
|
|
class node
|
|
{
|
|
tcp_recv
|
|
tcp_send
|
|
udp_recv
|
|
udp_send
|
|
rawip_recv
|
|
rawip_send
|
|
enforce_dest
|
|
dccp_recv
|
|
dccp_send
|
|
recvfrom
|
|
sendto
|
|
}
|
|
|
|
class netif
|
|
{
|
|
tcp_recv
|
|
tcp_send
|
|
udp_recv
|
|
udp_send
|
|
rawip_recv
|
|
rawip_send
|
|
dccp_recv
|
|
dccp_send
|
|
ingress
|
|
egress
|
|
}
|
|
|
|
class netlink_socket
|
|
inherits socket
|
|
|
|
class packet_socket
|
|
inherits socket
|
|
|
|
class key_socket
|
|
inherits socket
|
|
|
|
class unix_stream_socket
|
|
inherits socket
|
|
{
|
|
connectto
|
|
newconn
|
|
acceptfrom
|
|
}
|
|
|
|
class unix_dgram_socket
|
|
inherits socket
|
|
|
|
#
|
|
# Define the access vector interpretation for process-related objects
|
|
#
|
|
|
|
class process
|
|
{
|
|
fork
|
|
transition
|
|
sigchld # commonly granted from child to parent
|
|
sigkill # cannot be caught or ignored
|
|
sigstop # cannot be caught or ignored
|
|
signull # for kill(pid, 0)
|
|
signal # all other signals
|
|
ptrace
|
|
getsched
|
|
setsched
|
|
getsession
|
|
getpgid
|
|
setpgid
|
|
getcap
|
|
setcap
|
|
share
|
|
getattr
|
|
setexec
|
|
setfscreate
|
|
noatsecure
|
|
siginh
|
|
setrlimit
|
|
rlimitinh
|
|
dyntransition
|
|
setcurrent
|
|
execmem
|
|
execstack
|
|
execheap
|
|
setkeycreate
|
|
setsockcreate
|
|
}
|
|
|
|
|
|
#
|
|
# Define the access vector interpretation for ipc-related objects
|
|
#
|
|
|
|
class ipc
|
|
inherits ipc
|
|
|
|
class sem
|
|
inherits ipc
|
|
|
|
class msgq
|
|
inherits ipc
|
|
{
|
|
enqueue
|
|
}
|
|
|
|
class msg
|
|
{
|
|
send
|
|
receive
|
|
}
|
|
|
|
class shm
|
|
inherits ipc
|
|
{
|
|
lock
|
|
}
|
|
|
|
|
|
#
|
|
# Define the access vector interpretation for the security server.
|
|
#
|
|
|
|
class security
|
|
{
|
|
compute_av
|
|
compute_create
|
|
compute_member
|
|
check_context
|
|
load_policy
|
|
compute_relabel
|
|
compute_user
|
|
setenforce # was avc_toggle in system class
|
|
setbool
|
|
setsecparam
|
|
setcheckreqprot
|
|
}
|
|
|
|
|
|
#
|
|
# Define the access vector interpretation for system operations.
|
|
#
|
|
|
|
class system
|
|
{
|
|
ipc_info
|
|
syslog_read
|
|
syslog_mod
|
|
syslog_console
|
|
module_request
|
|
}
|
|
|
|
#
|
|
# Define the access vector interpretation for controling capabilies
|
|
#
|
|
|
|
class capability
|
|
{
|
|
# The capabilities are defined in include/linux/capability.h
|
|
# Capabilities >= 32 are defined in the capability2 class.
|
|
# Care should be taken to ensure that these are consistent with
|
|
# those definitions. (Order matters)
|
|
|
|
chown
|
|
dac_override
|
|
dac_read_search
|
|
fowner
|
|
fsetid
|
|
kill
|
|
setgid
|
|
setuid
|
|
setpcap
|
|
linux_immutable
|
|
net_bind_service
|
|
net_broadcast
|
|
net_admin
|
|
net_raw
|
|
ipc_lock
|
|
ipc_owner
|
|
sys_module
|
|
sys_rawio
|
|
sys_chroot
|
|
sys_ptrace
|
|
sys_pacct
|
|
sys_admin
|
|
sys_boot
|
|
sys_nice
|
|
sys_resource
|
|
sys_time
|
|
sys_tty_config
|
|
mknod
|
|
lease
|
|
audit_write
|
|
audit_control
|
|
setfcap
|
|
}
|
|
|
|
class capability2
|
|
{
|
|
mac_override # unused by SELinux
|
|
mac_admin # unused by SELinux
|
|
}
|
|
|
|
#
|
|
# Define the access vector interpretation for controlling
|
|
# changes to passwd information.
|
|
#
|
|
class passwd
|
|
{
|
|
passwd # change another user passwd
|
|
chfn # change another user finger info
|
|
chsh # change another user shell
|
|
rootok # pam_rootok check (skip auth)
|
|
crontab # crontab on another user
|
|
}
|
|
|
|
#
|
|
# SE-X Windows stuff
|
|
#
|
|
class x_drawable
|
|
{
|
|
create
|
|
destroy
|
|
read
|
|
write
|
|
blend
|
|
getattr
|
|
setattr
|
|
list_child
|
|
add_child
|
|
remove_child
|
|
list_property
|
|
get_property
|
|
set_property
|
|
manage
|
|
override
|
|
show
|
|
hide
|
|
send
|
|
receive
|
|
}
|
|
|
|
class x_screen
|
|
{
|
|
getattr
|
|
setattr
|
|
hide_cursor
|
|
show_cursor
|
|
saver_getattr
|
|
saver_setattr
|
|
saver_hide
|
|
saver_show
|
|
}
|
|
|
|
class x_gc
|
|
{
|
|
create
|
|
destroy
|
|
getattr
|
|
setattr
|
|
use
|
|
}
|
|
|
|
class x_font
|
|
{
|
|
create
|
|
destroy
|
|
getattr
|
|
add_glyph
|
|
remove_glyph
|
|
use
|
|
}
|
|
|
|
class x_colormap
|
|
{
|
|
create
|
|
destroy
|
|
read
|
|
write
|
|
getattr
|
|
add_color
|
|
remove_color
|
|
install
|
|
uninstall
|
|
use
|
|
}
|
|
|
|
class x_property
|
|
{
|
|
create
|
|
destroy
|
|
read
|
|
write
|
|
append
|
|
getattr
|
|
setattr
|
|
}
|
|
|
|
class x_selection
|
|
{
|
|
read
|
|
write
|
|
getattr
|
|
setattr
|
|
}
|
|
|
|
class x_cursor
|
|
{
|
|
create
|
|
destroy
|
|
read
|
|
write
|
|
getattr
|
|
setattr
|
|
use
|
|
}
|
|
|
|
class x_client
|
|
{
|
|
destroy
|
|
getattr
|
|
setattr
|
|
manage
|
|
}
|
|
|
|
class x_device
|
|
inherits x_device
|
|
|
|
class x_server
|
|
{
|
|
getattr
|
|
setattr
|
|
record
|
|
debug
|
|
grab
|
|
manage
|
|
}
|
|
|
|
class x_extension
|
|
{
|
|
query
|
|
use
|
|
}
|
|
|
|
class x_resource
|
|
{
|
|
read
|
|
write
|
|
}
|
|
|
|
class x_event
|
|
{
|
|
send
|
|
receive
|
|
}
|
|
|
|
class x_synthetic_event
|
|
{
|
|
send
|
|
receive
|
|
}
|
|
|
|
#
|
|
# Extended Netlink classes
|
|
#
|
|
class netlink_route_socket
|
|
inherits socket
|
|
{
|
|
nlmsg_read
|
|
nlmsg_write
|
|
}
|
|
|
|
class netlink_firewall_socket
|
|
inherits socket
|
|
{
|
|
nlmsg_read
|
|
nlmsg_write
|
|
}
|
|
|
|
class netlink_tcpdiag_socket
|
|
inherits socket
|
|
{
|
|
nlmsg_read
|
|
nlmsg_write
|
|
}
|
|
|
|
class netlink_nflog_socket
|
|
inherits socket
|
|
|
|
class netlink_xfrm_socket
|
|
inherits socket
|
|
{
|
|
nlmsg_read
|
|
nlmsg_write
|
|
}
|
|
|
|
class netlink_selinux_socket
|
|
inherits socket
|
|
|
|
class netlink_audit_socket
|
|
inherits socket
|
|
{
|
|
nlmsg_read
|
|
nlmsg_write
|
|
nlmsg_relay
|
|
nlmsg_readpriv
|
|
nlmsg_tty_audit
|
|
}
|
|
|
|
class netlink_ip6fw_socket
|
|
inherits socket
|
|
{
|
|
nlmsg_read
|
|
nlmsg_write
|
|
}
|
|
|
|
class netlink_dnrt_socket
|
|
inherits socket
|
|
|
|
# Define the access vector interpretation for controlling
|
|
# access and communication through the D-BUS messaging
|
|
# system.
|
|
#
|
|
class dbus
|
|
{
|
|
acquire_svc
|
|
send_msg
|
|
}
|
|
|
|
# Define the access vector interpretation for controlling
|
|
# access through the name service cache daemon (nscd).
|
|
#
|
|
class nscd
|
|
{
|
|
getpwd
|
|
getgrp
|
|
gethost
|
|
getstat
|
|
admin
|
|
shmempwd
|
|
shmemgrp
|
|
shmemhost
|
|
getserv
|
|
shmemserv
|
|
}
|
|
|
|
# Define the access vector interpretation for controlling
|
|
# access to IPSec network data by association
|
|
#
|
|
class association
|
|
{
|
|
sendto
|
|
recvfrom
|
|
setcontext
|
|
polmatch
|
|
}
|
|
|
|
# Updated Netlink class for KOBJECT_UEVENT family.
|
|
class netlink_kobject_uevent_socket
|
|
inherits socket
|
|
|
|
class appletalk_socket
|
|
inherits socket
|
|
|
|
class packet
|
|
{
|
|
send
|
|
recv
|
|
relabelto
|
|
flow_in # deprecated
|
|
flow_out # deprecated
|
|
forward_in
|
|
forward_out
|
|
}
|
|
|
|
class key
|
|
{
|
|
view
|
|
read
|
|
write
|
|
search
|
|
link
|
|
setattr
|
|
create
|
|
}
|
|
|
|
class context
|
|
{
|
|
translate
|
|
contains
|
|
}
|
|
|
|
class dccp_socket
|
|
inherits socket
|
|
{
|
|
node_bind
|
|
name_connect
|
|
}
|
|
|
|
class memprotect
|
|
{
|
|
mmap_zero
|
|
}
|
|
|
|
class db_database
|
|
inherits database
|
|
{
|
|
access
|
|
install_module
|
|
load_module
|
|
get_param # deprecated
|
|
set_param # deprecated
|
|
}
|
|
|
|
class db_table
|
|
inherits database
|
|
{
|
|
use # deprecated
|
|
select
|
|
update
|
|
insert
|
|
delete
|
|
lock
|
|
}
|
|
|
|
class db_procedure
|
|
inherits database
|
|
{
|
|
execute
|
|
entrypoint
|
|
install
|
|
}
|
|
|
|
class db_column
|
|
inherits database
|
|
{
|
|
use # deprecated
|
|
select
|
|
update
|
|
insert
|
|
}
|
|
|
|
class db_tuple
|
|
{
|
|
relabelfrom
|
|
relabelto
|
|
use # deprecated
|
|
select
|
|
update
|
|
insert
|
|
delete
|
|
}
|
|
|
|
class db_blob
|
|
inherits database
|
|
{
|
|
read
|
|
write
|
|
import
|
|
export
|
|
}
|
|
|
|
# network peer labels
|
|
class peer
|
|
{
|
|
recv
|
|
}
|
|
|
|
class x_application_data
|
|
{
|
|
paste
|
|
paste_after_confirm
|
|
copy
|
|
}
|
|
|
|
class kernel_service
|
|
{
|
|
use_as_override
|
|
create_files_as
|
|
}
|
|
|
|
class tun_socket
|
|
inherits socket
|
|
|
|
class x_pointer
|
|
inherits x_device
|
|
|
|
class x_keyboard
|
|
inherits x_device
|
|
|
|
class db_schema
|
|
inherits database
|
|
{
|
|
search
|
|
add_name
|
|
remove_name
|
|
}
|
|
|
|
class db_view
|
|
inherits database
|
|
{
|
|
expand
|
|
}
|
|
|
|
class db_sequence
|
|
inherits database
|
|
{
|
|
get_value
|
|
next_value
|
|
set_value
|
|
}
|
|
|
|
class db_language
|
|
inherits database
|
|
{
|
|
implement
|
|
execute
|
|
}
|