policy_module(sepgsql-regtest, 1.08) gen_require(` all_userspace_class_perms ') ## ##

## Allow to launch regression test of SE-PostgreSQL ## Don't switch to TRUE in normal cases ##

##
gen_tunable(sepgsql_regression_test_mode, false) # # Type definitions for regression test # type sepgsql_regtest_trusted_proc_exec_t; postgresql_procedure_object(sepgsql_regtest_trusted_proc_exec_t) type sepgsql_nosuch_trusted_proc_exec_t; postgresql_procedure_object(sepgsql_nosuch_trusted_proc_exec_t) type sepgsql_regtest_invisible_schema_t; postgresql_schema_object(sepgsql_regtest_invisible_schema_t); # # Test domains for self defined unconfined / superuser # role sepgsql_regtest_superuser_r; userdom_base_user_template(sepgsql_regtest_superuser) userdom_manage_home_role(sepgsql_regtest_superuser_r, sepgsql_regtest_superuser_t) userdom_exec_user_home_content_files(sepgsql_regtest_superuser_t) userdom_write_user_tmp_sockets(sepgsql_regtest_superuser_t) auth_read_passwd(sepgsql_regtest_superuser_t) optional_policy(` postgresql_stream_connect(sepgsql_regtest_superuser_t) postgresql_unconfined(sepgsql_regtest_superuser_t) ') optional_policy(` unconfined_stream_connect(sepgsql_regtest_superuser_t) unconfined_rw_pipes(sepgsql_regtest_superuser_t) ') optional_policy(` gen_require(` attribute sepgsql_client_type; ') allow sepgsql_regtest_superuser_t self : process { setcurrent }; allow sepgsql_regtest_superuser_t { self sepgsql_client_type } : process { dyntransition }; ') # Type transition rules allow sepgsql_regtest_user_t sepgsql_regtest_dba_t : process { transition }; type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t; type_transition sepgsql_regtest_user_t sepgsql_nosuch_trusted_proc_exec_t:process sepgsql_regtest_nosuch_t; # # Test domains for database administrators # role sepgsql_regtest_dba_r; userdom_base_user_template(sepgsql_regtest_dba) userdom_manage_home_role(sepgsql_regtest_dba_r, sepgsql_regtest_dba_t) userdom_exec_user_home_content_files(sepgsql_regtest_dba_t) userdom_write_user_tmp_sockets(sepgsql_regtest_user_t) auth_read_passwd(sepgsql_regtest_dba_t) optional_policy(` postgresql_admin(sepgsql_regtest_dba_t, sepgsql_regtest_dba_r) postgresql_stream_connect(sepgsql_regtest_dba_t) ') optional_policy(` unconfined_stream_connect(sepgsql_regtest_dba_t) unconfined_rw_pipes(sepgsql_regtest_dba_t) ') # Type transition rules allow sepgsql_regtest_dba_t self : process { setcurrent }; allow sepgsql_regtest_dba_t sepgsql_regtest_user_t : process { dyntransition }; allow sepgsql_regtest_dba_t sepgsql_regtest_foo_t : process { dyntransition }; allow sepgsql_regtest_dba_t sepgsql_regtest_var_t : process { dyntransition }; # special rule for system columns optional_policy(` gen_require(` attribute sepgsql_table_type; type sepgsql_sysobj_t; ') type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "ctid"; type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "oid"; type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "xmin"; type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "xmax"; type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "cmin"; type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "cmax"; type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "tableoid"; ') # # Dummy domain for unpriv users # role sepgsql_regtest_user_r; userdom_base_user_template(sepgsql_regtest_user) userdom_manage_home_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t) userdom_exec_user_home_content_files(sepgsql_regtest_user_t) userdom_write_user_tmp_sockets(sepgsql_regtest_user_t) auth_read_passwd(sepgsql_regtest_user_t) optional_policy(` postgresql_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t) postgresql_stream_connect(sepgsql_regtest_user_t) ') optional_policy(` unconfined_stream_connect(sepgsql_regtest_user_t) unconfined_rw_pipes(sepgsql_regtest_user_t) ') # Type transition rules allow sepgsql_regtest_user_t sepgsql_regtest_dba_t : process { transition }; type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t; type_transition sepgsql_regtest_user_t sepgsql_nosuch_trusted_proc_exec_t:process sepgsql_regtest_nosuch_t; # # Dummy domain for (virtual) connection pooler software # # XXX - this test scenario assumes sepgsql_regtest_pool_t domain performs # as a typical connection pool server; that switches the client label of # this session prior to any user queries. The sepgsql_regtest_(foo|var)_t # is allowed to access its own table types, but not allowed to reference # other's one. # role sepgsql_regtest_pool_r; userdom_base_user_template(sepgsql_regtest_pool) userdom_manage_home_role(sepgsql_regtest_pool_r, sepgsql_regtest_pool_t) userdom_exec_user_home_content_files(sepgsql_regtest_pool_t) userdom_write_user_tmp_sockets(sepgsql_regtest_pool_t) auth_read_passwd(sepgsql_regtest_pool_t) type sepgsql_regtest_foo_t; type sepgsql_regtest_var_t; type sepgsql_regtest_foo_table_t; type sepgsql_regtest_var_table_t; allow sepgsql_regtest_foo_t sepgsql_regtest_foo_table_t:db_table { getattr select update insert delete lock }; allow sepgsql_regtest_foo_t sepgsql_regtest_foo_table_t:db_column { getattr select update insert }; allow sepgsql_regtest_foo_t sepgsql_regtest_foo_table_t:db_tuple { select update insert delete }; allow sepgsql_regtest_var_t sepgsql_regtest_var_table_t:db_table { getattr select update insert delete lock }; allow sepgsql_regtest_var_t sepgsql_regtest_var_table_t:db_column { getattr select update insert }; allow sepgsql_regtest_var_t sepgsql_regtest_var_table_t:db_tuple { select update insert delete }; optional_policy(` gen_require(` class db_table { truncate }; ') allow sepgsql_regtest_superuser_t sepgsql_regtest_foo_table_t:db_table { truncate }; ') optional_policy(` gen_require(` role unconfined_r; ') postgresql_role(unconfined_r, sepgsql_regtest_foo_t) postgresql_role(unconfined_r, sepgsql_regtest_var_t) postgresql_table_object(sepgsql_regtest_foo_table_t) postgresql_table_object(sepgsql_regtest_var_table_t) ') optional_policy(` postgresql_stream_connect(sepgsql_regtest_pool_t) postgresql_role(sepgsql_regtest_pool_r, sepgsql_regtest_pool_t) ') optional_policy(` unconfined_stream_connect(sepgsql_regtest_pool_t) unconfined_rw_pipes(sepgsql_regtest_pool_t) ') # type transitions allow sepgsql_regtest_pool_t self:process { setcurrent }; allow sepgsql_regtest_pool_t sepgsql_regtest_dba_t:process { transition }; type_transition sepgsql_regtest_pool_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t; allow { sepgsql_regtest_foo_t sepgsql_regtest_var_t } self:process { setcurrent }; allow { sepgsql_regtest_foo_t sepgsql_regtest_var_t } sepgsql_regtest_pool_t:process { dyntransition }; # # Dummy domain for non-exist users # role sepgsql_regtest_nosuch_r; userdom_base_user_template(sepgsql_regtest_nosuch) optional_policy(` postgresql_role(sepgsql_regtest_nosuch_r, sepgsql_regtest_nosuch_t) ') # # Rules to launch psql in the dummy domains # optional_policy(` gen_require(` role unconfined_r; type unconfined_t; type sepgsql_trusted_proc_t; ') tunable_policy(`sepgsql_regression_test_mode',` allow unconfined_t self : process { setcurrent dyntransition }; allow unconfined_t sepgsql_regtest_dba_t : process { transition dyntransition }; allow unconfined_t sepgsql_regtest_superuser_t : process { transition dyntransition }; allow unconfined_t sepgsql_regtest_user_t : process { transition dyntransition }; allow unconfined_t sepgsql_regtest_pool_t : process { transition dyntransition }; ') role unconfined_r types sepgsql_regtest_dba_t; role unconfined_r types sepgsql_regtest_superuser_t; role unconfined_r types sepgsql_regtest_user_t; role unconfined_r types sepgsql_regtest_nosuch_t; role unconfined_r types sepgsql_trusted_proc_t; role unconfined_r types sepgsql_regtest_pool_t; role unconfined_r types sepgsql_regtest_foo_t; role unconfined_r types sepgsql_regtest_var_t; ') # # Rule to make MCS policy work on regression test # # NOTE: MCS (multi category security) policy was enabled by default, to # allow DAC style access control, in the previous selinux policy. # However, its definition was changed later, then a limited number of # applications are restricted by MCS policy, for container features # mainly. The rules below enables MCS policy for domains of regression # test also, even if base security policy does not apply. If base policy # is old and MCS is enabled in default, rules below does nothing. # optional_policy(` gen_require(` type sepgsql_trusted_proc_t; ') mcs_constrained(sepgsql_regtest_dba_t) mcs_constrained(sepgsql_regtest_superuser_t) mcs_constrained(sepgsql_regtest_user_t) mcs_constrained(sepgsql_regtest_nosuch_t) mcs_constrained(sepgsql_trusted_proc_t) mcs_constrained(sepgsql_regtest_pool_t) mcs_constrained(sepgsql_regtest_foo_t) mcs_constrained(sepgsql_regtest_var_t) ') # # Rule to execute original trusted procedures # # These rules intends to allow any valid client types to launch trusted- # procedures (including ones causes domain transition to invalid domain) # being labeled as sepgsql_regtest_trusted_proc_exec_t and # sepgsql_nosuch_trusted_proc_exec_t. # optional_policy(` gen_require(` attribute sepgsql_client_type; ') allow sepgsql_client_type { sepgsql_regtest_trusted_proc_exec_t sepgsql_nosuch_trusted_proc_exec_t }:db_procedure { getattr execute entrypoint }; ')