diff options
Diffstat (limited to '')
-rw-r--r-- | contrib/sepgsql/sepgsql-regtest.te | 261 |
1 files changed, 261 insertions, 0 deletions
diff --git a/contrib/sepgsql/sepgsql-regtest.te b/contrib/sepgsql/sepgsql-regtest.te new file mode 100644 index 0000000..569c4da --- /dev/null +++ b/contrib/sepgsql/sepgsql-regtest.te @@ -0,0 +1,261 @@ +policy_module(sepgsql-regtest, 1.08) + +gen_require(` + all_userspace_class_perms +') + +## <desc> +## <p> +## Allow to launch regression test of SE-PostgreSQL +## Don't switch to TRUE in normal cases +## </p> +## </desc> +gen_tunable(sepgsql_regression_test_mode, false) + +# +# Type definitions for regression test +# +type sepgsql_regtest_trusted_proc_exec_t; +postgresql_procedure_object(sepgsql_regtest_trusted_proc_exec_t) +type sepgsql_nosuch_trusted_proc_exec_t; +postgresql_procedure_object(sepgsql_nosuch_trusted_proc_exec_t) + +type sepgsql_regtest_invisible_schema_t; +postgresql_schema_object(sepgsql_regtest_invisible_schema_t); + +# +# Test domains for self defined unconfined / superuser +# +role sepgsql_regtest_superuser_r; +userdom_base_user_template(sepgsql_regtest_superuser) +userdom_manage_home_role(sepgsql_regtest_superuser_r, sepgsql_regtest_superuser_t) +userdom_exec_user_home_content_files(sepgsql_regtest_superuser_t) +userdom_write_user_tmp_sockets(sepgsql_regtest_superuser_t) + +auth_read_passwd(sepgsql_regtest_superuser_t) + +optional_policy(` + postgresql_stream_connect(sepgsql_regtest_superuser_t) + postgresql_unconfined(sepgsql_regtest_superuser_t) +') +optional_policy(` + unconfined_stream_connect(sepgsql_regtest_superuser_t) + unconfined_rw_pipes(sepgsql_regtest_superuser_t) +') +optional_policy(` + gen_require(` + attribute sepgsql_client_type; + ') + allow sepgsql_regtest_superuser_t self : process { setcurrent }; + allow sepgsql_regtest_superuser_t { self sepgsql_client_type } : process { dyntransition }; +') + +# Type transition rules +allow sepgsql_regtest_user_t sepgsql_regtest_dba_t : process { transition }; +type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t; +type_transition sepgsql_regtest_user_t sepgsql_nosuch_trusted_proc_exec_t:process sepgsql_regtest_nosuch_t; + +# +# Test domains for database administrators +# +role sepgsql_regtest_dba_r; +userdom_base_user_template(sepgsql_regtest_dba) +userdom_manage_home_role(sepgsql_regtest_dba_r, sepgsql_regtest_dba_t) +userdom_exec_user_home_content_files(sepgsql_regtest_dba_t) +userdom_write_user_tmp_sockets(sepgsql_regtest_user_t) + +auth_read_passwd(sepgsql_regtest_dba_t) + +optional_policy(` + postgresql_admin(sepgsql_regtest_dba_t, sepgsql_regtest_dba_r) + postgresql_stream_connect(sepgsql_regtest_dba_t) +') +optional_policy(` + unconfined_stream_connect(sepgsql_regtest_dba_t) + unconfined_rw_pipes(sepgsql_regtest_dba_t) +') + +# Type transition rules +allow sepgsql_regtest_dba_t self : process { setcurrent }; +allow sepgsql_regtest_dba_t sepgsql_regtest_user_t : process { dyntransition }; +allow sepgsql_regtest_dba_t sepgsql_regtest_foo_t : process { dyntransition }; +allow sepgsql_regtest_dba_t sepgsql_regtest_var_t : process { dyntransition }; + +# special rule for system columns +optional_policy(` + gen_require(` + attribute sepgsql_table_type; + type sepgsql_sysobj_t; + ') + type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "ctid"; + type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "oid"; + type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "xmin"; + type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "xmax"; + type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "cmin"; + type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "cmax"; + type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "tableoid"; +') + +# +# Dummy domain for unpriv users +# +role sepgsql_regtest_user_r; +userdom_base_user_template(sepgsql_regtest_user) +userdom_manage_home_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t) +userdom_exec_user_home_content_files(sepgsql_regtest_user_t) +userdom_write_user_tmp_sockets(sepgsql_regtest_user_t) + +auth_read_passwd(sepgsql_regtest_user_t) + +optional_policy(` + postgresql_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t) + postgresql_stream_connect(sepgsql_regtest_user_t) +') +optional_policy(` + unconfined_stream_connect(sepgsql_regtest_user_t) + unconfined_rw_pipes(sepgsql_regtest_user_t) +') +# Type transition rules +allow sepgsql_regtest_user_t sepgsql_regtest_dba_t : process { transition }; +type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t; +type_transition sepgsql_regtest_user_t sepgsql_nosuch_trusted_proc_exec_t:process sepgsql_regtest_nosuch_t; + +# +# Dummy domain for (virtual) connection pooler software +# +# XXX - this test scenario assumes sepgsql_regtest_pool_t domain performs +# as a typical connection pool server; that switches the client label of +# this session prior to any user queries. The sepgsql_regtest_(foo|var)_t +# is allowed to access its own table types, but not allowed to reference +# other's one. +# +role sepgsql_regtest_pool_r; +userdom_base_user_template(sepgsql_regtest_pool) +userdom_manage_home_role(sepgsql_regtest_pool_r, sepgsql_regtest_pool_t) +userdom_exec_user_home_content_files(sepgsql_regtest_pool_t) +userdom_write_user_tmp_sockets(sepgsql_regtest_pool_t) + +auth_read_passwd(sepgsql_regtest_pool_t) + +type sepgsql_regtest_foo_t; +type sepgsql_regtest_var_t; +type sepgsql_regtest_foo_table_t; +type sepgsql_regtest_var_table_t; + +allow sepgsql_regtest_foo_t sepgsql_regtest_foo_table_t:db_table { getattr select update insert delete lock }; +allow sepgsql_regtest_foo_t sepgsql_regtest_foo_table_t:db_column { getattr select update insert }; +allow sepgsql_regtest_foo_t sepgsql_regtest_foo_table_t:db_tuple { select update insert delete }; + +allow sepgsql_regtest_var_t sepgsql_regtest_var_table_t:db_table { getattr select update insert delete lock }; +allow sepgsql_regtest_var_t sepgsql_regtest_var_table_t:db_column { getattr select update insert }; +allow sepgsql_regtest_var_t sepgsql_regtest_var_table_t:db_tuple { select update insert delete }; + +optional_policy(` + gen_require(` + class db_table { truncate }; + ') + + allow sepgsql_regtest_superuser_t sepgsql_regtest_foo_table_t:db_table { truncate }; +') + +optional_policy(` + gen_require(` + role unconfined_r; + ') + postgresql_role(unconfined_r, sepgsql_regtest_foo_t) + postgresql_role(unconfined_r, sepgsql_regtest_var_t) + postgresql_table_object(sepgsql_regtest_foo_table_t) + postgresql_table_object(sepgsql_regtest_var_table_t) +') +optional_policy(` + postgresql_stream_connect(sepgsql_regtest_pool_t) + postgresql_role(sepgsql_regtest_pool_r, sepgsql_regtest_pool_t) +') +optional_policy(` + unconfined_stream_connect(sepgsql_regtest_pool_t) + unconfined_rw_pipes(sepgsql_regtest_pool_t) +') +# type transitions +allow sepgsql_regtest_pool_t self:process { setcurrent }; +allow sepgsql_regtest_pool_t sepgsql_regtest_dba_t:process { transition }; +type_transition sepgsql_regtest_pool_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t; + +allow { sepgsql_regtest_foo_t sepgsql_regtest_var_t } self:process { setcurrent }; +allow { sepgsql_regtest_foo_t sepgsql_regtest_var_t } sepgsql_regtest_pool_t:process { dyntransition }; + +# +# Dummy domain for non-exist users +# +role sepgsql_regtest_nosuch_r; +userdom_base_user_template(sepgsql_regtest_nosuch) +optional_policy(` + postgresql_role(sepgsql_regtest_nosuch_r, sepgsql_regtest_nosuch_t) +') + +# +# Rules to launch psql in the dummy domains +# +optional_policy(` + gen_require(` + role unconfined_r; + type unconfined_t; + type sepgsql_trusted_proc_t; + ') + tunable_policy(`sepgsql_regression_test_mode',` + allow unconfined_t self : process { setcurrent dyntransition }; + allow unconfined_t sepgsql_regtest_dba_t : process { transition dyntransition }; + allow unconfined_t sepgsql_regtest_superuser_t : process { transition dyntransition }; + allow unconfined_t sepgsql_regtest_user_t : process { transition dyntransition }; + allow unconfined_t sepgsql_regtest_pool_t : process { transition dyntransition }; + ') + role unconfined_r types sepgsql_regtest_dba_t; + role unconfined_r types sepgsql_regtest_superuser_t; + role unconfined_r types sepgsql_regtest_user_t; + role unconfined_r types sepgsql_regtest_nosuch_t; + role unconfined_r types sepgsql_trusted_proc_t; + + role unconfined_r types sepgsql_regtest_pool_t; + role unconfined_r types sepgsql_regtest_foo_t; + role unconfined_r types sepgsql_regtest_var_t; +') + +# +# Rule to make MCS policy work on regression test +# +# NOTE: MCS (multi category security) policy was enabled by default, to +# allow DAC style access control, in the previous selinux policy. +# However, its definition was changed later, then a limited number of +# applications are restricted by MCS policy, for container features +# mainly. The rules below enables MCS policy for domains of regression +# test also, even if base security policy does not apply. If base policy +# is old and MCS is enabled in default, rules below does nothing. +# +optional_policy(` + gen_require(` + type sepgsql_trusted_proc_t; + ') + mcs_constrained(sepgsql_regtest_dba_t) + mcs_constrained(sepgsql_regtest_superuser_t) + mcs_constrained(sepgsql_regtest_user_t) + mcs_constrained(sepgsql_regtest_nosuch_t) + mcs_constrained(sepgsql_trusted_proc_t) + + mcs_constrained(sepgsql_regtest_pool_t) + mcs_constrained(sepgsql_regtest_foo_t) + mcs_constrained(sepgsql_regtest_var_t) +') + +# +# Rule to execute original trusted procedures +# +# These rules intends to allow any valid client types to launch trusted- +# procedures (including ones causes domain transition to invalid domain) +# being labeled as sepgsql_regtest_trusted_proc_exec_t and +# sepgsql_nosuch_trusted_proc_exec_t. +# +optional_policy(` + gen_require(` + attribute sepgsql_client_type; + ') + allow sepgsql_client_type { sepgsql_regtest_trusted_proc_exec_t sepgsql_nosuch_trusted_proc_exec_t }:db_procedure { getattr execute entrypoint }; +') |