[4/4] Proposal of SE-PostgreSQL patches - Mailing list pgsql-patches

From Kohei KaiGai
Subject [4/4] Proposal of SE-PostgreSQL patches
Date
Msg-id 47DDF40A.2050300@ak.jp.nec.com
List pgsql-patches
[4/4] - sepostgresql-policy-8.4devel-3.patch

This patch gives us the default security policy for SE-PostgreSQL.
You can build it as a security policy module, link it with the
existing distributor's policy, and reload it.

--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
diff -rpNU3 pgace/contrib/sepgsql-policy/Makefile sepgsql/contrib/sepgsql-policy/Makefile
--- pgace/contrib/sepgsql-policy/Makefile    1970-01-01 09:00:00.000000000 +0900
+++ sepgsql/contrib/sepgsql-policy/Makefile    2008-03-12 20:00:04.000000000 +0900
@@ -0,0 +1,20 @@
+# SE-PostgreSQL Security Policy
+#------------------------------
+
+SHAREDIR := /usr/share/selinux
+
+AWK ?= gawk
+NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))
+
+SELINUX_POLICY := /usr/share/selinux
+
+all: sepostgresql.pp
+
+install: all
+    install -m 0644 sepostgresql.pp $(SELINUX_POLICY)/$(NAME)
+
+sepostgresql.pp: sepostgresql.te sepostgresql.if sepostgresql.fc
+    make -f $(SELINUX_POLICY)/devel/Makefile NAME=$(NAME)
+
+clean:
+    make -f $(SELINUX_POLICY)/devel/Makefile NAME=$(NAME) clean
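Review bot: `SHAREDIR` is assigned on the fourth line of the file and never referenced, while `SELINUX_POLICY` a few lines later carries the same value and is the one actually used; one of the two should go. `NAME` is computed by parsing `/etc/selinux/config` at build time, and when that file is missing or lacks a `SELINUXTYPE` line the variable is empty, so `install` would copy the module into `$(SELINUX_POLICY)/` itself — a guard such as `ifeq ($(NAME),)` followed by `$(error SELINUXTYPE not found; set NAME=)` catches that early. The sub-make calls in the `sepostgresql.pp` and `clean` recipes should use `$(MAKE)` rather than a bare `make` so that flags and the jobserver propagate. The `install` target only copies the `.pp` into the policy store directory and does not load it, so the "reloaded" in the cover note still relies on the administrator running `semodule` afterwards; a comment saying so on the `install` target would avoid surprises.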
diff -rpNU3 pgace/contrib/sepgsql-policy/sepostgresql.fc sepgsql/contrib/sepgsql-policy/sepostgresql.fc
--- pgace/contrib/sepgsql-policy/sepostgresql.fc    1970-01-01 09:00:00.000000000 +0900
+++ sepgsql/contrib/sepgsql-policy/sepostgresql.fc    2008-03-13 10:21:48.000000000 +0900
@@ -0,0 +1,17 @@
+#
+# SE-PostgreSQL install path
+#
+/usr/bin/sepostgres        --    gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/initdb.sepgsql        --    gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/sepg_ctl        --    gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/var/lib/sepgsql(/.*)?            gen_context(system_u:object_r:postgresql_db_t,s0)
+/var/lib/sepgsql/pgstartup\.log        gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/log/sepostgresql\.log.*    --    gen_context(system_u:object_r:postgresql_log_t,s0)
+
+#
+# For source installation
+#
+/usr/local/pgsql/bin/postgres    --    gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/local/pgsql/bin/initdb    --    gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/local/pgsql/bin/pg_ctl    --    gen_context(system_u:object_r:initrc_exec_t,s0)
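Review bot: `/usr/bin/sepg_ctl` and `/usr/local/pgsql/bin/pg_ctl` are labeled with the generic `initrc_exec_t` instead of a PostgreSQL-specific type, and the file gives no reason for that choice; presumably it is so that the server started through them transitions the same way it would from an init script, but that is inferred rather than stated. A short comment above those two entries, e.g. `# pg_ctl is labeled initrc_exec_t so that a server it launches is started as from an init script (no dedicated control type yet)`, would make the labeling reviewable. The `/var/lib/sepgsql(/.*)?` entry carries no file-type qualifier, which is the usual choice for a data directory tree; a one-line comment that the directory, its files and sockets are all meant to receive `postgresql_db_t` would confirm that is intended.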
diff -rpNU3 pgace/contrib/sepgsql-policy/sepostgresql.if sepgsql/contrib/sepgsql-policy/sepostgresql.if
--- pgace/contrib/sepgsql-policy/sepostgresql.if    1970-01-01 09:00:00.000000000 +0900
+++ sepgsql/contrib/sepgsql-policy/sepostgresql.if    2008-03-12 20:00:04.000000000 +0900
@@ -0,0 +1,88 @@
+########################################
+## <summary>
+##      Marks the specified domain as SE-PostgreSQL server process.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to be marked
+##      </summary>
+## </param>
+#
+interface(`sepgsql_server_domain',`
+    gen_require(`
+        attribute sepgsql_server_type;
+    ')
+    typeattribute $1 sepgsql_server_type;
+')
+
+########################################
+## <summary>
+##      Allow the specified domain unconfined accesses to any database objects
+##  managed by SE-PostgreSQL,
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`sepgsql_unconfined_domain',`
+    gen_require(`
+        attribute sepgsql_unconfined_type;
+        attribute sepgsql_client_type;
+    ')
+    typeattribute $1 sepgsql_unconfined_type;
+    typeattribute $1 sepgsql_client_type;
+')
+
+########################################
+## <summary>
+##      Allow the specified domain unprivileged accesses to any database objects
+##  managed by SE-PostgreSQL,
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`sepgsql_client_domain',`
+    gen_require(`
+        attribute sepgsql_client_type;
+    ')
+    typeattribute $1 sepgsql_client_type;
+')
+
+########################################
+## <summary>
+##      Allow the specified role to invoke trusted procedures
+## </summary>
+## <param name="role">
+##  <summary>
+##  The role associated with the domain.
+##  </summary>
+## </param>
+#
+interface(`sepgsql_trusted_procedure_role',`
+    gen_require(`
+        type sepgsql_trusted_domain_t;
+    ')
+    role $1 types sepgsql_trusted_domain_t;
+')
+
+########################################
+## <summary>
+##     Marks as a SE-PostgreSQL loadable shared library module
+## </summary>
+## <param name="type">
+##     <summary>
+##     Type marked as a database object type.
+##     </summary>
+## </param>
+#
+interface(`sepgsql_loadable_module',`
+    gen_require(`
+        attribute sepgsql_module_type;
+    ')
+    typeattribute $1 sepgsql_module_type;
+')
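Review bot: The `sepgsql_unconfined_domain` summary promises unconfined access to any database object, but in sepostgresql.te the unconfined allow rules are wrapped in `tunable_policy(`sepgsql_enable_unconfined', ...)`, so with that boolean off a domain marked through this interface only keeps the client-level rights it also receives from `sepgsql_client_type`. The summary should state that dependency, e.g. `## Allow the specified domain unconfined access to any database object managed by SE-PostgreSQL while the sepgsql_enable_unconfined boolean is on; otherwise it is treated as an ordinary client domain.` The summaries of `sepgsql_unconfined_domain` and `sepgsql_client_domain` both end in a comma where a period is meant. The parameter description of `sepgsql_loadable_module` reads `Type marked as a database object type` although the interface marks a shared-library type; `Type to be marked as a loadable module type` would match its own summary.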
diff -rpNU3 pgace/contrib/sepgsql-policy/sepostgresql.te sepgsql/contrib/sepgsql-policy/sepostgresql.te
--- pgace/contrib/sepgsql-policy/sepostgresql.te    1970-01-01 09:00:00.000000000 +0900
+++ sepgsql/contrib/sepgsql-policy/sepostgresql.te    2008-03-12 20:00:04.000000000 +0900
@@ -0,0 +1,353 @@
+policy_module(sepostgresql, 3.01)
+
+gen_require(`
+        class db_database all_db_database_perms;
+        class db_table all_db_table_perms;
+        class db_procedure all_db_procedure_perms;
+        class db_column all_db_column_perms;
+        class db_tuple all_db_tuple_perms;
+        class db_blob all_db_blob_perms;
+
+    type postgresql_t, unlabeled_t;
+    attribute domain, file_type;
+
+    role system_r;
+')
+
+#################################
+#
+# SE-PostgreSQL Boolean declarations
+#
+
+## <desc>
+## <p>
+## Allow to enable unconfined domains
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_unconfined, true)
+
+## <desc>
+## <p>
+## Allow to generate auditallow logs
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_auditallow, false)
+
+## <desc>
+## <p>
+## Allow to generate auditdeny logs
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_auditdeny,  true)
+
+## <desc>
+## <p>
+## Allow to generate audit(allow|deny) logs for tuples
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_audittuple, false)
+
+## <desc>
+## <p>
+## Allow unprivileged users to execute DDL statement
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_users_ddl,  true)
+
+#################################
+#
+# SE-PostgreSQL Type/Attribute declarations
+#
+
+# database subjects
+attribute sepgsql_server_type;
+attribute sepgsql_client_type;
+attribute sepgsql_unconfined_type;
+
+# database objects attribute
+attribute sepgsql_database_type;
+attribute sepgsql_table_type;
+attribute sepgsql_procedure_type;
+attribute sepgsql_blob_type;
+attribute sepgsql_module_type;
+
+# database trusted domain
+type sepgsql_trusted_domain_t;
+
+# database object types
+type sepgsql_db_t,        sepgsql_database_type;
+
+type sepgsql_table_t,        sepgsql_table_type;
+type sepgsql_sysobj_t,        sepgsql_table_type;
+type sepgsql_secret_table_t,    sepgsql_table_type;
+type sepgsql_ro_table_t,    sepgsql_table_type;
+type sepgsql_fixed_table_t,    sepgsql_table_type;
+
+type sepgsql_proc_t,        sepgsql_procedure_type;
+type sepgsql_user_proc_t,    sepgsql_procedure_type;
+type sepgsql_trusted_proc_t,    sepgsql_procedure_type;
+
+type sepgsql_blob_t,        sepgsql_blob_type;
+type sepgsql_ro_blob_t,        sepgsql_blob_type;
+type sepgsql_secret_blob_t,    sepgsql_blob_type;
+
+typeattribute unlabeled_t    sepgsql_database_type;
+typeattribute unlabeled_t    sepgsql_table_type;
+typeattribute unlabeled_t    sepgsql_procedure_type;
+typeattribute unlabeled_t    sepgsql_blob_type;
+
+########################################
+#
+# SE-PostgreSQL Server Local policy
+#                    (sepgsql_server_type)
+allow sepgsql_server_type self : netlink_selinux_socket create_socket_perms;
+selinux_get_fs_mount(sepgsql_server_type)
+selinux_get_enforce_mode(sepgsql_server_type)
+selinux_validate_context(sepgsql_server_type)
+selinux_compute_access_vector(sepgsql_server_type)
+selinux_compute_create_context(sepgsql_server_type)
+selinux_compute_relabel_context(sepgsql_server_type)
+
+allow sepgsql_server_type sepgsql_database_type : db_database *;
+allow sepgsql_server_type sepgsql_module_type : db_database { install_module };
+allow sepgsql_server_type sepgsql_table_type : { db_table db_column db_tuple } *;
+allow sepgsql_server_type sepgsql_procedure_type : db_procedure *;
+allow sepgsql_server_type sepgsql_blob_type : db_blob *;
+
+# server specific type transitions
+type_transition sepgsql_server_type sepgsql_database_type : db_table sepgsql_sysobj_t;
+type_transition sepgsql_server_type sepgsql_database_type : db_procedure sepgsql_proc_t;
+
+########################################
+#
+# SE-PostgreSQL Administrative domain local policy
+#                    (sepgsql_unconfined_type)
+
+tunable_policy(`sepgsql_enable_unconfined',`
+    allow sepgsql_unconfined_type sepgsql_database_type : db_database *;
+    allow sepgsql_unconfined_type sepgsql_module_type : db_database { install_module };
+    allow sepgsql_unconfined_type sepgsql_table_type : { db_table db_column db_tuple } *;
+    allow sepgsql_unconfined_type { sepgsql_procedure_type - sepgsql_user_proc_t } : db_procedure *;
+    allow sepgsql_unconfined_type sepgsql_user_proc_t : db_procedure { create drop getattr setattr relabelfrom
relabelto}; 
+    allow sepgsql_unconfined_type sepgsql_blob_type : db_blob *;
+    allow sepgsql_unconfined_type postgresql_t : db_blob { import export };
+
+    type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure
sepgsql_proc_t;
+',`
+    type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure
sepgsql_user_proc_t;
+')
+
+########################################
+#
+# SE-PostgreSQL Users domain local policy
+#                     (sepgsql_client_type)
+
+allow sepgsql_client_type sepgsql_db_t : db_database { getattr access get_param set_param};
+
+allow sepgsql_client_type sepgsql_table_t : db_table { getattr use select update insert delete };
+allow sepgsql_client_type sepgsql_table_t : db_column { getattr use select update insert };
+allow sepgsql_client_type sepgsql_table_t : db_tuple { use select update insert delete };
+
+allow sepgsql_client_type sepgsql_sysobj_t : db_table { getattr use select };
+allow sepgsql_client_type sepgsql_sysobj_t : db_column { getattr use select };
+allow sepgsql_client_type sepgsql_sysobj_t : db_tuple { use select };
+tunable_policy(`sepgsql_enable_users_ddl',`
+    allow sepgsql_client_type sepgsql_table_t : db_table { create drop setattr };
+    allow sepgsql_client_type sepgsql_table_t : db_column { create drop setattr };
+    allow sepgsql_client_type sepgsql_sysobj_t : db_tuple { update insert delete };
+')
+
+allow sepgsql_client_type sepgsql_secret_table_t : db_table { getattr };
+allow sepgsql_client_type sepgsql_secret_table_t : db_column { getattr };
+
+allow sepgsql_client_type sepgsql_ro_table_t : db_table { getattr use select };
+allow sepgsql_client_type sepgsql_ro_table_t : db_column { getattr use select };
+allow sepgsql_client_type sepgsql_ro_table_t : db_tuple { use select };
+
+allow sepgsql_client_type sepgsql_fixed_table_t : db_table { getattr use select insert };
+allow sepgsql_client_type sepgsql_fixed_table_t : db_column { getattr use select insert };
+allow sepgsql_client_type sepgsql_fixed_table_t : db_tuple { use select insert };
+
+allow sepgsql_client_type sepgsql_proc_t : db_procedure { getattr execute };
+allow { sepgsql_client_type - sepgsql_unconfined_type } sepgsql_user_proc_t : db_procedure { create drop getattr
setattrexecute }; 
+allow sepgsql_client_type sepgsql_trusted_proc_t : db_procedure { getattr execute entrypoint };
+
+allow sepgsql_client_type sepgsql_blob_t : db_blob { create drop getattr setattr read write };
+allow sepgsql_client_type sepgsql_ro_blob_t : db_blob { getattr read };
+allow sepgsql_client_type sepgsql_secret_blob_t : db_blob { getattr };
+
+# call trusted procedure
+type_transition sepgsql_client_type sepgsql_trusted_proc_t : process sepgsql_trusted_domain_t;
+allow sepgsql_client_type sepgsql_trusted_domain_t : process { transition };
+
+# type transitions for rest of domains
+type_transition domain domain : db_database sepgsql_db_t;
+type_transition { domain - sepgsql_server_type } sepgsql_database_type : db_table sepgsql_table_t;
+type_transition { domain - sepgsql_server_type - sepgsql_unconfined_type } sepgsql_database_type : db_procedure
sepgsql_user_proc_t;
+type_transition domain sepgsql_database_type : db_blob sepgsql_blob_t;
+
+########################################
+#
+# SE-PostgreSQL Misc policies
+#
+
+# Trusted Procedure Domain
+domain_type(sepgsql_trusted_domain_t)
+role system_r types sepgsql_trusted_domain_t;
+sepgsql_unconfined_domain(sepgsql_trusted_domain_t)
+
+# The following permissions are allowed, even if sepgsql_enable_unconfined is disabled.
+allow sepgsql_trusted_domain_t sepgsql_database_type : db_database { getattr setattr access get_param set_param};
+allow sepgsql_trusted_domain_t sepgsql_table_type : db_table { getattr use select update insert delete lock };
+allow sepgsql_trusted_domain_t sepgsql_table_type : db_column { getattr use select update insert };
+allow sepgsql_trusted_domain_t sepgsql_table_type : db_tuple { use select update insert delete };
+
+allow sepgsql_trusted_domain_t { sepgsql_procedure_type - sepgsql_user_proc_t } : db_procedure { getattr execute };
+allow sepgsql_trusted_domain_t sepgsql_user_proc_t : db_procedure { getattr };
+allow sepgsql_trusted_domain_t sepgsql_blob_type : db_blob { getattr setattr read write };
+
+# Database/Loadable module
+allow sepgsql_database_type sepgsql_module_type : db_database { load_module };
+
+########################################
+#
+# SE-PostgreSQL audit switch
+#
+tunable_policy(`sepgsql_enable_auditallow',`
+    auditallow domain sepgsql_database_type  : db_database all_db_database_perms;
+    auditallow domain sepgsql_table_type     : db_table all_db_table_perms;
+    auditallow domain sepgsql_table_type     : db_column all_db_column_perms;
+    auditallow domain sepgsql_procedure_type : db_procedure all_db_procedure_perms;
+    auditallow domain sepgsql_blob_type      : db_blob all_db_blob_perms;
+    auditallow domain sepgsql_server_type    : db_blob { import export };
+    auditallow domain sepgsql_module_type    : db_database { install_module };
+')
+tunable_policy(`sepgsql_enable_audittuple && sepgsql_enable_auditallow',`
+    auditallow domain sepgsql_table_type     : db_tuple all_db_tuple_perms;
+')
+tunable_policy(`! sepgsql_enable_auditdeny',`
+    dontaudit domain sepgsql_database_type   : db_database all_db_database_perms;
+    dontaudit domain sepgsql_table_type      : db_table all_db_table_perms;
+    dontaudit domain sepgsql_table_type      : db_column all_db_column_perms;
+    dontaudit domain sepgsql_procedure_type  : db_procedure all_db_procedure_perms;
+    dontaudit domain sepgsql_blob_type       : db_blob all_db_blob_perms;
+    dontaudit domain sepgsql_server_type     : db_blob { import export };
+    dontaudit domain sepgsql_module_type     : db_database { install_module };
+')
+tunable_policy(`! sepgsql_enable_audittuple || ! sepgsql_enable_auditdeny',`
+    dontaudit domain sepgsql_table_type      : db_tuple all_db_tuple_perms;
+')
+########################################
+#
+# Allow permission to external domains
+#
+
+# server domains
+optional_policy(`
+    gen_require(`
+        type postgresql_t;
+    ')
+    sepgsql_server_domain(postgresql_t)
+')
+
+# unconfined client domain
+optional_policy(`
+    gen_require(`
+        type unconfined_t;
+    ')
+    sepgsql_unconfined_domain(unconfined_t)
+')
+
+optional_policy(`
+    gen_require(`
+        type sysadm_t;
+    ')
+    sepgsql_unconfined_domain(sysadm_t)
+')
+
+# generic client domain
+optional_policy(`
+    gen_require(`
+        type user_t;
+        role user_r;
+    ')
+    sepgsql_client_domain(user_t)
+    sepgsql_trusted_procedure_role(user_r)
+')
+
+optional_policy(`
+    gen_require(`
+        type staff_t;
+        role staff_r;
+    ')
+    sepgsql_client_domain(staff_t)
+    sepgsql_trusted_procedure_role(staff_r)
+')
+
+optional_policy(`
+    gen_require(`
+        type user_t;
+        role user_r;
+    ')
+    sepgsql_client_domain(user_t)
+    sepgsql_trusted_procedure_role(user_r)
+')
+
+optional_policy(`
+    gen_require(`
+        type guest_t;
+        role guest_r;
+    ')
+    sepgsql_client_domain(guest_t)
+    sepgsql_trusted_procedure_role(guest_r)
+')
+
+optional_policy(`
+    gen_require(`
+        type xguest_t;
+        role xguest_r;
+    ')
+    sepgsql_client_domain(xguest_t)
+    sepgsql_trusted_procedure_role(xguest_r)
+')
+
+optional_policy(`
+    gen_require(`
+        type httpd_sys_script_t;
+    ')
+    sepgsql_client_domain(httpd_sys_script_t)
+')
+
+# RBAC
+optional_policy(`
+    gen_require(`
+        role unconfined_r;
+    ')
+    sepgsql_trusted_procedure_role(unconfined_r)
+')
+
+# loadable module types
+optional_policy(`
+    gen_require(`
+        type lib_t;
+    ')
+    sepgsql_loadable_module(lib_t)
+')
+
+optional_policy(`
+    gen_require(`
+        type textrel_shlib_t;
+    ')
+    sepgsql_loadable_module(textrel_shlib_t)
+')
+
+########################################
+#
+# Hotfixes for labeled networking
+#
+# NOTE: These changes are to be merged in the later releases.
+corenet_tcp_recvfrom_labeled(sepgsql_server_type, sepgsql_client_type)
+optional_policy(`
+    ipsec_match_default_spd(sepgsql_server_type)
+    ipsec_match_default_spd(sepgsql_client_type)
+')
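Review bot: The rule `allow sepgsql_unconfined_type postgresql_t : db_blob { import export };` inside the `sepgsql_enable_unconfined` block names the concrete `postgresql_t` type, while every other server-side rule and the `auditallow`/`dontaudit` entries for `{ import export }` use the `sepgsql_server_type` attribute, so a server domain added through `sepgsql_server_domain()` other than postgresql_t would be denied import/export even though the audit rules cover it; `allow sepgsql_unconfined_type sepgsql_server_type : db_blob { import export };` keeps the file consistent. The `optional_policy` block requiring `user_t`/`user_r` appears twice verbatim, once before the `staff_t` block and once after it, and one copy should be dropped. The rule granting `sepgsql_user_proc_t` rights to `{ sepgsql_client_type - sepgsql_unconfined_type }` reads `setattrexecute` as rendered here; if that is not a line-wrap artifact of the archive it is a missing space between `setattr` and `execute` and the module will not build. Since `sepgsql_trusted_domain_t` is made unconfined through `sepgsql_unconfined_domain()` and is reachable from every client domain wired up below (including guest_t, xguest_t and httpd_sys_script_t) via the `sepgsql_trusted_proc_t` transition, a comment at the "Trusted Procedure Domain" block stating that the ability to label a procedure `sepgsql_trusted_proc_t` is what gates that escalation, and which domains hold `relabelto` on it, would help reviewers.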
