# SELinux policy module that defines the roles, domains and object types
# used by the SE-PostgreSQL (sepgsql) regression test.
#
# NOTE(review): only the rules inside the tunable_policy block near the end
# of this file are conditional on sepgsql_regression_test_mode. Every other
# rule here (test domains, role/type associations, the db_procedure
# entrypoint grant) is active as soon as the module is loaded, so the module
# should be installed on test hosts only and removed after the run.
policy_module(sepgsql-regtest, 1.08)

# Userspace object classes and permissions (the db_* classes referenced
# below are expected to come from here - confirm against the base policy).
gen_require(`
	all_userspace_class_perms
')

## <desc>
## <p>
## Allow to launch regression test of SE-PostgreSQL
## Don't switch to TRUE in normal cases
## </p>
## </desc>
# Declared with a default of false. It gates the unconfined_t process
# transitions into the test domains and nothing else in this file.
gen_tunable(sepgsql_regression_test_mode, false)

#
# Type definitions for regression test
#
# Two procedure labels: one used as the entrypoint to sepgsql_regtest_dba_t,
# one used as the entrypoint to sepgsql_regtest_nosuch_t (see the
# type_transition rules below).
type sepgsql_regtest_trusted_proc_exec_t;
postgresql_procedure_object(sepgsql_regtest_trusted_proc_exec_t)
type sepgsql_nosuch_trusted_proc_exec_t;
postgresql_procedure_object(sepgsql_nosuch_trusted_proc_exec_t)

# NOTE(review): this is the only *_object() call in the file followed by a
# trailing semicolon.
type sepgsql_regtest_invisible_schema_t;
postgresql_schema_object(sepgsql_regtest_invisible_schema_t);

#
# Test domains for self defined unconfined / superuser
#
role sepgsql_regtest_superuser_r;
userdom_base_user_template(sepgsql_regtest_superuser)
userdom_manage_home_role(sepgsql_regtest_superuser_r, sepgsql_regtest_superuser_t)
userdom_exec_user_home_content_files(sepgsql_regtest_superuser_t)
userdom_write_user_tmp_sockets(sepgsql_regtest_superuser_t)

auth_read_passwd(sepgsql_regtest_superuser_t)

# postgresql_unconfined is applied to this domain only; by its name it
# lifts the database-object restrictions for it (confirm in the base policy).
optional_policy(`
	postgresql_stream_connect(sepgsql_regtest_superuser_t)
	postgresql_unconfined(sepgsql_regtest_superuser_t)
')
optional_policy(`
	unconfined_stream_connect(sepgsql_regtest_superuser_t)
	unconfined_rw_pipes(sepgsql_regtest_superuser_t)
')
# The superuser domain may change its own context and may dynamically
# transition to itself or to any domain carrying sepgsql_client_type.
optional_policy(`
	gen_require(`
		attribute sepgsql_client_type;
	')
	allow sepgsql_regtest_superuser_t self : process { setcurrent };
	allow sepgsql_regtest_superuser_t { self sepgsql_client_type } : process { dyntransition };
')

# Type transition rules
# NOTE(review): these three rules name sepgsql_regtest_user_t as the source
# domain, not the superuser domain, and are repeated verbatim in the
# unprivileged user section below. Confirm whether this copy is intended.
allow sepgsql_regtest_user_t sepgsql_regtest_dba_t : process { transition };
type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
type_transition sepgsql_regtest_user_t sepgsql_nosuch_trusted_proc_exec_t:process sepgsql_regtest_nosuch_t;

#
# Test domains for database administrators
#
role sepgsql_regtest_dba_r;
userdom_base_user_template(sepgsql_regtest_dba)
userdom_manage_home_role(sepgsql_regtest_dba_r, sepgsql_regtest_dba_t)
userdom_exec_user_home_content_files(sepgsql_regtest_dba_t)
# NOTE(review): the argument below is sepgsql_regtest_user_t although this
# is the dba section; every sibling section passes its own domain here and
# the user section repeats this exact call. Looks like a copy-paste slip -
# confirm whether sepgsql_regtest_dba_t was meant before changing it.
userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)

auth_read_passwd(sepgsql_regtest_dba_t)

optional_policy(`
	postgresql_admin(sepgsql_regtest_dba_t, sepgsql_regtest_dba_r)
	postgresql_stream_connect(sepgsql_regtest_dba_t)
')
optional_policy(`
	unconfined_stream_connect(sepgsql_regtest_dba_t)
	unconfined_rw_pipes(sepgsql_regtest_dba_t)
')

# Type transition rules
# The dba domain may change its own context and dynamically transition to
# the user, foo and var test domains.
allow sepgsql_regtest_dba_t self : process { setcurrent };
allow sepgsql_regtest_dba_t sepgsql_regtest_user_t : process { dyntransition };
allow sepgsql_regtest_dba_t sepgsql_regtest_foo_t : process { dyntransition };
allow sepgsql_regtest_dba_t sepgsql_regtest_var_t : process { dyntransition };

# special rule for system columns
# Named type transitions: a db_column with one of the listed names that the
# dba domain creates under any sepgsql_table_type is labeled
# sepgsql_sysobj_t.
optional_policy(`
	gen_require(`
		attribute sepgsql_table_type;
		type sepgsql_sysobj_t;
	')
	type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "ctid";
	type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "oid";
	type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "xmin";
	type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "xmax";
	type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "cmin";
	type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "cmax";
	type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "tableoid";
')

#
# Dummy domain for unpriv users
#
role sepgsql_regtest_user_r;
userdom_base_user_template(sepgsql_regtest_user)
userdom_manage_home_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
userdom_exec_user_home_content_files(sepgsql_regtest_user_t)
userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)

auth_read_passwd(sepgsql_regtest_user_t)

optional_policy(`
	postgresql_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
	postgresql_stream_connect(sepgsql_regtest_user_t)
')
optional_policy(`
	unconfined_stream_connect(sepgsql_regtest_user_t)
	unconfined_rw_pipes(sepgsql_regtest_user_t)
')
# Type transition rules
# The user domain may transition to the dba domain; the default process
# type is the dba domain for the regtest trusted procedure label and the
# nosuch domain for the nosuch trusted procedure label.
allow sepgsql_regtest_user_t sepgsql_regtest_dba_t : process { transition };
type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
type_transition sepgsql_regtest_user_t sepgsql_nosuch_trusted_proc_exec_t:process sepgsql_regtest_nosuch_t;

#
# Dummy domain for (virtual) connection pooler software
#
# XXX - this test scenario assumes that the sepgsql_regtest_pool_t domain
# behaves like a typical connection pool server, which switches the client
# label of the session prior to any user queries. Each of the
# sepgsql_regtest_(foo|var)_t domains is allowed to access its own table
# type, but is not allowed to reference the table type of the other.
#
role sepgsql_regtest_pool_r;
userdom_base_user_template(sepgsql_regtest_pool)
userdom_manage_home_role(sepgsql_regtest_pool_r, sepgsql_regtest_pool_t)
userdom_exec_user_home_content_files(sepgsql_regtest_pool_t)
userdom_write_user_tmp_sockets(sepgsql_regtest_pool_t)

auth_read_passwd(sepgsql_regtest_pool_t)

type sepgsql_regtest_foo_t;
type sepgsql_regtest_var_t;
type sepgsql_regtest_foo_table_t;
type sepgsql_regtest_var_table_t;

# Each client domain gets table, column and tuple access on its own table
# type only; no rule in this file crosses foo and var.
allow sepgsql_regtest_foo_t sepgsql_regtest_foo_table_t:db_table { getattr select update insert delete lock };
allow sepgsql_regtest_foo_t sepgsql_regtest_foo_table_t:db_column { getattr select update insert };
allow sepgsql_regtest_foo_t sepgsql_regtest_foo_table_t:db_tuple { select update insert delete };

allow sepgsql_regtest_var_t sepgsql_regtest_var_table_t:db_table { getattr select update insert delete lock };
allow sepgsql_regtest_var_t sepgsql_regtest_var_table_t:db_column { getattr select update insert };
allow sepgsql_regtest_var_t sepgsql_regtest_var_table_t:db_tuple { select update insert delete };

optional_policy(`
	gen_require(`
		role unconfined_r;
	')
	postgresql_role(unconfined_r, sepgsql_regtest_foo_t)
	postgresql_role(unconfined_r, sepgsql_regtest_var_t)
	postgresql_table_object(sepgsql_regtest_foo_table_t)
	postgresql_table_object(sepgsql_regtest_var_table_t)
')
optional_policy(`
	postgresql_stream_connect(sepgsql_regtest_pool_t)
	postgresql_role(sepgsql_regtest_pool_r, sepgsql_regtest_pool_t)
')
optional_policy(`
	unconfined_stream_connect(sepgsql_regtest_pool_t)
	unconfined_rw_pipes(sepgsql_regtest_pool_t)
')
# type transitions
# The pool domain may change its own context and transition to the dba
# domain through the regtest trusted procedure label. The foo and var
# domains may change their own context and dynamically transition to the
# pool domain. The explicit dyntransition rules into foo_t and var_t in this
# file are the ones granted to sepgsql_regtest_dba_t above.
allow sepgsql_regtest_pool_t self:process { setcurrent };
allow sepgsql_regtest_pool_t sepgsql_regtest_dba_t:process { transition };
type_transition sepgsql_regtest_pool_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;

allow { sepgsql_regtest_foo_t sepgsql_regtest_var_t } self:process { setcurrent };
allow { sepgsql_regtest_foo_t sepgsql_regtest_var_t } sepgsql_regtest_pool_t:process { dyntransition };

#
# Dummy domain for non-existent users
#
role sepgsql_regtest_nosuch_r;
userdom_base_user_template(sepgsql_regtest_nosuch)
optional_policy(`
	postgresql_role(sepgsql_regtest_nosuch_r, sepgsql_regtest_nosuch_t)
')

#
# Rules to launch psql in the dummy domains
#
# Only the allow rules inside tunable_policy depend on
# sepgsql_regression_test_mode: they let unconfined_t change its own context
# and enter the dba, superuser, user and pool test domains. The role
# statements that follow are outside the conditional, so unconfined_r is
# associated with the listed types whenever this module is loaded.
optional_policy(`
	gen_require(`
		role unconfined_r;
		type unconfined_t;
		type sepgsql_trusted_proc_t;
	')
	tunable_policy(`sepgsql_regression_test_mode',`
		allow unconfined_t self : process { setcurrent dyntransition };
		allow unconfined_t sepgsql_regtest_dba_t : process { transition dyntransition };
		allow unconfined_t sepgsql_regtest_superuser_t : process { transition dyntransition };
		allow unconfined_t sepgsql_regtest_user_t : process { transition dyntransition };
		allow unconfined_t sepgsql_regtest_pool_t : process { transition dyntransition };
	')
	role unconfined_r types sepgsql_regtest_dba_t;
	role unconfined_r types sepgsql_regtest_superuser_t;
	role unconfined_r types sepgsql_regtest_user_t;
	role unconfined_r types sepgsql_regtest_nosuch_t;
	role unconfined_r types sepgsql_trusted_proc_t;

	role unconfined_r types sepgsql_regtest_pool_t;
	role unconfined_r types sepgsql_regtest_foo_t;
	role unconfined_r types sepgsql_regtest_var_t;
')

#
# Rule to make MCS policy work on regression test
#
# NOTE: In earlier SELinux policy, MCS (multi category security) was
# enabled by default to allow DAC-style access control. Its definition was
# changed later, so that only a limited number of applications are
# restricted by MCS, mainly for container features. The rules below enable
# MCS for the regression test domains as well, even where the base policy
# does not apply it. If the base policy is old and MCS is enabled by
# default, the rules below do nothing.
#
optional_policy(`
	gen_require(`
		type sepgsql_trusted_proc_t;
	')
	mcs_constrained(sepgsql_regtest_dba_t)
	mcs_constrained(sepgsql_regtest_superuser_t)
	mcs_constrained(sepgsql_regtest_user_t)
	mcs_constrained(sepgsql_regtest_nosuch_t)
	mcs_constrained(sepgsql_trusted_proc_t)

	mcs_constrained(sepgsql_regtest_pool_t)
	mcs_constrained(sepgsql_regtest_foo_t)
	mcs_constrained(sepgsql_regtest_var_t)
')

#
# Rule to execute original trusted procedures
#
# These rules are intended to allow any valid client type to launch trusted
# procedures (including ones that cause a domain transition to an invalid
# domain) labeled as sepgsql_regtest_trusted_proc_exec_t and
# sepgsql_nosuch_trusted_proc_exec_t.
#
# NOTE(review): this grant covers every domain with the sepgsql_client_type
# attribute, not just the test domains, and it is not conditional on
# sepgsql_regression_test_mode.
#
optional_policy(`
	gen_require(`
		attribute sepgsql_client_type;
	')
	allow sepgsql_client_type { sepgsql_regtest_trusted_proc_exec_t sepgsql_nosuch_trusted_proc_exec_t }:db_procedure { getattr execute entrypoint };
')