From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 21 May 2009 07:49:32 -0400
Subject: [refpolicy] [RFC] Security policy reworks for SE-PostgreSQL
In-Reply-To: <4A03AF73.4040407@ak.jp.nec.com>
References: <49D1DA85.1030902@ak.jp.nec.com>
	<49D4743C.2010000@ak.jp.nec.com>	<49D4CB6E.1090900@manicmethod.com>
	<1238684951.32379.311.camel@gorn.columbia.tresys.com>
	<49D563A9.1000607@ak.jp.nec.com> <49D965CA.4030908@ak.jp.nec.com>
	<1240258044.19211.767.camel@gorn.columbia.tresys.com>
	<49ED04DF.8050306@ak.jp.nec.com>
	<1241699079.19211.1251.camel@gorn.columbia.tresys.com>
	<4A03AD55.8020207@ak.jp.nec.com>  <4A03AF73.4040407@ak.jp.nec.com>
Message-ID: <1242906572.26262.464.camel@gorn.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, 2009-05-08 at 13:05 +0900, KaiGai Kohei wrote:
> The attached patch fixes incorrect behavior in
> sepgsql_enable_users_ddl.
> 
> The current policy allows users/unprivs to run ALTER TABLE statement
> unconditionally, because db_table/db_column:{setattr} is allowed
> outside
> of the boolean. It should be moved to conditional section.
> 
> In addition, they are also allowed to db_procedure:{create drop
> setattr}
> for xxxx_sepgsql_proc_exec_t, but it means we allows them to create,
> drop
> or alter definition of the functions unconditionally. So, it also
> should
> be moved to conditional section.
> 
> The postgresql.te allows sepgsql_client_type to modify sepgsql_table_t
> and sepgsql_sysobj_t when sepgsql_enable_users_ddl is enabled, but
> it should not be allowed.

Merged.  I fixed the user section which removed the unconditional
getattr instead of the unconditional setattr.

> KaiGai Kohei wrote:
> >>>>> - rework: All the newly created database objects by unprivileged
> >>>>>   clients are prefixed with "user_", and these are controled via
> >>>>>   sepgsql_enable_users_ddl.
> >>>> I don't think we should be mixing user content with other unpriv
> >>>> clients.
> >>> I would like to discriminate between a procedure declared by
> unpriv
> >>> client and by administrative client, because the policy allows the
> >>> unprefixed "sepgsql_proc_exec_t" to be installed as a system
> internal
> >>> component, but it is undesirable to install unpriv-user defined
> >>> procedures as is.
> >>>
> >>> If the "user_" prefix is unpreferable, how do you think other
> prefixes
> >>> something like "anon_", "unpriv_" and so on?
> >> I think we should go with unpriv_ for now.
> > 
> > OK, the attached patch adds the following types for unprivileged
> clients.
> >  - unpriv_sepgsql_table_t
> >  - unpriv_sepgsql_sysobj_t
> >  - unpriv_sepgsql_proc_exec_t
> >  - unpriv_sepgsql_blob_t
> > 
> > These types are the default for unprivileged and unprefixed domains,
> > such as httpd_t and others.
> > 
> > In addition, TYPE_TRANSITION rules are moved to outside of tunable
> > of the sepgsql_enable_users_ddl. IIRC, it was enclosed within the
> > tunable because UBAC domains (user_t and so on) were allowed to
> > create sepgsql_table_t, and its default was pointed to this type
> > when sepgsql_enable_users_ddl is disabled.
> > However, it has different meanings now, so the TYPE_TRANSITION rules
> > should be unconditional.
> > 
> > Thanks,
> -- 
> OSS Platform Development Division, NEC
> KaiGai Kohei <kaigai@ak.jp.nec.com>
> 
> 
> 
> 
> 
> 
> 
> differences
> between files
> attachment
> (refpolicy-sepgsql-2-correct-sepgsql_enable_users_ddl.patch)
> 
> --- policy/modules/services/postgresql.if       2009-05-08
> 12:32:51.000000000 +0900
> +++ policy/modules/services/postgresql.if.2     2009-05-08
> 11:58:46.000000000 +0900
> @@ -46,20 +46,21 @@
>         #
>  
>         tunable_policy(`sepgsql_enable_users_ddl',`
> -               allow $2 user_sepgsql_table_t:db_table { create
> drop };
> -               allow $2 user_sepgsql_table_t:db_column { create
> drop };
> +               allow $2 user_sepgsql_table_t:db_table { create drop
> setattr };
> +               allow $2 user_sepgsql_table_t:db_column { create drop
> setattr };
>                 allow $2 user_sepgsql_sysobj_t:db_tuple { update
> insert delete };
> +               allow $2 user_sepgsql_proc_exec_t:db_procedure
> { create drop setattr };
>         ')
>  
> -       allow $2 user_sepgsql_table_t:db_table  { getattr setattr use
> select update insert delete lock };
> -       allow $2 user_sepgsql_table_t:db_column { getattr setattr use
> select update insert };
> +       allow $2 user_sepgsql_table_t:db_table  { setattr use select
> update insert delete lock };
> +       allow $2 user_sepgsql_table_t:db_column { setattr use select
> update insert };
>         allow $2 user_sepgsql_table_t:db_tuple  { use select update
> insert delete };
>         type_transition $2 sepgsql_database_type:db_table
> user_sepgsql_table_t;
>  
>         allow $2 user_sepgsql_sysobj_t:db_tuple { use select };
>         type_transition $2 sepgsql_sysobj_table_type:db_tuple
> user_sepgsql_sysobj_t;
>  
> -       allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop
> getattr setattr execute };
> +       allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr
> execute };
>         type_transition $2 sepgsql_database_type:db_procedure
> user_sepgsql_proc_exec_t;
>  
>         allow $2 user_sepgsql_blob_t:db_blob { create drop getattr
> setattr read write };
> @@ -346,6 +347,7 @@
>                 allow $1 unpriv_sepgsql_table_t:db_table { create drop
> setattr };
>                 allow $1 unpriv_sepgsql_table_t:db_column { create
> drop setattr };
>                 allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update
> insert delete };
> +               allow $1 unpriv_sepgsql_proc_exec_t:db_procedure
> { create drop setattr };
>         ')
>  
>         allow $1 unpriv_sepgsql_table_t:db_table { getattr use select
> update insert delete lock };
> @@ -356,7 +358,7 @@
>         allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };
>         type_transition $1 sepgsql_sysobj_table_type:db_tuple
> unpriv_sepgsql_sysobj_t;
>  
> -       allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop
> getattr setattr execute };
> +       allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr
> execute };
>         type_transition $1 sepgsql_database_type:db_procedure
> unpriv_sepgsql_proc_exec_t;
>  
>         allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr
> setattr read write };
> --- policy/modules/services/postgresql.te       2009-05-08
> 12:38:30.000000000 +0900
> +++ policy/modules/services/postgresql.te.2     2009-05-08
> 12:39:10.000000000 +0900
> @@ -338,12 +338,6 @@
>  # Therefore, the following rule is applied for any domains which can
> connect SE-PostgreSQL.
>  dontaudit { postgresql_t sepgsql_client_type
> sepgsql_unconfined_type } { sepgsql_table_type
> -sepgsql_sysobj_table_type }:db_tuple { use select update insert
> delete };
>  
> -tunable_policy(`sepgsql_enable_users_ddl',`
> -       allow sepgsql_client_type sepgsql_table_t:db_table { create
> drop setattr };
> -       allow sepgsql_client_type sepgsql_table_t:db_column { create
> drop setattr };
> -       allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { update
> insert delete };
> -')
> -
>  ########################################
>  #
>  # Unconfined access to this module
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150