From: kaigai@kaigai.gr.jp (Kohei KaiGai)
Date: Sun, 25 Mar 2012 23:15:11 +0200
Subject: [refpolicy] [2/4] sepgsql - foreign data wrapper support
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

This patch enables transmitting the security label of the client to the foreign database servers on behalf of the primary server that the client process is connected to.

FDW (foreign data wrapper) is a feature that allows defining virtual tables connected to remote servers, and handling queries to the remote servers via the virtual table as if they were local queries. If and when the virtual relation (managed by a particular connector module, like pgsql_fdw, oracle_fdw, ...) is referenced, pgsql gives control to the connector module, which then opens the connection to the remote server to run a query.

This patch (conditionally) allows the postgresql_t domain to set the sockcreate attribute, and it eventually enables transmitting the security label of the original client process to the remote node. It is a necessary feature to stack multiple sepgsql servers using FDW.

Thanks,

Signed-off-by: KaiGai Kohei
-- policy/modules/services/postgresql.te | 10 ++++++++++ 1 files changed, 10 insertions(+), 0 deletions(-) diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te index 2457d10..add0cd6 100644 --- a/policy/modules/services/postgresql.te +++ b/policy/modules/services/postgresql.te @@ -32,6 +32,13 @@ gen_tunable(sepgsql_enable_users_ddl, true) ## gen_tunable(sepgsql_unconfined_dbadm, true) +## +##

+## Allow transmit client label to foreign database +##

+##
+gen_tunable(sepgsql_transmit_client_label, false) + type postgresql_t; type postgresql_exec_t; init_daemon_domain(postgresql_t, postgresql_exec_t) @@ -231,6 +238,9 @@ allow postgresql_t self:udp_socket create_stream_socket_perms; allow postgresql_t self:unix_dgram_socket create_socket_perms; allow postgresql_t self:unix_stream_socket create_stream_socket_perms; allow postgresql_t self:netlink_selinux_socket create_socket_perms; +tunable_policy(`sepgsql_transmit_client_label',` + allow postgresql_t self:process { setsockcreate }; +') allow postgresql_t sepgsql_database_type:db_database *; type_transition postgresql_t postgresql_t:db_database sepgsql_db_t; # deprecated -- KaiGai Kohei