From: kaigai@kaigai.gr.jp (Kohei KaiGai)
Date: Fri, 11 May 2012 15:17:11 +0200
Subject: [refpolicy] [4/4] sepgsql - redefinition of use permission onto system objects
In-Reply-To: <4FABB8BF.2070201@tresys.com>
References: <4FA3FAE4.8010803@tresys.com> <4FABB8BF.2070201@tresys.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

2012/5/10 Christopher J. PeBenito :
> On 05/04/12 13:24, Kohei KaiGai wrote:
>> 2012/5/4 Christopher J. PeBenito :
>>> On 05/04/12 09:33, Kohei KaiGai wrote:
>>>> Patch 3 of 4 also required 4 of 4 to be refreshed to apply correctly.
>>>> In addition, I forgot to allow sepgsql_admin_type to "use" system
>>>> objects.
>>>>
>>>> Please check the newer version. Thanks,
>>>
>>> Looks like the revised patch is missing.
>>>
>> Sorry, it is the attached one.
>>
>> Thanks,
>
> This one doesn't apply, the last hunk fails. I also had a problem with the 3rd patch, as the contrib hunk stopped it from applying too.
>
Sorry, I generated the series of patches based on the latest refpolicy and contrib tree.
I also added a "0of4" patch that fixes bugs in MLS/MCS that I noticed during regression test efforts.
MCS rules are defined twice for the db_language class while db_schema was forgotten, and the "entrypoint" permission was not restricted in either the MCS or the MLS policy.
There are no updates on part-1 ~ part-4 except for patch rebasing.

Thanks,

>>>> 2012/3/25 Kohei KaiGai :
>>>>> This patch might be arguable. It redefines the "use" permission on the db_tuple
>>>>> class, which has been marked deprecated for a few years, to control usage of system
>>>>> objects that have no individual object classes.
>>>>>
>>>>> We didn't try to port all the supported database object types in PostgreSQL
>>>>> into the SELinux policy model, because their variety is too large to port and
>>>>> less of a priority in comparison with "major" object classes such as tables.
>>>>> >>>>> So, we handle permissions to create, drop and alter these objects as >>>>> permissions to insert, delete or update of system catalogs; labeled as >>>>> sepgsql_sysobj_t, and so on. >>>>> >>>>> On the other hand, some of system objects requires to check permission >>>>> when user "use" these objects, such as data types, tablespaces, >>>>> operators and so on. >>>>> I don't think it is reasonable approach to define individual object classes >>>>> for each object types reflects to PostgreSQL. However, it is preferable >>>>> to have double checks by selinux on strategic points. >>>>> >>>>> So, I try to redefine "use" permission on db_tuple class; that means >>>>> permission to "use" this object when the tuple is an entry of system >>>>> catalog corresponding to a particular database object but don't have >>>>> a particular object class like tables. >>>>> >>>>> The deprecated permissions and rules are not in use for a few years, >>>>> so, it is a time to be utilized or eliminated. >>>>> >>>>> Thanks, >>>>> >>>>> ?Signed-off-by: KaiGai Kohei >>>>> -- >>>>> ?policy/flask/access_vectors ? ? ? ? ? | ? ?4 +--- >>>>> ?policy/modules/services/postgresql.if | ? 16 ++++++---------- >>>>> ?policy/modules/services/postgresql.te | ? 31 +++++++++++-------------------- >>>>> ?3 files changed, 18 insertions(+), 33 deletions(-) >>>>> >>>>> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors >>>>> index bf24160..f462e95 100644 >>>>> --- a/policy/flask/access_vectors >>>>> +++ b/policy/flask/access_vectors >>>>> @@ -761,7 +761,6 @@ inherits database >>>>> ?class db_table >>>>> ?inherits database >>>>> ?{ >>>>> - ? ? ? use ? ? ? ? ? ? # deprecated >>>>> ? ? ? ?select >>>>> ? ? ? ?update >>>>> ? ? ? ?insert >>>>> @@ -780,7 +779,6 @@ inherits database >>>>> ?class db_column >>>>> ?inherits database >>>>> ?{ >>>>> - ? ? ? use ? ? ? ? ? ? # deprecated >>>>> ? ? ? ?select >>>>> ? ? ? ?update >>>>> ? ? ? ?insert 
>>>>> @@ -790,7 +788,7 @@ class db_tuple >>>>> ?{ >>>>> ? ? ? ?relabelfrom >>>>> ? ? ? ?relabelto >>>>> - ? ? ? use ? ? ? ? ? ? # deprecated >>>>> + ? ? ? use >>>>> ? ? ? ?select >>>>> ? ? ? ?update >>>>> ? ? ? ?insert >>>>> diff --git a/policy/modules/services/postgresql.if >>>>> b/policy/modules/services/postgresql.if >>>>> index 56fc5fa..71f2572 100644 >>>>> --- a/policy/modules/services/postgresql.if >>>>> +++ b/policy/modules/services/postgresql.if >>>>> @@ -70,10 +70,9 @@ interface(`postgresql_role',` >>>>> ? ? ? ?type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t; >>>>> ? ? ? ?type_transition $2 sepgsql_database_type:db_schema >>>>> sepgsql_temp_schema_t "pg_temp"; >>>>> >>>>> - ? ? ? allow $2 user_sepgsql_table_t:db_table ?{ getattr use select update >>>>> insert delete lock }; >>>>> - ? ? ? allow $2 user_sepgsql_table_t:db_column { getattr use select update insert }; >>>>> - ? ? ? allow $2 user_sepgsql_table_t:db_tuple ?{ use select update insert delete }; >>>>> - ? ? ? type_transition $2 sepgsql_database_type:db_table >>>>> user_sepgsql_table_t; ? ? ? ? ? # deprecated >>>>> + ? ? ? allow $2 user_sepgsql_table_t:db_table ?{ getattr select update >>>>> insert delete lock }; >>>>> + ? ? ? allow $2 user_sepgsql_table_t:db_column { getattr select update insert }; >>>>> + ? ? ? allow $2 user_sepgsql_table_t:db_tuple ?{ select update insert delete }; >>>>> ? ? ? ?type_transition $2 {sepgsql_schema_type - >>>>> sepgsql_temp_schema_t}:db_table user_sepgsql_table_t; >>>>> ? ? ? ?type_transition $2 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; 
>>>>> >>>>> @@ -89,7 +88,6 @@ interface(`postgresql_role',` >>>>> ? ? ? ?type_transition $2 sepgsql_temp_schema_t:db_view sepgsql_temp_view_t; >>>>> >>>>> ? ? ? ?allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute }; >>>>> - ? ? ? type_transition $2 sepgsql_database_type:db_procedure >>>>> user_sepgsql_proc_exec_t; ? ? ? # deprecated >>>>> ? ? ? ?type_transition $2 {sepgsql_schema_type - >>>>> sepgsql_temp_schema_t}:db_procedure user_sepgsql_proc_exec_t; >>>>> ? ? ? ?type_transition $2 sepgsql_temp_schema_t:db_procedure >>>>> sepgsql_temp_proc_exec_t; >>>>> >>>>> @@ -513,10 +511,9 @@ interface(`postgresql_unpriv_client',` >>>>> ? ? ? ?type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t; >>>>> ? ? ? ?type_transition $1 sepgsql_database_type:db_schema >>>>> unpriv_sepgsql_schema_t "pg_temp"; >>>>> >>>>> - ? ? ? allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update >>>>> insert delete lock }; >>>>> - ? ? ? allow $1 unpriv_sepgsql_table_t:db_column { getattr use select >>>>> update insert }; >>>>> - ? ? ? allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete }; >>>>> - ? ? ? type_transition $1 sepgsql_database_type:db_table >>>>> unpriv_sepgsql_table_t; # deprecated >>>>> + ? ? ? allow $1 unpriv_sepgsql_table_t:db_table { getattr select update >>>>> insert delete lock }; >>>>> + ? ? ? allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert }; >>>>> + ? ? ? allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete }; >>>>> ? ? ? ?type_transition $1 {sepgsql_schema_type - >>>>> sepgsql_temp_schema_t}:db_table unpriv_sepgsql_table_t; >>>>> ? ? ? ?type_transition $1 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t; 
>>>>> >>>>> @@ -532,7 +529,6 @@ interface(`postgresql_unpriv_client',` >>>>> ? ? ? ?type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t; >>>>> >>>>> ? ? ? ?allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute }; >>>>> - ? ? ? type_transition $1 sepgsql_database_type:db_procedure >>>>> unpriv_sepgsql_proc_exec_t; # deprecated >>>>> ? ? ? ?type_transition $1 {sepgsql_schema_type - >>>>> sepgsql_temp_schema_t}:db_procedure unpriv_sepgsql_proc_exec_t; >>>>> ? ? ? ?type_transition $1 sepgsql_temp_schema_t:db_procedure >>>>> sepgsql_temp_proc_exec_t; >>>>> >>>>> diff --git a/policy/modules/services/postgresql.te >>>>> b/policy/modules/services/postgresql.te >>>>> index 8a3c2bd..92d6e66 100644 >>>>> --- a/policy/modules/services/postgresql.te >>>>> +++ b/policy/modules/services/postgresql.te >>>>> @@ -259,7 +259,6 @@ tunable_policy(`sepgsql_transmit_client_label',` >>>>> ?') >>>>> >>>>> ?allow postgresql_t sepgsql_database_type:db_database *; >>>>> -type_transition postgresql_t postgresql_t:db_database >>>>> sepgsql_db_t; ? ? ? ? ? # deprecated >>>>> >>>>> ?allow postgresql_t sepgsql_module_type:db_database install_module; >>>>> ?# Database/Loadable module >>>>> @@ -270,7 +269,6 @@ type_transition postgresql_t >>>>> sepgsql_database_type:db_schema sepgsql_schema_t; >>>>> ?type_transition postgresql_t sepgsql_database_type:db_schema >>>>> sepgsql_temp_schema_t "pg_temp"; >>>>> >>>>> ?allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *; >>>>> -type_transition postgresql_t sepgsql_database_type:db_table >>>>> sepgsql_sysobj_t; ? ? ? # deprecated >>>>> ?type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t; >>>>> >>>>> ?allow postgresql_t sepgsql_sequence_type:db_sequence *; 
>>>>> @@ -280,7 +278,6 @@ allow postgresql_t sepgsql_view_type:db_view *; >>>>> ?type_transition postgresql_t sepgsql_schema_type:db_view sepgsql_view_t; >>>>> >>>>> ?allow postgresql_t sepgsql_procedure_type:db_procedure *; >>>>> -type_transition postgresql_t sepgsql_database_type:db_procedure >>>>> sepgsql_proc_exec_t; ? ?# deprecated >>>>> ?type_transition postgresql_t sepgsql_schema_type:db_procedure >>>>> sepgsql_proc_exec_t; >>>>> >>>>> ?allow postgresql_t sepgsql_blob_type:db_blob *; 
>>>>> @@ -431,23 +428,23 @@ type_transition sepgsql_client_type >>>>> sepgsql_client_type:db_database sepgsql_db_t >>>>> >>>>> ?allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search }; >>>>> >>>>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr >>>>> use select insert lock }; >>>>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr >>>>> use select insert }; >>>>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert }; >>>>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr >>>>> select insert lock }; >>>>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr >>>>> select insert }; >>>>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { select insert }; >>>>> >>>>> -allow sepgsql_client_type sepgsql_table_t:db_table { getattr use >>>>> select update insert delete lock }; >>>>> -allow sepgsql_client_type sepgsql_table_t:db_column { getattr use >>>>> select update insert }; >>>>> -allow sepgsql_client_type sepgsql_table_t:db_tuple { use select >>>>> update insert delete }; >>>>> +allow sepgsql_client_type sepgsql_table_t:db_table { getattr select >>>>> update insert delete lock }; >>>>> +allow sepgsql_client_type sepgsql_table_t:db_column { getattr select >>>>> update insert }; >>>>> +allow sepgsql_client_type sepgsql_table_t:db_tuple { select update >>>>> insert delete }; >>>>> >>>>> -allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use >>>>> select lock }; >>>>> -allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select }; >>>>> -allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select }; >>>>> +allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr select lock }; >>>>> +allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr select }; >>>>> +allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { select }; >>>>> >>>>> ?allow sepgsql_client_type sepgsql_secret_table_t:db_table 
getattr; >>>>> ?allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr; >>>>> >>>>> -allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use >>>>> select lock }; >>>>> -allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select }; >>>>> +allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr select lock }; >>>>> +allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr select }; >>>>> ?allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; >>>>> >>>>> ?allow sepgsql_client_type sepgsql_temp_table_t:db_table ~{ relabelto >>>>> relabelfrom }; >>>>> @@ -503,7 +500,6 @@ tunable_policy(`sepgsql_enable_users_ddl',` >>>>> ?# >>>>> >>>>> ?allow sepgsql_admin_type sepgsql_database_type:db_database { create >>>>> drop getattr setattr relabelfrom relabelto access }; >>>>> -type_transition sepgsql_admin_type sepgsql_admin_type:db_database >>>>> sepgsql_db_t; ? ? ? ? ? # deprecated >>>>> >>>>> ?allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop >>>>> getattr setattr relabelfrom relabelto search add_name remove_name }; >>>>> ?type_transition sepgsql_admin_type sepgsql_database_type:db_schema >>>>> sepgsql_schema_t; >>>>> @@ -513,7 +509,6 @@ allow sepgsql_admin_type >>>>> sepgsql_table_type:db_table { create drop getattr setat >>>>> ?allow sepgsql_admin_type sepgsql_table_type:db_column { create drop >>>>> getattr setattr relabelfrom relabelto }; >>>>> ?allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { >>>>> relabelfrom relabelto select update insert delete }; >>>>> >>>>> -type_transition sepgsql_admin_type sepgsql_database_type:db_table >>>>> sepgsql_table_t; ? ? ? ?# deprecated >>>>> ?type_transition sepgsql_admin_type sepgsql_schema_type:db_table >>>>> sepgsql_table_t; >>>>> >>>>> ?allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create >>>>> drop getattr setattr relabelfrom relabelto get_value next_value >>>>> set_value }; 
>>>>> @@ -527,7 +522,6 @@ type_transition sepgsql_admin_type >>>>> sepgsql_schema_type:db_view sepgsql_view_t; >>>>> ?allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create >>>>> drop getattr relabelfrom relabelto }; >>>>> ?allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute; >>>>> >>>>> -type_transition sepgsql_admin_type sepgsql_database_type:db_procedure >>>>> sepgsql_proc_exec_t; ? ?# deprecated >>>>> ?type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure >>>>> sepgsql_proc_exec_t; >>>>> >>>>> ?allow sepgsql_admin_type sepgsql_language_type:db_language { create >>>>> drop getattr setattr relabelfrom relabelto execute }; 
>>>>> @@ -566,14 +560,11 @@ tunable_policy(`sepgsql_unconfined_dbadm',` >>>>> ?# >>>>> >>>>> ?allow sepgsql_unconfined_type sepgsql_database_type:db_database *; >>>>> -type_transition sepgsql_unconfined_type >>>>> sepgsql_unconfined_type:db_database sepgsql_db_t; ? ? ? # deprecated >>>>> >>>>> ?allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *; >>>>> ?type_transition sepgsql_unconfined_type >>>>> sepgsql_database_type:db_schema sepgsql_schema_t; >>>>> ?type_transition sepgsql_unconfined_type >>>>> sepgsql_database_type:db_schema sepgsql_schema_t "pg_temp"; >>>>> >>>>> -type_transition sepgsql_unconfined_type >>>>> sepgsql_database_type:db_table sepgsql_table_t; ? ? ? ? # deprecated >>>>> -type_transition sepgsql_unconfined_type >>>>> sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated >>>>> ?type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table >>>>> sepgsql_table_t; >>>>> ?type_transition sepgsql_unconfined_type >>>>> sepgsql_schema_type:db_sequence sepgsql_seq_t; >>>>> ?type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view >>>>> sepgsql_view_t; > > -- > Chris PeBenito > Tresys Technology, LLC > www.tresys.com | oss.tresys.com -- KaiGai Kohei -------------- next part -------------- A non-text attachment was scrubbed... Name: refpolicy-sepgsql-4of4-redefine-use-permission.20120511.patch Type: application/octet-stream Size: 12182 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20120511/e5aef2e1/attachment-0005.obj -------------- next part -------------- A non-text attachment was scrubbed... Name: refpolicy-sepgsql-3of4-temp-database-objects.20120511.patch Type: application/octet-stream Size: 6131 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20120511/e5aef2e1/attachment-0006.obj -------------- next part -------------- A non-text attachment was scrubbed... 
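Review bot: in the policy/flask/access_vectors db_tuple hunk, `+ use` replaces the deprecated entry with no comment on its new meaning, so a reader of the class definition cannot tell that the permission has been repurposed for "usage of a system object" rather than revived with its old meaning; suggest carrying the commit message's definition into the file, e.g. `use   # reference a system object (data type, tablespace, operator, ...)`. The companion db_table and db_column hunks remove `use` outright, so any rule in refpolicy or the contrib tree that still grants `use` on those classes will fail to compile once access_vectors is updated; a grep for `use` across db_table/db_column rules before merging would confirm that the .if/.te hunks in this patch caught them all.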
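Review bot: the postgresql.te hunk at @@ -431 keeps `allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };` as context, which is the one place the redefined permission is actually granted, but its header context line `type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t` is left in place while the analogous db_database transitions marked `# deprecated` for postgresql_t (@@ -259), sepgsql_admin_type (@@ -503) and sepgsql_unconfined_type (@@ -566) are deleted; either that one was missed or it is intentionally retained, and the commit message should say which. Since postgresql.if (@@ -532) still labels tuples that unprivileged clients create in system-catalog tables as unpriv_sepgsql_sysobj_t, it is also worth confirming that a matching `use` grant exists on unpriv_sepgsql_sysobj_t:db_tuple, which this diff does not show.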
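Review bot: the postgresql.te hunk at @@ -513 leaves `allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };` without `use`, while the client hunk at @@ -431 keeps `use` on sepgsql_sysobj_t:db_tuple; with the redefined semantics an administrator may create, relabel or drop a data type or tablespace but be denied when a query references it. This is the omission acknowledged earlier in the thread; the refreshed attachment should add `use` to that rule (the unconfined hunk at @@ -566 shows no db_tuple rule, so that case cannot be confirmed from this diff and is worth checking too).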
Name: refpolicy-sepgsql-2of4-foreign-data-wrapper.20120511.patch
Type: application/octet-stream
Size: 1202 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20120511/e5aef2e1/attachment-0007.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy-sepgsql-1of4-connection-pooling-support.20120511.patch
Type: application/octet-stream
Size: 7029 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20120511/e5aef2e1/attachment-0008.obj
-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy-sepgsql-0of4-fixbug-mcs-mls.20120511.patch
Type: application/octet-stream
Size: 1553 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20120511/e5aef2e1/attachment-0009.obj
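As an added example, not part of this thread or of refpolicy itself, a small Python checker for the permission change the quoted commit message describes: it flags allow rules that still grant `use` on db_table or db_column, which no longer define that permission after the access_vectors change, and lists which source types may `use` db_tuple, i.e. reference system objects. The policy text is a constructed sample echoing the rule shapes in the hunks; class-set rules such as `:{ db_table db_column db_tuple }` are deliberately out of scope.

```python
import re
from collections import defaultdict

# After the patch "use" survives only on db_tuple, where it is redefined to mean
# "reference a system object"; it is dropped from db_table and db_column.
USE_REMOVED = {"db_table", "db_column"}
USE_KEPT = {"db_tuple"}

# refpolicy allow rules:  allow <src> <tgt>:<class> { p1 p2 ... };  or  ... perm;
# (class sets like :{ db_table db_column } are not handled by this regex)
ALLOW_RE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\w+)\s+(\{[^}]*\}|\S+?)\s*;", re.M)

def parse_allow_rules(policy_text):
    """Yield (src, tgt, cls, frozenset(perms)) for every allow rule."""
    for src, tgt, cls, perms in ALLOW_RE.findall(policy_text):
        names = perms.strip("{}").split() if perms.startswith("{") else [perms]
        yield src, tgt, cls, frozenset(names)

def audit_use_permission(policy_text):
    """Return (stale, users).
    stale: rules still granting 'use' on a class that no longer defines it,
           which will fail to compile against the new access_vectors.
    users: {source type: [target types]} allowed to 'use' db_tuple, i.e. to
           reference system objects (a '*' grant counts as well)."""
    stale, users = [], defaultdict(list)
    for src, tgt, cls, perms in parse_allow_rules(policy_text):
        if cls in USE_REMOVED and "use" in perms:
            stale.append(f"allow {src} {tgt}:{cls}")
        elif cls in USE_KEPT and ("use" in perms or "*" in perms):
            users[src].append(tgt)
    return stale, dict(users)

# Constructed sample echoing the rule shapes in the hunks: one db_table rule
# left unconverted, the client and admin rules on system-catalog tuples, and
# the backend's wildcard grant.
SAMPLE_POLICY = """
allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use select lock };
allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { select };
allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };
allow postgresql_t sepgsql_table_type:db_tuple *;
"""

if __name__ == "__main__":
    stale, users = audit_use_permission(SAMPLE_POLICY)
    print("stale 'use' grants (will not compile):", stale)
    print("types allowed to use system objects:", users)
```

On the sample the admin type is absent from the second list, which is exactly the gap the thread above acknowledges for sepgsql_admin_type.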