From: mad-proffessor@hotmail.com (george Nopicture)
Date: Sat, 5 Apr 2014 22:43:47 +0300
Subject: [refpolicy] sepostgres module
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi fellas. I recently installed the sepostgres db module and wanted to write some selinux policy to allow my httpd and sysadm_t access to the database. Since there was no policy module available I wrote some and thought that it could be useful to the selinux community. Maybe you could make a module and/or a boolean to be ported to selinux-targeted-policy.

Case study: Someone loads the sepostgres module to the db and sets the defined sepostgres security labels to the db, tables, schema etc.

I am attaching the file here.

-------------- next part --------------
# ===== START POLICY =====#
module secpostgres 1.0;

require {
    type unlabeled_t;
    type httpd_t;
    type sysadm_t;
    type sepgsql_table_t;
    type sepgsql_db_t;
    type sepgsql_schema_t;
    class db_tuple { insert select };
    class db_table { getattr select lock };
    class db_database { access };
    class db_column { select };
    class db_schema { search drop };
    class db_procedure { execute };
    class db_sequence { get_value set_value next_value };
}

# apache (httpd_t) access to labeled database objects
allow httpd_t sepgsql_db_t : db_column { select };
allow httpd_t sepgsql_db_t : db_database { access };
allow httpd_t sepgsql_db_t : db_tuple { insert select };
allow httpd_t sepgsql_table_t : db_table { getattr select lock };
allow httpd_t sepgsql_schema_t : db_schema { search };

# one should set security labels on all unlabeled data objects.
# The following two rules should have valid sepostgres labels
allow httpd_t unlabeled_t : db_procedure { execute };
allow httpd_t unlabeled_t : db_sequence { get_value set_value next_value };

# allow sysadm_t (or change to the type your sudo transitions to) to access objects
allow sysadm_t sepgsql_db_t : db_database { access };
allow sysadm_t sepgsql_table_t : db_table { getattr select lock };
allow sysadm_t sepgsql_db_t : db_tuple { insert select };
allow sysadm_t sepgsql_db_t : db_column { select };
allow sysadm_t unlabeled_t : db_schema { search drop };

# do not allow apache search on public unlabeled schemas and tables;
# remember to relabel (or more precisely set security labels from postgres cli) on publicly allowed dbs, tables, schemas;
##======END POLICY========##
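Added example, not part of George's post or of refpolicy: the psql statements that set the sepgsql security labels the module above expects, so that httpd_t reaches the sepgsql_db_t / sepgsql_schema_t / sepgsql_table_t rules instead of the two unlabeled_t rules, plus catalog queries to check the result. The database, schema, table, column, sequence and function names (webapp, app, orders, ...) are hypothetical; the sequence and procedure types used are refpolicy's sepgsql_seq_t and sepgsql_proc_exec_t.

```sql
-- Constructed example: label the objects the secpostgres module covers.
-- Requires the sepgsql contrib module to be loaded in this database.
-- Object names below are hypothetical.

SECURITY LABEL FOR selinux ON DATABASE webapp
    IS 'system_u:object_r:sepgsql_db_t:s0';
SECURITY LABEL FOR selinux ON SCHEMA app
    IS 'system_u:object_r:sepgsql_schema_t:s0';
SECURITY LABEL FOR selinux ON TABLE app.orders
    IS 'system_u:object_r:sepgsql_table_t:s0';
SECURITY LABEL FOR selinux ON COLUMN app.orders.total
    IS 'system_u:object_r:sepgsql_table_t:s0';

-- Sequences and functions: give them the refpolicy sequence and
-- procedure types instead of leaving them unlabeled_t, so the two
-- "allow httpd_t unlabeled_t ..." rules in the module are not needed.
SECURITY LABEL FOR selinux ON SEQUENCE app.orders_id_seq
    IS 'system_u:object_r:sepgsql_seq_t:s0';
SECURITY LABEL FOR selinux ON FUNCTION app.place_order(integer)
    IS 'system_u:object_r:sepgsql_proc_exec_t:s0';

-- Check: list every relation (table, sequence, view) that carries a
-- selinux label; objsubid = 0 selects the relation itself, not a column.
SELECT n.nspname, c.relname, c.relkind, l.label
  FROM pg_seclabel l
  JOIN pg_class c     ON c.oid = l.objoid
  JOIN pg_namespace n ON n.oid = c.relnamespace
 WHERE l.provider = 'selinux'
   AND l.classoid = 'pg_class'::regclass
   AND l.objsubid = 0
 ORDER BY n.nspname, c.relname;

-- Check: relations in the app schema that still have no selinux label.
-- These are the ones sepgsql treats as unlabeled_t and that apache
-- should not be granted access to.
SELECT n.nspname, c.relname, c.relkind
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
 WHERE n.nspname = 'app'
   AND c.relkind IN ('r', 'S', 'v')
   AND NOT EXISTS (
         SELECT 1 FROM pg_seclabel l
          WHERE l.objoid   = c.oid
            AND l.classoid = 'pg_class'::regclass
            AND l.objsubid = 0
            AND l.provider = 'selinux');
```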