2014-04-05 19:43:47

by mad-proffessor

Subject: [refpolicy] sepostgres module

Hi fellas.

I recently installed the sepostgres DB module and wanted to write some SELinux
policy to allow my httpd and sysadm_t access to the database. Since
there was no policy module available, I wrote some and thought that it
could be useful to the SELinux community. Maybe you could make a
module and/or a boolean to be ported to the SELinux targeted policy.
Case study:
Someone loads the sepostgres module into the DB and sets the defined sepostgres security labels on the DB, tables, schema, etc.

I am attaching the file here.
(The original HTML attachment was scrubbed by the list archive: http://oss.tresys.com/pipermail/refpolicy/attachments/20140405/69c71d3d/attachment.html)
# ===== START POLICY =====#
# secpostgres: local policy letting httpd_t and sysadm_t reach SE-PostgreSQL
# (sepgsql) objects that carry the refpolicy sepgsql_* labels.
# Build and load with:
#   checkmodule -M -m -o secpostgres.mod secpostgres.te
#   semodule_package -o secpostgres.pp -m secpostgres.mod
#   semodule -i secpostgres.pp
module secpostgres 1.0;

require {
	type unlabeled_t;
	type httpd_t;
	type sysadm_t;
	type sepgsql_db_t;
	type sepgsql_schema_t;
	type sepgsql_table_t;
	class db_database { access };
	class db_schema { search drop };
	class db_table { getattr select lock };
	class db_column { select };
	class db_tuple { insert select };
	class db_procedure { execute };
	class db_sequence { get_value set_value next_value };
}

# Apache (httpd_t): connect to labelled databases, look up schemas,
# read tables, and select/insert rows.
allow httpd_t sepgsql_db_t : db_database { access };
allow httpd_t sepgsql_schema_t : db_schema { search };
allow httpd_t sepgsql_table_t : db_table { getattr select lock };
# Columns and tuples usually carry their table's label rather than the
# database's; if column selects are still denied, check the actual labels
# in pg_seclabels before adding rules.
allow httpd_t sepgsql_db_t : db_column { select };
allow httpd_t sepgsql_db_t : db_tuple { insert select };

# One should set security labels on all unlabeled data objects. The
# following two rules should have valid sepostgres labels as their target
# (objects that were never labelled show up as unlabeled_t).
allow httpd_t unlabeled_t : db_procedure { execute };
allow httpd_t unlabeled_t : db_sequence { get_value set_value next_value };

# Allow sysadm_t (or change to the type your sudo transitions to) to
# access objects.
allow sysadm_t sepgsql_db_t : db_database { access };
allow sysadm_t sepgsql_table_t : db_table { getattr select lock };
allow sysadm_t sepgsql_db_t : db_tuple { insert select };
allow sysadm_t sepgsql_db_t : db_column { select };
allow sysadm_t unlabeled_t : db_schema { search drop };

# Do not allow apache search on public unlabeled schemas and tables;
# remember to relabel (or more precisely, set security labels from the
# postgres CLI) on publicly allowed DBs, tables, schemas.
##======END POLICY========##
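The case study above tells the reader to set sepostgres security labels on the database, tables and schema, and the module's comments ask for procedures and sequences to be labelled so that the unlabeled_t rules are no longer needed. The following SQL is an added example, not code from the original post or from refpolicy: it assigns the refpolicy sepgsql_* types that the secpostgres rules match and then lists objects that still carry no label (which sepgsql treats as unlabeled_t). The database `webapp`, table `public.orders`, column `card_number`, sequence `public.orders_id_seq` and function `public.order_total(integer)` are assumed, hypothetical names; the session is assumed to be a superuser on a server with sepgsql in shared_preload_libraries.

```sql
-- Added example (not from the original post): label objects with the refpolicy
-- sepgsql_* types used by the secpostgres module, then find unlabelled objects.
-- Assumed, hypothetical names: database webapp, table public.orders, column
-- card_number, sequence public.orders_id_seq, function public.order_total(integer).

-- Which SELinux context is this client running as?  It should be the domain
-- (httpd_t or sysadm_t) that the module grants access to.
SELECT sepgsql_getcon();

-- Database, schema and table: the labels that the allow rules target.
SECURITY LABEL FOR selinux ON DATABASE webapp
    IS 'system_u:object_r:sepgsql_db_t:s0';
SECURITY LABEL FOR selinux ON SCHEMA public
    IS 'system_u:object_r:sepgsql_schema_t:s0';
SECURITY LABEL FOR selinux ON TABLE public.orders
    IS 'system_u:object_r:sepgsql_table_t:s0';

-- A column inherits its table's label unless labelled separately.  A column
-- httpd must never read can be given a more restrictive refpolicy type.
SECURITY LABEL FOR selinux ON COLUMN public.orders.card_number
    IS 'system_u:object_r:sepgsql_secret_table_t:s0';

-- Procedures and sequences have their own refpolicy types; labelling them
-- removes the need for the unlabeled_t rules in the module.
SECURITY LABEL FOR selinux ON FUNCTION public.order_total(integer)
    IS 'system_u:object_r:sepgsql_proc_exec_t:s0';
SECURITY LABEL FOR selinux ON SEQUENCE public.orders_id_seq
    IS 'system_u:object_r:sepgsql_seq_t:s0';

-- Review everything that now carries a selinux label.
SELECT objtype, objname, label
  FROM pg_seclabels
 WHERE provider = 'selinux'
 ORDER BY objtype, objname;

-- Tables, sequences and views in user schemas with no selinux label at all:
-- these are the objects sepgsql reports as unlabeled_t.
SELECT n.nspname, c.relname, c.relkind
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
 WHERE c.relkind IN ('r', 'S', 'v')
   AND n.nspname NOT IN ('pg_catalog', 'information_schema')
   AND n.nspname NOT LIKE 'pg_toast%'
   AND NOT EXISTS (SELECT 1
                     FROM pg_seclabel s
                    WHERE s.objoid = c.oid
                      AND s.classoid = 'pg_class'::regclass
                      AND s.objsubid = 0
                      AND s.provider = 'selinux');

-- The same check for functions (db_procedure objects).
SELECT n.nspname, p.proname
  FROM pg_proc p
  JOIN pg_namespace n ON n.oid = p.pronamespace
 WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
   AND NOT EXISTS (SELECT 1
                     FROM pg_seclabel s
                    WHERE s.objoid = p.oid
                      AND s.classoid = 'pg_proc'::regclass
                      AND s.provider = 'selinux');

-- While testing the module, have sepgsql write every access decision (not
-- only denials) to the server log so missing allow rules are easy to spot.
SET sepgsql.debug_audit = on;
```

Run the two "no label" queries before loading the policy module: any object they return will be accessed as unlabeled_t, so a module that grants httpd_t rights on unlabeled_t silently exposes every object that was created before labelling was set up. Label those objects first, then drop the unlabeled_t rules.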