[selinux-policy: 2384/3172] Add dbadm, from KaiGai Kohei.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:31:38 UTC 2010


commit 22a2874dbf1e1069e2ecc40a343d4226c6089144
Author: Chris PeBenito <pebenito at gentoo.org>
Date:   Mon Feb 8 10:34:08 2010 -0500

    Add dbadm, from KaiGai Kohei.

 Changelog                             |    2 +
 policy/modules/roles/dbadm.fc         |    1 +
 policy/modules/roles/dbadm.if         |   50 ++++++++++++++++++++++++++++++++
 policy/modules/roles/dbadm.te         |   33 +++++++++++++++++++++
 policy/modules/roles/staff.te         |    6 +++-
 policy/modules/roles/unprivuser.te    |    6 +++-
 policy/modules/services/postgresql.fc |    1 +
 policy/modules/services/postgresql.if |   51 +++++++++++++++++++++++++++++++++
 policy/modules/services/postgresql.te |   48 +++++++++++++++++++++++++++++-
 policy/modules/system/userdomain.if   |    4 --
 policy/modules/system/userdomain.te   |    2 +-
 11 files changed, 195 insertions(+), 9 deletions(-)
---
diff --git a/Changelog b/Changelog
index 0171860..5818f9e 100644
--- a/Changelog
+++ b/Changelog
@@ -1,4 +1,6 @@
 - X object manager revisions from Eamon Walsh.
+- Added modules:
+	dbadm (KaiGai Kohei)
 
 * Tue Nov 17 2009 Chris PeBenito <selinux at tresys.com> - 2.20091117
 - Add separate x_pointer and x_keyboard classes inheriting from x_device. 
diff --git a/policy/modules/roles/dbadm.fc b/policy/modules/roles/dbadm.fc
new file mode 100644
index 0000000..e6aa2fb
--- /dev/null
+++ b/policy/modules/roles/dbadm.fc
@@ -0,0 +1 @@
+# No dbadm file contexts
diff --git a/policy/modules/roles/dbadm.if b/policy/modules/roles/dbadm.if
new file mode 100644
index 0000000..14adfea
--- /dev/null
+++ b/policy/modules/roles/dbadm.if
@@ -0,0 +1,50 @@
+## <summary>Database administrator role</summary>
+
+########################################
+## <summary>
+##	Change to the database administrator role.
+## </summary>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`dbadm_role_change',`
+	get_require(`
+		role dbadm_r'
+	')
+
+	allow $1 dbadm_r;
+')
+
+########################################
+## <summary>
+##	Change from the database administrator role.
+## </summary>
+## <desc>
+##	<p>
+##	Change from the web administrator role to
+##	the specified role.
+##	</p>
+##	<p>
+##	This is an interface to support third party modules
+##	and its use is not allowed in upstream reference
+##	policy.
+##	</p>
+## </desc>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`dbadm_role_change_to',`
+	gen_require(`
+		role dbadm_r;
+	')
+
+	allow dbadm_r $1;
+')
diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
new file mode 100644
index 0000000..055eda8
--- /dev/null
+++ b/policy/modules/roles/dbadm.te
@@ -0,0 +1,33 @@
+
+policy_module(dbadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role dbadm_r;
+
+userdom_unpriv_user_template(dbadm)
+
+########################################
+#
+# database admin local policy
+#
+
+optional_policy(`
+	mysql_admin(dbadm_t, dbadm_r)
+')
+
+optional_policy(`
+	postgresql_admin(dbadm_t, dbadm_r)
+')
+
+# For starting up daemon processes
+optional_policy(`
+	su_role_template(dbadm, dbadm_r, dbadm_t)
+')
+
+optional_policy(`
+	sudo_role_template(dbadm, dbadm_r, dbadm_t)
+')
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 7433ca0..3fd227b 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -1,5 +1,5 @@
 
-policy_module(staff, 2.0.0)
+policy_module(staff, 2.0.1)
 
 ########################################
 #
@@ -101,6 +101,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	postgresql_role(staff_r, staff_t)
+')
+
+optional_policy(`
 	pyzor_role(staff_r, staff_t)
 ')
 
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 2183644..b0be6d2 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,5 +1,5 @@
 
-policy_module(unprivuser, 2.0.0)
+policy_module(unprivuser, 2.0.1)
 
 # this module should be named user, but that is
 # a compile error since user is a keyword.
@@ -95,6 +95,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	postgresql_role(user_r, user_t)
+')
+
+optional_policy(`
 	pyzor_role(user_r, user_t)
 ')
 
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index ac18bee..d91cd03 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -2,6 +2,7 @@
 # /etc
 #
 /etc/postgresql(/.*)?			gen_context(system_u:object_r:postgresql_etc_t,s0)
+/etc/rc\.d/init\.d/(se)?postgresql --	gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
 
 #
 # /usr
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index f74c731..54ea709 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -384,3 +384,54 @@ interface(`postgresql_unconfined',`
 
 	typeattribute $1 sepgsql_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	All of the rules required to administrate an postgresql environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	The role to be allowed to manage the postgresql domain.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgresql_admin',`
+	gen_require(`
+		attribute sepgsql_admin_type;
+		attribute sepgsql_client_type;
+
+		type postgresql_t, postgresql_var_run_t;
+		type postgresql_tmp_t, postgresql_db_t;
+		type postgresql_etc_t, postgresql_log_t;
+		type postgresql_initrc_exec_t;
+	')
+
+	typeattribute $1 sepgsql_admin_type;
+
+	allow $1 postgresql_t:process { ptrace signal_perms };
+	ps_process_pattern($1, postgresql_t)
+
+	init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
+	domain_system_change_exemption($1)
+	role_transition $2 postgresql_initrc_exec_t system_r;
+	allow $2 system_r;
+
+	admin_pattern($1, postgresql_var_run_t)
+
+	admin_pattern($1, postgresql_db_t)
+
+	admin_pattern($1, postgresql_etc_t)
+
+	admin_pattern($1, postgresql_log_t)
+
+	admin_pattern($1, postgresql_tmp_t)
+
+	postgresql_tcp_connect($1)
+	postgresql_stream_connect($1)
+')
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index bfefe36..0b3eda9 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,5 +1,5 @@
 
-policy_module(postgresql, 1.9.0)
+policy_module(postgresql, 1.10.0)
 
 gen_require(`
 	class db_database all_db_database_perms;
@@ -22,6 +22,13 @@ gen_require(`
 ## </desc>
 gen_tunable(sepgsql_enable_users_ddl, true)
 
+## <desc>
+## <p>
+## Allow database admins to execute DML statement
+## </p>
+## </desc>
+gen_tunable(sepgsql_unconfined_dbadm, true)
+
 type postgresql_t;
 type postgresql_exec_t;
 init_daemon_domain(postgresql_t, postgresql_exec_t)
@@ -32,6 +39,9 @@ files_type(postgresql_db_t)
 type postgresql_etc_t;
 files_config_file(postgresql_etc_t)
 
+type postgresql_initrc_exec_t;
+init_script_file(postgresql_initrc_exec_t)
+
 type postgresql_lock_t;
 files_lock_file(postgresql_lock_t)
 
@@ -45,6 +55,7 @@ type postgresql_var_run_t;
 files_pid_file(postgresql_var_run_t)
 
 # database clients attribute
+attribute sepgsql_admin_type;
 attribute sepgsql_client_type;
 attribute sepgsql_unconfined_type;
 
@@ -336,7 +347,40 @@ allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
 # to access classified tuples and can make a audit record.
 #
 # Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
-dontaudit { postgresql_t sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
+dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
+
+
+########################################
+#
+# Rules common to administrator clients
+#
+
+allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access };
+type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t;
+
+allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock };
+allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto };
+allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };
+
+allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto };
+
+allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto };
+
+allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
+
+kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
+
+tunable_policy(`sepgsql_unconfined_dbadm',`
+	allow sepgsql_admin_type sepgsql_database_type:db_database *;
+
+	allow sepgsql_admin_type sepgsql_table_type:{ db_table db_column db_tuple } *;
+
+	allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *;
+	allow sepgsql_admin_type sepgsql_trusted_proc_exec_t:db_procedure ~install;
+	allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install };
+
+	allow sepgsql_admin_type sepgsql_blob_type:db_blob *;
+')
 
 ########################################
 #
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index f209ccf..d6198c5 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -994,10 +994,6 @@ template(`userdom_unpriv_user_template', `
 		netutils_run_traceroute_cond($1_t,$1_r)
 	')
 
-	optional_policy(`
-		postgresql_role($1_r,$1_t)
-	')
-
 	# Run pppd in pppd_t by default for user
 	optional_policy(`
 		ppp_run_cond($1_t,$1_r)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 7b7d709..c01f7ae 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
 
-policy_module(userdomain, 4.3.0)
+policy_module(userdomain, 4.3.1)
 
 ########################################
 #

