[selinux-policy: 2384/3172] Add dbadm, from KaiGai Kohei.
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:31:38 UTC 2010
commit 22a2874dbf1e1069e2ecc40a343d4226c6089144
Author: Chris PeBenito <pebenito at gentoo.org>
Date: Mon Feb 8 10:34:08 2010 -0500
Add dbadm, from KaiGai Kohei.
Changelog | 2 +
policy/modules/roles/dbadm.fc | 1 +
policy/modules/roles/dbadm.if | 50 ++++++++++++++++++++++++++++++++
policy/modules/roles/dbadm.te | 33 +++++++++++++++++++++
policy/modules/roles/staff.te | 6 +++-
policy/modules/roles/unprivuser.te | 6 +++-
policy/modules/services/postgresql.fc | 1 +
policy/modules/services/postgresql.if | 51 +++++++++++++++++++++++++++++++++
policy/modules/services/postgresql.te | 48 +++++++++++++++++++++++++++++-
policy/modules/system/userdomain.if | 4 --
policy/modules/system/userdomain.te | 2 +-
11 files changed, 195 insertions(+), 9 deletions(-)
---
diff --git a/Changelog b/Changelog
index 0171860..5818f9e 100644
--- a/Changelog
+++ b/Changelog
@@ -1,4 +1,6 @@
- X object manager revisions from Eamon Walsh.
+- Added modules:
+ dbadm (KaiGai Kohei)
* Tue Nov 17 2009 Chris PeBenito <selinux at tresys.com> - 2.20091117
- Add separate x_pointer and x_keyboard classes inheriting from x_device.
diff --git a/policy/modules/roles/dbadm.fc b/policy/modules/roles/dbadm.fc
new file mode 100644
index 0000000..e6aa2fb
--- /dev/null
+++ b/policy/modules/roles/dbadm.fc
@@ -0,0 +1 @@
+# No dbadm file contexts
diff --git a/policy/modules/roles/dbadm.if b/policy/modules/roles/dbadm.if
new file mode 100644
index 0000000..14adfea
--- /dev/null
+++ b/policy/modules/roles/dbadm.if
@@ -0,0 +1,50 @@
+## <summary>Database administrator role</summary>
+
+########################################
+## <summary>
+## Change to the database administrator role.
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dbadm_role_change',`
+ get_require(`
+ role dbadm_r'
+ ')
+
+ allow $1 dbadm_r;
+')
+
+########################################
+## <summary>
+## Change from the database administrator role.
+## </summary>
+## <desc>
+## <p>
+## Change from the web administrator role to
+## the specified role.
+## </p>
+## <p>
+## This is an interface to support third party modules
+## and its use is not allowed in upstream reference
+## policy.
+## </p>
+## </desc>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`dbadm_role_change_to',`
+ gen_require(`
+ role dbadm_r;
+ ')
+
+ allow dbadm_r $1;
+')
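Review bot: `dbadm_role_change` will not build as written: its require block calls `get_require(` instead of `gen_require(`, and the role declaration inside it, `role dbadm_r'`, has a stray quote where the terminating semicolon should be (compare the correctly formed block in `dbadm_role_change_to` a few lines below). The two lines should read `gen_require(`` and `role dbadm_r;`. The `<desc>` of `dbadm_role_change_to` also still says "Change from the web administrator role", which looks copied from the webadm module and should say "database administrator role". `dbadm_role_change` has no `<desc>` at all; a one-paragraph description parallel to the one on `dbadm_role_change_to` would keep the two interfaces documented consistently.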
diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
new file mode 100644
index 0000000..055eda8
--- /dev/null
+++ b/policy/modules/roles/dbadm.te
@@ -0,0 +1,33 @@
+
+policy_module(dbadm, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+role dbadm_r;
+
+userdom_unpriv_user_template(dbadm)
+
+########################################
+#
+# database admin local policy
+#
+
+optional_policy(`
+ mysql_admin(dbadm_t, dbadm_r)
+')
+
+optional_policy(`
+ postgresql_admin(dbadm_t, dbadm_r)
+')
+
+# For starting up daemon processes
+optional_policy(`
+ su_role_template(dbadm, dbadm_r, dbadm_t)
+')
+
+optional_policy(`
+ sudo_role_template(dbadm, dbadm_r, dbadm_t)
+')
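Review bot: dbadm_t is built from `userdom_unpriv_user_template`, which loses its `postgresql_role` call in the userdomain.if hunk of this same commit; staff and user get that call back explicitly in their own hunks, but dbadm does not. What dbadm gets instead is `postgresql_admin`, which per the postgresql.if hunk attaches `sepgsql_admin_type` and never `sepgsql_client_type`, and the admin rules in postgresql.te outside the tunable grant create/drop/relabel rather than ordinary select/update on user tables. Unless sepgsql_admin_type is intended to subsume client access, this role should probably also call `postgresql_role(dbadm_r, dbadm_t)` next to the admin call; if the split is deliberate, a comment in the "database admin local policy" section saying that dbadm_t is an administrator but not a regular client would stop the next reader from re-adding it. The comment `# For starting up daemon processes` sits over the su block only, although the sudo block below appears to serve the same purpose and could share it.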
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 7433ca0..3fd227b 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -1,5 +1,5 @@
-policy_module(staff, 2.0.0)
+policy_module(staff, 2.0.1)
########################################
#
@@ -101,6 +101,10 @@ optional_policy(`
')
optional_policy(`
+ postgresql_role(staff_r, staff_t)
+')
+
+optional_policy(`
pyzor_role(staff_r, staff_t)
')
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 2183644..b0be6d2 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -1,5 +1,5 @@
-policy_module(unprivuser, 2.0.0)
+policy_module(unprivuser, 2.0.1)
# this module should be named user, but that is
# a compile error since user is a keyword.
@@ -95,6 +95,10 @@ optional_policy(`
')
optional_policy(`
+ postgresql_role(user_r, user_t)
+')
+
+optional_policy(`
pyzor_role(user_r, user_t)
')
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index ac18bee..d91cd03 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -2,6 +2,7 @@
# /etc
#
/etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
+/etc/rc\.d/init\.d/(se)?postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
#
# /usr
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index f74c731..54ea709 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -384,3 +384,54 @@ interface(`postgresql_unconfined',`
typeattribute $1 sepgsql_unconfined_type;
')
+
+########################################
+## <summary>
+## All of the rules required to administrate an postgresql environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the postgresql domain.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgresql_admin',`
+ gen_require(`
+ attribute sepgsql_admin_type;
+ attribute sepgsql_client_type;
+
+ type postgresql_t, postgresql_var_run_t;
+ type postgresql_tmp_t, postgresql_db_t;
+ type postgresql_etc_t, postgresql_log_t;
+ type postgresql_initrc_exec_t;
+ ')
+
+ typeattribute $1 sepgsql_admin_type;
+
+ allow $1 postgresql_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postgresql_t)
+
+ init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
+ domain_system_change_exemption($1)
+ role_transition $2 postgresql_initrc_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, postgresql_var_run_t)
+
+ admin_pattern($1, postgresql_db_t)
+
+ admin_pattern($1, postgresql_etc_t)
+
+ admin_pattern($1, postgresql_log_t)
+
+ admin_pattern($1, postgresql_tmp_t)
+
+ postgresql_tcp_connect($1)
+ postgresql_stream_connect($1)
+')
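Review bot: `postgresql_admin` requires `attribute sepgsql_client_type;` in its `gen_require` block but never references it in the body, so the require is dead; either drop that line or, if the intent is that administrators are also ordinary clients, add `typeattribute $1 sepgsql_client_type;` next to the `sepgsql_admin_type` assignment. Note that the body already grants the caller ptrace and signals over postgresql_t, a role transition into system_r via the init script, and `domain_system_change_exemption`, so this interface confers host-level control of the service, not only in-database privilege; the summary's "All of the rules required to administrate an postgresql environment" (also "an" should be "a") could say so explicitly. The admin rules attached to `sepgsql_admin_type` live in the postgresql.te hunk further down.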
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index bfefe36..0b3eda9 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,5 +1,5 @@
-policy_module(postgresql, 1.9.0)
+policy_module(postgresql, 1.10.0)
gen_require(`
class db_database all_db_database_perms;
@@ -22,6 +22,13 @@ gen_require(`
## </desc>
gen_tunable(sepgsql_enable_users_ddl, true)
+## <desc>
+## <p>
+## Allow database admins to execute DML statement
+## </p>
+## </desc>
+gen_tunable(sepgsql_unconfined_dbadm, true)
+
type postgresql_t;
type postgresql_exec_t;
init_daemon_domain(postgresql_t, postgresql_exec_t)
@@ -32,6 +39,9 @@ files_type(postgresql_db_t)
type postgresql_etc_t;
files_config_file(postgresql_etc_t)
+type postgresql_initrc_exec_t;
+init_script_file(postgresql_initrc_exec_t)
+
type postgresql_lock_t;
files_lock_file(postgresql_lock_t)
@@ -45,6 +55,7 @@ type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
# database clients attribute
+attribute sepgsql_admin_type;
attribute sepgsql_client_type;
attribute sepgsql_unconfined_type;
@@ -336,7 +347,40 @@ allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
# to access classified tuples and can make a audit record.
#
# Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
-dontaudit { postgresql_t sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
+dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
+
+
+########################################
+#
+# Rules common to administrator clients
+#
+
+allow sepgsql_admin_type sepgsql_database_type:db_database { create drop getattr setattr relabelfrom relabelto access };
+type_transition sepgsql_admin_type sepgsql_admin_type:db_database sepgsql_db_t;
+
+allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setattr relabelfrom relabelto lock };
+allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto };
+allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };
+
+allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto };
+
+allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto };
+
+allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
+
+kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
+
+tunable_policy(`sepgsql_unconfined_dbadm',`
+ allow sepgsql_admin_type sepgsql_database_type:db_database *;
+
+ allow sepgsql_admin_type sepgsql_table_type:{ db_table db_column db_tuple } *;
+
+ allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *;
+ allow sepgsql_admin_type sepgsql_trusted_proc_exec_t:db_procedure ~install;
+ allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ execute install };
+
+ allow sepgsql_admin_type sepgsql_blob_type:db_blob *;
+')
########################################
#
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index f209ccf..d6198c5 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -994,10 +994,6 @@ template(`userdom_unpriv_user_template', `
netutils_run_traceroute_cond($1_t,$1_r)
')
- optional_policy(`
- postgresql_role($1_r,$1_t)
- ')
-
# Run pppd in pppd_t by default for user
optional_policy(`
ppp_run_cond($1_t,$1_r)
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 7b7d709..c01f7ae 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -1,5 +1,5 @@
-policy_module(userdomain, 4.3.0)
+policy_module(userdomain, 4.3.1)
########################################
#