[refpolicy] [RFC] Security policy reworks for SE-PostgreSQL

Christopher J. PeBenito cpebenito at tresys.com
Fri May 22 08:38:12 CDT 2009


On Fri, 2009-05-08 at 13:12 +0900, KaiGai Kohei wrote:
> The attached patch allows unprivileged clients to export from or import
> to the largeobject owned by themselves.
> 
> The current security policy does not allow them to import/export any
> largeobjects without any clear reason.
> 
> NOTE: Export of the largeobject means that it dumps whole of the
> largeobject into a local file, so SE-PostgreSQL checks both of
> db_blob:{read export} on the largeobject and file:{write} on the
> local file. Import is a reversal behavior.

Merged.

> KaiGai Kohei wrote:
> >>>>> - rework: All the newly created database objects by unprivileged
> >>>>>   clients are prefixed with "user_", and these are controlled via
> >>>>>   sepgsql_enable_users_ddl.
> >>>> I don't think we should be mixing user content with other unpriv
> >>>> clients.
> >>> I would like to discriminate between a procedure declared by unpriv
> >>> client and by administrative client, because the policy allows the
> >>> unprefixed "sepgsql_proc_exec_t" to be installed as a system internal
> >>> component, but it is undesirable to install unpriv-user defined
> >>> procedures as is.
> >>>
> >>> If the "user_" prefix is unpreferable, how do you think other prefixes
> >>> something like "anon_", "unpriv_" and so on?
> >> I think we should go with unpriv_ for now.
> > 
> > OK, the attached patch adds the following types for unprivileged clients.
> >  - unpriv_sepgsql_table_t
> >  - unpriv_sepgsql_sysobj_t
> >  - unpriv_sepgsql_proc_exec_t
> >  - unpriv_sepgsql_blob_t
> > 
> > These types are the default for unprivileged and unprefixed domains,
> > such as httpd_t and others.
> > 
> > In addition, TYPE_TRANSITION rules are moved to outside of tunable
> > of the sepgsql_enable_users_ddl. IIRC, it was enclosed within the
> > tunable because UBAC domains (user_t and so on) were allowed to
> > create sepgsql_table_t, and its default was pointed to this type
> > when sepgsql_enable_users_ddl is disabled.
> > However, it has different meanings now, so the TYPE_TRANSITION rules
> > should be unconditional.
> > 

> [Attachment: refpolicy-sepgsql-3-db_blob-import-export.patch]
> 
> --- policy/modules/services/postgresql.if.2     2009-05-08 11:58:46.000000000 +0900
> +++ policy/modules/services/postgresql.if.3     2009-05-08 11:59:28.000000000 +0900
> @@ -63,7 +63,7 @@
>         allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
>         type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;
>  
> -       allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
> +       allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
>         type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
>  
>         allow $2 sepgsql_trusted_proc_t:process transition;
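Review bot: the new `export` on the line `+       allow $2 user_sepgsql_blob_t:db_blob { ... import export };` is only half of what an export needs; per the cover letter SE-PostgreSQL also checks file:{write} on the destination file (and the reverse for import), and this interface grants nothing on the file side, so the interface's doc comment should say that the caller must separately be allowed to write (export) or read (import) the local file, otherwise the operation is still denied after this change. Also confirm that `import` and `export` are already declared for the db_blob class in policy/flask/access_vectors, since an undeclared permission fails at policy build time.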
> @@ -361,7 +361,7 @@
>         allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
>         type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;
>  
> -       allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
> +       allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
>         type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
>  ')
>  
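Review bot: this hunk is the unpriv_sepgsql_blob_t twin of the user_ hunk above, and because the quoted thread says unpriv_sepgsql_blob_t is the default type for unprefixed domains such as httpd_t, the effect is that every such client may now dump to a local file any blob labeled with its own default type; the interface doc comment should state that bound explicitly (only blobs carrying unpriv_sepgsql_blob_t are exportable, blobs with any other type are untouched by this rule), and the line `+       allow $1 unpriv_sepgsql_blob_t:db_blob { ... import export };` would read better with the permission list kept in the same order as the user_ interface so the two stay easy to diff.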
> 
-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
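The thread's point is that the same db_blob permission set and the same type_transition default have to be kept in step across the user_ and unpriv_ interfaces. The following is an added example, not part of the patch or of refpolicy itself: a small consistency check over postgresql.if-style statements that flags any blob type whose db_blob permissions diverge from the post-patch set, or whose type_transition default has no matching allow rule. The policy text it scans is constructed here (the two hunks from the patch plus a hypothetical third, stale interface); the `check_blob_rules` and `parse_rules` names are the example's own, and only the simple one-line rule forms shown are parsed, not full m4/refpolicy syntax.

```python
"""Consistency check for refpolicy interface bodies that grant db_blob access.

Added example, not from the refpolicy patch or the mailing-list thread. It
parses plain `allow` and `type_transition` statements for the db_blob class
and reports any blob type whose permission set lacks the reference
permissions, or whose type_transition default is not backed by an allow rule.
"""
import re
from collections import defaultdict

ALLOW_RE = re.compile(
    r'^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+\{\s*([^}]*)\}\s*;')
TT_RE = re.compile(
    r'^\s*type_transition\s+(\S+)\s+(\S+):(\S+)\s+(\S+)\s*;')

# Permission set both interfaces grant after the patch.
REQUIRED_BLOB_PERMS = frozenset(
    "create drop getattr setattr read write import export".split())


def parse_rules(policy_text):
    """Return (allows, transitions) for db_blob statements only.

    allows:      {(source, target_type): set(perms)}
    transitions: [(source, parent_type, default_type), ...]
    """
    allows = defaultdict(set)
    transitions = []
    for line in policy_text.splitlines():
        m = ALLOW_RE.match(line)
        if m and m.group(3) == "db_blob":
            allows[(m.group(1), m.group(2))] |= set(m.group(4).split())
            continue
        m = TT_RE.match(line)
        if m and m.group(3) == "db_blob":
            transitions.append((m.group(1), m.group(2), m.group(4)))
    return dict(allows), transitions


def check_blob_rules(policy_text, required=REQUIRED_BLOB_PERMS):
    """Return a list of findings; an empty list means the rules are consistent."""
    allows, transitions = parse_rules(policy_text)
    findings = []
    # Every db_blob allow must carry the full reference permission set.
    for (src, tgt), perms in sorted(allows.items()):
        missing = required - perms
        if missing:
            findings.append(f"{src} -> {tgt}: db_blob missing {sorted(missing)}")
    # A type_transition default the source cannot then access is a dead label.
    for src, parent, default in transitions:
        if (src, default) not in allows:
            findings.append(f"{src}: type_transition to {default} on {parent} "
                            f"has no matching db_blob allow rule")
    return findings


# Constructed sample: the two post-patch interfaces from the hunks, followed
# by a hypothetical third interface that was not updated.
SAMPLE_POLICY = """
allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;

allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;

allow $1 example_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
type_transition $1 sepgsql_database_type:db_blob other_sepgsql_blob_t;
"""

if __name__ == "__main__":
    for finding in check_blob_rules(SAMPLE_POLICY) or ["no inconsistencies found"]:
        print(finding)
```

Run against the sample it reports two findings for the stale third interface (missing import/export, and a type_transition default with no allow rule) and nothing for the two interfaces the patch touched; pointing it at a real postgresql.if only makes sense for the flat one-line rules it understands.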


