Re: [4/4] sepgsql -redefinition of use permission onto system objects

Kohei KaiGai <kaigai@xxxxxxxxxxxx> · Fri, 11 May 2012 15:17:11 +0200

2012/5/10 Christopher J. PeBenito <cpebenito@xxxxxxxxxx>:
> On 05/04/12 13:24, Kohei KaiGai wrote:
>> 2012/5/4 Christopher J. PeBenito <cpebenito@xxxxxxxxxx>:
>>> On 05/04/12 09:33, Kohei KaiGai wrote:
>>>> The patch 3 of 4 also required the 4 of 4 being refreshed to apply correctly.
>>>> In addition, I forgot to allow sepgsql_admin_type to allow to "use" system
>>>> objects.
>>>>
>>>> Please check the newer version. Thanks,
>>>
>>> Looks like the revised patch is missing.
>>>
>> Sorry, it is the attached one.
>>
>> Thanks,
>
> This one doesn't apply, the last hunk fails.  I also had a problem with the 3rd patch, as the contrib hunk stopped it from applying too.
>
Sorry, I generated the series of patches based on the latest refpolicy and
contrib tree.

And, I added "0of4" patch that fixes bugs in MLS/MCS that I noticed during
regression test efforts. MCS rules are defined twice for db_language class
in spite of db_schema being forgotten, and "entrypoint" permission was not
restricted at both of MCS / MLS policy.

Here is no updates on part-1 ~ part-4 except for patch rebasing.

Thanks,

>>>> 2012/3/25 Kohei KaiGai <kaigai@xxxxxxxxxxxx>:
>>>>> This patch might be arguable. It redefines the "use" permission on db_tuple
>>>>> class that has marked deprecated for a few years, to control usage of system
>>>>> objects but without individual object classes.
>>>>>
>>>>> We didn't try to port all the supported database object types in PostgreSQL
>>>>> into SELinux policy model, because its variation is too large to port and
>>>>> less priority in comparison with "major" object classes such as tables.
>>>>>
>>>>> So, we handle permissions to create, drop and alter these objects as
>>>>> permissions to insert, delete or update of system catalogs; labeled as
>>>>> sepgsql_sysobj_t, and so on.
>>>>>
>>>>> On the other hand, some of system objects requires to check permission
>>>>> when user "use" these objects, such as data types, tablespaces,
>>>>> operators and so on.
>>>>> I don't think it is reasonable approach to define individual object classes
>>>>> for each object types reflects to PostgreSQL. However, it is preferable
>>>>> to have double checks by selinux on strategic points.
>>>>>
>>>>> So, I try to redefine "use" permission on db_tuple class; that means
>>>>> permission to "use" this object when the tuple is an entry of system
>>>>> catalog corresponding to a particular database object but don't have
>>>>> a particular object class like tables.
>>>>>
>>>>> The deprecated permissions and rules are not in use for a few years,
>>>>> so, it is a time to be utilized or eliminated.
>>>>>
>>>>> Thanks,
>>>>>
>>>>>  Signed-off-by: KaiGai Kohei <kohei.kaigai@xxxxxxxxxxxx>
>>>>> --
>>>>>  policy/flask/access_vectors           |    4 +---
>>>>>  policy/modules/services/postgresql.if |   16 ++++++----------
>>>>>  policy/modules/services/postgresql.te |   31 +++++++++++--------------------
>>>>>  3 files changed, 18 insertions(+), 33 deletions(-)
>>>>>
>>>>> diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
>>>>> index bf24160..f462e95 100644
>>>>> --- a/policy/flask/access_vectors
>>>>> +++ b/policy/flask/access_vectors
>>>>> @@ -761,7 +761,6 @@ inherits database
>>>>>  class db_table
>>>>>  inherits database
>>>>>  {
>>>>> -       use             # deprecated
>>>>>        select
>>>>>        update
>>>>>        insert
>>>>> @@ -780,7 +779,6 @@ inherits database
>>>>>  class db_column
>>>>>  inherits database
>>>>>  {
>>>>> -       use             # deprecated
>>>>>        select
>>>>>        update
>>>>>        insert
>>>>> @@ -790,7 +788,7 @@ class db_tuple
>>>>>  {
>>>>>        relabelfrom
>>>>>        relabelto
>>>>> -       use             # deprecated
>>>>> +       use
>>>>>        select
>>>>>        update
>>>>>        insert
>>>>> diff --git a/policy/modules/services/postgresql.if
>>>>> b/policy/modules/services/postgresql.if
>>>>> index 56fc5fa..71f2572 100644
>>>>> --- a/policy/modules/services/postgresql.if
>>>>> +++ b/policy/modules/services/postgresql.if
>>>>> @@ -70,10 +70,9 @@ interface(`postgresql_role',`
>>>>>        type_transition $2 sepgsql_database_type:db_schema user_sepgsql_schema_t;
>>>>>        type_transition $2 sepgsql_database_type:db_schema
>>>>> sepgsql_temp_schema_t "pg_temp";
>>>>>
>>>>> -       allow $2 user_sepgsql_table_t:db_table  { getattr use select update
>>>>> insert delete lock };
>>>>> -       allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
>>>>> -       allow $2 user_sepgsql_table_t:db_tuple  { use select update insert delete };
>>>>> -       type_transition $2 sepgsql_database_type:db_table
>>>>> user_sepgsql_table_t;           # deprecated
>>>>> +       allow $2 user_sepgsql_table_t:db_table  { getattr select update
>>>>> insert delete lock };
>>>>> +       allow $2 user_sepgsql_table_t:db_column { getattr select update insert };
>>>>> +       allow $2 user_sepgsql_table_t:db_tuple  { select update insert delete };
>>>>>        type_transition $2 {sepgsql_schema_type -
>>>>> sepgsql_temp_schema_t}:db_table user_sepgsql_table_t;
>>>>>        type_transition $2 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t;
>>>>>
>>>>> @@ -89,7 +88,6 @@ interface(`postgresql_role',`
>>>>>        type_transition $2 sepgsql_temp_schema_t:db_view sepgsql_temp_view_t;
>>>>>
>>>>>        allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
>>>>> -       type_transition $2 sepgsql_database_type:db_procedure
>>>>> user_sepgsql_proc_exec_t;       # deprecated
>>>>>        type_transition $2 {sepgsql_schema_type -
>>>>> sepgsql_temp_schema_t}:db_procedure user_sepgsql_proc_exec_t;
>>>>>        type_transition $2 sepgsql_temp_schema_t:db_procedure
>>>>> sepgsql_temp_proc_exec_t;
>>>>>
>>>>> @@ -513,10 +511,9 @@ interface(`postgresql_unpriv_client',`
>>>>>        type_transition $1 sepgsql_database_type:db_schema unpriv_sepgsql_schema_t;
>>>>>        type_transition $1 sepgsql_database_type:db_schema
>>>>> unpriv_sepgsql_schema_t "pg_temp";
>>>>>
>>>>> -       allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update
>>>>> insert delete lock };
>>>>> -       allow $1 unpriv_sepgsql_table_t:db_column { getattr use select
>>>>> update insert };
>>>>> -       allow $1 unpriv_sepgsql_table_t:db_tuple { use select update insert delete };
>>>>> -       type_transition $1 sepgsql_database_type:db_table
>>>>> unpriv_sepgsql_table_t; # deprecated
>>>>> +       allow $1 unpriv_sepgsql_table_t:db_table { getattr select update
>>>>> insert delete lock };
>>>>> +       allow $1 unpriv_sepgsql_table_t:db_column { getattr select update insert };
>>>>> +       allow $1 unpriv_sepgsql_table_t:db_tuple { select update insert delete };
>>>>>        type_transition $1 {sepgsql_schema_type -
>>>>> sepgsql_temp_schema_t}:db_table unpriv_sepgsql_table_t;
>>>>>        type_transition $1 sepgsql_temp_schema_t:db_table sepgsql_temp_table_t;
>>>>>
>>>>> @@ -532,7 +529,6 @@ interface(`postgresql_unpriv_client',`
>>>>>        type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;
>>>>>
>>>>>        allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
>>>>> -       type_transition $1 sepgsql_database_type:db_procedure
>>>>> unpriv_sepgsql_proc_exec_t; # deprecated
>>>>>        type_transition $1 {sepgsql_schema_type -
>>>>> sepgsql_temp_schema_t}:db_procedure unpriv_sepgsql_proc_exec_t;
>>>>>        type_transition $1 sepgsql_temp_schema_t:db_procedure
>>>>> sepgsql_temp_proc_exec_t;
>>>>>
>>>>> diff --git a/policy/modules/services/postgresql.te
>>>>> b/policy/modules/services/postgresql.te
>>>>> index 8a3c2bd..92d6e66 100644
>>>>> --- a/policy/modules/services/postgresql.te
>>>>> +++ b/policy/modules/services/postgresql.te
>>>>> @@ -259,7 +259,6 @@ tunable_policy(`sepgsql_transmit_client_label',`
>>>>>  ')
>>>>>
>>>>>  allow postgresql_t sepgsql_database_type:db_database *;
>>>>> -type_transition postgresql_t postgresql_t:db_database
>>>>> sepgsql_db_t;           # deprecated
>>>>>
>>>>>  allow postgresql_t sepgsql_module_type:db_database install_module;
>>>>>  # Database/Loadable module
>>>>> @@ -270,7 +269,6 @@ type_transition postgresql_t
>>>>> sepgsql_database_type:db_schema sepgsql_schema_t;
>>>>>  type_transition postgresql_t sepgsql_database_type:db_schema
>>>>> sepgsql_temp_schema_t "pg_temp";
>>>>>
>>>>>  allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
>>>>> -type_transition postgresql_t sepgsql_database_type:db_table
>>>>> sepgsql_sysobj_t;       # deprecated
>>>>>  type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t;
>>>>>
>>>>>  allow postgresql_t sepgsql_sequence_type:db_sequence *;
>>>>> @@ -280,7 +278,6 @@ allow postgresql_t sepgsql_view_type:db_view *;
>>>>>  type_transition postgresql_t sepgsql_schema_type:db_view sepgsql_view_t;
>>>>>
>>>>>  allow postgresql_t sepgsql_procedure_type:db_procedure *;
>>>>> -type_transition postgresql_t sepgsql_database_type:db_procedure
>>>>> sepgsql_proc_exec_t;    # deprecated
>>>>>  type_transition postgresql_t sepgsql_schema_type:db_procedure
>>>>> sepgsql_proc_exec_t;
>>>>>
>>>>>  allow postgresql_t sepgsql_blob_type:db_blob *;
>>>>> @@ -431,23 +428,23 @@ type_transition sepgsql_client_type
>>>>> sepgsql_client_type:db_database sepgsql_db_t
>>>>>
>>>>>  allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search };
>>>>>
>>>>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr
>>>>> use select insert lock };
>>>>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr
>>>>> use select insert };
>>>>> -allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { use select insert };
>>>>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr
>>>>> select insert lock };
>>>>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr
>>>>> select insert };
>>>>> +allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { select insert };
>>>>>
>>>>> -allow sepgsql_client_type sepgsql_table_t:db_table { getattr use
>>>>> select update insert delete lock };
>>>>> -allow sepgsql_client_type sepgsql_table_t:db_column { getattr use
>>>>> select update insert };
>>>>> -allow sepgsql_client_type sepgsql_table_t:db_tuple { use select
>>>>> update insert delete };
>>>>> +allow sepgsql_client_type sepgsql_table_t:db_table { getattr select
>>>>> update insert delete lock };
>>>>> +allow sepgsql_client_type sepgsql_table_t:db_column { getattr select
>>>>> update insert };
>>>>> +allow sepgsql_client_type sepgsql_table_t:db_tuple { select update
>>>>> insert delete };
>>>>>
>>>>> -allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr use
>>>>> select lock };
>>>>> -allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr use select };
>>>>> -allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { use select };
>>>>> +allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr select lock };
>>>>> +allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr select };
>>>>> +allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { select };
>>>>>
>>>>>  allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr;
>>>>>  allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr;
>>>>>
>>>>> -allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use
>>>>> select lock };
>>>>> -allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select };
>>>>> +allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr select lock };
>>>>> +allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr select };
>>>>>  allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
>>>>>
>>>>>  allow sepgsql_client_type sepgsql_temp_table_t:db_table ~{ relabelto
>>>>> relabelfrom };
>>>>> @@ -503,7 +500,6 @@ tunable_policy(`sepgsql_enable_users_ddl',`
>>>>>  #
>>>>>
>>>>>  allow sepgsql_admin_type sepgsql_database_type:db_database { create
>>>>> drop getattr setattr relabelfrom relabelto access };
>>>>> -type_transition sepgsql_admin_type sepgsql_admin_type:db_database
>>>>> sepgsql_db_t;           # deprecated
>>>>>
>>>>>  allow sepgsql_admin_type sepgsql_schema_type:db_schema { create drop
>>>>> getattr setattr relabelfrom relabelto search add_name remove_name };
>>>>>  type_transition sepgsql_admin_type sepgsql_database_type:db_schema
>>>>> sepgsql_schema_t;
>>>>> @@ -513,7 +509,6 @@ allow sepgsql_admin_type
>>>>> sepgsql_table_type:db_table { create drop getattr setat
>>>>>  allow sepgsql_admin_type sepgsql_table_type:db_column { create drop
>>>>> getattr setattr relabelfrom relabelto };
>>>>>  allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple {
>>>>> relabelfrom relabelto select update insert delete };
>>>>>
>>>>> -type_transition sepgsql_admin_type sepgsql_database_type:db_table
>>>>> sepgsql_table_t;        # deprecated
>>>>>  type_transition sepgsql_admin_type sepgsql_schema_type:db_table
>>>>> sepgsql_table_t;
>>>>>
>>>>>  allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create
>>>>> drop getattr setattr relabelfrom relabelto get_value next_value
>>>>> set_value };
>>>>> @@ -527,7 +522,6 @@ type_transition sepgsql_admin_type
>>>>> sepgsql_schema_type:db_view sepgsql_view_t;
>>>>>  allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create
>>>>> drop getattr relabelfrom relabelto };
>>>>>  allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute;
>>>>>
>>>>> -type_transition sepgsql_admin_type sepgsql_database_type:db_procedure
>>>>> sepgsql_proc_exec_t;    # deprecated
>>>>>  type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure
>>>>> sepgsql_proc_exec_t;
>>>>>
>>>>>  allow sepgsql_admin_type sepgsql_language_type:db_language { create
>>>>> drop getattr setattr relabelfrom relabelto execute };
>>>>> @@ -566,14 +560,11 @@ tunable_policy(`sepgsql_unconfined_dbadm',`
>>>>>  #
>>>>>
>>>>>  allow sepgsql_unconfined_type sepgsql_database_type:db_database *;
>>>>> -type_transition sepgsql_unconfined_type
>>>>> sepgsql_unconfined_type:db_database sepgsql_db_t;       # deprecated
>>>>>
>>>>>  allow sepgsql_unconfined_type sepgsql_schema_type:db_schema *;
>>>>>  type_transition sepgsql_unconfined_type
>>>>> sepgsql_database_type:db_schema sepgsql_schema_t;
>>>>>  type_transition sepgsql_unconfined_type
>>>>> sepgsql_database_type:db_schema sepgsql_schema_t "pg_temp";
>>>>>
>>>>> -type_transition sepgsql_unconfined_type
>>>>> sepgsql_database_type:db_table sepgsql_table_t;         # deprecated
>>>>> -type_transition sepgsql_unconfined_type
>>>>> sepgsql_database_type:db_procedure sepgsql_proc_exec_t; # deprecated
>>>>>  type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table
>>>>> sepgsql_table_t;
>>>>>  type_transition sepgsql_unconfined_type
>>>>> sepgsql_schema_type:db_sequence sepgsql_seq_t;
>>>>>  type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view
>>>>> sepgsql_view_t;
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com

-- 
KaiGai Kohei <kaigai@xxxxxxxxxxxx>
Attachment:
refpolicy-sepgsql-4of4-redefine-use-permission.20120511.patch

Description: Binary data
Attachment:
refpolicy-sepgsql-3of4-temp-database-objects.20120511.patch

Description: Binary data
Attachment:
refpolicy-sepgsql-2of4-foreign-data-wrapper.20120511.patch

Description: Binary data
Attachment:
refpolicy-sepgsql-1of4-connection-pooling-support.20120511.patch

Description: Binary data
Attachment:
refpolicy-sepgsql-0of4-fixbug-mcs-mls.20120511.patch

Description: Binary data