## PostgreSQL relational database
#######################################
##
## Role access for SE-PostgreSQL.
##
##
##
## The role associated with the user domain.
##
##
##
##
## The type of the user domain.
##
##
#
interface(`postgresql_role',`
gen_require(`
attribute sepgsql_client_type;
type sepgsql_trusted_proc_t;
type sepgsql_ranged_proc_t;
')
typeattribute $2 sepgsql_client_type;
role $1 types sepgsql_trusted_proc_t;
role $1 types sepgsql_ranged_proc_t;
')
########################################
##
## Execute the postgresql program in the postgresql domain.
##
##
##
## Domain allowed to transition.
##
##
##
##
## The role to allow the postgresql domain.
##
##
##
#
interface(`postgresql_run',`
gen_require(`
type postgresql_t;
')
postgresql_domtrans($1)
role $2 types postgresql_t;
')
########################################
##
## Marks as a SE-PostgreSQL loadable shared library module
##
##
##
## Type marked as a database object type.
##
##
#
interface(`postgresql_loadable_module',`
gen_require(`
attribute sepgsql_module_type;
')
typeattribute $1 sepgsql_module_type;
')
########################################
##
## Marks as a SE-PostgreSQL database object type
##
##
##
## Type marked as a database object type.
##
##
#
interface(`postgresql_database_object',`
gen_require(`
attribute sepgsql_database_type;
')
typeattribute $1 sepgsql_database_type;
')
########################################
##
## Marks as a SE-PostgreSQL schema object type
##
##
##
## Type marked as a schema object type.
##
##
#
interface(`postgresql_schema_object',`
gen_require(`
attribute sepgsql_schema_type;
')
typeattribute $1 sepgsql_schema_type;
')
########################################
##
## Marks as a SE-PostgreSQL table/column/tuple object type
##
##
##
## Type marked as a table/column/tuple object type.
##
##
#
interface(`postgresql_table_object',`
gen_require(`
attribute sepgsql_table_type;
')
typeattribute $1 sepgsql_table_type;
')
########################################
##
## Marks as a SE-PostgreSQL system table/column/tuple object type
##
##
##
## Type marked as a table/column/tuple object type.
##
##
#
interface(`postgresql_system_table_object',`
gen_require(`
attribute sepgsql_table_type, sepgsql_sysobj_table_type;
')
typeattribute $1 sepgsql_table_type;
typeattribute $1 sepgsql_sysobj_table_type;
')
########################################
##
## Marks as a SE-PostgreSQL sequence type
##
##
##
## Type marked as a sequence type.
##
##
#
interface(`postgresql_sequence_object',`
gen_require(`
attribute sepgsql_sequence_type;
')
typeattribute $1 sepgsql_sequence_type;
')
########################################
##
## Marks as a SE-PostgreSQL view object type
##
##
##
## Type marked as a view object type.
##
##
#
interface(`postgresql_view_object',`
gen_require(`
attribute sepgsql_view_type;
')
typeattribute $1 sepgsql_view_type;
')
########################################
##
## Marks as a SE-PostgreSQL procedure object type
##
##
##
## Type marked as a procedure object type.
##
##
#
interface(`postgresql_procedure_object',`
gen_require(`
attribute sepgsql_procedure_type;
')
typeattribute $1 sepgsql_procedure_type;
')
########################################
##
## Marks as a SE-PostgreSQL trusted procedure object type
##
##
##
## Type marked as a trusted procedure object type.
##
##
#
interface(`postgresql_trusted_procedure_object',`
gen_require(`
attribute sepgsql_procedure_type;
attribute sepgsql_trusted_procedure_type;
')
typeattribute $1 sepgsql_procedure_type;
typeattribute $1 sepgsql_trusted_procedure_type;
')
########################################
##
## Marks as a SE-PostgreSQL procedural language object type
##
##
##
## Type marked as a procedural language object type.
##
##
#
interface(`postgresql_language_object',`
gen_require(`
attribute sepgsql_language_type;
')
typeattribute $1 sepgsql_language_type;
')
########################################
##
## Marks as a SE-PostgreSQL binary large object type
##
##
##
## Type marked as a database binary large object type.
##
##
#
interface(`postgresql_blob_object',`
gen_require(`
attribute sepgsql_blob_type;
')
typeattribute $1 sepgsql_blob_type;
')
########################################
##
## Allow the specified domain to search postgresql's database directory.
##
##
##
## Domain allowed access.
##
##
#
interface(`postgresql_search_db',`
gen_require(`
type postgresql_db_t;
')
allow $1 postgresql_db_t:dir search_dir_perms;
')
########################################
##
## Allow the specified domain to manage postgresql's database.
##
##
##
## Domain allowed access.
##
##
#
interface(`postgresql_manage_db',`
gen_require(`
type postgresql_db_t;
')
files_search_var_lib($1)
manage_dirs_pattern($1, postgresql_db_t, postgresql_db_t)
manage_files_pattern($1, postgresql_db_t, postgresql_db_t)
manage_lnk_files_pattern($1, postgresql_db_t, postgresql_db_t)
')
########################################
##
## Execute postgresql in the postgresql domain.
##
##
##
## Domain allowed to transition.
##
##
#
interface(`postgresql_domtrans',`
gen_require(`
type postgresql_t, postgresql_exec_t;
')
domtrans_pattern($1, postgresql_exec_t, postgresql_t)
')
######################################
##
## Execute Postgresql in the caller domain.
##
##
##
## Domain allowed access.
##
##
#
interface(`postgresql_exec',`
gen_require(`
type postgresql_exec_t;
')
can_exec($1, postgresql_exec_t)
')
######################################
##
## Allow domain to signal postgresql
##
##
##
## Domain allowed access.
##
##
#
interface(`postgresql_signal',`
gen_require(`
type postgresql_t;
')
allow $1 postgresql_t:process signal;
')
######################################
##
## Allow domain to signull postgresql
##
##
##
## Domain allowed access.
##
##
#
interface(`postgresql_signull',`
gen_require(`
type postgresql_t;
')
allow $1 postgresql_t:process signull;
')
########################################
##
## Allow the specified domain to read postgresql's etc.
##
##
##
## Domain allowed access.
##
##
##
#
interface(`postgresql_read_config',`
gen_require(`
type postgresql_etc_t;
')
files_search_etc($1)
allow $1 postgresql_etc_t:dir list_dir_perms;
allow $1 postgresql_etc_t:file read_file_perms;
allow $1 postgresql_etc_t:lnk_file read_lnk_file_perms;
')
########################################
##
## Allow the specified domain to connect to postgresql with a tcp socket.
##
##
##
## Domain allowed access.
##
##
#
interface(`postgresql_tcp_connect',`
gen_require(`
type postgresql_t;
')
corenet_tcp_recvfrom_labeled($1, postgresql_t)
corenet_tcp_sendrecv_postgresql_port($1)
corenet_tcp_connect_postgresql_port($1)
corenet_sendrecv_postgresql_client_packets($1)
')
########################################
##
## Allow the specified domain to connect to postgresql with a unix socket.
##
##
##
## Domain allowed access.
##
##
#
interface(`postgresql_stream_connect',`
gen_require(`
type postgresql_t, postgresql_var_run_t, postgresql_tmp_t;
')
stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t)
files_search_pids($1)
files_search_tmp($1)
stream_connect_pattern($1, { postgresql_var_run_t postgresql_tmp_t }, { postgresql_var_run_t postgresql_tmp_t }, postgresql_t)
')
########################################
##
## Allow the specified domain unprivileged accesses to unifined database objects
## managed by SE-PostgreSQL,
##
##
##
## Domain allowed access.
##
##
#
interface(`postgresql_unpriv_client',`
gen_require(`
attribute sepgsql_client_type;
')
typeattribute $1 sepgsql_client_type;
')
########################################
##
## Allow the specified domain unconfined accesses to any database objects
## managed by SE-PostgreSQL,
##
##
##
## Domain allowed access.
##
##
#
interface(`postgresql_unconfined',`
gen_require(`
attribute sepgsql_unconfined_type;
')
typeattribute $1 sepgsql_unconfined_type;
')
########################################
##
## Transition to postgresql named content
##
##
##
## Domain allowed access.
##
##
#
interface(`postgresql_filetrans_named_content',`
gen_require(`
type postgresql_db_t;
type postgresql_log_t;
')
files_var_lib_filetrans($1, postgresql_db_t, dir, "postgresql")
files_var_lib_filetrans($1, postgresql_db_t, dir, "postgres")
files_var_lib_filetrans($1, postgresql_db_t, dir, "pgsql")
filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "logfile")
filetrans_pattern($1, postgresql_db_t, postgresql_log_t, dir, "pg_log")
')
########################################
##
## All of the rules required to administrate an postgresql environment
##
##
##
## Domain allowed access.
##
##
##
##
## The role to be allowed to manage the postgresql domain.
##
##
##
#
interface(`postgresql_admin',`
gen_require(`
attribute sepgsql_admin_type, sepgsql_client_type;
type postgresql_t, postgresql_var_run_t, postgresql_initrc_exec_t;
type postgresql_tmp_t, postgresql_db_t, postgresql_log_t;
type postgresql_etc_t;
')
typeattribute $1 sepgsql_admin_type;
allow $1 postgresql_t:process signal_perms;
ps_process_pattern($1, postgresql_t)
tunable_policy(`deny_ptrace',`',`
allow $1 postgresql_t:process ptrace;
')
init_labeled_script_domtrans($1, postgresql_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 postgresql_initrc_exec_t system_r;
allow $2 system_r;
files_list_pids($1)
admin_pattern($1, postgresql_var_run_t)
files_list_var_lib($1)
admin_pattern($1, postgresql_db_t)
files_list_etc($1)
admin_pattern($1, postgresql_etc_t)
logging_list_logs($1)
admin_pattern($1, postgresql_log_t)
files_list_tmp($1)
admin_pattern($1, postgresql_tmp_t)
postgresql_tcp_connect($1)
postgresql_stream_connect($1)
postgresql_filetrans_named_content($1)
')