contrib/sepgsql/expected/alter.out | 4 -- contrib/sepgsql/expected/ddl.out | 10 ---- contrib/sepgsql/expected/label.out | 100 ++++++++++++++++++------------------- contrib/sepgsql/sepgsql-regtest.te | 11 ++-- contrib/sepgsql/sql/label.sql | 18 +++---- 5 files changed, 67 insertions(+), 76 deletions(-) diff --git a/contrib/sepgsql/expected/alter.out b/contrib/sepgsql/expected/alter.out index 124f862..79c3391 100644 --- a/contrib/sepgsql/expected/alter.out +++ b/contrib/sepgsql/expected/alter.out 
@@ -143,13 +143,9 @@ ALTER TABLE regtest_table ALTER b SET STORAGE PLAIN; LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_table.b" LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table_2.b" ALTER TABLE regtest_table ADD CONSTRAINT test_fk FOREIGN KEY (a) REFERENCES regtest_table_3(x); -- not supported -LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_2" LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" -LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_2" LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" -LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_2" LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" -LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_2" LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" LOG: SELinux: allowed { select } 
scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema_2.regtest_table" LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table column a" diff --git a/contrib/sepgsql/expected/ddl.out b/contrib/sepgsql/expected/ddl.out index 08cd6d5..a94e0e3 100644 --- a/contrib/sepgsql/expected/ddl.out +++ b/contrib/sepgsql/expected/ddl.out 
@@ -46,11 +46,6 @@ LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_ LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" -LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" -LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" -LINE 1: CREATE TABLE regtest_table (x serial primary key, y text); - ^ -LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_table" LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" 
@@ -156,11 +151,6 @@ LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_ LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table_4.y" LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table_4.z" LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" -LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" -LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" -LINE 1: CREATE TABLE regtest_table_4 (x int primary key, y int, z in... - ^ -LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_table_4" CREATE INDEX regtest_index_tbl4_y ON regtest_table_4(y); diff --git a/contrib/sepgsql/expected/label.out b/contrib/sepgsql/expected/label.out index 9d1f904..8d0b60a 100644 --- a/contrib/sepgsql/expected/label.out +++ b/contrib/sepgsql/expected/label.out 
@@ -175,138 +175,138 @@ LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_re -- -- validation of transaction aware dynamic-transition SELECT sepgsql_getcon(); -- confirm client privilege - sepgsql_getcon --------------------------------------------------- - unconfined_u:unconfined_r:unconfined_t:s0:c0.c25 + sepgsql_getcon +----------------------------------------------------------- + unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c25 (1 row) -SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c15'); +SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c15'); sepgsql_setcon ---------------- t (1 row) SELECT sepgsql_getcon(); - sepgsql_getcon --------------------------------------------------- - unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 + sepgsql_getcon +----------------------------------------------------------- + unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c15 (1 row) SELECT sepgsql_setcon(NULL); -- failed to reset ERROR: SELinux: security policy violation SELECT sepgsql_getcon(); - sepgsql_getcon --------------------------------------------------- - unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 + sepgsql_getcon +----------------------------------------------------------- + unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c15 (1 row) BEGIN; -SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c12'); +SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c12'); sepgsql_setcon ---------------- t (1 row) SELECT sepgsql_getcon(); - sepgsql_getcon --------------------------------------------------- - unconfined_u:unconfined_r:unconfined_t:s0:c0.c12 + sepgsql_getcon +----------------------------------------------------------- + unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c12 (1 row) SAVEPOINT svpt_1; -SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c9'); +SELECT 
sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c9'); sepgsql_setcon ---------------- t (1 row) SELECT sepgsql_getcon(); - sepgsql_getcon -------------------------------------------------- - unconfined_u:unconfined_r:unconfined_t:s0:c0.c9 + sepgsql_getcon +---------------------------------------------------------- + unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c9 (1 row) SAVEPOINT svpt_2; -SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6'); +SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c6'); sepgsql_setcon ---------------- t (1 row) SELECT sepgsql_getcon(); - sepgsql_getcon -------------------------------------------------- - unconfined_u:unconfined_r:unconfined_t:s0:c0.c6 + sepgsql_getcon +---------------------------------------------------------- + unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c6 (1 row) SAVEPOINT svpt_3; -SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c3'); +SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c3'); sepgsql_setcon ---------------- t (1 row) SELECT sepgsql_getcon(); - sepgsql_getcon -------------------------------------------------- - unconfined_u:unconfined_r:unconfined_t:s0:c0.c3 + sepgsql_getcon +---------------------------------------------------------- + unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c3 (1 row) ROLLBACK TO SAVEPOINT svpt_2; SELECT sepgsql_getcon(); -- should be 's0:c0.c9' - sepgsql_getcon -------------------------------------------------- - unconfined_u:unconfined_r:unconfined_t:s0:c0.c9 + sepgsql_getcon +---------------------------------------------------------- + unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c9 (1 row) ROLLBACK TO SAVEPOINT svpt_1; SELECT sepgsql_getcon(); -- should be 's0:c0.c12' - sepgsql_getcon --------------------------------------------------- - unconfined_u:unconfined_r:unconfined_t:s0:c0.c12 + sepgsql_getcon 
+----------------------------------------------------------- + unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c12 (1 row) ABORT; SELECT sepgsql_getcon(); -- should be 's0:c0.c15' - sepgsql_getcon --------------------------------------------------- - unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 + sepgsql_getcon +----------------------------------------------------------- + unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c15 (1 row) BEGIN; -SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c8'); +SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c8'); sepgsql_setcon ---------------- t (1 row) SELECT sepgsql_getcon(); - sepgsql_getcon -------------------------------------------------- - unconfined_u:unconfined_r:unconfined_t:s0:c0.c8 + sepgsql_getcon +---------------------------------------------------------- + unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c8 (1 row) SAVEPOINT svpt_1; -SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c4'); +SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c4'); sepgsql_setcon ---------------- t (1 row) SELECT sepgsql_getcon(); - sepgsql_getcon -------------------------------------------------- - unconfined_u:unconfined_r:unconfined_t:s0:c0.c4 + sepgsql_getcon +---------------------------------------------------------- + unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c4 (1 row) ROLLBACK TO SAVEPOINT svpt_1; SELECT sepgsql_getcon(); -- should be 's0:c0.c8' - sepgsql_getcon -------------------------------------------------- - unconfined_u:unconfined_r:unconfined_t:s0:c0.c8 + sepgsql_getcon +---------------------------------------------------------- + unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c8 (1 row) -SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6'); +SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c6'); sepgsql_setcon ---------------- t 
@@ -314,9 +314,9 @@ SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6'); COMMIT; SELECT sepgsql_getcon(); -- should be 's0:c0.c6' - sepgsql_getcon -------------------------------------------------- - unconfined_u:unconfined_r:unconfined_t:s0:c0.c6 + sepgsql_getcon +---------------------------------------------------------- + unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c6 (1 row) -- sepgsql_regtest_user_t is not available dynamic-transition, diff --git a/contrib/sepgsql/sepgsql-regtest.te b/contrib/sepgsql/sepgsql-regtest.te index 8727523..244a40a 100644 --- a/contrib/sepgsql/sepgsql-regtest.te +++ b/contrib/sepgsql/sepgsql-regtest.te @@ -1,4 +1,4 @@ -policy_module(sepgsql-regtest, 1.07) +policy_module(sepgsql-regtest, 1.08) gen_require(` all_userspace_class_perms @@ -39,9 +39,11 @@ optional_policy(` unconfined_stream_connect(sepgsql_regtest_dba_t) unconfined_rw_pipes(sepgsql_regtest_dba_t) ') - +optional_policy(` + mcs_constrained(sepgsql_regtest_dba_t) +') # Type transition rules -allow sepgsql_regtest_dba_t self : process { setcurrent }; +allow sepgsql_regtest_dba_t self : process { setcurrent dyntransition }; allow sepgsql_regtest_dba_t sepgsql_regtest_user_t : process { dyntransition }; allow sepgsql_regtest_dba_t sepgsql_regtest_foo_t : process { dyntransition }; allow sepgsql_regtest_dba_t sepgsql_regtest_var_t : process { dyntransition }; @@ -77,6 +79,9 @@ optional_policy(` unconfined_stream_connect(sepgsql_regtest_user_t) unconfined_rw_pipes(sepgsql_regtest_user_t) ') +optional_policy(` + mcs_constrained(sepgsql_regtest_user_t) +') # Type transition rules allow sepgsql_regtest_user_t sepgsql_regtest_dba_t : process { transition }; type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t; diff --git a/contrib/sepgsql/sql/label.sql b/contrib/sepgsql/sql/label.sql index 7a05c24..602852e 100644 --- a/contrib/sepgsql/sql/label.sql +++ b/contrib/sepgsql/sql/label.sql 
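Review bot: The new `mcs_constrained(sepgsql_regtest_dba_t)` call sits inside `optional_policy`, so the module still loads where that interface is absent, but then the added `self : process { dyntransition }` grant is no longer bounded by MCS and the label test's expectation that `sepgsql_setcon(NULL)` fails would presumably stop holding. A comment above the rule should record that dependency, e.g. `# dyntransition to self is acceptable only because mcs_constrained() forbids widening the category set; the label regression test relies on this`. The same applies to the `mcs_constrained(sepgsql_regtest_user_t)` block in the following hunk of this file. Dropping the blank line leaves the new `optional_policy(` butted against the preceding `')`; keeping one blank line between blocks would read more consistently with the surrounding policy.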
@@ -110,27 +110,27 @@ SELECT sepgsql_getcon(); -- client's label must be restored -- -- validation of transaction aware dynamic-transition --- @SECURITY-CONTEXT=unconfined_u:unconfined_r:unconfined_t:s0:c0.c25 -SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c15'); +-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c25 +SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c15'); SELECT sepgsql_getcon(); SELECT sepgsql_setcon(NULL); -- failed to reset SELECT sepgsql_getcon(); BEGIN; -SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c12'); +SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c12'); SELECT sepgsql_getcon(); SAVEPOINT svpt_1; -SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c9'); +SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c9'); SELECT sepgsql_getcon(); SAVEPOINT svpt_2; -SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6'); +SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c6'); SELECT sepgsql_getcon(); SAVEPOINT svpt_3; -SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c3'); +SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c3'); SELECT sepgsql_getcon(); ROLLBACK TO SAVEPOINT svpt_2; 
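Review bot: The `-- failed to reset` comment on `SELECT sepgsql_setcon(NULL);` does not say why the reset is expected to fail now that the client starts as `sepgsql_regtest_dba_t:s0:c0.c25`; the failure presumably comes from the MCS constraint on dyntransition, since moving from `c0.c15` back to `c0.c25` would widen the category set, whereas the later `ROLLBACK TO SAVEPOINT` restores the wider label through transaction state rather than a checked transition. Spelling that out keeps the expected error from looking arbitrary, e.g. `-- failed to reset: widening back to c0.c25 is blocked by the MCS constraint`. Each `sepgsql_setcon` step in this hunk narrows the range monotonically (c15, c12, c9, c6, c3), which is what keeps every explicit transition permitted; a one-line comment above `BEGIN;` noting that ordering requirement would help anyone extending the sequence.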
@@ -143,16 +143,16 @@ ABORT; SELECT sepgsql_getcon(); -- should be 's0:c0.c15' BEGIN; -SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c8'); +SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c8'); SELECT sepgsql_getcon(); SAVEPOINT svpt_1; -SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c4'); +SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c4'); SELECT sepgsql_getcon(); ROLLBACK TO SAVEPOINT svpt_1; SELECT sepgsql_getcon(); -- should be 's0:c0.c8' -SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6'); +SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0:c0.c6'); COMMIT; SELECT sepgsql_getcon(); -- should be 's0:c0.c6'