aboutsummaryrefslogtreecommitdiff
blob: be3e10126c77190c9b67ff15aa142ddae4ccfdbb (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
policy_module(postgresql)

gen_require(`
	class db_database all_db_database_perms;
	class db_table all_db_table_perms;
	class db_procedure all_db_procedure_perms;
	class db_column all_db_column_perms;
	class db_tuple all_db_tuple_perms;
	class db_blob all_db_blob_perms;
	class db_schema all_db_schema_perms;
	class db_view all_db_view_perms;
	class db_sequence all_db_sequence_perms;
	class db_language all_db_language_perms;
')

#################################
#
# Declarations
#

## <desc>
## <p>
## Allow postgresql to map memory regions as both executable and writable (e.g. for JIT).
## </p>
## </desc>
gen_tunable(psql_allow_execmem, false)

## <desc>
## <p>
## Allow unprived users to execute DDL statement
## </p>
## </desc>
gen_tunable(sepgsql_enable_users_ddl, false)

## <desc>
## <p>
## Allow transmit client label to foreign database
## </p>
## </desc>
gen_tunable(sepgsql_transmit_client_label, false)

## <desc>
## <p>
## Allow database admins to execute DML statement
## </p>
## </desc>
gen_tunable(sepgsql_unconfined_dbadm, false)

type postgresql_t;
type postgresql_exec_t;
init_daemon_domain(postgresql_t, postgresql_exec_t)

type postgresql_db_t;
files_type(postgresql_db_t)

type postgresql_etc_t;
files_config_file(postgresql_etc_t)

type postgresql_initrc_exec_t;
init_script_file(postgresql_initrc_exec_t)

type postgresql_lock_t;
files_lock_file(postgresql_lock_t)

type postgresql_log_t;
logging_log_file(postgresql_log_t)

type postgresql_runtime_t alias postgresql_var_run_t;
files_runtime_file(postgresql_runtime_t)
init_daemon_runtime_file(postgresql_runtime_t, dir, "postgresql")

type postgresql_tmp_t;
files_tmp_file(postgresql_tmp_t)

type postgresql_tmpfs_t;
files_tmpfs_file(postgresql_tmpfs_t)

type postgresql_unit_t;
init_unit_file(postgresql_unit_t)

# database clients attribute
attribute sepgsql_admin_type;
attribute sepgsql_client_type;
attribute sepgsql_unconfined_type;

# database objects attribute
attribute sepgsql_database_type;
attribute sepgsql_schema_type;
attribute sepgsql_table_type;
attribute sepgsql_sysobj_table_type;
attribute sepgsql_sequence_type;
attribute sepgsql_view_type;
attribute sepgsql_procedure_type;
attribute sepgsql_trusted_procedure_type;
attribute sepgsql_language_type;
attribute sepgsql_blob_type;
attribute sepgsql_module_type;

# database object types
type sepgsql_blob_t;
postgresql_blob_object(sepgsql_blob_t)

type sepgsql_db_t;
postgresql_database_object(sepgsql_db_t)

type sepgsql_fixed_table_t;
postgresql_table_object(sepgsql_fixed_table_t)

type sepgsql_lang_t;
postgresql_language_object(sepgsql_lang_t)

type sepgsql_priv_lang_t;
postgresql_language_object(sepgsql_priv_lang_t)

type sepgsql_proc_exec_t;
postgresql_procedure_object(sepgsql_proc_exec_t)

type sepgsql_ro_blob_t;
postgresql_blob_object(sepgsql_ro_blob_t)

type sepgsql_ro_table_t;
postgresql_table_object(sepgsql_ro_table_t)

type sepgsql_safe_lang_t;
postgresql_language_object(sepgsql_safe_lang_t)

type sepgsql_schema_t;
postgresql_schema_object(sepgsql_schema_t)

type sepgsql_secret_blob_t;
postgresql_blob_object(sepgsql_secret_blob_t)

type sepgsql_secret_table_t;
postgresql_table_object(sepgsql_secret_table_t)

type sepgsql_seq_t;
postgresql_sequence_object(sepgsql_seq_t)

type sepgsql_sysobj_t;
postgresql_system_table_object(sepgsql_sysobj_t)

type sepgsql_table_t;
postgresql_table_object(sepgsql_table_t)

type sepgsql_trusted_proc_exec_t;
postgresql_trusted_procedure_object(sepgsql_trusted_proc_exec_t)

# Ranged Trusted Procedure Domain
type sepgsql_ranged_proc_t;
domain_type(sepgsql_ranged_proc_t)
role system_r types sepgsql_ranged_proc_t;

type sepgsql_ranged_proc_exec_t;
postgresql_trusted_procedure_object(sepgsql_ranged_proc_exec_t)

# Types for temporary objects
#
# XXX - All the temporary objects are eliminated at end of database session
# and invisible from other sessions, so it is unnecessary to restrict users
# operations on temporary object. For policy simplification, only one type
# is defined for temporary objects under the "pg_temp" schema.
type sepgsql_temp_object_t;
postgresql_table_object(sepgsql_temp_object_t)
postgresql_sequence_object(sepgsql_temp_object_t)
postgresql_view_object(sepgsql_temp_object_t)
postgresql_procedure_object(sepgsql_temp_object_t)

# Trusted Procedure Domain
type sepgsql_trusted_proc_t;
domain_type(sepgsql_trusted_proc_t)
postgresql_unconfined(sepgsql_trusted_proc_t)
role system_r types sepgsql_trusted_proc_t;

type sepgsql_view_t;
postgresql_view_object(sepgsql_view_t)

# Types for unprivileged client
type unpriv_sepgsql_blob_t;
postgresql_blob_object(unpriv_sepgsql_blob_t)

type unpriv_sepgsql_proc_exec_t;
postgresql_procedure_object(unpriv_sepgsql_proc_exec_t)

type unpriv_sepgsql_schema_t;
postgresql_schema_object(unpriv_sepgsql_schema_t)

type unpriv_sepgsql_seq_t;
postgresql_sequence_object(unpriv_sepgsql_seq_t)

type unpriv_sepgsql_sysobj_t;
postgresql_system_table_object(unpriv_sepgsql_sysobj_t)

type unpriv_sepgsql_table_t;
postgresql_table_object(unpriv_sepgsql_table_t)

type unpriv_sepgsql_view_t;
postgresql_view_object(unpriv_sepgsql_view_t)

# Types for UBAC
type user_sepgsql_blob_t;
postgresql_blob_object(user_sepgsql_blob_t)

type user_sepgsql_proc_exec_t;
postgresql_procedure_object(user_sepgsql_proc_exec_t)

type user_sepgsql_schema_t;
postgresql_schema_object(user_sepgsql_schema_t)

type user_sepgsql_seq_t;
postgresql_sequence_object(user_sepgsql_seq_t)

type user_sepgsql_sysobj_t;
postgresql_system_table_object(user_sepgsql_sysobj_t)

type user_sepgsql_table_t;
postgresql_table_object(user_sepgsql_table_t)

type user_sepgsql_view_t;
postgresql_view_object(user_sepgsql_view_t)

########################################
#
# postgresql Local policy
#
allow postgresql_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_admin sys_nice sys_tty_config };
dontaudit postgresql_t self:capability { sys_admin sys_tty_config };
allow postgresql_t self:process signal_perms;
allow postgresql_t self:fifo_file rw_fifo_file_perms;
allow postgresql_t self:file read_inherited_file_perms;
allow postgresql_t self:sem create_sem_perms;
allow postgresql_t self:shm create_shm_perms;
allow postgresql_t self:tcp_socket create_stream_socket_perms;
allow postgresql_t self:udp_socket create_stream_socket_perms;
allow postgresql_t self:unix_dgram_socket create_socket_perms;
allow postgresql_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow postgresql_t self:netlink_selinux_socket create_socket_perms;
tunable_policy(`sepgsql_transmit_client_label',`
	allow postgresql_t self:process { setsockcreate };
')

allow postgresql_t sepgsql_database_type:db_database { access create drop get_param getattr install_module load_module relabelfrom relabelto set_param setattr };

allow postgresql_t sepgsql_module_type:db_database install_module;
# Database/Loadable module
allow sepgsql_database_type sepgsql_module_type:db_database load_module;

allow postgresql_t {sepgsql_schema_type sepgsql_temp_object_t}:db_schema { add_name create drop getattr relabelfrom relabelto remove_name search setattr } ;
type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_schema_t;
type_transition postgresql_t sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";

allow postgresql_t sepgsql_table_type:db_table { create delete drop getattr insert lock relabelfrom relabelto select setattr update };
allow postgresql_t sepgsql_table_type:db_column { create drop getattr insert relabelfrom relabelto select setattr update };
allow postgresql_t sepgsql_table_type:db_tuple { delete insert relabelfrom relabelto select update use };
type_transition postgresql_t sepgsql_schema_type:db_table sepgsql_sysobj_t;

allow postgresql_t sepgsql_sequence_type:db_sequence { create drop get_value getattr next_value relabelfrom relabelto set_value setattr };
type_transition postgresql_t sepgsql_schema_type:db_sequence sepgsql_seq_t;

allow postgresql_t sepgsql_view_type:db_view { create drop expand getattr relabelfrom relabelto setattr };
type_transition postgresql_t sepgsql_schema_type:db_view sepgsql_view_t;

allow postgresql_t sepgsql_procedure_type:db_procedure { create drop entrypoint execute getattr install relabelfrom relabelto setattr };
type_transition postgresql_t sepgsql_schema_type:db_procedure sepgsql_proc_exec_t;

allow postgresql_t sepgsql_blob_type:db_blob { create drop export getattr import read relabelfrom relabelto setattr write };
type_transition postgresql_t sepgsql_database_type:db_blob sepgsql_blob_t;

manage_dirs_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_lnk_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_fifo_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
manage_sock_files_pattern(postgresql_t, postgresql_db_t, postgresql_db_t)
files_var_lib_filetrans(postgresql_t, postgresql_db_t, { dir file lnk_file sock_file fifo_file })

allow postgresql_t postgresql_etc_t:dir list_dir_perms;
read_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)
read_lnk_files_pattern(postgresql_t, postgresql_etc_t, postgresql_etc_t)

allow postgresql_t postgresql_exec_t:lnk_file read_lnk_file_perms;
can_exec(postgresql_t, postgresql_exec_t )

allow postgresql_t postgresql_lock_t:file manage_file_perms;
files_lock_filetrans(postgresql_t, postgresql_lock_t, file)

manage_files_pattern(postgresql_t, postgresql_log_t, postgresql_log_t)
logging_log_filetrans(postgresql_t, postgresql_log_t, { file dir })

allow postgresql_t postgresql_tmp_t:file map;
manage_dirs_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
manage_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
manage_lnk_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t)
files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file })
fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir lnk_file sock_file fifo_file })

allow postgresql_t postgresql_tmpfs_t:file map;
manage_files_pattern(postgresql_t, postgresql_tmpfs_t, postgresql_tmpfs_t)
fs_tmpfs_filetrans(postgresql_t, postgresql_tmpfs_t, { file })

manage_dirs_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
manage_files_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
manage_sock_files_pattern(postgresql_t, postgresql_runtime_t, postgresql_runtime_t)
files_runtime_filetrans(postgresql_t, postgresql_runtime_t, { dir file })

kernel_read_kernel_sysctls(postgresql_t)
kernel_read_system_state(postgresql_t)
kernel_list_proc(postgresql_t)
kernel_read_all_sysctls(postgresql_t)
kernel_read_proc_symlinks(postgresql_t)

corenet_all_recvfrom_netlabel(postgresql_t)
corenet_tcp_sendrecv_generic_if(postgresql_t)
corenet_udp_sendrecv_generic_if(postgresql_t)
corenet_tcp_sendrecv_generic_node(postgresql_t)
corenet_udp_sendrecv_generic_node(postgresql_t)
corenet_udp_bind_generic_node(postgresql_t)
corenet_tcp_bind_generic_node(postgresql_t)
corenet_tcp_bind_postgresql_port(postgresql_t)
corenet_tcp_connect_auth_port(postgresql_t)
corenet_tcp_connect_postgresql_port(postgresql_t)
corenet_sendrecv_postgresql_server_packets(postgresql_t)
corenet_sendrecv_auth_client_packets(postgresql_t)

dev_read_sysfs(postgresql_t)
dev_read_urand(postgresql_t)

fs_getattr_all_fs(postgresql_t)
fs_search_auto_mountpoints(postgresql_t)
fs_mmap_rw_hugetlbfs_files(postgresql_t)

selinux_get_enforce_mode(postgresql_t)
selinux_validate_context(postgresql_t)
selinux_compute_access_vector(postgresql_t)
selinux_compute_create_context(postgresql_t)
selinux_compute_relabel_context(postgresql_t)

term_use_controlling_term(postgresql_t)

corecmd_exec_bin(postgresql_t)
corecmd_exec_shell(postgresql_t)

domain_dontaudit_list_all_domains_state(postgresql_t)
domain_use_interactive_fds(postgresql_t)

files_dontaudit_search_home(postgresql_t)
files_manage_etc_files(postgresql_t)
files_search_etc(postgresql_t)
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)

auth_use_pam(postgresql_t)

init_read_utmp(postgresql_t)

logging_send_syslog_msg(postgresql_t)
logging_send_audit_msgs(postgresql_t)

miscfiles_read_generic_tls_privkey(postgresql_t)
miscfiles_read_localization(postgresql_t)

seutil_libselinux_linked(postgresql_t)
seutil_read_default_contexts(postgresql_t)

userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
userdom_dontaudit_search_user_home_dirs(postgresql_t)
userdom_dontaudit_use_user_terminals(postgresql_t)

optional_policy(`
	mta_getattr_spool(postgresql_t)
')

tunable_policy(`allow_execmem || psql_allow_execmem',`
	allow postgresql_t self:process execmem;
')

optional_policy(`
	consoletype_exec(postgresql_t)
')

optional_policy(`
	cron_search_spool(postgresql_t)
	cron_system_entry(postgresql_t, postgresql_exec_t)
')

optional_policy(`
	hostname_exec(postgresql_t)
')

optional_policy(`
	ipsec_match_default_spd(postgresql_t)
')

optional_policy(`
	kerberos_use(postgresql_t)
')

optional_policy(`
	seutil_sigchld_newrole(postgresql_t)
')

########################################
#
# Ranged Trusted Procedure Domain
#
# XXX - the purpose of this domain is to switch security context of
# the database client using dynamic domain transition; typically,
# used for connection pooling software that shall assign a security
# context at beginning of the user session based on the credentials
# being invisible from unprivileged domains.
#
allow sepgsql_ranged_proc_t self:process setcurrent;

domain_dyntrans_type(sepgsql_ranged_proc_t)

mcs_process_set_categories(sepgsql_ranged_proc_t)

mls_process_set_level(sepgsql_ranged_proc_t)

postgresql_unconfined(sepgsql_ranged_proc_t)

########################################
#
# Rules common to all clients
#

allow sepgsql_client_type sepgsql_db_t:db_database { access get_param getattr set_param };
type_transition sepgsql_client_type sepgsql_client_type:db_database sepgsql_db_t;

allow sepgsql_client_type sepgsql_schema_t:db_schema { getattr search };

allow sepgsql_client_type sepgsql_fixed_table_t:db_table { getattr insert lock select };
allow sepgsql_client_type sepgsql_fixed_table_t:db_column { getattr insert select };
allow sepgsql_client_type sepgsql_fixed_table_t:db_tuple { insert select };

allow sepgsql_client_type sepgsql_table_t:db_table { delete getattr insert lock select update };
allow sepgsql_client_type sepgsql_table_t:db_column { getattr insert select update };
allow sepgsql_client_type sepgsql_table_t:db_tuple { delete insert select update };

allow sepgsql_client_type sepgsql_ro_table_t:db_table { getattr lock select };
allow sepgsql_client_type sepgsql_ro_table_t:db_column { getattr select };
allow sepgsql_client_type sepgsql_ro_table_t:db_tuple { select };

allow sepgsql_client_type sepgsql_secret_table_t:db_table getattr;
allow sepgsql_client_type sepgsql_secret_table_t:db_column getattr;

allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr lock select };
allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr select };
allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { select use };

allow sepgsql_client_type sepgsql_seq_t:db_sequence { get_value getattr next_value };

allow sepgsql_client_type sepgsql_view_t:db_view { expand getattr };

allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { execute getattr install };
allow sepgsql_client_type sepgsql_trusted_procedure_type:db_procedure { entrypoint execute getattr };

allow sepgsql_client_type sepgsql_lang_t:db_language { getattr };
allow sepgsql_client_type sepgsql_safe_lang_t:db_language { execute getattr };

# Only DBA can implement SQL procedures using `unsafe' procedural languages.
# The `unsafe' one provides a capability to access internal data structure,
# so we don't allow user-defined function being implemented using `unsafe' one.
allow sepgsql_proc_exec_t sepgsql_lang_t:db_language { implement };
allow sepgsql_procedure_type sepgsql_safe_lang_t:db_language { implement };

allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr read setattr write };
allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;

# The purpose of the dontaudit rule in row-level access control is to prevent a flood of logs.
# If a client tries to SELECT a table including violated tuples, these are filtered from
# the result set as if not exist, but its access denied longs can be recorded within log files.
# In generally, the number of tuples are much larger than the number of columns, tables and so on.
# So, it makes a flood of logs when many tuples are violated.
#
# The default policy does not prevent anything for sepgsql_client_type sepgsql_unconfined_type,
# so we don't need "dontaudit" rules in Type-Enforcement. However, MLS/MCS can prevent them
# to access classified tuples and can make a audit record.
#
# Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
dontaudit { postgresql_t sepgsql_admin_type sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { delete insert select update use };

# It is always allowed to operate temporary objects for any database client.
allow sepgsql_client_type sepgsql_temp_object_t:db_schema { add_name create drop getattr remove_name search setattr };
allow sepgsql_client_type sepgsql_temp_object_t:db_table { create delete drop getattr insert lock select setattr update };
allow sepgsql_client_type sepgsql_temp_object_t:db_column { create drop getattr insert select setattr update };
allow sepgsql_client_type sepgsql_temp_object_t:db_tuple { delete insert select update use };
allow sepgsql_client_type sepgsql_temp_object_t:db_sequence { create drop get_value getattr next_value set_value setattr };
allow sepgsql_client_type sepgsql_temp_object_t:db_view { create drop expand getattr setattr };
allow sepgsql_client_type sepgsql_temp_object_t:db_procedure { create drop entrypoint execute getattr install setattr };

# Note that permission of creation/deletion are eventually controlled by
# create or drop permission of individual objects within shared schemas.
# So, it just allows to create/drop user specific types.
tunable_policy(`sepgsql_enable_users_ddl',`
	allow sepgsql_client_type sepgsql_schema_t:db_schema { add_name remove_name };
')

########################################
#
# Rules common to administrator clients
#

allow sepgsql_admin_type sepgsql_database_type:db_database { access create drop getattr relabelfrom relabelto setattr };

allow sepgsql_admin_type sepgsql_schema_type:db_schema { add_name create drop getattr relabelfrom relabelto remove_name search setattr };
type_transition sepgsql_admin_type sepgsql_database_type:db_schema sepgsql_schema_t;
type_transition sepgsql_admin_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";

allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr lock relabelfrom relabelto setattr };
allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr relabelfrom relabelto setattr };
allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { delete insert relabelfrom relabelto select update use };

type_transition sepgsql_admin_type sepgsql_schema_type:db_table sepgsql_table_t;

allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create drop get_value getattr next_value relabelfrom relabelto set_value setattr };

type_transition sepgsql_admin_type sepgsql_schema_type:db_sequence sepgsql_seq_t;

allow sepgsql_admin_type sepgsql_view_type:db_view { create drop expand getattr relabelfrom relabelto setattr };

type_transition sepgsql_admin_type sepgsql_schema_type:db_view sepgsql_view_t;

allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto };
allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute;

type_transition sepgsql_admin_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t;

allow sepgsql_admin_type sepgsql_temp_object_t:db_schema { add_name create drop getattr remove_name search setattr };
allow sepgsql_admin_type sepgsql_temp_object_t:db_table { create delete drop getattr insert lock select setattr update };
allow sepgsql_admin_type sepgsql_temp_object_t:db_column { create drop getattr insert select setattr update };
allow sepgsql_admin_type sepgsql_temp_object_t:db_tuple { delete insert select update use };
allow sepgsql_admin_type sepgsql_temp_object_t:db_sequence { create drop get_value getattr next_value set_value setattr };
allow sepgsql_admin_type sepgsql_temp_object_t:db_view { create drop expand getattr setattr };
allow sepgsql_admin_type sepgsql_temp_object_t:db_procedure { create drop entrypoint execute getattr install setattr };

allow sepgsql_admin_type sepgsql_language_type:db_language { create drop execute getattr relabelfrom relabelto setattr };

type_transition sepgsql_admin_type sepgsql_database_type:db_language sepgsql_lang_t;

allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr relabelfrom relabelto setattr };

type_transition sepgsql_admin_type sepgsql_database_type:db_blob sepgsql_blob_t;

allow sepgsql_admin_type sepgsql_module_type:db_database install_module;

kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)

tunable_policy(`sepgsql_unconfined_dbadm',`
	allow sepgsql_admin_type sepgsql_database_type:db_database { access create drop get_param getattr install_module load_module relabelfrom relabelto set_param setattr };

	allow sepgsql_admin_type sepgsql_schema_type:db_schema { add_name create drop getattr relabelfrom relabelto remove_name search setattr };

	allow sepgsql_admin_type sepgsql_table_type:db_table { create delete drop getattr insert lock relabelfrom relabelto select setattr update };
	allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr insert relabelfrom relabelto select setattr update };
	allow sepgsql_admin_type sepgsql_table_type:db_tuple { delete insert relabelfrom relabelto select update use };
	allow sepgsql_admin_type sepgsql_sequence_type:db_sequence { create drop get_value getattr next_value relabelfrom relabelto set_value setattr };
	allow sepgsql_admin_type sepgsql_view_type:db_view { create drop expand getattr relabelfrom relabelto setattr };

	allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure { create drop entrypoint execute getattr install relabelfrom relabelto setattr };
	allow sepgsql_admin_type sepgsql_trusted_procedure_type:db_procedure { create drop entrypoint execute getattr relabelfrom relabelto setattr };
	allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop entrypoint getattr relabelfrom relabelto setattr };

	allow sepgsql_admin_type sepgsql_language_type:db_language { create drop execute getattr relabelfrom relabelto setattr };

	allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop export getattr import read relabelfrom relabelto setattr write };
')

########################################
#
# Unconfined access to this module
#

allow sepgsql_unconfined_type sepgsql_database_type:db_database { access create drop get_param getattr install_module load_module relabelfrom relabelto set_param setattr };

allow sepgsql_unconfined_type { sepgsql_schema_type sepgsql_temp_object_t }:db_schema { add_name create drop getattr relabelfrom relabelto remove_name search setattr };
type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_schema_t;
type_transition sepgsql_unconfined_type sepgsql_database_type:db_schema sepgsql_temp_object_t "pg_temp";

type_transition sepgsql_unconfined_type sepgsql_schema_type:db_table sepgsql_table_t;
type_transition sepgsql_unconfined_type sepgsql_schema_type:db_sequence sepgsql_seq_t;
type_transition sepgsql_unconfined_type sepgsql_schema_type:db_view sepgsql_view_t;
type_transition sepgsql_unconfined_type sepgsql_schema_type:db_procedure sepgsql_proc_exec_t;
type_transition sepgsql_unconfined_type sepgsql_database_type:db_language sepgsql_lang_t;
type_transition sepgsql_unconfined_type sepgsql_database_type:db_blob sepgsql_blob_t;

allow sepgsql_unconfined_type sepgsql_table_type:db_table { create delete drop getattr insert lock relabelfrom relabelto select setattr update };
allow sepgsql_unconfined_type sepgsql_table_type:db_column { create drop getattr insert relabelfrom relabelto select setattr update };
allow sepgsql_unconfined_type sepgsql_table_type:db_tuple { delete insert relabelfrom relabelto select update use };
allow sepgsql_unconfined_type sepgsql_sequence_type:db_sequence { create drop get_value getattr next_value relabelfrom relabelto set_value setattr };
allow sepgsql_unconfined_type sepgsql_view_type:db_view { create drop expand getattr relabelfrom relabelto setattr };

# unconfined domain is not allowed to invoke user defined procedure directly.
# They have to confirm and relabel it at first.
allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure { create drop entrypoint execute getattr install relabelfrom relabelto setattr };
allow sepgsql_unconfined_type sepgsql_trusted_procedure_type:db_procedure { create drop entrypoint execute getattr relabelfrom relabelto setattr };
allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop entrypoint getattr relabelfrom relabelto setattr };

allow sepgsql_unconfined_type sepgsql_language_type:db_language { create drop execute getattr relabelfrom relabelto setattr };

allow sepgsql_unconfined_type sepgsql_blob_type:db_blob { create drop export getattr import read relabelfrom relabelto setattr write };

allow sepgsql_unconfined_type sepgsql_module_type:db_database install_module;

kernel_relabelfrom_unlabeled_database(sepgsql_unconfined_type)