policy_module(sepgsql-regtest, 1.02)
# Reference to the userspace object-class/permission set (the db_procedure
# class used further down is one of those classes). In this listing the line
# stands alone; the line numbers jump 1 -> 4 -> 9, so its enclosing
# gen_require wrapper is presumably on the omitted lines - confirm against
# the full file.
all_userspace_class_perms
## Allow launching the regression test of SE-PostgreSQL
## Don't switch to TRUE in normal cases
gen_tunable(sepgsql_regression_test_mode, false)
# The boolean above gates the conditional rules further down (the
# unconfined_t -> test-domain process transitions). Its default is false, so
# those transitions stay denied until the tunable is switched on at runtime;
# the unconditional rules in this module (roles, procedure access) apply
# regardless of the boolean.
# Type definitions for regression test
type sepgsql_regtest_trusted_proc_exec_t;
postgresql_procedure_object(sepgsql_regtest_trusted_proc_exec_t)
# Test domains for database administrators
role sepgsql_regtest_dba_r;
userdom_base_user_template(sepgsql_regtest_dba)
userdom_manage_home_role(sepgsql_regtest_dba_r, sepgsql_regtest_dba_t)
# NOTE(review): every other rule in this "database administrators" section
# names sepgsql_regtest_dba_t, but this one grants the *user* domain, and the
# identical line appears again in the unprivileged-user section below. As
# written, sepgsql_regtest_dba_t receives no user-tmp socket write from here.
# This looks like a copy-paste slip; confirm the intended domain before
# changing it, since a change alters what the dba test domain may do.
userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
postgresql_admin(sepgsql_regtest_dba_t, sepgsql_regtest_dba_r)
postgresql_stream_connect(sepgsql_regtest_dba_t)
unconfined_stream_connect(sepgsql_regtest_dba_t)
unconfined_rw_pipes(sepgsql_regtest_dba_t)
# Dummy domain for unpriv users
role sepgsql_regtest_user_r;
userdom_base_user_template(sepgsql_regtest_user)
userdom_manage_home_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
userdom_write_user_tmp_sockets(sepgsql_regtest_user_t)
postgresql_role(sepgsql_regtest_user_r, sepgsql_regtest_user_t)
postgresql_stream_connect(sepgsql_regtest_user_t)
unconfined_stream_connect(sepgsql_regtest_user_t)
unconfined_rw_pipes(sepgsql_regtest_user_t)
# Rules to launch psql in the dummy domains
# sepgsql_trusted_proc_t is not introduced anywhere else in this listing. If
# it is the trusted-procedure domain owned by the postgresql module, this line
# belongs inside a gen_require block rather than being a fresh declaration;
# the listing skips lines around it (54 -> 60 -> 62), so confirm against the
# full file.
type sepgsql_trusted_proc_t;
# Only while the sepgsql_regression_test_mode boolean is on: let unconfined_t
# transition into the two regression-test domains. The closing quote-paren of
# this tunable_policy block is not among the lines shown in this listing.
tunable_policy(`sepgsql_regression_test_mode',`
allow unconfined_t sepgsql_regtest_dba_t : process { transition };
allow unconfined_t sepgsql_regtest_user_t : process { transition };
# NOTE(review): role authorisations are not conditional statements, so these
# three role lines presumably sit outside the tunable_policy block opened
# above (the listing omits line 65, where its close would fall) - confirm.
# If so, the boolean only gates the process transition; unconfined_r is
# always authorised for the test types.
role unconfined_r types sepgsql_regtest_dba_t;
role unconfined_r types sepgsql_regtest_user_t;
role unconfined_r types sepgsql_trusted_proc_t;
# These rules intend the sepgsql_regtest_user_t domain to transition to
# sepgsql_regtest_dba_t when it executes procedures labeled as
# sepgsql_regtest_trusted_proc_exec_t, but do not grant the transition
# permission from sepgsql_regtest_user_t to sepgsql_regtest_dba_t.
# Attribute that, by its name, groups the postgresql client domains. Nothing
# else in this listing declares it, so this is presumably a gen_require
# reference to an attribute owned by another module (the listing skips
# 78 -> 81 -> 83) rather than a new attribute - confirm.
attribute sepgsql_client_type;
# Every domain carrying sepgsql_client_type may inspect (getattr), run
# (execute) and install procedures labelled
# sepgsql_regtest_trusted_proc_exec_t.
allow sepgsql_client_type sepgsql_regtest_trusted_proc_exec_t:db_procedure { getattr execute install };
# Default-transition rule only: when sepgsql_regtest_user_t executes a
# procedure of the trusted-proc type, sepgsql_regtest_dba_t is selected as the
# new domain, but no "process transition" allow from the user domain to the
# dba domain is granted here (see the comment above). The automatic
# transition is therefore refused unless a rule not shown in this listing
# permits it.
type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;