diff --git a/Changelog b/Changelog
index 63055c9..bfef4a9 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- Add db_procedure install permission from KaiGai Kohei.
 - Add support for network interfaces with access controlled by a Boolean from the CLIP project.
 - Several fixes from the CLIP project.
diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index ec763b2..e4b702a 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -739,6 +739,7 @@ inherits database
 {
 	execute
 	entrypoint
+	install
 }
 class db_column
diff --git a/policy/mcs b/policy/mcs
index 99d66c2..b8c37ab 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -123,7 +123,7 @@ mlsconstrain db_column { drop setattr relabelfrom select update insert use }
 mlsconstrain db_tuple { relabelfrom select update delete use }
 	( h1 dom h2 );
-mlsconstrain db_procedure { execute }
+mlsconstrain db_procedure { execute install }
 	( h1 dom h2 );
 mlsconstrain db_blob { drop setattr relabelfrom read write }
diff --git a/policy/mls b/policy/mls
index 040c1c6..80b3a43 100644
--- a/policy/mls
+++ b/policy/mls
@@ -664,7 +664,7 @@ mlsconstrain { db_table db_column } { getattr use select }
 	( t1 == mlsdbread ) or
 	( t2 == mlstrustedobject ));
-mlsconstrain { db_procedure } { getattr execute }
+mlsconstrain { db_procedure } { getattr execute install }
 	(( l1 dom l2 ) or
 	(( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or
 	( t1 == mlsdbread ) or
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index b5ea273..9d292c3 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,5 +1,5 @@
-policy_module(postgresql, 1.8.2)
+policy_module(postgresql, 1.8.3)
 gen_require(`
 	class db_database all_db_database_perms;
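Review bot: The new `install` permission on db_procedure is not reflected in the `all_db_procedure_perms` macro (policy/support/all_perms.spt), which this diff does not touch; the `all_db_database_perms` reference in postgresql.te's gen_require suggests those macros enumerate permissions per class, so every rule granting `all_db_procedure_perms` would silently miss `install` and administrative/unconfined sepgsql domains would be denied it. Please add `install` there in the same commit. The permission name alone does not say whether it is a use-like operation (as `execute` is) or a modification of the procedure object; a one-line comment next to it in access_vectors stating which would make the MLS placement reviewable, e.g. `	install	# see postgresql.te: treated like execute for MLS purposes`.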
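Review bot: In the policy/mls hunk `install` is added to the read-down constraint shared with `getattr execute` (`l1 dom l2`, or the mlsdbread/mlsdbreadtoclr overrides), so a higher-level subject may install a lower-level procedure with no write-side check at all. If `install` changes the procedure's catalog state rather than merely using it, it belongs in the write constraint for db_procedure (further down in policy/mls, outside this hunk) instead of, or in addition to, this one; the mcs hunk only adds the weaker `h1 dom h2` check and does not settle the question. If the execute-like treatment is deliberate, say so on the constraint: `# install is a use of the procedure, constrained like execute`.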
@@ -303,7 +303,7 @@ allow sepgsql_client_type sepgsql_sysobj_t:db_table { getattr use select };
 allow sepgsql_client_type sepgsql_sysobj_t:db_column { getattr use select };
 allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
-allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute };
+allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute install };
 allow sepgsql_client_type sepgsql_trusted_proc_t:db_procedure { getattr execute entrypoint };
 allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
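Review bot: `install` is granted on sepgsql_proc_t to everything carrying sepgsql_client_type (which by the refpolicy `_type` naming looks like the attribute for all client domains), but the next line leaves sepgsql_trusted_proc_t at `{ getattr execute entrypoint }`; if clients are intentionally barred from installing trusted procedures, that asymmetry deserves a comment so it is not "fixed" later, e.g. `# clients may install ordinary procedures only; trusted procedures are installed by the administrator`. Granting a new capability to every client unconditionally is a one-step widening with no tunable; given the Changelog entry in this same commit adds a Boolean-gated interface for the CLIP project, consider whether `install` should likewise sit behind a tunable_policy block, since the diff gives no rationale for why all clients need it.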