diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 646c251..7a5d677 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -46,21 +46,22 @@ interface(`postgresql_role',`
 #
 tunable_policy(`sepgsql_enable_users_ddl',`
- allow $2 user_sepgsql_table_t:db_table { create drop };
- allow $2 user_sepgsql_table_t:db_column { create drop };
+ allow $2 user_sepgsql_table_t:db_table { create drop setattr };
+ allow $2 user_sepgsql_table_t:db_column { create drop setattr };
 allow $2 user_sepgsql_sysobj_t:db_tuple { update insert delete };
+ allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop setattr };
 ')
- allow $2 user_sepgsql_table_t:db_table { getattr setattr use select update insert delete lock };
- allow $2 user_sepgsql_table_t:db_column { getattr setattr use select update insert };
+ allow $2 user_sepgsql_table_t:db_table { getattr use select update insert delete lock };
+ allow $2 user_sepgsql_table_t:db_column { getattr use select update insert };
 allow $2 user_sepgsql_table_t:db_tuple { use select update insert delete };
 type_transition $2 sepgsql_database_type:db_table user_sepgsql_table_t;
 allow $2 user_sepgsql_sysobj_t:db_tuple { use select };
 type_transition $2 sepgsql_sysobj_table_type:db_tuple user_sepgsql_sysobj_t;
- allow $2 user_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };
+ allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
 type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;
 allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
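Review bot: The last context line of the hunk, `allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write };`, still grants create/drop/setattr unconditionally, while the same permissions on db_table, db_column and db_procedure are now gated by `sepgsql_enable_users_ddl`. If large objects are deliberately treated as data rather than DDL targets, a comment on that line such as `# blob create/drop/setattr is intentionally not gated by sepgsql_enable_users_ddl` would stop the next reader from "fixing" it; otherwise the create/drop/setattr part belongs inside the tunable like the db_procedure rule added above. The same applies to `allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write };` at the end of the postgresql_unpriv_client hunk. The interface body begins before this hunk.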
@@ -347,6 +348,7 @@ interface(`postgresql_unpriv_client',`
 allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr };
 allow $1 unpriv_sepgsql_table_t:db_column { create drop setattr };
 allow $1 unpriv_sepgsql_sysobj_t:db_tuple { update insert delete };
+ allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop setattr };
 ')
 allow $1 unpriv_sepgsql_table_t:db_table { getattr use select update insert delete lock };
@@ -357,7 +359,7 @@ interface(`postgresql_unpriv_client',`
 allow $1 unpriv_sepgsql_sysobj_t:db_tuple { use select };
 type_transition $1 sepgsql_sysobj_table_type:db_tuple unpriv_sepgsql_sysobj_t;
- allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { create drop getattr setattr execute };
+ allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
 type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;
 allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index e922f6f..2c32bdc 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,5 +1,5 @@
-policy_module(postgresql, 1.8.5)
+policy_module(postgresql, 1.8.6)
 gen_require(`
 class db_database all_db_database_perms;
@@ -338,12 +338,6 @@ allow sepgsql_client_type sepgsql_secret_blob_t:db_blob getattr;
 # Therefore, the following rule is applied for any domains which can connect SE-PostgreSQL.
 dontaudit { postgresql_t sepgsql_client_type sepgsql_unconfined_type } { sepgsql_table_type -sepgsql_sysobj_table_type }:db_tuple { use select update insert delete };
-tunable_policy(`sepgsql_enable_users_ddl',`
- allow sepgsql_client_type sepgsql_table_t:db_table { create drop setattr };
- allow sepgsql_client_type sepgsql_table_t:db_column { create drop setattr };
- allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { update insert delete };
-')
-
 ########################################
 #
 # Unconfined access to this module
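Review bot: After this removal nothing in the diff grants create/drop/setattr on the generic `sepgsql_table_t` (or insert/update/delete on `sepgsql_sysobj_t` tuples) to `sepgsql_client_type` when `sepgsql_enable_users_ddl` is on; as far as these hunks show, only the `user_`/`unpriv_` typed objects stay covered, through the interfaces in postgresql.if. That is a behaviour change for any domain that is merely a member of `sepgsql_client_type` without calling `postgresql_role` or `postgresql_unpriv_client`, so it is worth stating explicitly in the commit message, presumably on the grounds that the `type_transition` rules in those interfaces give user-created objects the per-client types. A short comment after the `dontaudit` line, e.g. `# DDL on user-created objects is granted per client in postgresql.if under sepgsql_enable_users_ddl`, would also record where the permission moved for the next reader of this file.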