SEPostgreSQL Permissions
From PostgreSQL wiki
Revision as of 20:19, 12 February 2013
Overview
History of Updates
The initial description of the object classes and their permissions is based on the SELinux community's reference policy, revision 20120725. If a newer policy adds or redefines any of them, we will at least note the minimum policy revision for which this description is valid.
- 20120725
- The initial description of the object classes and their permissions.
- 2013xxxx
- The db_materialized_view object class will be added.
List of object classes and permissions
common database

| Permission | Description |
|---|---|
| create | to be checked when a new object is created |
| drop | to be checked when an existing object is dropped |
| getattr | to be checked when properties of a particular object are referenced |
| setattr | to be checked when properties of a particular object are modified |
| relabelfrom | to be checked on the older label when the security label of a particular object is changed |
| relabelto | to be checked on the newer label when the security label of a particular object is changed |

db_database class

| Permission | Description |
|---|---|
| access | to be checked when a session connects to the database. It is the equivalent of the DATABASE CONNECT permission in the database ACL. |

db_schema class

| Permission | Description |
|---|---|
| search | to be checked when the client tries to resolve an object name under the schema. It is the equivalent of the SCHEMA USAGE permission in the database ACL. |
| add_name | to be checked when the client tries to add an object name entry to a particular schema, due to object creation, rename or SET SCHEMA |
| remove_name | to be checked when the client tries to remove an object name entry from a particular schema, due to object deletion, rename or SET SCHEMA |

db_table class

| Permission | Description |
|---|---|
| select | to be checked when the client tries to reference a table. |
| update | to be checked when the client tries to update rows of a table. |
| insert | to be checked when the client tries to insert rows into a table. |
| delete | to be checked when the client tries to delete rows of a table, including the TRUNCATE command. |
| lock | to be checked on an explicit LOCK command, which performs neither a read nor a write. |

db_sequence class

| Permission | Description |
|---|---|
| get_value | to be checked when the client tries to get the current value of a sequence |
| next_value | to be checked when the client tries to increment the value of a sequence. |
| set_value | to be checked when the client tries to set an arbitrary value on a sequence. |

db_view class

| Permission | Description |
|---|---|
| expand | to be checked when the client references a view in a query. |

db_procedure class

| Permission | Description |
|---|---|
| execute | to be checked when the client tries to invoke a procedure |
| entrypoint | to be checked when a procedure acts as the entry point of a trusted procedure. |
| install | to be checked when an object is constructed whose procedures are later invoked internally with no permission checks, such as type input/output functions. |

db_column class

| Permission | Description |
|---|---|
| select | to be checked when the value of a column is referenced |
| update | to be checked when the value of a column is updated |
| insert | to be checked when a particular value is given to the column on insertion of a new row |

db_tuple class

(*) Note that db_tuple does not inherit the common database permissions.

| Permission | Description |
|---|---|
| relabelfrom | |
| relabelto | |
| select | |
| update | |
| insert | |
| delete | |

db_language class

| Permission | Description |
|---|---|
| implement | |
| execute | |

db_blob class

| Permission | Description |
|---|---|
| read | |
| write | |
| import | |
| export | |

db_materialized_view class

| Permission | Description |
|---|---|
| select | |
| update | |
| insert | |
| delete | |
| lock | |
| refresh | |

(operating system) process class

| Permission | Description |
|---|---|
| transition | |
| dyntransition | |
| setcurrent | |

(operating system) file class

(*) Note that the object class may be dir, lnk_file, chr_file, blk_file, sock_file or fifo_file instead of file, depending on the type of file node being referenced.

| Permission | Description |
|---|---|
| read | |
| write | |
| create | |
| getattr | |
| unlink | |
| rename | |
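The following session, added here as an example and not part of the wiki page or of the sepgsql module itself, maps ordinary SQL statements onto the object classes and permissions listed above. It assumes a server with the sepgsql contrib module loaded, a session that is permitted to set sepgsql.debug_audit (so that every check is written to the log and can be compared with the table), and a policy that provides the sepgsql_table_t, sepgsql_secret_table_t and sepgsql_trusted_proc_exec_t types; the table, column, view and function names are made up for the example.

```sql
-- Added example, not from the wiki page or the sepgsql project.
-- Assumes: sepgsql loaded (shared_preload_libraries = 'sepgsql'), a policy
-- providing the sepgsql_* types below, and a session allowed to set the GUCs.
-- Every check is logged so that each statement can be matched against the
-- "List of object classes and permissions" table.
SET sepgsql.debug_audit = on;
SET client_min_messages = log;

-- db_table:create (on the default label the new table receives) and
-- db_schema:add_name on the schema the name is placed into.
CREATE TABLE customer (cid serial PRIMARY KEY, cname text, credit text);

-- Explicit labels: relabelfrom on the old label, relabelto on the new one.
-- The credit column gets a stricter label than the table.
SECURITY LABEL FOR selinux ON TABLE customer
    IS 'system_u:object_r:sepgsql_table_t:s0';
SECURITY LABEL FOR selinux ON COLUMN customer.credit
    IS 'system_u:object_r:sepgsql_secret_table_t:s0';

-- db_table:insert on customer, db_column:insert on each column that is given
-- a value, and db_sequence:next_value on the serial column's sequence.
INSERT INTO customer (cname, credit) VALUES ('alice', '1111-2222-3333-4444');

-- db_table:select on customer and db_column:select on cid and cname only;
-- credit is not referenced, so its label is not consulted.
SELECT cid, cname FROM customer;

-- db_column:select on customer.credit: with the secret label this is denied
-- for an ordinary client domain, and the denial appears in the log.
SELECT credit FROM customer WHERE cid = 1;

-- db_sequence:get_value
SELECT currval('customer_cid_seq');

-- db_view:expand when the view is referenced, followed by the db_table and
-- db_column checks for the relations the view expands to.
CREATE VIEW customer_public AS SELECT cid, cname FROM customer;
SELECT * FROM customer_public;

-- Trusted procedure: db_procedure:execute on the call, and
-- db_procedure:entrypoint because the label marks the function as the entry
-- point into a trusted domain that may read the masked credit value.
CREATE FUNCTION show_credit(int) RETURNS text AS $$
    SELECT regexp_replace(credit, '-[0-9]+$', '-xxxx', 'g')
      FROM customer WHERE cid = $1
$$ LANGUAGE sql;
SECURITY LABEL FOR selinux ON FUNCTION show_credit(int)
    IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
SELECT show_credit(1);

-- TRUNCATE is covered by db_table:delete; there is no separate permission.
TRUNCATE customer;

-- db_table:lock for an explicit LOCK, which performs neither a read nor a write.
BEGIN;
LOCK TABLE customer IN ACCESS EXCLUSIVE MODE;
COMMIT;
```

With sepgsql.debug_audit enabled, each statement produces one log line per check of the form "SELinux: allowed { select } scontext=... tcontext=... tclass=db_column" (or "denied"), which is the quickest way to confirm that a policy change actually affects the permission named in the table rather than a neighbouring one.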
common database
introduction
Several permissions are common to all database object classes, except for the db_tuple class, which represents rows in user tables.
permissions
- create
- It shall be checked when the user's operation tries to create a new database object, classified according to its database object class.
- A default security label shall be assigned to the new database object, and the create permission shall then be checked on that default label.
- drop
- It shall be checked when the user's operation tries to drop an existing database object, classified according to its database object class.
- Unlike DAC checks, it shall also be applied to database objects dropped in cascade.
- getattr
- It shall be checked when the user's operation tries to read one or more properties of a particular database object, classified according to its database object class.
- Note that it is not intended to control operations that consume the referenced properties without disclosing them. In other words, it needs to be checked on SELECT FROM system catalogs, but an internal syscache reference, for example, is not such a case.
- setattr
- It shall be checked when the user's operation tries to modify one or more properties of a particular database object, classified according to its database object class.
- relabelfrom
- It shall be checked against the older security label when the user's operation tries to change the security label of a particular database object, classified according to its database object class.
- relabelto
- It shall be checked against the newer security label when the user's operation tries to change the security label of a particular database object, classified according to its database object class.
