SEPostgreSQL Permissions
Overview
History of Updates
The initial description of the object classes and permissions is based on revision 20120725 of the SELinux community's reference policy. Where a newer policy adds or redefines them, we at least add a note stating which revision is the minimum policy for which this description is valid.
- 20120725
- The initial description of the object classes and permissions.
- 2013xxxx
- The db_materialized_view object class will be added.
List of object classes and permissions
Object class | Permissions
---|---
common database | create, drop, getattr, setattr, relabelfrom, relabelto
db_database | common permissions and access
db_schema | common permissions and search, add_name, remove_name
db_table | common permissions and select, update, insert, delete, lock
db_sequence | common permissions and get_value, next_value, set_value
db_view | common permissions and expand
db_procedure | common permissions and execute, entrypoint, install
db_column | common permissions and select, update, insert
db_tuple | relabelfrom, relabelto, select, update, insert, delete
db_language | common permissions and implement, execute
db_blob | common permissions and read, write
db_materialized_view | common permissions and select, update, insert, delete, lock, refresh
(OS) process | transition, dyntransition, setcurrent
(OS) file | read, write, create, getattr, unlink, rename
common database
Several basic permissions are common to all database object classes, except for the db_tuple class, which represents rows in user tables. See also the section on each individual object class for the definition of that class.
permissions
- create
- It shall be checked when a user's operation tries to create a new database object classified under the database object class.
- A default security label shall be assigned to the new database object, and create permission shall then be checked on that default label.
- drop
- It shall be checked when a user's operation tries to drop an existing database object classified under the database object class.
- Unlike DAC checks, it shall also be applied to database objects dropped in cascade.
- getattr
- It shall be checked when a user's operation tries to read one or more properties of a particular database object classified under the database object class.
- Note that it is not intended to control operations that consume the referenced properties internally without disclosing them. In other words, it needs to be checked on SELECT from system catalogs, but an internal syscache lookup, for example, is not such a case.
- setattr
- It shall be checked when a user's operation tries to modify one or more properties of a database object classified under the database object class.
- relabelfrom
- It shall be checked on the older security label when a user's operation tries to change the security label of a particular database object classified under the database object class.
- relabelto
- It shall be checked on the newer security label when a user's operation tries to change the security label of a particular database object classified under the database object class.
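The following psql session, an added example that is not part of the original page, walks through the common permissions on a schema and a table: it shows the default label a new object inherits, performs a relabel (relabelfrom on the old label, relabelto on the new one), reads catalog properties (getattr) and drops in cascade (drop on every object removed). The schema and table names are constructed, and the sepgsql_ro_table_t type is assumed to exist in the loaded reference policy.

```sql
-- Added example (not from the wiki page). Assumes the sepgsql module is
-- loaded; the object names are constructed and sepgsql_ro_table_t is
-- assumed to be defined by the reference policy.

-- Emit every permission check as a LOG line so each step can be observed.
SET sepgsql.debug_audit = on;
SET client_min_messages = log;

-- db_schema:create is checked on the label the schema inherits from the
-- database; db_table:create on the label the table inherits from the schema
-- (a type_transition rule in the policy may override either default).
CREATE SCHEMA inventory;
CREATE TABLE inventory.parts (id int PRIMARY KEY, name text);

-- Inspect the default labels that were stored in pg_seclabel.
SELECT objtype, objname, label
  FROM pg_seclabels
 WHERE provider = 'selinux'
   AND objoid IN ((SELECT oid FROM pg_namespace WHERE nspname = 'inventory'),
                  'inventory.parts'::regclass);

-- Relabel: db_table:relabelfrom on the current label and
-- db_table:relabelto on the requested one.
SECURITY LABEL FOR selinux ON TABLE inventory.parts
    IS 'system_u:object_r:sepgsql_ro_table_t:s0';

-- Reading catalog properties of the table checks db_table:getattr;
-- an internal syscache lookup by the server would not.
SELECT relname, relkind FROM pg_class WHERE oid = 'inventory.parts'::regclass;

-- Changing a property checks db_table:setattr.
ALTER TABLE inventory.parts RENAME COLUMN name TO part_name;

-- Unlike the DAC check, db_table:drop is also applied to the table
-- removed by the cascade, not only db_schema:drop on the schema.
DROP SCHEMA inventory CASCADE;
```

With sepgsql.debug_audit enabled the server log shows one line per access-vector check, which is the quickest way to confirm which object class and permission a given statement actually exercised.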
db_database class
An object of db_database class represents an entry of the pg_database system catalog. Its default security label shall inherit the label assigned to the database used as the template for the new one, unless a type_transition rule specifies otherwise.
permissions
- common permissions
- This object class also has the common permissions: create, drop, getattr, setattr, relabelfrom and relabelto.
- access
- It shall be checked when a client tries to connect to the database. It is the equivalent of the DATABASE CONNECT permission in the database ACL.
db_schema class
An object of db_schema class represents an entry of the pg_namespace system catalog. Its default security label shall inherit the label assigned to the database that owns the schema, unless a type_transition rule specifies otherwise.
permissions
- common permissions
- This object class also has the common permissions: create, drop, getattr, setattr, relabelfrom and relabelto.
- search
- It shall be checked when a client tries to resolve an object name within the schema.
- It is the equivalent of the SCHEMA USE permission in the database ACL; thus a client cannot look up any object within the schema without this permission.
- add_name
- It shall be checked when a client tries to add an object name entry to a particular schema, on object creation, rename, or SET SCHEMA.
- remove_name
- It shall be checked when a client tries to remove an object name entry from a particular schema, on object deletion, rename, or SET SCHEMA.
db_table class
An object of db_table class represents an entry of the pg_class system catalog with RELKIND_RELATION. Its default security label shall inherit the label assigned to the schema that owns the table, unless a type_transition rule specifies otherwise.
Some other catalogs that store properties of relations externally, such as pg_trigger and pg_index, are treated as properties of the associated table; their entries therefore have no security label of their own, and sepgsql checks setattr permission on the relation when these entries are created or deleted.
permissions
- common permissions
- This object class also has the common permissions: create, drop, getattr, setattr, relabelfrom and relabelto.
- select
- It shall be checked when a client tries to reference the table. It is required not only by the SELECT command but by any operation that may read the contents of the table, such as the WHERE clause of DELETE, or a reference as part of a new value in UPDATE.
- Unlike the database ACL, it shall also be checked on child relations when an inheritance parent is accessed.
- update
- It shall be checked when a client tries to update rows of the table.
- Unlike the database ACL, it shall also be checked on child relations when an inheritance parent is accessed.
- insert
- It shall be checked when a client tries to insert new rows into the table.
- delete
- It shall be checked when a client tries to delete rows of the table, including the case of the TRUNCATE command.
- Unlike the database ACL, it shall also be checked on child relations when an inheritance parent is accessed.
- lock
- It shall be checked when a client tries to acquire a table lock without reading or writing the contents of the table.
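The inheritance rule above is the point most likely to surprise someone coming from the database ACL, so here is an added example (not from the original page) that sets up a parent and a child table with different labels and runs the statements whose checks differ. The table names are constructed, and the sepgsql_secret_table_t type is assumed to be defined by the reference policy.

```sql
-- Added example (not from the wiki page). Assumes sepgsql is loaded; the
-- table names are constructed and sepgsql_secret_table_t is assumed to
-- exist in the loaded reference policy.
CREATE TABLE events (id int, payload text);
CREATE TABLE events_audit () INHERITS (events);

-- Give the child a more restrictive label than the parent.
SECURITY LABEL FOR selinux ON TABLE events_audit
    IS 'system_u:object_r:sepgsql_secret_table_t:s0';

-- Log every permission check taken for the statements that follow.
SET sepgsql.debug_audit = on;
SET client_min_messages = log;

-- Scanning the parent also scans the child, so db_table:select (and
-- db_column:select for the referenced columns) is checked on BOTH
-- events and events_audit. The database ACL would check only the parent.
SELECT id FROM events;

-- ONLY restricts the scan, and therefore the checks, to the parent.
SELECT id FROM ONLY events;

-- DELETE with a WHERE clause reads rows, so db_table:delete AND
-- db_table:select are checked, again on parent and child.
DELETE FROM events WHERE id < 0;

-- UPDATE that references the old value needs db_table:update plus
-- db_table:select on every relation touched.
UPDATE events SET payload = payload || '!' WHERE id = 1;

-- TRUNCATE is treated as delete; it recurses to the child as well.
TRUNCATE events;

-- An explicit lock that neither reads nor writes checks db_table:lock only.
BEGIN;
LOCK TABLE events IN SHARE MODE;
COMMIT;
```

If the client's domain may read sepgsql_table_t but not sepgsql_secret_table_t, the first SELECT fails while the `SELECT ... FROM ONLY events` succeeds; the log lines emitted by sepgsql.debug_audit show the denied check on events_audit.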
db_sequence class
An object of db_sequence class represents an entry of the pg_class system catalog with RELKIND_SEQUENCE. Its default security label shall inherit the label assigned to the schema that owns the sequence, unless a type_transition rule specifies otherwise.
Some other catalogs that store properties of relations externally, such as pg_trigger and pg_index, are treated as properties of the associated relation; their entries therefore have no security label of their own, and sepgsql checks setattr permission on the relation when these entries are created or deleted.
permissions
- common permissions
- This object class also has the common permissions: create, drop, getattr, setattr, relabelfrom and relabelto.
- get_value
- It shall be checked when a client tries to get the current value of a sequence.
- next_value
- It shall be checked when a client tries to increment the value of a sequence.
- set_value
- It shall be checked when a client tries to set an arbitrary value on a sequence.
db_view class
An object of db_view class represents an entry of the pg_class system catalog with RELKIND_VIEW. Its default security label shall inherit the label assigned to the schema that owns the view, unless a type_transition rule specifies otherwise.
Some other catalogs that store properties of relations externally, such as pg_trigger and pg_index, are treated as properties of the associated relation; their entries therefore have no security label of their own, and sepgsql checks setattr permission on the relation when these entries are created or deleted.
permissions
- common permissions
- This object class also has the common permissions: create, drop, getattr, setattr, relabelfrom and relabelto.
- expand
- It shall be checked when a client tries to access the view, thereby expanding its underlying query.
db_procedure class
An object of db_procedure class represents an entry of the pg_proc system catalog. Its default security label shall inherit the label assigned to the schema that owns the procedure, unless a type_transition rule specifies otherwise.
Some other catalogs that store properties of procedures externally, such as pg_aggregate, are treated as properties of the associated procedure; their entries therefore have no security label of their own, and sepgsql checks setattr permission on the procedure when these entries are created or deleted.
permissions
- common permissions
- This object class also has the common permissions: create, drop, getattr, setattr, relabelfrom and relabelto.
- execute
- It shall be checked when a client tries to execute a procedure. It is the equivalent of the FUNCTION EXECUTE permission in the database ACL.
- Please note that some functions installed as internal components, such as type input/output methods, are not checked at execution time. The install permission should be checked instead when a user defines the relevant object.
- entrypoint
- It shall be checked, in addition to execute permission, when a procedure acts as the entry point of a trusted procedure.
- install
- It shall be checked when an object is constructed that may invoke the specified procedure as an internal component without permission checks at run time, such as type input/output functions.
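To make the execute/entrypoint distinction concrete, here is an added example (not from the original page) following the trusted-procedure pattern from the PostgreSQL sepgsql documentation: a function that exposes a masked form of a protected column is labelled as a trusted-procedure entry point, so calling it checks db_procedure:entrypoint in addition to db_procedure:execute and switches the client's domain for the duration of the call. The table, function and column labels are constructed; sepgsql_trusted_proc_exec_t and sepgsql_secret_table_t are assumed to exist in the loaded reference policy.

```sql
-- Added example (not from the wiki page). Assumes sepgsql is loaded and
-- that the reference policy defines sepgsql_trusted_proc_exec_t and
-- sepgsql_secret_table_t; the table and function are constructed.
CREATE TABLE customer (cid int PRIMARY KEY, cname text, credit text);
INSERT INTO customer VALUES (1, 'alice', '1111-2222-3333-4444');

-- Protect the sensitive column: db_column:select on it will be denied
-- to ordinary client domains.
SECURITY LABEL FOR selinux ON COLUMN customer.credit
    IS 'system_u:object_r:sepgsql_secret_table_t:s0';

-- Defining the function checks db_language:implement on 'sql' and
-- db_procedure:create on the label inherited from the schema.
CREATE FUNCTION show_credit(int) RETURNS text AS $$
    SELECT regexp_replace(credit, '-[0-9]+$', '-xxxx', 'g')
      FROM customer WHERE cid = $1
$$ LANGUAGE sql;

-- Mark it as a trusted-procedure entry point. A call now checks
-- db_procedure:execute AND db_procedure:entrypoint on this label, plus
-- process:transition from the caller's domain to the trusted domain.
SECURITY LABEL FOR selinux ON FUNCTION show_credit(int)
    IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';

-- The caller's own domain cannot read customer.credit directly ...
SELECT sepgsql_getcon();            -- caller's domain
SELECT credit FROM customer;        -- denied: db_column:select on credit

-- ... but may obtain the masked value through the trusted procedure,
-- which runs under the transitioned domain.
SELECT show_credit(1);              -- '1111-2222-3333-xxxx'
```

Whether the second SELECT is denied and the third succeeds depends entirely on the policy rules for the caller's domain and the trusted domain; the labels above only declare which checks sepgsql performs.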
db_column class
An object of db_column class represents an entry of the pg_attribute system catalog owned by a db_table or db_materialized_view object. Its default security label shall inherit the label assigned to the relation that owns the column, unless a type_transition rule specifies otherwise.
Some other catalogs that store properties of columns externally, such as pg_attrdef, are treated as properties of the associated column; their entries therefore have no security label of their own, and sepgsql checks setattr permission on the column when these entries are created or deleted.
permissions
- common permissions
- This object class also has the common permissions: create, drop, getattr, setattr, relabelfrom and relabelto.
- select
- It shall be checked when the column is referenced.
- update
- It shall be checked when the column is specified as the target of an update.
- insert
- It shall be checked when the column is specified as the target of an insert.
db_tuple class
The db_tuple class represents rows that do not belong to any other specific object class: not only rows in user-defined tables, but also rows in system catalogs that are not associated with a particular object class.
Its default security label shall inherit the label assigned to the table that owns the row, unless a type_transition rule specifies otherwise.
permissions
- relabelfrom
- It shall be checked on the older label when the security label of a row is changed.
- relabelto
- It shall be checked on the newer label when the security label of a row is changed.
- select
- It shall be checked when a row is selected.
- update
- It shall be checked when a row is updated.
- insert
- It shall be checked when a row is inserted.
- delete
- It shall be checked when a row is deleted.
db_language class
An object of db_language class represents an entry of the pg_language system catalog. Its default security label shall inherit the label assigned to the database, unless a type_transition rule specifies otherwise.
permissions
- common permissions
- This object class also has the common permissions: create, drop, getattr, setattr, relabelfrom and relabelto.
- implement
- It shall be checked when a procedure is created in this procedural language.
- execute
- It shall be checked when the DO command runs a script without a procedure definition.
db_blob class
An object of db_blob class represents an entry of the pg_largeobject_metadata system catalog. Its default security label shall inherit the label assigned to the database that owns the large object, unless a type_transition rule specifies otherwise.
Chunks in the pg_largeobject catalog are considered the contents of the db_blob object; they therefore have no security label of their own, and sepgsql checks write permission on the relevant db_blob object when pg_largeobject entries are inserted or deleted.
permissions
- common permissions
- This object class also has the common permissions: create, drop, getattr, setattr, relabelfrom and relabelto.
- read
- It shall be checked when the contents of a large object are read.
- write
- It shall be checked when the contents of a large object are written: updated, appended, removed or truncated.
db_materialized_view class
An object of db_materialized_view class represents an entry of the pg_class system catalog with RELKIND_MATVIEW. Its default security label shall inherit the label assigned to the schema that owns the materialized view, unless a type_transition rule specifies otherwise.
Some other catalogs that store properties of relations externally, such as pg_rule and pg_index, are treated as properties of the associated materialized view; their entries therefore have no security label of their own, and sepgsql checks setattr permission on the relation when these entries are created or deleted.
This object class is supported by selinux policy 2013xxxx or later.
permissions
- common permissions
- This object class also has the common permissions: create, drop, getattr, setattr, relabelfrom and relabelto.
- select
- It shall be checked when a client tries to reference the materialized view.
- update
- It shall be checked when a client tries to update rows of the materialized view (in the future).
- insert
- It shall be checked when a client tries to insert rows into the materialized view (in the future).
- delete
- It shall be checked when a client tries to delete rows of the materialized view (in the future).
- lock
- It shall be checked on an explicit LOCK command that performs neither a read nor a write operation.
- refresh
- It shall be checked when a client tries to refresh the materialized view to its latest state.
(OS) process class
The process class represents the current privilege set of the database client. Usually, sepgsql fetches the security label of the peer process on the incoming connection. In addition, the security label of the client may change on execution of a trusted procedure or a sepgsql_setcon() operation. sepgsql ports a few permissions from the operating system to control (dynamic) domain transitions.
permissions
- transition
- It shall be checked when the client's label is switched via a trusted procedure.
- dyntransition
- It shall be checked between the older and newer labels of the client when its label is switched via sepgsql_setcon().
- setcurrent
- It shall be checked on the current label of the client when its label is switched via sepgsql_setcon().
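The dynamic transition path is easiest to see from a client session. The following added example (not part of the original page) reads the client's current label, narrows it with sepgsql_setcon(), which triggers the setcurrent and dyntransition checks described above, and then returns to the original label. The context strings are constructed for illustration; whether the narrowing is allowed depends on the loaded policy.

```sql
-- Added example (not from the wiki page). Assumes sepgsql is loaded and
-- that the policy allows the client domain to narrow its own MCS range;
-- the context strings below are constructed.

-- Label fetched from the peer process when the connection was accepted.
SELECT sepgsql_getcon();
-- e.g. unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

-- Dynamic transition. sepgsql checks process:setcurrent on the current
-- label and process:dyntransition from the old label to the new one.
-- Here the range is narrowed to categories c0 through c15 only.
SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c15');

-- The session now runs with the narrower label; row and object checks
-- from this point on are made against it.
SELECT sepgsql_getcon();

-- Work done under the narrowed label, e.g. a query whose objects carry
-- categories outside c0.c15 is now denied.

-- NULL requests a transition back to the client's original label; the
-- same setcurrent/dyntransition checks apply to the reverse move.
SELECT sepgsql_setcon(NULL);
SELECT sepgsql_getcon();
```

Note that sepgsql_setcon() changes the label for the rest of the session, not just the current transaction, which is why an application that narrows its privileges for a unit of work should restore them explicitly as shown.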
(OS) file class
sepgsql ports several permissions that the operating system checks on access to filesystem objects, in order to control access to local filesystem objects made on a user's request, such as lo_export() or lo_import().
Identical permissions are defined on some other object classes, namely dir, lnk_file, chr_file, blk_file, sock_file or fifo_file, depending on the actual type of the filesystem object. When the filesystem object is not a regular file, the alternative object class is applied for the checks, but the permissions are the same.
permissions
- read
- It shall be checked when a user's operation requires reading the contents of a particular file on the local filesystem.
- write
- It shall be checked when a user's operation requires writing the contents of a particular file on the local filesystem.
- create
- It shall be checked when a user's operation requires creating a particular file on the local filesystem.
- getattr
- It shall be checked when a user's operation requires referencing the properties of a particular file on the local filesystem.
- unlink
- It shall be checked when a user's operation requires unlinking a particular file on the local filesystem.
- rename
- It shall be checked when a user's operation requires renaming a particular file on the local filesystem.
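The db_blob and file classes meet in lo_import()/lo_export(), so here is one added example (not from the original page) covering both: importing a server-side file into a large object, relabelling the blob, exporting it again and removing it, with a comment on each step naming the checks the page describes. The paths and the blob label are constructed, and sepgsql_blob_t is assumed to exist in the loaded reference policy; `\gset` is a psql feature used only to carry the new OID between statements.

```sql
-- Added example (not from the wiki page). Assumes sepgsql is loaded and
-- that the server process may access the paths shown; the paths are
-- constructed and sepgsql_blob_t is assumed to be a reference-policy type.

-- Import: reading the source is checked as file:read (or the dir /
-- lnk_file / ... variant for a non-regular file); creating the large
-- object checks db_blob:create on the default label inherited from the
-- database; filling pg_largeobject chunks checks db_blob:write.
SELECT lo_import('/var/lib/pgsql/imports/report.pdf') AS loid \gset

-- Relabel the blob: db_blob:relabelfrom on the inherited label and
-- db_blob:relabelto on the new one.
SECURITY LABEL FOR selinux ON LARGE OBJECT :loid
    IS 'system_u:object_r:sepgsql_blob_t:s0';

-- Reading metadata (size, owner) checks db_blob:getattr.
SELECT oid, lomowner FROM pg_largeobject_metadata WHERE oid = :loid;

-- Export: reading the chunks checks db_blob:read; the destination is
-- checked as file:create and file:write (file:write alone if it exists).
SELECT lo_export(:loid, '/var/lib/pgsql/exports/report.pdf');

-- Appending through the large-object API modifies chunks: db_blob:write.
SELECT lo_put(:loid, 0, '\x00'::bytea);

-- Removing the large object checks db_blob:drop.
SELECT lo_unlink(:loid);
```

Because the file-side checks use the client's database label against the file's filesystem label, a successful lo_export() requires both a db_blob:read rule and a file:write rule for that domain; a missing rule on either side shows up as a separate denial in the log.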