@@ -26,7 +26,33 @@ CREATE FUNCTION f4 () RETURNS text
2626 AS 'SELECT sepgsql_getcon()'
2727 LANGUAGE sql;
2828SECURITY LABEL ON FUNCTION f4()
29+ IS 'system_u:object_r:sepgsql_nosuch_trusted_proc_exec_t:s0';
30+ CREATE FUNCTION f5 (text) RETURNS bool
31+ AS 'SELECT sepgsql_setcon($1)'
32+ LANGUAGE sql;
33+ SECURITY LABEL ON FUNCTION f5(text)
34+ IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
35+ CREATE TABLE auth_tbl(uname text, credential text, label text);
36+ INSERT INTO auth_tbl
37+ VALUES ('foo', 'acbd18db4cc2f85cedef654fccc4a4d8', 'sepgsql_regtest_foo_t:s0'),
38+ ('var', 'b2145aac704ce76dbe1ac7adac535b23', 'sepgsql_regtest_var_t:s0'),
39+ ('baz', 'b2145aac704ce76dbe1ac7adac535b23', 'sepgsql_regtest_baz_t:s0');
40+ SECURITY LABEL ON TABLE auth_tbl
41+ IS 'system_u:object_r:sepgsql_secret_table_t:s0';
42+ CREATE FUNCTION auth_func(text, text) RETURNS bool
43+ LANGUAGE sql
44+ AS 'SELECT sepgsql_setcon(regexp_replace(sepgsql_getcon(), ''_r:.*$'', ''_r:'' || label))
45+ FROM auth_tbl WHERE uname = $1 AND credential = $2';
46+ SECURITY LABEL ON FUNCTION auth_func(text,text)
2947 IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
48+ CREATE TABLE foo_tbl(a int, b text);
49+ INSERT INTO foo_tbl VALUES (1, 'aaa'), (2,'bbb'), (3,'ccc'), (4,'ddd');
50+ SECURITY LABEL ON TABLE foo_tbl
51+ IS 'system_u:object_r:sepgsql_regtest_foo_table_t:s0';
52+ CREATE TABLE var_tbl(x int, y text);
53+ INSERT INTO var_tbl VALUES (2,'xxx'), (3,'yyy'), (4,'zzz'), (5,'xyz');
54+ SECURITY LABEL ON TABLE var_tbl
55+ IS 'system_u:object_r:sepgsql_regtest_var_table_t:s0';
3056--
3157-- Tests for default labeling behavior
3258--
@@ -99,6 +125,325 @@ SELECT sepgsql_getcon();-- client's label must be restored
99125 unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0
100126(1 row)
101127
128+ --
129+ -- Test for Dynamic Domain Transition
130+ --
131+ -- validation of transaction aware dynamic-transition
132+ SELECT sepgsql_getcon();-- confirm client privilege
133+ sepgsql_getcon
134+ --------------------------------------------------
135+ unconfined_u:unconfined_r:unconfined_t:s0:c0.c25
136+ (1 row)
137+
138+ SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c15');
139+ sepgsql_setcon
140+ ----------------
141+ t
142+ (1 row)
143+
144+ SELECT sepgsql_getcon();
145+ sepgsql_getcon
146+ --------------------------------------------------
147+ unconfined_u:unconfined_r:unconfined_t:s0:c0.c15
148+ (1 row)
149+
150+ SELECT sepgsql_setcon(NULL);-- failed to reset
151+ ERROR: SELinux: security policy violation
152+ SELECT sepgsql_getcon();
153+ sepgsql_getcon
154+ --------------------------------------------------
155+ unconfined_u:unconfined_r:unconfined_t:s0:c0.c15
156+ (1 row)
157+
158+ BEGIN;
159+ SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c12');
160+ sepgsql_setcon
161+ ----------------
162+ t
163+ (1 row)
164+
165+ SELECT sepgsql_getcon();
166+ sepgsql_getcon
167+ --------------------------------------------------
168+ unconfined_u:unconfined_r:unconfined_t:s0:c0.c12
169+ (1 row)
170+
171+ SAVEPOINT svpt_1;
172+ SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c9');
173+ sepgsql_setcon
174+ ----------------
175+ t
176+ (1 row)
177+
178+ SELECT sepgsql_getcon();
179+ sepgsql_getcon
180+ -------------------------------------------------
181+ unconfined_u:unconfined_r:unconfined_t:s0:c0.c9
182+ (1 row)
183+
184+ SAVEPOINT svpt_2;
185+ SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6');
186+ sepgsql_setcon
187+ ----------------
188+ t
189+ (1 row)
190+
191+ SELECT sepgsql_getcon();
192+ sepgsql_getcon
193+ -------------------------------------------------
194+ unconfined_u:unconfined_r:unconfined_t:s0:c0.c6
195+ (1 row)
196+
197+ SAVEPOINT svpt_3;
198+ SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c3');
199+ sepgsql_setcon
200+ ----------------
201+ t
202+ (1 row)
203+
204+ SELECT sepgsql_getcon();
205+ sepgsql_getcon
206+ -------------------------------------------------
207+ unconfined_u:unconfined_r:unconfined_t:s0:c0.c3
208+ (1 row)
209+
210+ ROLLBACK TO SAVEPOINT svpt_2;
211+ SELECT sepgsql_getcon();-- should be 's0:c0.c9'
212+ sepgsql_getcon
213+ -------------------------------------------------
214+ unconfined_u:unconfined_r:unconfined_t:s0:c0.c9
215+ (1 row)
216+
217+ ROLLBACK TO SAVEPOINT svpt_1;
218+ SELECT sepgsql_getcon();-- should be 's0:c0.c12'
219+ sepgsql_getcon
220+ --------------------------------------------------
221+ unconfined_u:unconfined_r:unconfined_t:s0:c0.c12
222+ (1 row)
223+
224+ ABORT;
225+ SELECT sepgsql_getcon();-- should be 's0:c0.c15'
226+ sepgsql_getcon
227+ --------------------------------------------------
228+ unconfined_u:unconfined_r:unconfined_t:s0:c0.c15
229+ (1 row)
230+
231+ BEGIN;
232+ SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c8');
233+ sepgsql_setcon
234+ ----------------
235+ t
236+ (1 row)
237+
238+ SELECT sepgsql_getcon();
239+ sepgsql_getcon
240+ -------------------------------------------------
241+ unconfined_u:unconfined_r:unconfined_t:s0:c0.c8
242+ (1 row)
243+
244+ SAVEPOINT svpt_1;
245+ SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c4');
246+ sepgsql_setcon
247+ ----------------
248+ t
249+ (1 row)
250+
251+ SELECT sepgsql_getcon();
252+ sepgsql_getcon
253+ -------------------------------------------------
254+ unconfined_u:unconfined_r:unconfined_t:s0:c0.c4
255+ (1 row)
256+
257+ ROLLBACK TO SAVEPOINT svpt_1;
258+ SELECT sepgsql_getcon();-- should be 's0:c0.c8'
259+ sepgsql_getcon
260+ -------------------------------------------------
261+ unconfined_u:unconfined_r:unconfined_t:s0:c0.c8
262+ (1 row)
263+
264+ SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c6');
265+ sepgsql_setcon
266+ ----------------
267+ t
268+ (1 row)
269+
270+ COMMIT;
271+ SELECT sepgsql_getcon();-- should be 's0:c0.c6'
272+ sepgsql_getcon
273+ -------------------------------------------------
274+ unconfined_u:unconfined_r:unconfined_t:s0:c0.c6
275+ (1 row)
276+
277+ -- sepgsql_regtest_user_t is not available dynamic-transition,
278+ -- unless sepgsql_setcon() is called inside of trusted-procedure
279+ SELECT sepgsql_getcon();-- confirm client privilege
280+ sepgsql_getcon
281+ ------------------------------------------------------------
282+ unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c15
283+ (1 row)
284+
285+ -- sepgsql_regtest_user_t has no permission to switch current label
286+ SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0');-- failed
287+ ERROR: SELinux: security policy violation
288+ SELECT sepgsql_getcon();
289+ sepgsql_getcon
290+ ------------------------------------------------------------
291+ unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c15
292+ (1 row)
293+
294+ -- trusted procedure allows to switch, but unavailable to override MCS rules
295+ SELECT f5('unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c7');-- OK
296+ f5
297+ ----
298+ t
299+ (1 row)
300+
301+ SELECT sepgsql_getcon();
302+ sepgsql_getcon
303+ -----------------------------------------------------------
304+ unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c7
305+ (1 row)
306+
307+ SELECT f5('unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c31');-- Failed
308+ ERROR: SELinux: security policy violation
309+ CONTEXT: SQL function "f5" statement 1
310+ SELECT sepgsql_getcon();
311+ sepgsql_getcon
312+ -----------------------------------------------------------
313+ unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c7
314+ (1 row)
315+
316+ SELECT f5(NULL);-- Failed
317+ ERROR: SELinux: security policy violation
318+ CONTEXT: SQL function "f5" statement 1
319+ SELECT sepgsql_getcon();
320+ sepgsql_getcon
321+ -----------------------------------------------------------
322+ unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c7
323+ (1 row)
324+
325+ BEGIN;
326+ SELECT f5('unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c3');-- OK
327+ f5
328+ ----
329+ t
330+ (1 row)
331+
332+ SELECT sepgsql_getcon();
333+ sepgsql_getcon
334+ -----------------------------------------------------------
335+ unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c3
336+ (1 row)
337+
338+ ABORT;
339+ SELECT sepgsql_getcon();
340+ sepgsql_getcon
341+ -----------------------------------------------------------
342+ unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0:c0.c7
343+ (1 row)
344+
345+ --
346+ -- Test for simulation of typical connection pooling server
347+ --
348+ SELECT sepgsql_getcon();-- confirm client privilege
349+ sepgsql_getcon
350+ -----------------------------------------------------
351+ unconfined_u:unconfined_r:sepgsql_regtest_pool_t:s0
352+ (1 row)
353+
354+ -- we shouldn't allow to switch client label without trusted procedure
355+ SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_foo_t:s0');
356+ ERROR: SELinux: security policy violation
357+ SELECT * FROM auth_tbl;-- failed, no permission to reference
358+ ERROR: SELinux: security policy violation
359+ -- switch to "foo"
360+ SELECT auth_func('foo', 'acbd18db4cc2f85cedef654fccc4a4d8');
361+ auth_func
362+ -----------
363+ t
364+ (1 row)
365+
366+ SELECT sepgsql_getcon();
367+ sepgsql_getcon
368+ ----------------------------------------------------
369+ unconfined_u:unconfined_r:sepgsql_regtest_foo_t:s0
370+ (1 row)
371+
372+ SELECT * FROM foo_tbl;-- OK
373+ a | b
374+ ---+-----
375+ 1 | aaa
376+ 2 | bbb
377+ 3 | ccc
378+ 4 | ddd
379+ (4 rows)
380+
381+ SELECT * FROM var_tbl;-- failed
382+ ERROR: SELinux: security policy violation
383+ SELECT * FROM auth_tbl;-- failed
384+ ERROR: SELinux: security policy violation
385+ SELECT sepgsql_setcon(NULL);-- end of session
386+ sepgsql_setcon
387+ ----------------
388+ t
389+ (1 row)
390+
391+ SELECT sepgsql_getcon();
392+ sepgsql_getcon
393+ -----------------------------------------------------
394+ unconfined_u:unconfined_r:sepgsql_regtest_pool_t:s0
395+ (1 row)
396+
397+ -- the pooler cannot touch these tables directry
398+ SELECT * FROM foo_tbl;-- failed
399+ ERROR: SELinux: security policy violation
400+ SELECT * FROM var_tbl;-- failed
401+ ERROR: SELinux: security policy violation
402+ -- switch to "var"
403+ SELECT auth_func('var', 'b2145aac704ce76dbe1ac7adac535b23');
404+ auth_func
405+ -----------
406+ t
407+ (1 row)
408+
409+ SELECT sepgsql_getcon();
410+ sepgsql_getcon
411+ ----------------------------------------------------
412+ unconfined_u:unconfined_r:sepgsql_regtest_var_t:s0
413+ (1 row)
414+
415+ SELECT * FROM foo_tbl; -- failed
416+ ERROR: SELinux: security policy violation
417+ SELECT * FROM var_tbl; -- OK
418+ x | y
419+ ---+-----
420+ 2 | xxx
421+ 3 | yyy
422+ 4 | zzz
423+ 5 | xyz
424+ (4 rows)
425+
426+ SELECT * FROM auth_tbl;-- failed
427+ ERROR: SELinux: security policy violation
428+ SELECT sepgsql_setcon(NULL); -- end of session
429+ sepgsql_setcon
430+ ----------------
431+ t
432+ (1 row)
433+
434+ -- misc checks
435+ SELECT auth_func('var', 'invalid credential');-- not works
436+ auth_func
437+ -----------
438+
439+ (1 row)
440+
441+ SELECT sepgsql_getcon();
442+ sepgsql_getcon
443+ -----------------------------------------------------
444+ unconfined_u:unconfined_r:sepgsql_regtest_pool_t:s0
445+ (1 row)
446+
102447--
103448-- Clean up
104449--
@@ -115,3 +460,4 @@ DROP FUNCTION IF EXISTS f1() CASCADE;
115460DROP FUNCTION IF EXISTS f2() CASCADE;
116461DROP FUNCTION IF EXISTS f3() CASCADE;
117462DROP FUNCTION IF EXISTS f4() CASCADE;
463+ DROP FUNCTION IF EXISTS f5(text) CASCADE;
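Review bot: The cleanup hunk drops only `f5(text)`, but the first hunk also creates `auth_func(text, text)`, `auth_tbl`, `foo_tbl` and `var_tbl`, and none of the visible hunks removes them. `auth_tbl` carries the credential values and the `sepgsql_secret_table_t` label, so it is the object that most needs to be removed when the test ends; `DROP FUNCTION IF EXISTS auth_func(text, text) CASCADE;` and `DROP TABLE IF EXISTS auth_tbl, foo_tbl, var_tbl CASCADE;` next to the `f5` line would follow the existing pattern. In the same fixture the `'baz'` row repeats the credential string of `'var'` and no query in the pooling test uses it, which looks like a copy-paste; give it its own value and a case, or drop the row. This page shows query output, so it appears to be the expected-output file, and the same statements would also be needed in the matching test script.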