postgres/contrib/sepgsql/sql/dml.sql

--
-- Regression Test for DML Permissions
--

--
-- Setup
--
CREATE TABLE t1 (a int, b text);
SECURITY LABEL ON TABLE t1 IS 'system_u:object_r:sepgsql_table_t:s0';
INSERT INTO t1 VALUES (1, 'aaa'), (2, 'bbb'), (3, 'ccc');

CREATE TABLE t2 (x int, y text);
SECURITY LABEL ON TABLE t2 IS 'system_u:object_r:sepgsql_ro_table_t:s0';
INSERT INTO t2 VALUES (1, 'xxx'), (2, 'yyy'), (3, 'zzz');

CREATE TABLE t3 (s int, t text);
SECURITY LABEL ON TABLE t3 IS 'system_u:object_r:sepgsql_fixed_table_t:s0';
INSERT INTO t3 VALUES (1, 'sss'), (2, 'ttt'), (3, 'uuu');

CREATE TABLE t4 (m int, n text);
SECURITY LABEL ON TABLE t4 IS 'system_u:object_r:sepgsql_secret_table_t:s0';
INSERT INTO t4 VALUES (1, 'mmm'), (2, 'nnn'), (3, 'ooo');

CREATE TABLE t5 (e text, f text, g text);
SECURITY LABEL ON TABLE t5 IS 'system_u:object_r:sepgsql_table_t:s0';
SECURITY LABEL ON COLUMN t5.e IS 'system_u:object_r:sepgsql_table_t:s0';
SECURITY LABEL ON COLUMN t5.f IS 'system_u:object_r:sepgsql_ro_table_t:s0';
SECURITY LABEL ON COLUMN t5.g IS 'system_u:object_r:sepgsql_secret_table_t:s0';

CREATE TABLE customer (cid int primary key, cname text, ccredit text);
SECURITY LABEL ON COLUMN customer.ccredit IS 'system_u:object_r:sepgsql_secret_table_t:s0';
INSERT INTO customer VALUES (1, 'Taro',   '1111-2222-3333-4444'),
                            (2, 'Hanako', '5555-6666-7777-8888');
CREATE FUNCTION customer_credit(int) RETURNS text
    AS 'SELECT regexp_replace(ccredit, ''-[0-9]+$'', ''-????'') FROM customer WHERE cid = $1'
    LANGUAGE sql;
SECURITY LABEL ON FUNCTION customer_credit(int)
    IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';

SELECT objtype, objname, label FROM pg_seclabels
    WHERE provider = 'selinux'
     AND  objtype in ('table', 'column')
     AND  objname in ('t1', 't2', 't3', 't4', 't5', 't5.e', 't5.f', 't5.g')
ORDER BY objname;

-- Hardwired Rules
UPDATE pg_attribute SET attisdropped = true
    WHERE attrelid = 't5'::regclass AND attname = 'f';	-- failed

--
-- Simple DML statements
--
-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0

SELECT * FROM t1;			-- ok
SELECT * FROM t2;			-- ok
SELECT * FROM t3;			-- ok
SELECT * FROM t4;			-- failed
SELECT * FROM t5;			-- failed
SELECT e,f FROM t5;			-- ok

SELECT * FROM customer;			-- failed
SELECT cid, cname, customer_credit(cid) FROM customer;	-- ok

SELECT count(*) FROM t5;			-- ok
SELECT count(*) FROM t5 WHERE g IS NULL;	-- failed

INSERT INTO t1 VALUES (4, 'abc');		-- ok
INSERT INTO t2 VALUES (4, 'xyz');		-- failed
INSERT INTO t3 VALUES (4, 'stu');		-- ok
INSERT INTO t4 VALUES (4, 'mno');		-- failed
INSERT INTO t5 VALUES (1,2,3);			-- failed
INSERT INTO t5 (e,f) VALUES ('abc', 'def');	-- failed
INSERT INTO t5 (e) VALUES ('abc');		-- ok

UPDATE t1 SET b = b || '_upd';			-- ok
UPDATE t2 SET y = y || '_upd';			-- failed
UPDATE t3 SET t = t || '_upd';			-- failed
UPDATE t4 SET n = n || '_upd';			-- failed
UPDATE t5 SET e = 'xyz';			-- ok
UPDATE t5 SET e = f || '_upd';			-- ok
UPDATE t5 SET e = g || '_upd';			-- failed

DELETE FROM t1;					-- ok
DELETE FROM t2;					-- failed
DELETE FROM t3;					-- failed
DELETE FROM t4;					-- failed
DELETE FROM t5;					-- ok
DELETE FROM t5 WHERE f IS NULL;			-- ok
DELETE FROM t5 WHERE g IS NULL;			-- failed

--
-- COPY TO/FROM statements
--
COPY t1 TO '/dev/null';				-- ok
COPY t2 TO '/dev/null';				-- ok
COPY t3 TO '/dev/null';				-- ok
COPY t4 TO '/dev/null';				-- failed
COPY t5 TO '/dev/null';				-- failed
COPY t5(e,f) TO '/dev/null';			-- ok

COPY t1 FROM '/dev/null';			-- ok
COPY t2 FROM '/dev/null';			-- failed
COPY t3 FROM '/dev/null';			-- ok
COPY t4 FROM '/dev/null';			-- failed
COPY t5 FROM '/dev/null';			-- failed
COPY t5 (e,f) FROM '/dev/null';			-- failed
COPY t5 (e) FROM '/dev/null';			-- ok

--
-- Clean up
--
-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255
DROP TABLE IF EXISTS t1 CASCADE;
DROP TABLE IF EXISTS t2 CASCADE;
DROP TABLE IF EXISTS t3 CASCADE;
DROP TABLE IF EXISTS t4 CASCADE;
DROP TABLE IF EXISTS t5 CASCADE;
DROP TABLE IF EXISTS customer CASCADE;
sepgsql, an SE-Linux integration for PostgreSQL This is still pretty rough - among other things, the documentation needs work, and the messages need a visit from the style police - but this gets the basic framework in place. KaiGai Kohei 2011-01-23 20:44:48 -05:00			`--`
			`-- Regression Test for DML Permissions`
			`--`

			`--`
			`-- Setup`
			`--`
			`CREATE TABLE t1 (a int, b text);`
			`SECURITY LABEL ON TABLE t1 IS 'system_u:object_r:sepgsql_table_t:s0';`
			`INSERT INTO t1 VALUES (1, 'aaa'), (2, 'bbb'), (3, 'ccc');`

			`CREATE TABLE t2 (x int, y text);`
			`SECURITY LABEL ON TABLE t2 IS 'system_u:object_r:sepgsql_ro_table_t:s0';`
			`INSERT INTO t2 VALUES (1, 'xxx'), (2, 'yyy'), (3, 'zzz');`

			`CREATE TABLE t3 (s int, t text);`
			`SECURITY LABEL ON TABLE t3 IS 'system_u:object_r:sepgsql_fixed_table_t:s0';`
			`INSERT INTO t3 VALUES (1, 'sss'), (2, 'ttt'), (3, 'uuu');`

			`CREATE TABLE t4 (m int, n text);`
			`SECURITY LABEL ON TABLE t4 IS 'system_u:object_r:sepgsql_secret_table_t:s0';`
			`INSERT INTO t4 VALUES (1, 'mmm'), (2, 'nnn'), (3, 'ooo');`

			`CREATE TABLE t5 (e text, f text, g text);`
			`SECURITY LABEL ON TABLE t5 IS 'system_u:object_r:sepgsql_table_t:s0';`
			`SECURITY LABEL ON COLUMN t5.e IS 'system_u:object_r:sepgsql_table_t:s0';`
			`SECURITY LABEL ON COLUMN t5.f IS 'system_u:object_r:sepgsql_ro_table_t:s0';`
			`SECURITY LABEL ON COLUMN t5.g IS 'system_u:object_r:sepgsql_secret_table_t:s0';`

			`CREATE TABLE customer (cid int primary key, cname text, ccredit text);`
			`SECURITY LABEL ON COLUMN customer.ccredit IS 'system_u:object_r:sepgsql_secret_table_t:s0';`
			`INSERT INTO customer VALUES (1, 'Taro', '1111-2222-3333-4444'),`
			`(2, 'Hanako', '5555-6666-7777-8888');`
			`CREATE FUNCTION customer_credit(int) RETURNS text`
			`AS 'SELECT regexp_replace(ccredit, ''-[0-9]+$'', ''-????'') FROM customer WHERE cid = $1'`
			`LANGUAGE sql;`
			`SECURITY LABEL ON FUNCTION customer_credit(int)`
			`IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';`

			`SELECT objtype, objname, label FROM pg_seclabels`
			`WHERE provider = 'selinux'`
			`AND objtype in ('table', 'column')`
Minor sepgsql regression test fixes. 2011-02-02 23:46:51 -05:00			`AND objname in ('t1', 't2', 't3', 't4', 't5', 't5.e', 't5.f', 't5.g')`
			`ORDER BY objname;`
sepgsql, an SE-Linux integration for PostgreSQL This is still pretty rough - among other things, the documentation needs work, and the messages need a visit from the style police - but this gets the basic framework in place. KaiGai Kohei 2011-01-23 20:44:48 -05:00
			`-- Hardwired Rules`
			`UPDATE pg_attribute SET attisdropped = true`
			`WHERE attrelid = 't5'::regclass AND attname = 'f'; -- failed`

			`--`
			`-- Simple DML statements`
			`--`
			`-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0`

			`SELECT * FROM t1; -- ok`
			`SELECT * FROM t2; -- ok`
			`SELECT * FROM t3; -- ok`
			`SELECT * FROM t4; -- failed`
			`SELECT * FROM t5; -- failed`
			`SELECT e,f FROM t5; -- ok`

			`SELECT * FROM customer; -- failed`
			`SELECT cid, cname, customer_credit(cid) FROM customer; -- ok`

			`SELECT count(*) FROM t5; -- ok`
			`SELECT count(*) FROM t5 WHERE g IS NULL; -- failed`

			`INSERT INTO t1 VALUES (4, 'abc'); -- ok`
			`INSERT INTO t2 VALUES (4, 'xyz'); -- failed`
			`INSERT INTO t3 VALUES (4, 'stu'); -- ok`
			`INSERT INTO t4 VALUES (4, 'mno'); -- failed`
			`INSERT INTO t5 VALUES (1,2,3); -- failed`
			`INSERT INTO t5 (e,f) VALUES ('abc', 'def'); -- failed`
			`INSERT INTO t5 (e) VALUES ('abc'); -- ok`

			`UPDATE t1 SET b = b \|\| '_upd'; -- ok`
			`UPDATE t2 SET y = y \|\| '_upd'; -- failed`
			`UPDATE t3 SET t = t \|\| '_upd'; -- failed`
			`UPDATE t4 SET n = n \|\| '_upd'; -- failed`
			`UPDATE t5 SET e = 'xyz'; -- ok`
			`UPDATE t5 SET e = f \|\| '_upd'; -- ok`
			`UPDATE t5 SET e = g \|\| '_upd'; -- failed`

			`DELETE FROM t1; -- ok`
			`DELETE FROM t2; -- failed`
			`DELETE FROM t3; -- failed`
			`DELETE FROM t4; -- failed`
			`DELETE FROM t5; -- ok`
			`DELETE FROM t5 WHERE f IS NULL; -- ok`
			`DELETE FROM t5 WHERE g IS NULL; -- failed`

			`--`
			`-- COPY TO/FROM statements`
			`--`
			`COPY t1 TO '/dev/null'; -- ok`
			`COPY t2 TO '/dev/null'; -- ok`
			`COPY t3 TO '/dev/null'; -- ok`
			`COPY t4 TO '/dev/null'; -- failed`
			`COPY t5 TO '/dev/null'; -- failed`
			`COPY t5(e,f) TO '/dev/null'; -- ok`

			`COPY t1 FROM '/dev/null'; -- ok`
			`COPY t2 FROM '/dev/null'; -- failed`
			`COPY t3 FROM '/dev/null'; -- ok`
			`COPY t4 FROM '/dev/null'; -- failed`
			`COPY t5 FROM '/dev/null'; -- failed`
			`COPY t5 (e,f) FROM '/dev/null'; -- failed`
			`COPY t5 (e) FROM '/dev/null'; -- ok`

			`--`
			`-- Clean up`
			`--`
Fix sepgsql regression tests (9.2-only patch). The regression tests for sepgsql were broken by changes in the base distro as-shipped policies. Specifically, definition of unconfined_t in the system default policy was changed to bypass multi-category rules, which the regression test depended on. Fix that by defining a custom privileged domain (sepgsql_regtest_superuser_t) and using it instead of system's unconfined_t domain. The new sepgsql_regtest_superuser_t domain performs almost like the current unconfined_t, but restricted by multi-category policy as the traditional unconfined_t was. The custom policy module is a self defined domain, and so should not be affected by related future system policy changes. However, it still uses the unconfined_u:unconfined_r pair for selinux-user and role. Those definitions have not been changed for several years and seem less risky to rely on than the unconfined_t domain. Additionally, if we define custom user/role, they would need to be manually defined at the operating system level, adding more complexity to an already non-standard and complex regression test. Applies only to 9.2. Unlike the previous similar patch, commit 794e2558b, this also fixes a bug related to processing SELECT INTO statement. Because v9.2 didn't have ObjectAccessPostCreate to inform the context when a relation is newly created, sepgsql had an alternative method. However, related code in sepgsql_object_access() neglected to consider T_CreateTableAsStmt, thus no label was assigned on the new relation. This logic was removed and replaced starting in 9.3. Patch by Kohei KaiGai. 2015-09-22 14:58:38 -07:00			`-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255`
sepgsql, an SE-Linux integration for PostgreSQL This is still pretty rough - among other things, the documentation needs work, and the messages need a visit from the style police - but this gets the basic framework in place. KaiGai Kohei 2011-01-23 20:44:48 -05:00			`DROP TABLE IF EXISTS t1 CASCADE;`
			`DROP TABLE IF EXISTS t2 CASCADE;`
			`DROP TABLE IF EXISTS t3 CASCADE;`
			`DROP TABLE IF EXISTS t4 CASCADE;`
			`DROP TABLE IF EXISTS t5 CASCADE;`
			`DROP TABLE IF EXISTS customer CASCADE;`