contrib/sepgsql/expected/dml.out


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183

--
-- Regression Test for DML Permissions
--
--
-- Setup
--
CREATE TABLE t1 (a int, b text);
SECURITY LABEL ON TABLE t1 IS 'system_u:object_r:sepgsql_table_t:s0';
INSERT INTO t1 VALUES (1, 'aaa'), (2, 'bbb'), (3, 'ccc');
CREATE TABLE t2 (x int, y text);
SECURITY LABEL ON TABLE t2 IS 'system_u:object_r:sepgsql_ro_table_t:s0';
INSERT INTO t2 VALUES (1, 'xxx'), (2, 'yyy'), (3, 'zzz');
CREATE TABLE t3 (s int, t text);
SECURITY LABEL ON TABLE t3 IS 'system_u:object_r:sepgsql_fixed_table_t:s0';
INSERT INTO t3 VALUES (1, 'sss'), (2, 'ttt'), (3, 'uuu');
CREATE TABLE t4 (m int, n text);
SECURITY LABEL ON TABLE t4 IS 'system_u:object_r:sepgsql_secret_table_t:s0';
INSERT INTO t4 VALUES (1, 'mmm'), (2, 'nnn'), (3, 'ooo');
CREATE TABLE t5 (e text, f text, g text);
SECURITY LABEL ON TABLE t5 IS 'system_u:object_r:sepgsql_table_t:s0';
SECURITY LABEL ON COLUMN t5.e IS 'system_u:object_r:sepgsql_table_t:s0';
SECURITY LABEL ON COLUMN t5.f IS 'system_u:object_r:sepgsql_ro_table_t:s0';
SECURITY LABEL ON COLUMN t5.g IS 'system_u:object_r:sepgsql_secret_table_t:s0';
CREATE TABLE customer (cid int primary key, cname text, ccredit text);
NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "customer_pkey" for table "customer"
SECURITY LABEL ON COLUMN customer.ccredit IS 'system_u:object_r:sepgsql_secret_table_t:s0';
INSERT INTO customer VALUES (1, 'Taro',   '1111-2222-3333-4444'),
                            (2, 'Hanako', '5555-6666-7777-8888');
CREATE FUNCTION customer_credit(int) RETURNS text
    AS 'SELECT regexp_replace(ccredit, ''-[0-9]+$'', ''-????'') FROM customer WHERE cid = $1'
    LANGUAGE sql;
SECURITY LABEL ON FUNCTION customer_credit(int)
    IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
SELECT objtype, objname, label FROM pg_seclabels
    WHERE provider = 'selinux'
     AND  objtype in ('table', 'column')
     AND  objname in ('t1', 't2', 't3', 't4', 't5', 't5.e', 't5.f', 't5.g')
ORDER BY objname;
 objtype | objname |                    label                    
---------+---------+---------------------------------------------
 table   | t1      | system_u:object_r:sepgsql_table_t:s0
 table   | t2      | system_u:object_r:sepgsql_ro_table_t:s0
 table   | t3      | system_u:object_r:sepgsql_fixed_table_t:s0
 table   | t4      | system_u:object_r:sepgsql_secret_table_t:s0
 table   | t5      | system_u:object_r:sepgsql_table_t:s0
 column  | t5.e    | system_u:object_r:sepgsql_table_t:s0
 column  | t5.f    | system_u:object_r:sepgsql_ro_table_t:s0
 column  | t5.g    | system_u:object_r:sepgsql_secret_table_t:s0
(8 rows)

-- Hardwired Rules
UPDATE pg_attribute SET attisdropped = true
    WHERE attrelid = 't5'::regclass AND attname = 'f';	-- failed
ERROR:  SELinux: hardwired security policy violation
--
-- Simple DML statements
--
SELECT sepgsql_getcon();	-- confirm client privilege
                   sepgsql_getcon                    
-----------------------------------------------------
 unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0
(1 row)

SELECT * FROM t1;			-- ok
 a |  b  
---+-----
 1 | aaa
 2 | bbb
 3 | ccc
(3 rows)

SELECT * FROM t2;			-- ok
 x |  y  
---+-----
 1 | xxx
 2 | yyy
 3 | zzz
(3 rows)

SELECT * FROM t3;			-- ok
 s |  t  
---+-----
 1 | sss
 2 | ttt
 3 | uuu
(3 rows)

SELECT * FROM t4;			-- failed
ERROR:  SELinux: security policy violation
SELECT * FROM t5;			-- failed
ERROR:  SELinux: security policy violation
SELECT e,f FROM t5;			-- ok
 e | f 
---+---
(0 rows)

SELECT * FROM customer;			-- failed
ERROR:  SELinux: security policy violation
SELECT cid, cname, customer_credit(cid) FROM customer;	-- ok
 cid | cname  |   customer_credit   
-----+--------+---------------------
   1 | Taro   | 1111-2222-3333-????
   2 | Hanako | 5555-6666-7777-????
(2 rows)

SELECT count(*) FROM t5;			-- ok
 count 
-------
     0
(1 row)

SELECT count(*) FROM t5 WHERE g IS NULL;	-- failed
ERROR:  SELinux: security policy violation
INSERT INTO t1 VALUES (4, 'abc');		-- ok
INSERT INTO t2 VALUES (4, 'xyz');		-- failed
ERROR:  SELinux: security policy violation
INSERT INTO t3 VALUES (4, 'stu');		-- ok
INSERT INTO t4 VALUES (4, 'mno');		-- failed
ERROR:  SELinux: security policy violation
INSERT INTO t5 VALUES (1,2,3);			-- failed
ERROR:  SELinux: security policy violation
INSERT INTO t5 (e,f) VALUES ('abc', 'def');	-- failed
ERROR:  SELinux: security policy violation
INSERT INTO t5 (e) VALUES ('abc');		-- ok
UPDATE t1 SET b = b || '_upd';			-- ok
UPDATE t2 SET y = y || '_upd';			-- failed
ERROR:  SELinux: security policy violation
UPDATE t3 SET t = t || '_upd';			-- failed
ERROR:  SELinux: security policy violation
UPDATE t4 SET n = n || '_upd';			-- failed
ERROR:  SELinux: security policy violation
UPDATE t5 SET e = 'xyz';			-- ok
UPDATE t5 SET e = f || '_upd';			-- ok
UPDATE t5 SET e = g || '_upd';			-- failed
ERROR:  SELinux: security policy violation
DELETE FROM t1;					-- ok
DELETE FROM t2;					-- failed
ERROR:  SELinux: security policy violation
DELETE FROM t3;					-- failed
ERROR:  SELinux: security policy violation
DELETE FROM t4;					-- failed
ERROR:  SELinux: security policy violation
DELETE FROM t5;					-- ok
DELETE FROM t5 WHERE f IS NULL;			-- ok
DELETE FROM t5 WHERE g IS NULL;			-- failed
ERROR:  SELinux: security policy violation
--
-- COPY TO/FROM statements
--
COPY t1 TO '/dev/null';				-- ok
COPY t2 TO '/dev/null';				-- ok
COPY t3 TO '/dev/null';				-- ok
COPY t4 TO '/dev/null';				-- failed
ERROR:  SELinux: security policy violation
COPY t5 TO '/dev/null';				-- failed
ERROR:  SELinux: security policy violation
COPY t5(e,f) TO '/dev/null';			-- ok
COPY t1 FROM '/dev/null';			-- ok
COPY t2 FROM '/dev/null';			-- failed
ERROR:  SELinux: security policy violation
COPY t3 FROM '/dev/null';			-- ok
COPY t4 FROM '/dev/null';			-- failed
ERROR:  SELinux: security policy violation
COPY t5 FROM '/dev/null';			-- failed
ERROR:  SELinux: security policy violation
COPY t5 (e,f) FROM '/dev/null';			-- failed
ERROR:  SELinux: security policy violation
COPY t5 (e) FROM '/dev/null';			-- ok
--
-- Clean up
--
SELECT sepgsql_getcon();	-- confirm client privilege
                    sepgsql_getcon                    
------------------------------------------------------
 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c255
(1 row)

DROP TABLE IF EXISTS t1 CASCADE;
DROP TABLE IF EXISTS t2 CASCADE;
DROP TABLE IF EXISTS t3 CASCADE;
DROP TABLE IF EXISTS t4 CASCADE;
DROP TABLE IF EXISTS t5 CASCADE;
DROP TABLE IF EXISTS customer CASCADE;