Hackers,

Since all DAC checks should have corresponding MAC, this patch adds a hook to allow extensions to implement a MAC check on TRUNCATE. I have also implemented this access check in the sepgsql extension.

One important thing to note is that refpolicy [1] and Redhat-based distributions do not have the SELinux permission for db_table {truncate} implemented. This patch is the first step to add this permission to the upstream SELinux policy. If this permission does not exist in the policy, sepgsql is being used, and `deny_unknown` is set to 1, the TRUNCATE will be denied. As a workaround for this behavior, the SELinux-aware system would need to have `/sys/fs/selinux/deny_unknown` set to 0 until the permission has been added to the refpolicy/Redhat SELinux policy. The deny_unknown behavior can be set using CIL [2] by extracting the base SELinux module and setting how the kernel handles unknown permissions. The dependencies for overriding handle_unknown are policycoreutils, selinux-policy-targeted, and a libsemanage version that supports CIL (CentOS 7+).

    $ sudo semodule -cE base
    $ sed -Ei 's/(handleunknown )deny/\1allow/g' base.cil
    $ sudo semodule -i base.cil

Thanks,
Yuli

[1] https://github.com/SELinuxProject/refpolicy/blob/master/policy/flask/access_vectors#L794
[2] https://github.com/SELinuxProject/selinux/blob/master/secilc/docs/cil_policy_config_statements.md#handleunknown

0001-Use-MAC-in-addition-to-DAC-for-TRUNCATE.patch
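The mail's "permission missing + deny_unknown=1 means TRUNCATE is denied" rule, turned into a pre-flight check an administrator can run before loading the patched sepgsql. This is an added example, not code from the mail or from the sepgsql patch; the function names are hypothetical, it assumes sepgsql is loaded in the database, and it reads the selinuxfs layout (`class/<class>/perms/<perm>` and `deny_unknown`), defaulting to `/sys/fs/selinux` but accepting another root so it can be exercised against a constructed tree.

```shell
# Added example (not from Yuli's mail or the sepgsql patch): report whether the
# kernel would deny sepgsql's db_table:truncate check only because the loaded
# policy lacks that permission while unknown permissions are denied.
# Returns 0 (true) when TRUNCATE would be denied for that reason, 1 otherwise.
truncate_denied_by_unknown_perm() {
    root="${1:-/sys/fs/selinux}"      # selinuxfs root; override for testing
    # The loaded policy knows db_table:truncate, so the hook gets a normal
    # allow/deny decision from the policy rules rather than handle_unknown.
    if [ -e "$root/class/db_table/perms/truncate" ]; then
        return 1
    fi
    # Permission is unknown to the policy: outcome follows deny_unknown.
    # If the flag is unreadable, assume the conservative value (deny).
    deny="$(cat "$root/deny_unknown" 2>/dev/null || echo 1)"
    [ "$deny" = "1" ]
}

# Constructed selinuxfs look-alike (sample data, not a real kernel tree):
# $1 is the deny_unknown value, $2 is "with_truncate" to define the permission.
make_fake_selinuxfs() {
    dir="$(mktemp -d)"
    mkdir -p "$dir/class/db_table/perms"
    echo "$1" > "$dir/deny_unknown"
    if [ "$2" = "with_truncate" ]; then
        : > "$dir/class/db_table/perms/truncate"
    fi
    printf '%s\n' "$dir"
}

# Human-readable verdict for an operator, e.g. on the live system:
#   report_truncate_policy /sys/fs/selinux
report_truncate_policy() {
    if truncate_denied_by_unknown_perm "$1"; then
        echo "db_table:truncate is not in the loaded policy and deny_unknown=1:"
        echo "sepgsql will deny TRUNCATE until the permission is added or"
        echo "handleunknown is switched to allow (see the CIL steps above)."
    else
        echo "TRUNCATE will be decided by policy rules, not by deny_unknown."
    fi
}
```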