| Main Archive Page > Month Archives > fedora-selinux archives |
Re: [BUG] legacy typenames of se-postgresql still remain
From: Daniel J Walsh <dwalsh_at_nospam>Date: Thu Aug 14 2008 - 12:47:43 GMT
To: KaiGai Kohei <kaigai@kaigai.gr.jp>
KaiGai Kohei wrote:
> Daniel J Walsh wrote:
>> KaiGai Kohei wrote:
>>> Sorry, the previous patch was imcomplete one.
>>>
>>> We allows sepgsql_client_type and sepgsql_unconfined_type to invoke
>>> sepgsql_trusted_proc_t, but it should be sepgsql_trusted_proc_exec_t,
>>> because sepgsql_trusted_proc_t is a domain.
>>>
>>> This matter also exists at upstreamed policy now.
>>> The attached "refpolicy-sepgsql-trusted-proc-fixes.patch" can be applied
>>> to upstreamed reference policy.
>>>
>>> Thanks,
>>>
>>> KaiGai Kohei wrote:
>>>> I got the following access denied logs, when I tries to connect
>>>> SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix
>>>> domain socket (/tmp/.s.PGSQL.5432).
>>>>
>>>> type=AVC msg=audit(1218613044.484:10388): avc: denied { write }
>>>> for pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6 ino=1079246
>>>> scontext=unconfined_u:system_r:httpd_t:s0
>>>> tcontext=unconfined_u:object_r:postgresql_tmp_t:s0
>>>> tclass=sock_file
>>>> type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto }
>>>> for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432"
>>>> scontext=unconfined_u:system_r:httpd_t:s0
>>>> tcontext=unconfined_u:system_r:postgresql_t:s0
>>>> tclass=unix_stream_socket
>>>>
>>>> However, both permissions are allowed via postgresql_stream_connect()
>>>> independent from any booleans, if required types are provided by
>>>> postgresql.te.
>>>>
>>>> postgresql_stream_connect() and postgresql_unpriv_client() are put
>>>> within same optional_policy section at apache.te.
>>>> postgresql_unpriv_client() requires trusted procedure related types,
>>>> but postgresql.te declares them in legacy names.
>>>>
>>>> old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t
>>>> old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t
>>>>
>>>> Could you apply the attached patch?
>>>> It fixes them as upstream doing.
>>>>
>>>> Thanks,
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>> --
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list@redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> Fedora 9? Rawhide?
>
> Sorry, I missed the version.
> It is in Rawhide. (selinux-policy-3.5.1-4.fc10)
>
> Thanks,
Current Rawhide is pretty much the same as upstream. Here is the only patch I have on postgresql as of today's rawhide. Fedora 9 next update should match this policy in the next update also.
- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.5.4/policy/modules/services/postgresql.fc 2008-08-11 16:39:48.000000000 -0400 @@ -34,6 +34,7 @@ /var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
@@ -42,3 +43,5 @@
')
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0) + +/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0) --- nsaserefpolicy/policy/modules/services/postgresql.if 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.5.4/policy/modules/services/postgresql.if 2008-08-11 16:39:48.000000000 -0400 @@ -372,3 +372,70 @@
typeattribute $1 sepgsql_unconfined_type;
')
+
+########################################
+## <summary>
+## Execute postgresql server in the posgresql domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`postgresql_script_domtrans',`
+ gen_require(`
+ type postgresql_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1, postgresql_script_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate an postgresql environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the postgresql domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the postgresql domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgresql_admin',`
+ gen_require(`
+ type postgresql_t, postgresql_var_run_t;
+ type postgresql_tmp_t, postgresql_db_t;
+ type postgresql_etc_t, postgresql_log_t;
+ type postgresql_script_exec_t;
+ ')
+
+ allow $1 postgresql_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postgresql_t)
+
+ # Allow $1 to restart the apache service
+ postgresql_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 postgresql_script_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, postgresql_var_run_t)
+
+ admin_pattern($1, postgresql_db_t)
+
+ admin_pattern($1, postgresql_etc_t)
+
+ admin_pattern($1, postgresql_log_t)
+
+ admin_pattern($1, postgresql_tmp_t)
+')
--- nsaserefpolicy/policy/modules/services/postgresql.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.4/policy/modules/services/postgresql.te 2008-08-11 16:39:48.000000000 -0400
@@ -44,6 +44,9 @@
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
+type postgresql_script_exec_t;
+init_script_type(postgresql_script_exec_t)
+
# database clients attribute
attribute sepgsql_client_type;
attribute sepgsql_unconfined_type;
@@ -186,6 +189,7 @@
fs_getattr_all_fs(postgresql_t)
fs_search_auto_mountpoints(postgresql_t)
+fs_rw_hugetlbfs_files(postgresql_t)
selinux_get_enforce_mode(postgresql_t)
selinux_validate_context(postgresql_t)
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list