* unable to connect PostgreSQL from user_t
@ 2007-06-16 5:33 KaiGai Kohei
From: KaiGai Kohei @ 2007-06-16 5:33 UTC (permalink / raw)
To: cpebenito; +Cc: selinux
I found the following definition at 'policy/modules/services/postgresql.te'
--------------------------------
ifdef(`TODO',`
ifdef(`targeted_policy', `', `
	bool allow_user_postgresql_connect false;

	if (allow_user_postgresql_connect) {
		# allow any user domain to connect to the database server
		allow userdomain postgresql_t:unix_stream_socket connectto;
		allow userdomain postgresql_var_run_t:sock_file write;
		allow userdomain postgresql_tmp_t:sock_file write;
	}
')
--------------------------------
Is there any reason why this block is disabled now, although
'mysql_stream_connect($_t)' is enabled in 'system/userdomain.if'?
The attached patch enables the definition and moves it into
userdomain.(if|te), as was done for mysql.
Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
[-- Attachment #2: refpolicy-add-userdomain-pgsql-connect.patch --]
Index: refpolicy-tresys/policy/modules/services/postgresql.te
===================================================================
--- refpolicy-tresys/policy/modules/services/postgresql.te (revision 2336)
+++ refpolicy-tresys/policy/modules/services/postgresql.te (working copy)
@@ -175,16 +175,6 @@
')
ifdef(`TODO',`
-ifdef(`targeted_policy', `', `
-bool allow_user_postgresql_connect false;
-
-if (allow_user_postgresql_connect) {
-# allow any user domain to connect to the database server
-allow userdomain postgresql_t:unix_stream_socket connectto;
-allow userdomain postgresql_var_run_t:sock_file write;
-allow userdomain postgresql_tmp_t:sock_file write;
-}
-')
ifdef(`distro_debian', `
init_exec_script_files(postgresql_t)
# gross hack
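Review bot: the rules removed here granted connectto on postgresql_t:unix_stream_socket plus write on sock_files of both postgresql_var_run_t and postgresql_tmp_t, but the call that replaces them, postgresql_stream_connect($1_t), is not shown in this diff. Confirm that the interface in postgresql.if grants the same three permissions; if it only covers the var_run socket, the tunable silently loses the postgresql_tmp_t case and a server listening there will still be denied.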
Index: refpolicy-tresys/policy/modules/system/userdomain.te
===================================================================
--- refpolicy-tresys/policy/modules/system/userdomain.te (revision 2336)
+++ refpolicy-tresys/policy/modules/system/userdomain.te (working copy)
@@ -32,6 +32,13 @@
## <desc>
## <p>
+## Allow users to connect to PostgreSQL
+## </p>
+## </desc>
+gen_tunable(allow_user_postgresql_connect,false)
+
+## <desc>
+## <p>
## Allow regular users direct mouse access
## </p>
## </desc>
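Review bot: the bool this replaces was wrapped in ifdef(`targeted_policy', `', ...) and so never applied to the targeted policy, whereas gen_tunable(allow_user_postgresql_connect,false) here is unconditional. If extending the tunable to targeted is intended, say so in the description; the <desc> text would also be more useful stating what is granted, e.g. "Allow user domains to connect to the PostgreSQL unix stream socket", since a boolean named "connect" is what an administrator will search for in the tunable list.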
Index: refpolicy-tresys/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-tresys/policy/modules/system/userdomain.if (revision 2336)
+++ refpolicy-tresys/policy/modules/system/userdomain.if (working copy)
@@ -891,6 +891,12 @@
')
optional_policy(`
+ tunable_policy(`allow_user_postgresql_connect',`
+ postgresql_stream_connect($1_t)
+ ')
+ ')
+
+ optional_policy(`
nscd_socket_use($1_t)
')
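Review bot: the hunk reuses the opening line of the existing nscd optional_policy block for the new tunable_policy and then re-opens a fresh `optional_policy(`' around nscd_socket_use, so the net effect is a new block inserted ahead of nscd. That reads confusingly as a diff and puts postgresql before nscd, against the alphabetical ordering of the optional_policy blocks in this file; add a self-contained block at its ordered position instead, i.e. a complete
optional_policy(`
	tunable_policy(`allow_user_postgresql_connect',`
		postgresql_stream_connect($1_t)
	')
')
placed after the nscd block, leaving the nscd lines untouched.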
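The defect behind this thread is a tunable that was effectively undeclared: the bool lived inside an ifdef(`TODO', ...) block, which refpolicy never compiles, while nothing in the interfaces could gate on it. The following is an added example, not code from this thread or from refpolicy: a small audit script that scans .te text for gen_tunable()/bool declarations (ignoring anything inside a TODO block by tracking m4 quote depth), scans .if text for the tunables referenced by tunable_policy(), and reports tunables used but not declared, declared but never used, and tunables that default to true. The sample policy text is constructed to mirror the shapes in the patch; the function names are this example's own.

```python
import re
from typing import Dict, List, Set

# Constructed sample inputs (not the real refpolicy files). The "before"
# text mirrors the disabled block quoted in the mail, the "after" text the
# gen_tunable() declaration added by the patch.
SAMPLE_TE_BEFORE = """\
ifdef(`TODO',`
ifdef(`targeted_policy', `', `
bool allow_user_postgresql_connect false;

if (allow_user_postgresql_connect) {
allow userdomain postgresql_t:unix_stream_socket connectto;
}
')
')
"""

SAMPLE_TE_AFTER = """\
## <desc>
## <p>
## Allow users to connect to PostgreSQL
## </p>
## </desc>
gen_tunable(allow_user_postgresql_connect,false)
gen_tunable(allow_user_mysql_connect,false)
gen_tunable(user_direct_mouse,false)
"""

SAMPLE_IF = """\
optional_policy(`
	tunable_policy(`allow_user_postgresql_connect',`
		postgresql_stream_connect($1_t)
	')
')

optional_policy(`
	tunable_policy(`allow_user_mysql_connect',`
		mysql_stream_connect($1_t)
	')
')
"""

# Either declaration form: gen_tunable(name,default) or "bool name default;"
DECL_RE = re.compile(
    r"^\s*(?:gen_tunable\(\s*(\w+)\s*,\s*(true|false)\s*\)"
    r"|bool\s+(\w+)\s+(true|false)\s*;)",
    re.M,
)
# The conditional expression of tunable_policy(`expr', ...); it may contain
# operators such as && and !, so identifiers are extracted separately.
USE_RE = re.compile(r"tunable_policy\(\s*`([^']*)'")
TODO_OPEN = "ifdef(`TODO',"


def strip_todo_blocks(text: str) -> str:
    """Drop every ifdef(`TODO', ...) call, tracking m4 quote depth so that
    nested ifdef()s and quoted parentheses do not end the block early."""
    out: List[str] = []
    i = 0
    while True:
        j = text.find(TODO_OPEN, i)
        if j < 0:
            out.append(text[i:])
            return "".join(out)
        out.append(text[i:j])
        depth = 0
        k = j + len("ifdef(")
        while k < len(text):
            c = text[k]
            if c == "`":
                depth += 1
            elif c == "'":
                depth -= 1
            elif c == ")" and depth == 0:
                break  # closing paren of the ifdef call itself
            k += 1
        i = k + 1


def declared_tunables(te_text: str) -> Dict[str, bool]:
    """Map tunable name -> default value, ignoring TODO-disabled text."""
    decl: Dict[str, bool] = {}
    for m in DECL_RE.finditer(strip_todo_blocks(te_text)):
        name = m.group(1) or m.group(3)
        default = m.group(2) or m.group(4)
        decl[name] = default == "true"
    return decl


def used_tunables(if_text: str) -> Set[str]:
    """Every identifier referenced in a tunable_policy() condition."""
    names: Set[str] = set()
    for expr in USE_RE.findall(if_text):
        names.update(re.findall(r"[A-Za-z_]\w*", expr))
    return names


def audit(te_text: str, if_text: str) -> Dict[str, List[str]]:
    decl = declared_tunables(te_text)
    used = used_tunables(if_text)
    return {
        "undeclared": sorted(used - decl.keys()),
        "unused": sorted(decl.keys() - used),
        "default_true": sorted(n for n, d in decl.items() if d),
    }


if __name__ == "__main__":
    for label, te in (("before", SAMPLE_TE_BEFORE), ("after", SAMPLE_TE_AFTER)):
        print(label, audit(te, SAMPLE_IF))
```

Run against real policy sources the same way, feeding the concatenated .te files as te_text and the .if files as if_text; "undeclared" is the list to act on, since a tunable_policy() gated on a name no gen_tunable() declares cannot be toggled by setsebool at all.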
* Re: unable to connect PostgreSQL from user_t
From: Christopher J. PeBenito @ 2007-06-19 14:24 UTC (permalink / raw)
To: KaiGai Kohei; +Cc: selinux
On Sat, 2007-06-16 at 14:33 +0900, KaiGai Kohei wrote:
> I found the following definition at 'policy/modules/services/postgresql.te'
>
> --------------------------------
> ifdef(`TODO',`
> ifdef(`targeted_policy', `', `
> bool allow_user_postgresql_connect false;
>
> if (allow_user_postgresql_connect) {
> # allow any user domain to connect to the database server
> allow userdomain postgresql_t:unix_stream_socket connectto;
> allow userdomain postgresql_var_run_t:sock_file write;
> allow userdomain postgresql_tmp_t:sock_file write;
> }
> ')
> --------------------------------
> Is there any reason why this block is disabled now, although
> 'mysql_stream_connect($_t)' is enabled at 'system/userdomain.if' ?
No, just a block that missed getting converted from the example policy.
> The attached patch enables the definition and moves them into
> userdomain.(if|te) as mysql did.
Merged, though I moved the userdomain.if change down a few lines.
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.