Re: [PATCH] SE-PostgreSQL Security Policy (try #3)

[KaiGai Kohei <kaigai@kaigai.gr.jp>]

>> type_transition postgresql_t postgresql_t:db_database sepgsql_db_t;
>>
>> What object is being transitioned on?  Other type transitions are
>> clearer: a file being created in a directory or a message enqueued to a
>> message queue.  I won't block merging the policy over this, but I think
>> the postgresql_contexts is the better method.
> 
> This type transition rule means a new database is created on a database
> management system. A database management system can maintain several
> databases in same time, like several files are placed under a directory.
> An only difference between a directory and a database management system
> is whether it is a process, or not. So, I don't think it is unnatural
> method to decide a correct context of newly created database.

In properly speaking, I oppose to drop type_transition rule for a newly
created database object, don't oppose the postgresql_contexts file.
I noticed they are not exclusive options after a carefull consideration.

The biggest concern of dropping type_transition is that we cannot decide
what security context should be attached for a new database when
the postgresql_contexts is lost, if we completely depends on this file.
We can help the situation, if we can decide it with type_transition rule
when the file or proper entries are not found.

If you feel strange to use the context of server process as the target
of the type_transition, using the root directory of database cluster
is an alternative idea. (It is '/var/lib/sepgsql/data' in default.)
Any database files are placed under the directory, like filed placed
under a directory.

Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.