Message-ID: <4846A481.4080805@tresys.com>
Date: Wed, 04 Jun 2008 10:19:45 -0400
From: Joshua Brindle
To: KaiGai Kohei
CC: "Christopher J. PeBenito", Eamon Walsh, Stephen Smalley, selinux@tycho.nsa.gov
Subject: Re: [PATCH] libselinux: add support for /contexts/postgresql_contexts
In-Reply-To: <4846142F.8090100@ak.jp.nec.com>
List-Id: selinux@tycho.nsa.gov

KaiGai Kohei wrote:
> Christopher J. PeBenito wrote:
>
> In addition, I found an unclear point which came from my original policy. :(
>
>   allow sepgsql_unconfined_type postgresql_t:db_blob { import export };
>
> A blob import interface enables to read a file on a server host by the server
> process (postgresql_t), and import to database as several frames of largeobject.
> An export interface works in the inverse direction.
>
> In the previous discussion, the meaning of these permissions is to indicate
> server process to start importing or exporting.
> However, I'm now considering the following rules are more sensible:
>
> 1. SE-PostgreSQL checks whether the client has db_blob:{import} for
>    the target large object.
> 2. SE-PostgreSQL checks whether the client has file:{read} for
>    the target file.
> 3. SELinux (kernel) checks whether postgresql_t has file:{read} for the
>    target file, because it uses read(2) system call.
>
> Could you tell me your opinion?

Chris asked me to look at this for him.

The access checks above seem completely reasonable to me, much better than the previous check. I wonder though, how you'll do an export check between the client and file type, since a compute_create between the client and the target directory may be different than between postgresql_t and the directory? Which context would you attempt to use?
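
The three import checks and the compute_create question from the message above, as an added example that is not part of the original thread and is not SE-PostgreSQL or libselinux code. It is a toy in-memory policy model: every rule and every type name except `postgresql_t` is constructed, and `compute_create` here only mimics the type decision for a new file (matching `type_transition`, otherwise the parent directory's type).

```python
# Toy policy model; every rule and every type name except postgresql_t is constructed.
ALLOW = {
    ("client_t", "blob_t", "db_blob"): {"import", "export"},
    ("guest_t", "blob_t", "db_blob"): {"import"},
    ("client_t", "user_home_t", "file"): {"read"},
    ("postgresql_t", "user_home_t", "file"): {"read"},
}
# type_transition <source> <parent dir type>:<class> <new type>  (constructed)
TYPE_TRANSITION = {
    ("postgresql_t", "user_home_dir_t", "file"): "pgsql_export_t",
}

def allowed(source, target, tclass, perm):
    """True if the toy policy grants perm on (source, target, class)."""
    return perm in ALLOW.get((source, target, tclass), set())

def compute_create(source, parent, tclass):
    """Type of a new object: matching type_transition, else the parent's type."""
    return TYPE_TRANSITION.get((source, parent, tclass), parent)

def check_import(client, server, blob_type, file_type):
    """The three proposed import checks, as (enforcer, decision) pairs."""
    return [
        ("SE-PostgreSQL", allowed(client, blob_type, "db_blob", "import")),
        ("SE-PostgreSQL", allowed(client, file_type, "file", "read")),
        ("kernel", allowed(server, file_type, "file", "read")),
    ]

def import_permitted(client, server, blob_type, file_type):
    """Import proceeds only if all three checks pass."""
    return all(ok for _, ok in check_import(client, server, blob_type, file_type))

def export_file_types(client, server, dir_type):
    """Type the exported file would get, computed from each candidate source."""
    return {
        "client": compute_create(client, dir_type, "file"),
        "server": compute_create(server, dir_type, "file"),
    }

if __name__ == "__main__":
    print(check_import("client_t", "postgresql_t", "blob_t", "user_home_t"))
    print(check_import("guest_t", "postgresql_t", "blob_t", "user_home_t"))
    print(export_file_types("client_t", "postgresql_t", "user_home_dir_t"))
```

In this model the guest client holds `db_blob:{import}` but fails the second check, and the export computation returns a different file type depending on whether the client or `postgresql_t` is used as the source, so a `file` permission check for export has to pick one of the two.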