From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: Chris PeBenito <pebenito@gentoo.org>
Cc: Eamon Walsh <ewalsh@tycho.nsa.gov>,
Stephen Smalley <sds@tycho.nsa.gov>,
selinux@tycho.nsa.gov
Subject: Re: [PATCH] libselinux: add support for /contexts/postgresql_contexts
Date: Fri, 06 Jun 2008 14:21:51 +0900
Message-ID: <4848C96F.50201@ak.jp.nec.com>
In-Reply-To: <1212672916.15752.7.camel@gorn.pebenito.net>
Chris PeBenito wrote:
> On Thu, 2008-06-05 at 10:18 +0900, KaiGai Kohei wrote:
>> Christopher J. PeBenito wrote:
>>> On Wed, 2008-06-04 at 13:03 +0900, KaiGai Kohei wrote:
>>>> Christopher J. PeBenito wrote:
>>>>> On Tue, 2008-06-03 at 19:25 +0900, KaiGai Kohei wrote:
>>>>>> Christopher J. PeBenito wrote:
>>>>>>> I'm out of arguments; clearly I'm in the minority on this issue. I
>>>>>>> already said I wouldn't block the policy over this, so KaiGai, if you
>>>>>>> would send a last patch based on the revisions I made [1], let see if we
>>>>>>> can finally get this merged.
>>>>>>>
>>>>>>> [1] http://marc.info/?l=selinux&m=120999566809541&w=2
>>>>>> I'll submit a revised version later.
>>>>>> (Now we cannot update the SVN repository, due to server maintenance.)
>>>>>>
>>>>>> Before this, I want to modify the following points:
>
>>>> Then, the above dontaudit rule should be rewritten as follows:
>>>>
>>>> dontaudit { sepgsql_client_type sepgsql_unpriv_type postgresql_t } \
>>>> { sepgsql_table_type - sepgsql_sysobj_table_type } : db_tuple *;
>>>>
>>>> At first, I used a boolean (sepgsql_enable_audittuple) to turn on/off
>>>> tuple-level access logs, but you suggested it is unnecessary, so I removed it.
>>> I don't agree because of:
>>>
>>> +allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
>>> +allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;
>>>
>>> so dontauditing for postgresql_t and sepgsql_unconfined_type doesn't do
>>> anything since the access is allowed.
>> It is correct in type enforcement.
>> But MCS/MLS can prevent access by unconfined domains, and make a flood of
>> access denied logs.
>
> Ok, I see your point. Please add a comment in the policy that explains
> this, so I don't mistakenly remove the dontaudit in the future :)
>
> One thing I just realized: do we really want to dontaudit all perms? It
> seems like use and/or select might be sufficient. Dontauditing
> relabelto and relabelfrom doesn't seem like a good idea.
OK, I'll send the patch with a comment for tuple-level dontaudit and
without dontaudit for relabelfrom/relabelto.
Please wait for days.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
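The rule the thread converges on, written out as an added illustration (this is not the patch KaiGai later sent, and the allow rules are repeated from the quoted revision only to show why the comment is needed). It assumes the db_tuple class carries the permissions { relabelfrom relabelto use select update insert delete }, so the set below is that list minus relabelfrom/relabelto; the type and attribute names are the ones quoted in the thread.

```selinux
# Added illustration, not the patch from this thread.  Assumes the db_tuple
# class defines { relabelfrom relabelto use select update insert delete }.

# Type enforcement already grants these domains full access to user tables,
# so a TE-only reading of the policy suggests the dontaudit below is
# redundant for postgresql_t and sepgsql_unconfined_type.
allow postgresql_t sepgsql_table_type : { db_table db_column db_tuple } *;
allow sepgsql_unconfined_type sepgsql_table_type : { db_table db_column db_tuple } *;

# Do not remove this dontaudit: with MCS/MLS enabled, the MLS constraints can
# still deny row (db_tuple) access to these domains even though TE allows it,
# and every denied row would otherwise produce its own AVC message.
# Only data-access permissions are silenced.  relabelfrom/relabelto denials
# stay audited: relabelling a row is a security-relevant event an
# administrator should see in the log, and it happens rarely enough that
# auditing it cannot flood the log.
dontaudit { sepgsql_client_type sepgsql_unpriv_type postgresql_t } \
    { sepgsql_table_type - sepgsql_sysobj_table_type } : db_tuple \
    { use select update insert delete };
```

The `{ attribute - attribute }` form in the target set is plain reference-policy syntax for "all types with the first attribute except those that also have the second"; it keeps system-catalog tables (sepgsql_sysobj_table_type) fully audited while silencing the per-row noise on ordinary user tables.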