From: pebenito@gentoo.org (Chris PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] revise roles/dbadm.te (Re: dbadm.pp is not available in selinux-policy package)
Date: Tue, 17 Aug 2010 14:00:50 -0400
Message-ID: <4C6ACE52.60905@gentoo.org>
In-Reply-To: <4C69CBC9.4090904@ak.jp.nec.com>

On 08/16/10 19:37, KaiGai Kohei wrote:
> (2010/08/17 4:42), Christopher J. PeBenito wrote:
>> On 08/16/10 05:11, KaiGai Kohei wrote:
>>> Sorry for this long silence on the topic.
>>>
>>> IIRC, we have already agreed most part of the patch, haven't we?
>>>
>>> - The dbadm_t domain shall be launched via sudo, not a login shell,
>>> so, userdom_base_user_template() is used to grant basic privileges
>>> to dbadm_t instead of userdom_unpriv_user_template().
>>> - It allows too many privileges to dbadm_t if we allow him to launch
>>> setfiles, so we removed seutil_domtrans_setfiles().
>>>
>>> Did we have any more issues?
>>>
>>> The attached patch is the same as the last version, except that it was
>>> rebased to the latest reference policy.
>>
>> I only have two issues:
>>
>> 1. Why should dbadm be allowed to set enforce mode?
>
> It uses selinux_get_enforce_mode(), not selinux_set_enforce_mode().
> We just allow dbadm_t to see the current working mode.

My mistake, I misread it.  You're right, it's fine.

>> 2. Why does dbadm need to manage generic locks?
>
> It was originally copied from webadm.te, but PostgreSQL also makes
> its lockfile on /var/lock/subsys/postgresql. If the server process
> unexpectedly crashes, dbadm_t needs to remove it by hand, doesn't it?

Based on what I see in the policy, my guess is this file is created by 
the init script, right?  If not, then it sounds like PostgreSQL needs a 
lock type.

I'd rather it just have delete permissions, rather than full manage 
permissions.  Something like files_delete_all_locks(), but for 
var_lock_t instead.

> Thanks,
>
>> After those are resolved, it can be merged.
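What a delete-only lock interface of the kind asked for above could look like, as an added illustration that is neither the patch under discussion nor refpolicy's own code. The interface name files_delete_generic_locks and the dbadm.te lines are assumed for the example; files_manage_generic_locks, files_search_locks, delete_files_pattern, selinux_get_enforce_mode and var_lock_t are existing refpolicy names.

```m4
# Added illustration (not the thread's patch): a delete-only
# interface for var_lock_t.  The name files_delete_generic_locks
# and the dbadm.te fragment below are assumed; the other
# identifiers are existing refpolicy names.

# --- policy/modules/kernel/files.if ---------------------------
########################################
## <summary>
##	Delete generic lock files in /var/lock, without
##	permission to create, write or relabel them.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`files_delete_generic_locks',`
	gen_require(`
		type var_lock_t;
	')

	# search path down to /var/lock
	files_search_locks($1)
	# remove_name on the directory and unlink on the files only;
	# no create, write or setattr on the lock files themselves.
	delete_files_pattern($1, var_lock_t, var_lock_t)
')

# --- policy/modules/roles/dbadm.te ---------------------------
# Before: full manage rights (create/read/write/delete) on every
# file under /var/lock, more than cleaning a stale lock needs.
#files_manage_generic_locks(dbadm_t)

# After: only what removing a stale postgresql lockfile requires.
files_delete_generic_locks(dbadm_t)

# Reading the current enforcing mode is read-only and stays.
selinux_get_enforce_mode(dbadm_t)
```

After rebuilding the module, `sesearch -A -s dbadm_t -t var_lock_t` should show unlink and getattr on files but no create or write.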
