[refpolicy] [PATCH] revise roles/dbadm.te (Re: dbadm.pp is not available in selinux-policy package)

All of lore.kernel.org
 help / color / mirror / Atom feed

From: kaigai@ak.jp.nec.com (KaiGai Kohei)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] revise roles/dbadm.te (Re: dbadm.pp is not available in selinux-policy package)
Date: Wed, 18 Aug 2010 17:19:06 +0900	[thread overview]
Message-ID: <4C6B977A.4040402@ak.jp.nec.com> (raw)
In-Reply-To: <4C6ACE52.60905@gentoo.org>

(2010/08/18 3:00), Chris PeBenito wrote:
> On 08/16/10 19:37, KaiGai Kohei wrote:
>> (2010/08/17 4:42), Christopher J. PeBenito wrote:
>>> On 08/16/10 05:11, KaiGai Kohei wrote:
>>>> Sorry for this long silent on the topic.
>>>>
>>>> IIRC, we have already agreed most part of the patch, haven't we?
>>>>
>>>> - The dbadm_t domain shall be launched via sudo, not a login shell,
>>>> so, userdom_base_user_template() is used to grant basic privileges
>>>> to dbadm_t instead of userdom_unpriv_user_template().
>>>> - It allows too much privileges to dbadm_t, if we allows him to launch
>>>> setfiles, so we removed seutil_domtrans_setfiles().
>>>>
>>>> Did we have any more issues?
>>>>
>>>> The attached patch is same as the last version except for it was 
>>>> rebased
>>>> to the latest reference policy.
>>>
>>> I only have two issues:
>>>
>>> 1. Why should dbadm be allowed to set enforce mode?
>>
>> It uses selinux_get_enforce_mode(), not selinux_set_enforce_mode().
>> We just allow dbadm_t to see the current working mode.
> 
> My mistake, I misread it. You're right, its fine.
> 
>>> 2. Why does dbadm need to manage generic locks?
>>
>> It was originally copied from webadb.te, but PostgreSQL also makes
>> its lockfile on the /var/lock/subsys/postgresql. If server process
>> unexpectedly crashed, dbadm_t need to remove it by hand, doesn't it?
> 
> Based on what I see in the policy, my guess is this file is created by 
> the init script, right? If not, then it sounds like PostgreSQL needs a 
> lock type.
> 
Yes, this file is created by the init script.

In addition, postgresql_lock_t is defined, but type_transition rule is
defined on a pair of postgresql_t and var_lock_t, so the lockfile shall
be labeled as var_lock_t.

  [root at saba ~]# ls -Z /var/lock/subsys/postgresql
  -rw-r--r--. root root dbadm_u:object_r:var_lock_t:s0   /var/lock/subsys/postgresql

Maybe, init script should relabel it to postgresql_lock_t, ideally?

> I'd rather it just have delete permissions, rather than full manage 
> permissions. Something like files_delete_all_locks(), but for var_lock_t 
> instead.
> 
I tried to define files_delete_generic_locks(), instead of the manage.

Thanks,
-- 
KaiGai Kohei <kaigai@ak.jp.nec.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy-dbadm-revise.4.patch
Type: text/x-patch
Size: 3441 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20100818/1de3086e/attachment.bin

next prev parent reply	other threads:[~2010-08-18  8:19 UTC|newest]

Thread overview: 17+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <4BBD28D0.8080204@ak.jp.nec.com>
     [not found] ` <20100408082729.GE25042@localhost.localdomain>
     [not found]   ` <4BBDC8E5.1050307@redhat.com>
2010-04-09  5:29     ` [refpolicy] [PATCH] revise roles/dbadm.te (Re: dbadm.pp is not available in selinux-policy package) KaiGai Kohei
2010-04-12 14:09       ` Christopher J. PeBenito
2010-04-13  0:28         ` KaiGai Kohei
2010-04-13 13:17           ` Christopher J. PeBenito
2010-04-13 15:15             ` Daniel J Walsh
2010-04-13 15:57               ` Christopher J. PeBenito
2010-04-15  6:02                 ` KaiGai Kohei
2010-04-15 12:54                   ` Daniel J Walsh
2010-04-15 14:36                     ` KaiGai Kohei
2010-08-16  9:11                   ` KaiGai Kohei
2010-08-16 19:42                     ` Christopher J. PeBenito
2010-08-16 23:37                       ` KaiGai Kohei
2010-08-17 18:00                         ` Chris PeBenito
2010-08-18  8:19                           ` KaiGai Kohei [this message]
2010-08-19 12:47                             ` Christopher J. PeBenito
2010-04-09  5:40     ` [refpolicy] [BUGFIX] lack of type transition on dbadm domain " KaiGai Kohei
2010-04-12 14:16       ` Christopher J. PeBenito

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=4C6B977A.4040402@ak.jp.nec.com \
    --to=kaigai@ak.jp.nec.com \
    --cc=refpolicy@oss.tresys.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.