From: dwalsh@redhat.com (Daniel J Walsh)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t
Date: Mon, 18 Nov 2013 09:09:49 -0500
Message-ID: <528A1FAD.4000809@redhat.com>
In-Reply-To: <1384692777-9505-1-git-send-email-aranea@aixah.de>
On 11/17/2013 07:52 AM, Luis Ressel wrote:
> Currently, all postgresql commands in are labeled as postgresql_exec_t.
> This means they can only be executed by db admins. However, the "normal"
> commands, such as createdb or psql, should also be executable by users.
> (The users in question still need to be granted postgresql_role(), so this
> is no security problem.)
>
> I only changed this behavior in the gentoo-specific part of the policy,
> however other distros might want to have a look at this. ---
> policy/modules/services/postgresql.fc | 18 ++++++++++++++++++ 1 file
> changed, 18 insertions(+)
>
> diff --git a/policy/modules/services/postgresql.fc
> b/policy/modules/services/postgresql.fc index a26f84f..bf28911 100644 ---
> a/policy/modules/services/postgresql.fc +++
> b/policy/modules/services/postgresql.fc @@ -46,3 +46,21 @@
> ifdef(`distro_redhat', ` /var/run/postgresql(/.*)?
> gen_context(system_u:object_r:postgresql_var_run_t,s0)
>
> /var/run/postmaster.*
> gen_context(system_u:object_r:postgresql_var_run_t,s0) +
> +ifdef(`distro_gentoo',` +/etc/init\.d/postgresql-.* --
> gen_context(system_u:object_r:postgresql_initrc_exec_t,s0) +
> +/etc/postgresql-.*(/.*)?
> gen_context(system_u:object_r:postgresql_etc_t,s0) +
> +/usr/lib/postgresql-.*/bin(/.*)?
> gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/postgresql-.*/bin/pg_archivecleanup --
> gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql-.*/bin/pg_basebackup --
> gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql-.*/bin/pg_controldata --
> gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql-.*/bin/pg_ctl --
> gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql-.*/bin/pg_resetxlog --
> gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql-.*/bin/pg_standby --
> gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql-.*/bin/pg_upgrade --
> gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql-.*/bin/pg_xlogdump --
> gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql-.*/bin/postgres --
> gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql-.*/bin/postmaster -l
> gen_context(system_u:object_r:postgresql_exec_t,s0) +')
>
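Review bot: The `postgresql-.*` component in the `/usr/lib/postgresql-.*/bin` entries is not confined to a single path segment, because `.*` in a file-context regular expression also matches `/`; `postgresql-[^/]+` would keep each entry on the versioned directory it is meant for. The catch-all `/usr/lib/postgresql-.*/bin(/.*)?` entry also makes bin_t the default for that directory, so an administrative binary missing from the explicit list ends up as bin_t rather than postgresql_exec_t. A comment in the block saying that the list has to be kept in step with the installed postgres tools would make that dependency visible.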
I hate adding ifdef code to fc files, it is usually just clutter. If I have
an init script named /etc/init\.d/postgresql-.* I would figure all
distributions would want this labeled this way.
If this labeling makes sense for other distributions, then we should remove
the ifdef.
Also bin_t should never be listed in an fc file other than corecommands.fc.