[refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec

All of lore.kernel.org
 help / color / mirror / Atom feed

* [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t
@ 2013-11-17 12:52 Luis Ressel
  2013-11-18 14:09 ` Daniel J Walsh
  0 siblings, 1 reply; 7+ messages in thread
From: Luis Ressel @ 2013-11-17 12:52 UTC (permalink / raw)
  To: refpolicy

Currently, all postgresql commands in are labeled as postgresql_exec_t.
This means they can only be executed by db admins. However, the "normal"
commands, such as createdb or psql, should also be executable by users.
(The users in question still need to be granted postgresql_role(), so
this is no security problem.)

I only changed this behavior in the gentoo-specific part of the policy,
however other distros might want to have a look at this.
---
 policy/modules/services/postgresql.fc | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index a26f84f..bf28911 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -46,3 +46,21 @@ ifdef(`distro_redhat', `
 /var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
 
 /var/run/postmaster.*			gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+/etc/init\.d/postgresql-.*	--	gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
+
+/etc/postgresql-.*(/.*)?		gen_context(system_u:object_r:postgresql_etc_t,s0)
+
+/usr/lib/postgresql-.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/postgresql-.*/bin/pg_archivecleanup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_basebackup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_controldata	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_ctl		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_resetxlog		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_standby		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_upgrade		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_xlogdump		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/postmaster		-l	gen_context(system_u:object_r:postgresql_exec_t,s0)
+')
-- 
1.8.4.3

^ permalink raw reply related	[flat|nested] 7+ messages in thread

* [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t
  2013-11-17 12:52 [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t Luis Ressel
@ 2013-11-18 14:09 ` Daniel J Walsh
  2013-11-18 16:46   ` Luis Ressel
  0 siblings, 1 reply; 7+ messages in thread
From: Daniel J Walsh @ 2013-11-18 14:09 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/17/2013 07:52 AM, Luis Ressel wrote:
> Currently, all postgresql commands in are labeled as postgresql_exec_t. 
> This means they can only be executed by db admins. However, the "normal" 
> commands, such as createdb or psql, should also be executable by users. 
> (The users in question still need to be granted postgresql_role(), so this
> is no security problem.)
> 
> I only changed this behavior in the gentoo-specific part of the policy, 
> however other distros might want to have a look at this. --- 
> policy/modules/services/postgresql.fc | 18 ++++++++++++++++++ 1 file
> changed, 18 insertions(+)
> 
> diff --git a/policy/modules/services/postgresql.fc
> b/policy/modules/services/postgresql.fc index a26f84f..bf28911 100644 ---
> a/policy/modules/services/postgresql.fc +++
> b/policy/modules/services/postgresql.fc @@ -46,3 +46,21 @@
> ifdef(`distro_redhat', ` /var/run/postgresql(/.*)?
> gen_context(system_u:object_r:postgresql_var_run_t,s0)
> 
> /var/run/postmaster.*
> gen_context(system_u:object_r:postgresql_var_run_t,s0) + 
> +ifdef(`distro_gentoo',` +/etc/init\.d/postgresql-.*	--
> gen_context(system_u:object_r:postgresql_initrc_exec_t,s0) + 
> +/etc/postgresql-.*(/.*)?
> gen_context(system_u:object_r:postgresql_etc_t,s0) + 
> +/usr/lib/postgresql-.*/bin(/.*)?
> gen_context(system_u:object_r:bin_t,s0) 
> +/usr/lib/postgresql-.*/bin/pg_archivecleanup	--
> gen_context(system_u:object_r:postgresql_exec_t,s0) 
> +/usr/lib/postgresql-.*/bin/pg_basebackup	--
> gen_context(system_u:object_r:postgresql_exec_t,s0) 
> +/usr/lib/postgresql-.*/bin/pg_controldata	--
> gen_context(system_u:object_r:postgresql_exec_t,s0) 
> +/usr/lib/postgresql-.*/bin/pg_ctl		--
> gen_context(system_u:object_r:postgresql_exec_t,s0) 
> +/usr/lib/postgresql-.*/bin/pg_resetxlog		--
> gen_context(system_u:object_r:postgresql_exec_t,s0) 
> +/usr/lib/postgresql-.*/bin/pg_standby		--
> gen_context(system_u:object_r:postgresql_exec_t,s0) 
> +/usr/lib/postgresql-.*/bin/pg_upgrade		--
> gen_context(system_u:object_r:postgresql_exec_t,s0) 
> +/usr/lib/postgresql-.*/bin/pg_xlogdump		--
> gen_context(system_u:object_r:postgresql_exec_t,s0) 
> +/usr/lib/postgresql-.*/bin/postgres		--
> gen_context(system_u:object_r:postgresql_exec_t,s0) 
> +/usr/lib/postgresql-.*/bin/postmaster		-l
> gen_context(system_u:object_r:postgresql_exec_t,s0) +')
> 
I hate adding ifdef code to fc files, it is usually just clutter.  If I have
an init script named /etc/init\.d/postgresql-.*	 I would figure all
distributions would want this labeled this way.

If this labeling makes sense for other distributions, then we should remove
the ifdef.

Also bin_t should never be listed in an fc file other then corecommands.fc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlKKH60ACgkQrlYvE4MpobMmbwCdG3HHiD4Nsj6ub95baRu6tr3T
RvQAnizNBe5YyklYCoLRngnghtCas396
=d00v
-----END PGP SIGNATURE-----

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t
  2013-11-18 14:09 ` Daniel J Walsh
@ 2013-11-18 16:46   ` Luis Ressel
  2013-11-18 20:07     ` Daniel J Walsh
  0 siblings, 1 reply; 7+ messages in thread
From: Luis Ressel @ 2013-11-18 16:46 UTC (permalink / raw)
  To: refpolicy

On Mon, 18 Nov 2013 09:09:49 -0500
Daniel J Walsh <dwalsh@redhat.com> wrote:

> I hate adding ifdef code to fc files, it is usually just clutter.  If
> I have an init script named /etc/init\.d/postgresql-.*	 I
> would figure all distributions would want this labeled this way.
> 
> If this labeling makes sense for other distributions, then we should
> remove the ifdef.
> 
> Also bin_t should never be listed in an fc file other then
> corecommands.fc

Sorry, the ifdefs were there in the original gentoo patch, but it makes
sense to me to drop them. But how else should I label these files, if
not bin_t? Yet another separate type like "postgresql_user_exec_t"?


Regards,
Luis Ressel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 966 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20131118/de97a24f/attachment.bin 

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t
  2013-11-18 16:46   ` Luis Ressel
@ 2013-11-18 20:07     ` Daniel J Walsh
  2013-11-18 20:15       ` Luis Ressel
  0 siblings, 1 reply; 7+ messages in thread
From: Daniel J Walsh @ 2013-11-18 20:07 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 11/18/2013 11:46 AM, Luis Ressel wrote:
> On Mon, 18 Nov 2013 09:09:49 -0500 Daniel J Walsh <dwalsh@redhat.com>
> wrote:
> 
>> I hate adding ifdef code to fc files, it is usually just clutter.  If I
>> have an init script named /etc/init\.d/postgresql-.*	 I would figure all
>> distributions would want this labeled this way.
>> 
>> If this labeling makes sense for other distributions, then we should 
>> remove the ifdef.
>> 
>> Also bin_t should never be listed in an fc file other then 
>> corecommands.fc
> 
> Sorry, the ifdefs were there in the original gentoo patch, but it makes 
> sense to me to drop them. But how else should I label these files, if not
> bin_t? Yet another separate type like "postgresql_user_exec_t"?
> 
> 
> Regards, Luis Ressel
> 
I believe by default then should be bin_t unless they match someother regex.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlKKc4kACgkQrlYvE4MpobOUCACeJZNXl6Ln8FoXSp845tdpMCF2
1IwAoKQXRD0iZ4gyesvoQrTqdIu7/as2
=8Kgl
-----END PGP SIGNATURE-----

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t
  2013-11-18 20:07     ` Daniel J Walsh
@ 2013-11-18 20:15       ` Luis Ressel
  0 siblings, 0 replies; 7+ messages in thread
From: Luis Ressel @ 2013-11-18 20:15 UTC (permalink / raw)
  To: refpolicy

On Mon, 18 Nov 2013 15:07:37 -0500
Daniel J Walsh <dwalsh@redhat.com> wrote:

> I believe by default then should be bin_t unless they match someother
> regex.

I thought it would be lib_t. But you're right, there's
"/usr/lib(.*/)?bin(/.*)?" --> bin_t, so my rule can indeed be dropped.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 966 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20131118/858f2109/attachment.bin 

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t
@ 2013-11-17 13:32 Luis Ressel
  2013-11-17 13:34 ` Luis Ressel
  0 siblings, 1 reply; 7+ messages in thread
From: Luis Ressel @ 2013-11-17 13:32 UTC (permalink / raw)
  To: refpolicy

Currently, all postgresql commands in are labeled as postgresql_exec_t.
This means they can only be executed by db admins. However, the "normal"
commands, such as createdb or psql, should also be executable by users.
(The users in question still need to be granted postgresql_role(), so
this is no security problem.)

I only changed this behavior in the gentoo-specific part of the policy,
however other distros might want to have a look at this.
---
 policy/modules/services/postgresql.fc | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index a26f84f..bf28911 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -46,3 +46,21 @@ ifdef(`distro_redhat', `
 /var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
 
 /var/run/postmaster.*			gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+/etc/init\.d/postgresql-.*	--	gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
+
+/etc/postgresql-.*(/.*)?		gen_context(system_u:object_r:postgresql_etc_t,s0)
+
+/usr/lib/postgresql-.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/postgresql-.*/bin/pg_archivecleanup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_basebackup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_controldata	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_ctl		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_resetxlog		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_standby		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_upgrade		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_xlogdump		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/postmaster		-l	gen_context(system_u:object_r:postgresql_exec_t,s0)
+')
-- 
1.8.4.3

^ permalink raw reply related	[flat|nested] 7+ messages in thread

* [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t
  2013-11-17 13:32 Luis Ressel
@ 2013-11-17 13:34 ` Luis Ressel
  0 siblings, 0 replies; 7+ messages in thread
From: Luis Ressel @ 2013-11-17 13:34 UTC (permalink / raw)
  To: refpolicy

Sorry for the resends...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 966 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20131117/f2c542b4/attachment.bin 

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2013-11-18 20:15 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-11-17 12:52 [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t Luis Ressel
2013-11-18 14:09 ` Daniel J Walsh
2013-11-18 16:46   ` Luis Ressel
2013-11-18 20:07     ` Daniel J Walsh
2013-11-18 20:15       ` Luis Ressel
  -- strict thread matches above, loose matches on Subject: below --
2013-11-17 13:32 Luis Ressel
2013-11-17 13:34 ` Luis Ressel

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.