[selinux-policy: 2612/3172] [BUGFIX] lack of type transition on dbadm domain (Re: dbadm.pp is not available in selinux-policy pa
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:52:14 UTC 2010
commit ec8d32c8e9afc7ddb56e4ceb9f61d60e2a01c3ea
Author: KaiGai Kohei <kaigai at ak.jp.nec.com>
Date: Mon Apr 12 10:14:10 2010 -0400
[BUGFIX] lack of type transition on dbadm domain (Re: dbadm.pp is not available in selinux-policy package)
I found out a bug when we initialize the database with dbadm_r:dbadm_t
which belongs to sepgsql_admin_type attribute.
In the case when sepgsql_admin_type create a new database objects,
it does not have valid type_transition rules. So, it was failed.
Sorry, I didn't find out it for a long time.
And db_procedure:{execute} on the sepgsql_proc_exec_t might be necessary
for the administrative domain independently from sepgsql_unconfined_dbadm,
because we need to execute some of system defined procedures to look up
system tables.
Changelog | 1 +
policy/modules/services/postgresql.te | 9 ++++++++-
2 files changed, 9 insertions(+), 1 deletions(-)
---
diff --git a/Changelog b/Changelog
index 390ea11..ccdaf25 100644
--- a/Changelog
+++ b/Changelog
@@ -1,3 +1,4 @@
+- SE-Postgresql updates from KaiGai Kohei.
- X object manager revisions from Eamon Walsh.
- Added modules:
chronyd (Miroslav Grepl)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index d95c87e..77ff0c6 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,5 +1,5 @@
-policy_module(postgresql, 1.10.1)
+policy_module(postgresql, 1.10.2)
gen_require(`
class db_database all_db_database_perms;
@@ -366,10 +366,17 @@ allow sepgsql_admin_type sepgsql_table_type:db_table { create drop getattr setat
allow sepgsql_admin_type sepgsql_table_type:db_column { create drop getattr setattr relabelfrom relabelto };
allow sepgsql_admin_type sepgsql_sysobj_table_type:db_tuple { relabelfrom relabelto select update insert delete };
+type_transition sepgsql_admin_type sepgsql_database_type:db_table sepgsql_table_t;
+
allow sepgsql_admin_type sepgsql_procedure_type:db_procedure { create drop getattr relabelfrom relabelto };
+allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure execute;
+
+type_transition sepgsql_admin_type sepgsql_database_type:db_procedure sepgsql_proc_exec_t;
allow sepgsql_admin_type sepgsql_blob_type:db_blob { create drop getattr setattr relabelfrom relabelto };
+type_transition sepgsql_admin_type sepgsql_database_type:db_blob sepgsql_blob_t;
+
allow sepgsql_admin_type sepgsql_module_type:db_database install_module;
kernel_relabelfrom_unlabeled_database(sepgsql_admin_type)
More information about the scm-commits
mailing list