3:33 a.m.
I got the following access denied logs, when I tries to connect
SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix
domain socket (/tmp/.s.PGSQL.5432).
type=AVC msg=audit(1218613044.484:10388): avc: denied { write }
for pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6
ino=1079246
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:postgresql_tmp_t:s0
tclass=sock_file
type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto }
for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432"
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:system_r:postgresql_t:s0
tclass=unix_stream_socket
However, both permissions are allowed via postgresql_stream_connect()
independent from any booleans, if required types are provided by
postgresql.te.
postgresql_stream_connect() and postgresql_unpriv_client() are put
within same optional_policy section at apache.te.
postgresql_unpriv_client() requires trusted procedure related types,
but postgresql.te declares them in legacy names.
old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t
old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t
Could you apply the attached patch?
It fixes them as upstream doing.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(a)ak.jp.nec.com>
4:25 a.m.
Sorry, the previous patch was imcomplete one.
We allows sepgsql_client_type and sepgsql_unconfined_type to invoke
sepgsql_trusted_proc_t, but it should be sepgsql_trusted_proc_exec_t,
because sepgsql_trusted_proc_t is a domain.
This matter also exists at upstreamed policy now.
The attached "refpolicy-sepgsql-trusted-proc-fixes.patch" can be applied
to upstreamed reference policy.
Thanks,
KaiGai Kohei wrote:
I got the following access denied logs, when I tries to connect
SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix
domain socket (/tmp/.s.PGSQL.5432).
type=AVC msg=audit(1218613044.484:10388): avc: denied { write }
for pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6
ino=1079246
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:postgresql_tmp_t:s0
tclass=sock_file
type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto }
for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432"
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:system_r:postgresql_t:s0
tclass=unix_stream_socket
However, both permissions are allowed via postgresql_stream_connect()
independent from any booleans, if required types are provided by
postgresql.te.
postgresql_stream_connect() and postgresql_unpriv_client() are put
within same optional_policy section at apache.te.
postgresql_unpriv_client() requires trusted procedure related types,
but postgresql.te declares them in legacy names.
old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t
old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t
Could you apply the attached patch?
It fixes them as upstream doing.
Thanks,
------------------------------------------------------------------------
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(a)ak.jp.nec.com>
11:35 a.m.
KaiGai Kohei wrote:
Sorry, the previous patch was imcomplete one.
We allows sepgsql_client_type and sepgsql_unconfined_type to invoke
sepgsql_trusted_proc_t, but it should be sepgsql_trusted_proc_exec_t,
because sepgsql_trusted_proc_t is a domain.
This matter also exists at upstreamed policy now.
The attached "refpolicy-sepgsql-trusted-proc-fixes.patch" can be applied
to upstreamed reference policy.
Thanks,
KaiGai Kohei wrote:
> I got the following access denied logs, when I tries to connect
> SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix
> domain socket (/tmp/.s.PGSQL.5432).
>
> type=AVC msg=audit(1218613044.484:10388): avc: denied { write }
> for pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6
ino=1079246
> scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:postgresql_tmp_t:s0
> tclass=sock_file
> type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto }
> for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432"
> scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=unconfined_u:system_r:postgresql_t:s0
> tclass=unix_stream_socket
>
> However, both permissions are allowed via postgresql_stream_connect()
> independent from any booleans, if required types are provided by
> postgresql.te.
>
> postgresql_stream_connect() and postgresql_unpriv_client() are put
> within same optional_policy section at apache.te.
> postgresql_unpriv_client() requires trusted procedure related types,
> but postgresql.te declares them in legacy names.
>
> old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t
> old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t
>
> Could you apply the attached patch?
> It fixes them as upstream doing.
>
> Thanks,
>
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list(a)redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
Fedora 9? Rawhide?
5:32 p.m.
Daniel J Walsh wrote:
KaiGai Kohei wrote:
> Sorry, the previous patch was imcomplete one.
>
> We allows sepgsql_client_type and sepgsql_unconfined_type to invoke
> sepgsql_trusted_proc_t, but it should be sepgsql_trusted_proc_exec_t,
> because sepgsql_trusted_proc_t is a domain.
>
> This matter also exists at upstreamed policy now.
> The attached "refpolicy-sepgsql-trusted-proc-fixes.patch" can be applied
> to upstreamed reference policy.
>
> Thanks,
>
> KaiGai Kohei wrote:
>> I got the following access denied logs, when I tries to connect
>> SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix
>> domain socket (/tmp/.s.PGSQL.5432).
>>
>> type=AVC msg=audit(1218613044.484:10388): avc: denied { write }
>> for pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6
ino=1079246
>> scontext=unconfined_u:system_r:httpd_t:s0
>> tcontext=unconfined_u:object_r:postgresql_tmp_t:s0
>> tclass=sock_file
>> type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto }
>> for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432"
>> scontext=unconfined_u:system_r:httpd_t:s0
>> tcontext=unconfined_u:system_r:postgresql_t:s0
>> tclass=unix_stream_socket
>>
>> However, both permissions are allowed via postgresql_stream_connect()
>> independent from any booleans, if required types are provided by
>> postgresql.te.
>>
>> postgresql_stream_connect() and postgresql_unpriv_client() are put
>> within same optional_policy section at apache.te.
>> postgresql_unpriv_client() requires trusted procedure related types,
>> but postgresql.te declares them in legacy names.
>>
>> old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t
>> old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t
>>
>> Could you apply the attached patch?
>> It fixes them as upstream doing.
>>
>> Thanks,
>>
>>
>> ------------------------------------------------------------------------
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list(a)redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
Fedora 9? Rawhide?
Sorry, I missed the version.
It is in Rawhide. (selinux-policy-3.5.1-4.fc10)
Thanks,
--
KaiGai Kohei <kaigai(a)kaigai.gr.jp>
7:47 a.m.
KaiGai Kohei wrote:
Daniel J Walsh wrote:
> KaiGai Kohei wrote:
>> Sorry, the previous patch was imcomplete one.
>>
>> We allows sepgsql_client_type and sepgsql_unconfined_type to invoke
>> sepgsql_trusted_proc_t, but it should be sepgsql_trusted_proc_exec_t,
>> because sepgsql_trusted_proc_t is a domain.
>>
>> This matter also exists at upstreamed policy now.
>> The attached "refpolicy-sepgsql-trusted-proc-fixes.patch" can be
applied
>> to upstreamed reference policy.
>>
>> Thanks,
>>
>> KaiGai Kohei wrote:
>>> I got the following access denied logs, when I tries to connect
>>> SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix
>>> domain socket (/tmp/.s.PGSQL.5432).
>>>
>>> type=AVC msg=audit(1218613044.484:10388): avc: denied { write }
>>> for pid=4805 comm="httpd" name=".s.PGSQL.5432"
dev=sda6 ino=1079246
>>> scontext=unconfined_u:system_r:httpd_t:s0
>>> tcontext=unconfined_u:object_r:postgresql_tmp_t:s0
>>> tclass=sock_file
>>> type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto }
>>> for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432"
>>> scontext=unconfined_u:system_r:httpd_t:s0
>>> tcontext=unconfined_u:system_r:postgresql_t:s0
>>> tclass=unix_stream_socket
>>>
>>> However, both permissions are allowed via postgresql_stream_connect()
>>> independent from any booleans, if required types are provided by
>>> postgresql.te.
>>>
>>> postgresql_stream_connect() and postgresql_unpriv_client() are put
>>> within same optional_policy section at apache.te.
>>> postgresql_unpriv_client() requires trusted procedure related types,
>>> but postgresql.te declares them in legacy names.
>>>
>>> old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t
>>> old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t
>>>
>>> Could you apply the attached patch?
>>> It fixes them as upstream doing.
>>>
>>> Thanks,
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list(a)redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> Fedora 9? Rawhide?
Sorry, I missed the version.
It is in Rawhide. (selinux-policy-3.5.1-4.fc10)
Thanks,
Current Rawhide is pretty much the same as upstream. Here is the only
patch I have on postgresql as of today's rawhide. Fedora 9 next update
should match this policy in the next update also.
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-08-07 11:15:11.000000000
-0400
+++ serefpolicy-3.5.4/policy/modules/services/postgresql.fc 2008-08-11 16:39:48.000000000
-0400
@@ -34,6 +34,7 @@
/var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
/var/log/postgres\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
/var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
/var/log/sepostgresql\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
@@ -42,3 +43,5 @@
')
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0)
--- nsaserefpolicy/policy/modules/services/postgresql.if 2008-08-07 11:15:11.000000000
-0400
+++ serefpolicy-3.5.4/policy/modules/services/postgresql.if 2008-08-11 16:39:48.000000000
-0400
@@ -372,3 +372,70 @@
typeattribute $1 sepgsql_unconfined_type;
')
+
+########################################
+## <summary>
+## Execute postgresql server in the posgresql domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`postgresql_script_domtrans',`
+ gen_require(`
+ type postgresql_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1, postgresql_script_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate an postgresql environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the postgresql domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the postgresql domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgresql_admin',`
+ gen_require(`
+ type postgresql_t, postgresql_var_run_t;
+ type postgresql_tmp_t, postgresql_db_t;
+ type postgresql_etc_t, postgresql_log_t;
+ type postgresql_script_exec_t;
+ ')
+
+ allow $1 postgresql_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postgresql_t)
+
+ # Allow $1 to restart the apache service
+ postgresql_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 postgresql_script_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, postgresql_var_run_t)
+
+ admin_pattern($1, postgresql_db_t)
+
+ admin_pattern($1, postgresql_etc_t)
+
+ admin_pattern($1, postgresql_log_t)
+
+ admin_pattern($1, postgresql_tmp_t)
+')
--- nsaserefpolicy/policy/modules/services/postgresql.te 2008-08-07 11:15:11.000000000
-0400
+++ serefpolicy-3.5.4/policy/modules/services/postgresql.te 2008-08-11 16:39:48.000000000
-0400
@@ -44,6 +44,9 @@
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
+type postgresql_script_exec_t;
+init_script_type(postgresql_script_exec_t)
+
# database clients attribute
attribute sepgsql_client_type;
attribute sepgsql_unconfined_type;
@@ -186,6 +189,7 @@
fs_getattr_all_fs(postgresql_t)
fs_search_auto_mountpoints(postgresql_t)
+fs_rw_hugetlbfs_files(postgresql_t)
selinux_get_enforce_mode(postgresql_t)
selinux_validate_context(postgresql_t)
8:47 p.m.
Daniel J Walsh wrote:
KaiGai Kohei wrote:
> Daniel J Walsh wrote:
>> KaiGai Kohei wrote:
>>> Sorry, the previous patch was imcomplete one.
>>>
>>> We allows sepgsql_client_type and sepgsql_unconfined_type to invoke
>>> sepgsql_trusted_proc_t, but it should be sepgsql_trusted_proc_exec_t,
>>> because sepgsql_trusted_proc_t is a domain.
>>>
>>> This matter also exists at upstreamed policy now.
>>> The attached "refpolicy-sepgsql-trusted-proc-fixes.patch" can be
applied
>>> to upstreamed reference policy.
>>>
>>> Thanks,
>>>
>>> KaiGai Kohei wrote:
>>>> I got the following access denied logs, when I tries to connect
>>>> SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix
>>>> domain socket (/tmp/.s.PGSQL.5432).
>>>>
>>>> type=AVC msg=audit(1218613044.484:10388): avc: denied { write }
>>>> for pid=4805 comm="httpd" name=".s.PGSQL.5432"
dev=sda6 ino=1079246
>>>> scontext=unconfined_u:system_r:httpd_t:s0
>>>> tcontext=unconfined_u:object_r:postgresql_tmp_t:s0
>>>> tclass=sock_file
>>>> type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto }
>>>> for pid=4805 comm="httpd"
path="/tmp/.s.PGSQL.5432"
>>>> scontext=unconfined_u:system_r:httpd_t:s0
>>>> tcontext=unconfined_u:system_r:postgresql_t:s0
>>>> tclass=unix_stream_socket
>>>>
>>>> However, both permissions are allowed via postgresql_stream_connect()
>>>> independent from any booleans, if required types are provided by
>>>> postgresql.te.
>>>>
>>>> postgresql_stream_connect() and postgresql_unpriv_client() are put
>>>> within same optional_policy section at apache.te.
>>>> postgresql_unpriv_client() requires trusted procedure related types,
>>>> but postgresql.te declares them in legacy names.
>>>>
>>>> old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t
>>>> old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t
>>>>
>>>> Could you apply the attached patch?
>>>> It fixes them as upstream doing.
>>>>
>>>> Thanks,
>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>> --
>>>> fedora-selinux-list mailing list
>>>> fedora-selinux-list(a)redhat.com
>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> Fedora 9? Rawhide?
> Sorry, I missed the version.
> It is in Rawhide. (selinux-policy-3.5.1-4.fc10)
>
> Thanks,
Current Rawhide is pretty much the same as upstream. Here is the only
patch I have on postgresql as of today's rawhide. Fedora 9 next update
should match this policy in the next update also.
OK, I confirmed the first matter is fixed at selinux-policy-3.5.4-2 in
rawhide. (Sorry, I saw a bit older version.)
However, the second matter still remains at upstream and rawhide.
Chris, could you apply the attached patch which fixes lagacy naming
matter.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(a)ak.jp.nec.com>
5726
days inactive
5728
days old
selinux@lists.fedoraproject.org
5 comments
3 participants
participants (3)
-
Daniel J Walsh -
KaiGai Kohei -
KaiGai Kohei