KaiGai Kohei wrote:
Daniel J Walsh wrote:
> KaiGai Kohei wrote:
>> Sorry, the previous patch was imcomplete one.
>>
>> We allows sepgsql_client_type and sepgsql_unconfined_type to invoke
>> sepgsql_trusted_proc_t, but it should be sepgsql_trusted_proc_exec_t,
>> because sepgsql_trusted_proc_t is a domain.
>>
>> This matter also exists at upstreamed policy now.
>> The attached "refpolicy-sepgsql-trusted-proc-fixes.patch" can be
applied
>> to upstreamed reference policy.
>>
>> Thanks,
>>
>> KaiGai Kohei wrote:
>>> I got the following access denied logs, when I tries to connect
>>> SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix
>>> domain socket (/tmp/.s.PGSQL.5432).
>>>
>>> type=AVC msg=audit(1218613044.484:10388): avc: denied { write }
>>> for pid=4805 comm="httpd" name=".s.PGSQL.5432"
dev=sda6 ino=1079246
>>> scontext=unconfined_u:system_r:httpd_t:s0
>>> tcontext=unconfined_u:object_r:postgresql_tmp_t:s0
>>> tclass=sock_file
>>> type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto }
>>> for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432"
>>> scontext=unconfined_u:system_r:httpd_t:s0
>>> tcontext=unconfined_u:system_r:postgresql_t:s0
>>> tclass=unix_stream_socket
>>>
>>> However, both permissions are allowed via postgresql_stream_connect()
>>> independent from any booleans, if required types are provided by
>>> postgresql.te.
>>>
>>> postgresql_stream_connect() and postgresql_unpriv_client() are put
>>> within same optional_policy section at apache.te.
>>> postgresql_unpriv_client() requires trusted procedure related types,
>>> but postgresql.te declares them in legacy names.
>>>
>>> old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t
>>> old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t
>>>
>>> Could you apply the attached patch?
>>> It fixes them as upstream doing.
>>>
>>> Thanks,
>>>
>>>
>>> ------------------------------------------------------------------------
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list(a)redhat.com
>>>
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> Fedora 9? Rawhide?
Sorry, I missed the version.
It is in Rawhide. (selinux-policy-3.5.1-4.fc10)
Thanks,
Current Rawhide is pretty much the same as upstream. Here is the only
patch I have on postgresql as of today's rawhide. Fedora 9 next update
should match this policy in the next update also.
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-08-07 11:15:11.000000000
-0400
+++ serefpolicy-3.5.4/policy/modules/services/postgresql.fc 2008-08-11 16:39:48.000000000
-0400
@@ -34,6 +34,7 @@
/var/lib/sepgsql/pgstartup\.log -- gen_context(system_u:object_r:postgresql_log_t,s0)
/var/log/postgres\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
/var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
/var/log/sepostgresql\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
@@ -42,3 +43,5 @@
')
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+/etc/rc\.d/init\.d/postgresql -- gen_context(system_u:object_r:postgresql_script_exec_t,s0)
--- nsaserefpolicy/policy/modules/services/postgresql.if 2008-08-07 11:15:11.000000000
-0400
+++ serefpolicy-3.5.4/policy/modules/services/postgresql.if 2008-08-11 16:39:48.000000000
-0400
@@ -372,3 +372,70 @@
typeattribute $1 sepgsql_unconfined_type;
')
+
+########################################
+## <summary>
+## Execute postgresql server in the posgresql domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`postgresql_script_domtrans',`
+ gen_require(`
+ type postgresql_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1, postgresql_script_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate an postgresql environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the postgresql domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the postgresql domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgresql_admin',`
+ gen_require(`
+ type postgresql_t, postgresql_var_run_t;
+ type postgresql_tmp_t, postgresql_db_t;
+ type postgresql_etc_t, postgresql_log_t;
+ type postgresql_script_exec_t;
+ ')
+
+ allow $1 postgresql_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postgresql_t)
+
+ # Allow $1 to restart the apache service
+ postgresql_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 postgresql_script_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, postgresql_var_run_t)
+
+ admin_pattern($1, postgresql_db_t)
+
+ admin_pattern($1, postgresql_etc_t)
+
+ admin_pattern($1, postgresql_log_t)
+
+ admin_pattern($1, postgresql_tmp_t)
+')
--- nsaserefpolicy/policy/modules/services/postgresql.te 2008-08-07 11:15:11.000000000
-0400
+++ serefpolicy-3.5.4/policy/modules/services/postgresql.te 2008-08-11 16:39:48.000000000
-0400
@@ -44,6 +44,9 @@
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)
+type postgresql_script_exec_t;
+init_script_type(postgresql_script_exec_t)
+
# database clients attribute
attribute sepgsql_client_type;
attribute sepgsql_unconfined_type;
@@ -186,6 +189,7 @@
fs_getattr_all_fs(postgresql_t)
fs_search_auto_mountpoints(postgresql_t)
+fs_rw_hugetlbfs_files(postgresql_t)
selinux_get_enforce_mode(postgresql_t)
selinux_validate_context(postgresql_t)