[selinux-policy: 2558/3172] postgresql patch from Dan Walsh: "File context for /etc/sysconfig/pgsql and other bugs. Sends audit
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:47:22 UTC 2010
commit 9681df1c8d1216be114cf975ff9a181fe26dca31
Author: Jeremy Solt <jsolt at tresys.com>
Date: Fri Mar 19 13:51:32 2010 -0400
postgresql patch from Dan Walsh:
"File context for /etc/sysconfig/pgsql and other bugs.
Sends audit messages connect to posgresql_server port
Reads its own process info"
Moved signal interface for style.
policy/modules/services/postgresql.fc | 8 +++++---
policy/modules/services/postgresql.if | 17 +++++++++++++++++
policy/modules/services/postgresql.te | 6 +++++-
3 files changed, 27 insertions(+), 4 deletions(-)
---
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index d91cd03..f03fad4 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -3,6 +3,7 @@
#
/etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
/etc/rc\.d/init\.d/(se)?postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
+/etc/sysconfig/pgsql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
#
# /usr
@@ -10,9 +11,8 @@
/usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
/usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/pgsql/test/regres(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
-/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-
+/usr/lib(64)?/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+/usr/lib(64)?/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
/usr/lib(64)?/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
ifdef(`distro_debian', `
@@ -44,3 +44,5 @@ ifdef(`distro_redhat', `
')
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 54ea709..28d6d68 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -235,6 +235,23 @@ interface(`postgresql_domtrans',`
domtrans_pattern($1, postgresql_exec_t, postgresql_t)
')
+######################################
+## <summary>
+## Allow domain to signal postgresql
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`postgresql_signal',`
+ gen_require(`
+ type postgresql_t;
+ ')
+ allow $1 postgresql_t:process signal;
+')
+
########################################
## <summary>
## Allow the specified domain to read postgresql's etc.
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 0b3eda9..7725610 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -150,6 +150,7 @@ allow postgresql_t self:capability { kill dac_override dac_read_search chown fow
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
allow postgresql_t self:process signal_perms;
allow postgresql_t self:fifo_file rw_fifo_file_perms;
+allow postgresql_t self:file { getattr read };
allow postgresql_t self:sem create_sem_perms;
allow postgresql_t self:shm create_shm_perms;
allow postgresql_t self:tcp_socket create_stream_socket_perms;
@@ -220,9 +221,11 @@ corenet_tcp_sendrecv_generic_node(postgresql_t)
corenet_udp_sendrecv_generic_node(postgresql_t)
corenet_tcp_sendrecv_all_ports(postgresql_t)
corenet_udp_sendrecv_all_ports(postgresql_t)
+corenet_udp_bind_generic_node(postgresql_t)
corenet_tcp_bind_generic_node(postgresql_t)
corenet_tcp_bind_postgresql_port(postgresql_t)
corenet_tcp_connect_auth_port(postgresql_t)
+corenet_tcp_connect_postgresql_port(postgresql_t)
corenet_sendrecv_postgresql_server_packets(postgresql_t)
corenet_sendrecv_auth_client_packets(postgresql_t)
@@ -253,11 +256,12 @@ files_search_etc(postgresql_t)
files_read_etc_runtime_files(postgresql_t)
files_read_usr_files(postgresql_t)
-auth_use_nsswitch(postgresql_t)
+auth_use_pam(postgresql_t)
init_read_utmp(postgresql_t)
logging_send_syslog_msg(postgresql_t)
+logging_send_audit_msgs(postgresql_t)
miscfiles_read_localization(postgresql_t)
More information about the scm-commits
mailing list