[selinux-policy: 2558/3172] postgresql patch from Dan Walsh: "File context for /etc/sysconfig/pgsql and other bugs. Sends audit

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:47:22 UTC 2010


commit 9681df1c8d1216be114cf975ff9a181fe26dca31
Author: Jeremy Solt <jsolt at tresys.com>
Date:   Fri Mar 19 13:51:32 2010 -0400

    postgresql patch from Dan Walsh:
    "File context for /etc/sysconfig/pgsql and other bugs.
    Sends audit messages, connects to postgresql_server port
    Reads its own process info"
    
    Moved signal interface for style.

 policy/modules/services/postgresql.fc |    8 +++++---
 policy/modules/services/postgresql.if |   17 +++++++++++++++++
 policy/modules/services/postgresql.te |    6 +++++-
 3 files changed, 27 insertions(+), 4 deletions(-)
---
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index d91cd03..f03fad4 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -3,6 +3,7 @@
 #
 /etc/postgresql(/.*)?			gen_context(system_u:object_r:postgresql_etc_t,s0)
 /etc/rc\.d/init\.d/(se)?postgresql --	gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
+/etc/sysconfig/pgsql(/.*)? 		gen_context(system_u:object_r:postgresql_etc_t,s0)
 
 #
 # /usr
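Review bot: The added `/etc/sysconfig/pgsql(/.*)?` entry has a stray space after the path regex before the tab run that separates it from the context field, unlike the neighbouring lines in this hunk which use tabs only; the whitespace-separated parser accepts it, but it breaks the column layout and is worth normalising to tabs for consistency with the rest of postgresql.fc. Labelling the new path as postgresql_etc_t reads as the right choice here, since the same type already covers `/etc/postgresql(/.*)?` two lines above.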
@@ -10,9 +11,8 @@
 /usr/bin/initdb(\.sepgsql)?	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
 /usr/bin/(se)?postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
 
-/usr/lib/pgsql/test/regres(/.*)?	gen_context(system_u:object_r:postgresql_db_t,s0)
-/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-
+/usr/lib(64)?/pgsql/test/regress(/.*)?	gen_context(system_u:object_r:postgresql_db_t,s0)
+/usr/lib(64)?/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
 /usr/lib(64)?/postgresql/bin/.* --	gen_context(system_u:object_r:postgresql_exec_t,s0)
 
 ifdef(`distro_debian', `
@@ -44,3 +44,5 @@ ifdef(`distro_redhat', `
 ')
 
 /var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+/var/run/postmaster.*			gen_context(system_u:object_r:postgresql_var_run_t,s0)
diff --git a/policy/modules/services/postgresql.if b/policy/modules/services/postgresql.if
index 54ea709..28d6d68 100644
--- a/policy/modules/services/postgresql.if
+++ b/policy/modules/services/postgresql.if
@@ -235,6 +235,23 @@ interface(`postgresql_domtrans',`
 	domtrans_pattern($1, postgresql_exec_t, postgresql_t)
 ')
 
+######################################
+## <summary>
+##	Allow domain to signal postgresql
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`postgresql_signal',`
+	gen_require(`
+		type postgresql_t;
+	')
+	allow $1 postgresql_t:process signal;
+')
+
 ########################################
 ## <summary>
 ##	Allow the specified domain to read postgresql's etc.
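Review bot: The parameter summary of the new `postgresql_signal` interface says `Domain to not audit.`, which looks copy-pasted from a dontaudit interface; the interface grants `process signal`, so the summary should read `Domain allowed access.` as other allow-style interfaces in this file describe their parameter. The header rule on the first line of the new block is also two characters shorter than the `########################################` used by the surrounding interfaces. The interface following this hunk starts inside it and continues past its end.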
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 0b3eda9..7725610 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -150,6 +150,7 @@ allow postgresql_t self:capability { kill dac_override dac_read_search chown fow
 dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
 allow postgresql_t self:process signal_perms;
 allow postgresql_t self:fifo_file rw_fifo_file_perms;
+allow postgresql_t self:file { getattr read };
 allow postgresql_t self:sem create_sem_perms;
 allow postgresql_t self:shm create_shm_perms;
 allow postgresql_t self:tcp_socket create_stream_socket_perms;
@@ -220,9 +221,11 @@ corenet_tcp_sendrecv_generic_node(postgresql_t)
 corenet_udp_sendrecv_generic_node(postgresql_t)
 corenet_tcp_sendrecv_all_ports(postgresql_t)
 corenet_udp_sendrecv_all_ports(postgresql_t)
+corenet_udp_bind_generic_node(postgresql_t)
 corenet_tcp_bind_generic_node(postgresql_t)
 corenet_tcp_bind_postgresql_port(postgresql_t)
 corenet_tcp_connect_auth_port(postgresql_t)
+corenet_tcp_connect_postgresql_port(postgresql_t)
 corenet_sendrecv_postgresql_server_packets(postgresql_t)
 corenet_sendrecv_auth_client_packets(postgresql_t)
 
@@ -253,11 +256,12 @@ files_search_etc(postgresql_t)
 files_read_etc_runtime_files(postgresql_t)
 files_read_usr_files(postgresql_t)
 
-auth_use_nsswitch(postgresql_t)
+auth_use_pam(postgresql_t)
 
 init_read_utmp(postgresql_t)
 
 logging_send_syslog_msg(postgresql_t)
+logging_send_audit_msgs(postgresql_t)
 
 miscfiles_read_localization(postgresql_t)
 
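Review bot: Replacing `auth_use_nsswitch(postgresql_t)` with `auth_use_pam(postgresql_t)` widens the domain well beyond what the commit message ("sends audit messages, connects to postgresql_server port, reads its own process info") describes, since the PAM interface in refpolicy bundles the password-checker transitions and other authentication-related access on top of nsswitch; a one-line comment above it naming the PAM module configuration that needs it (e.g. `# for pam authentication of client connections`) would make the grant reviewable later. If `auth_use_pam` already pulls in `logging_send_audit_msgs`, as I believe it does in refpolicy, the explicitly added `logging_send_audit_msgs(postgresql_t)` line in this hunk is redundant and could be dropped, but that should be confirmed against the version of system/authlogin.if in this tree.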

