avc denied from postgresql
Russell Coker
russell at coker.com.au
Fri Jul 2 07:48:57 UTC 2004
On Thu, 1 Jul 2004 21:52, Daniel J Walsh <dwalsh at redhat.com> wrote:
> Added the following. Please check since I know nothing about postgresql.
I am not a postgresql expert either. However I think that some of these
aren't needed.
> #
> # Files from postgresql
> #
> /usr/bin/clusterdb -- system_u:object_r:postgresql_exec_t
> /usr/bin/createdb -- system_u:object_r:postgresql_exec_t
> /usr/bin/createuser -- system_u:object_r:postgresql_exec_t
> /usr/bin/dropdb -- system_u:object_r:postgresql_exec_t
> /usr/bin/dropuser -- system_u:object_r:postgresql_exec_t
> /usr/bin/psql -- system_u:object_r:postgresql_exec_t
> /usr/bin/vacuumdb -- system_u:object_r:postgresql_exec_t
The above are just wrappers for SQL commands. I don't think that there's any
benefit in labelling them, and there may be some disadvantages for some of
them (think of SQL scripts that need read/write access to files that the
calling domain accesses).
> /usr/bin/createlang -- system_u:object_r:postgresql_exec_t
> /usr/bin/droplang -- system_u:object_r:postgresql_exec_t
> /usr/bin/pg_encoding -- system_u:object_r:postgresql_exec_t
> /usr/bin/pg_id -- system_u:object_r:postgresql_exec_t
> /usr/bin/pg_restore -- system_u:object_r:postgresql_exec_t
I am unsure about the above. Either the documentation or my understanding is
lacking.
> /usr/bin/pg_dump -- system_u:object_r:postgresql_exec_t
> /usr/bin/pg_dumpall -- system_u:object_r:postgresql_exec_t
The above definitely need labelling.
> /usr/bin/initdb -- system_u:object_r:postgresql_exec_t
initdb is just a shell script. Maybe it should be left unlabeled and just
have transitions when it runs /usr/bin/postgres?
> /usr/bin/ipcclean -- system_u:object_r:postgresql_exec_t
This shell script refuses to run as root, probably doesn't need a special
label.
> /usr/bin/pg_controldata -- system_u:object_r:postgresql_exec_t
Displays stuff from initdb. If initdb doesn't need it then it probably
doesn't either.
> /usr/bin/pg_ctl -- system_u:object_r:postgresql_exec_t
Runs "postmaster" which is a symlink to "postgres", so it shouldn't need a
label.
> /usr/bin/pg_resetxlog -- system_u:object_r:postgresql_exec_t
This one is not clear to me, but I think for the moment it should be labelled.
> /usr/bin/postgres -- system_u:object_r:postgresql_exec_t
Definitely needs labelling.
> /usr/bin/postmaster -- system_u:object_r:postgresql_exec_t
No such file.
Please try out the attached postgresql.fc file, I'm sure it will work at least
as well as anything that anyone else has posted, and probably better than
most.
I'll review Yuichi's labelling ideas for the data directory later.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
[Attachment: postgresql.fc]
# postgresql - database server
/usr/lib(64)?/postgresql/bin/.* -- system_u:object_r:postgresql_exec_t
/usr/bin/postgres -- system_u:object_r:postgresql_exec_t
/usr/bin/pg_dump -- system_u:object_r:postgresql_exec_t
/usr/bin/pg_dumpall -- system_u:object_r:postgresql_exec_t
/usr/bin/pg_resetxlog -- system_u:object_r:postgresql_exec_t
# not sure whether the following binaries need labelling
/usr/bin/createlang -- system_u:object_r:postgresql_exec_t
/usr/bin/droplang -- system_u:object_r:postgresql_exec_t
/usr/bin/pg_encoding -- system_u:object_r:postgresql_exec_t
/usr/bin/pg_id -- system_u:object_r:postgresql_exec_t
/usr/bin/pg_restore -- system_u:object_r:postgresql_exec_t
/var/lib/postgres(/.*)? system_u:object_r:postgresql_db_t
/var/lib/pgsql(/.*)? system_u:object_r:postgresql_db_t
/var/run/postgresql(/.*)? system_u:object_r:postgresql_var_run_t
/etc/postgresql(/.*)? system_u:object_r:postgresql_etc_t
/var/log/postgres\.log.* -- system_u:object_r:postgresql_log_t
/var/log/postgresql(/.*)? system_u:object_r:postgresql_log_t
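An added example, not part of the thread and not SELinux's own code: a minimal Python parser for the file_contexts format used by the attached postgresql.fc, applied to a few constructed paths. It assumes the classic rules that every regex is anchored at both ends and that the last matching specification wins, and it honours the `--` (regular file only) flag, which is why such an entry would never label a symlink like postmaster.

```python
import re
from typing import NamedTuple, Optional

class FcSpec(NamedTuple):
    regex: re.Pattern      # path regex, anchored at both ends
    ftype: Optional[str]   # "--" regular, "-d" dir, "-l" symlink, ...; None = any type
    context: str           # user:role:type

# Constructed sample, mirroring the entries posted on the list (pg_dump/pg_dumpall
# collapsed into one regex to show that spec paths are regular expressions).
SAMPLE_FC = """
# postgresql - database server
/usr/lib(64)?/postgresql/bin/.*  --  system_u:object_r:postgresql_exec_t
/usr/bin/postgres                --  system_u:object_r:postgresql_exec_t
/usr/bin/pg_dump(all)?           --  system_u:object_r:postgresql_exec_t
/var/lib/pgsql(/.*)?                 system_u:object_r:postgresql_db_t
/var/log/postgresql(/.*)?            system_u:object_r:postgresql_log_t
"""

FTYPE_FLAGS = {"--", "-d", "-l", "-s", "-c", "-b", "-p"}

def parse_fc(text: str) -> list[FcSpec]:
    """Parse lines of the form '<regex> [filetype] <context>'; '#' lines are comments."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 3 and fields[1] in FTYPE_FLAGS:
            path_re, ftype, ctx = fields
        elif len(fields) == 2:
            path_re, ctx = fields
            ftype = None
        else:
            raise ValueError(f"malformed file_contexts line: {raw!r}")
        specs.append(FcSpec(re.compile("^" + path_re + "$"), ftype, ctx))
    return specs

def match_context(specs: list[FcSpec], path: str, ftype: str = "--") -> Optional[str]:
    """Return the context assigned to `path` of type `ftype` (last matching spec wins),
    or None when no specification applies."""
    result = None
    for spec in specs:
        if spec.ftype is not None and spec.ftype != ftype:
            continue                      # e.g. a '--' entry never labels a symlink
        if spec.regex.match(path):
            result = spec.context
    return result

SPECS = parse_fc(SAMPLE_FC)
```

Note that `/usr/bin/psql` gets no context from these specs, matching the argument above that the SQL wrappers are better left unlabelled.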