2009-05-22 14:33:46

by Daniel Walsh

Subject: [refpolicy] services_postgresql.patch

http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_postgresql.patch

Add _admin interface
Type for init script,

And I believe a couple of transitions to be to proc_t not proc_exec_t

Added a transition on creation of sock_file


2009-05-22 14:51:00

by KaiGai Kohei

Subject: [refpolicy] services_postgresql.patch

Daniel J Walsh wrote:
> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_postgresql.patch
>
> Add _admin interface
> Type for init script,
>
> And I believe a couple of transitions to be to proc_t not proc_exec_t

In the latest refpolicy, sepgsql_proc_t is an alias of sepgsql_proc_exec_t.
Other procedure types also have xxxx_sepgsql_proc_exec_t, so it should
follow the convention.

Thanks,
--
KaiGai Kohei <[email protected]>

2009-05-22 18:17:30

by Daniel Walsh

Subject: [refpolicy] services_postgresql.patch

On 05/22/2009 10:51 AM, KaiGai Kohei wrote:
> Daniel J Walsh wrote:
>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_postgresql.patch
>>
>>
>> Add _admin interface
>> Type for init script,
>>
>> And I believe a couple of transitions to be to proc_t not proc_exec_t
>
> In the latest refpolicy, sepgsql_proc_t is an alias of sepgsql_proc_exec_t.
> Other procedure types also have xxxx_sepgsql_proc_exec_t, so it should
> follow the convention.
>
> Thanks,

ok. Did not make much sense to me, you are creating executables?

2009-05-23 11:44:35

by KaiGai Kohei

Subject: [refpolicy] services_postgresql.patch

Daniel J Walsh wrote:
> On 05/22/2009 10:51 AM, KaiGai Kohei wrote:
>> Daniel J Walsh wrote:
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_postgresql.patch
>>>
>>>
>>>
>>> Add _admin interface
>>> Type for init script,
>>>
>>> And I believe a couple of transitions to be to proc_t not proc_exec_t
>>
>> In the latest refpolicy, sepgsql_proc_t is an alias of
>> sepgsql_proc_exec_t.
>> Other procedure types also have xxxx_sepgsql_proc_exec_t, so it should
>> follow the convention.
>>
>> Thanks,
>
> ok. Did not make much sense to me, you are creating executables?

Yes, db_procedure class objects are executable stuff.

We assume xxxx_proc_exec_t types are assigned to SQL procedures.
SQL procedures are invoked and executed as a part of SQL query,
and some of them (with sepgsql_trusted_proc_exec_t) can cause
domain transition during execution of the procedure.

It is an analogy of executable programs in database.

Thanks,
--
KaiGai Kohei <[email protected]>