2010-08-26 22:31:26

by Daniel Walsh

Subject: [refpolicy] roles_dbadm.patch


http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_dbadm.patch

Add sudo for transition from staff.

I think this should not be a login domain.


2010-08-27 07:31:44

by Kohei KaiGai

Subject: [refpolicy] roles_dbadm.patch

(2010/08/27 7:31), Daniel J Walsh wrote:
>
> http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_dbadm.patch
>
> Add sudo for transition from staff.
>
> I think this should not be a login domain.

| --- a/policy/modules/roles/dbadm.te
| +++ b/policy/modules/roles/dbadm.te
| @@ -21,7 +21,7 @@ gen_tunable(dbadm_read_user_files, false)
|
| role dbadm_r;
|
| -userdom_base_user_template(dbadm)
| +userdom_unpriv_user_template(dbadm)
|
| ########################################
| #
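Review bot: the direction of this hunk contradicts the cover text. The cover note says dbadm should not be a login domain, yet the hunk replaces `-userdom_base_user_template(dbadm)` with `+userdom_unpriv_user_template(dbadm)`, and the reply below points out that the unpriv template pulls in userdom_login_user_template(). The hunk looks reversed; it should either be dropped, or, if the tree being patched currently declares the unpriv template, applied the other way round so that dbadm.te ends up with `userdom_base_user_template(dbadm)`.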

The userdom_unpriv_user_template() contains userdom_login_user_template(),
which allows dbadm_t to perform as a login domain.
It is not what you intend, is it?

In the latest refpolicy, dbadm is declared with userdom_base_user_template().

| @@ -58,3 +58,7 @@ optional_policy(`
| optional_policy(`
| postgresql_admin(dbadm_t, dbadm_r)
| ')
| +
| +optional_policy(`
| + sudo_role_template(dbadm, dbadm_r, dbadm_t)
| +')
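Review bot: the new `sudo_role_template(dbadm, dbadm_r, dbadm_t)` block carries no comment explaining why sudo is wired into the dbadm role; the cover text says it exists to allow the transition from staff, so a one-line comment above the added `optional_policy(` would record that for readers of dbadm.te. Also, the quoted patch stops at the `diff --git a/policy/modules/roles/guest.te` file header with no hunk body after it, so whatever this patch changes in guest.te cannot be reviewed from this message and should be posted in full.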
| diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te
| index 531c616..321e5a7 100644

Also, it was already merged in the latest refpolicy.

BTW, could you add the dbadm.pp into the selinux-policy package?
IIRC, you were concerned about dbadm_t being declared as a login domain.

Thanks,
--
KaiGai Kohei <[email protected]>

2010-08-27 13:24:33

by Daniel Walsh

Subject: [refpolicy] roles_dbadm.patch


On 08/27/2010 03:31 AM, KaiGai Kohei wrote:
> (2010/08/27 7:31), Daniel J Walsh wrote:
>>
>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_dbadm.patch
>>
>> Add sudo for transition from staff.
>>
>> I think this should not be a login domain.
>
> | --- a/policy/modules/roles/dbadm.te
> | +++ b/policy/modules/roles/dbadm.te
> | @@ -21,7 +21,7 @@ gen_tunable(dbadm_read_user_files, false)
> |
> | role dbadm_r;
> |
> | -userdom_base_user_template(dbadm)
> | +userdom_unpriv_user_template(dbadm)
> |
> | ########################################
> | #
>
> The userdom_unpriv_user_template() contains userdom_login_user_template(),
> which allows dbadm_t to perform as a login domain.
> It is not what you intend, is it?
>
No, my mistake. I reversed the patch. It should be

userdom_base_user_template(dbadm)
> In the latest refpolicy, dbadm is declared with userdom_base_user_template().
>
> | @@ -58,3 +58,7 @@ optional_policy(`
> | optional_policy(`
> | postgresql_admin(dbadm_t, dbadm_r)
> | ')
> | +
> | +optional_policy(`
> | + sudo_role_template(dbadm, dbadm_r, dbadm_t)
> | +')
> | diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te
> | index 531c616..321e5a7 100644
>
> Also, it was already merged in the latest refpolicy.
>
Not in the refpolicy I am looking at.
> BTW, could you add the dbadm.pp into the selinux-policy package?
> IIRC, you were concerned about dbadm_t being declared as a login domain.
>
> Thanks,


2010-08-27 13:27:29

by domg472

Subject: [refpolicy] roles_dbadm.patch

On 08/27/2010 03:24 PM, Daniel J Walsh wrote:
> On 08/27/2010 03:31 AM, KaiGai Kohei wrote:
>> (2010/08/27 7:31), Daniel J Walsh wrote:
>>>
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F14/roles_dbadm.patch
>>>
>>> Add sudo for transition from staff.
>>>
>>> I think this should not be a login domain.
>
>> | --- a/policy/modules/roles/dbadm.te
>> | +++ b/policy/modules/roles/dbadm.te
>> | @@ -21,7 +21,7 @@ gen_tunable(dbadm_read_user_files, false)
>> |
>> | role dbadm_r;
>> |
>> | -userdom_base_user_template(dbadm)
>> | +userdom_unpriv_user_template(dbadm)
>> |
>> | ########################################
>> | #
>
>> The userdom_unpriv_user_template() contains userdom_login_user_template(),
>> which allows dbadm_t to perform as a login domain.
>> It is not what you intend, is it?
>
> No, my mistake. I reversed the patch. It should be
>
> userdom_base_user_template(dbadm)
>> In the latest refpolicy, dbadm is declared with userdom_base_user_template().
>
>> | @@ -58,3 +58,7 @@ optional_policy(`
>> | optional_policy(`
>> | postgresql_admin(dbadm_t, dbadm_r)
>> | ')
>> | +
>> | +optional_policy(`
>> | + sudo_role_template(dbadm, dbadm_r, dbadm_t)
>> | +')
>> | diff --git a/policy/modules/roles/guest.te b/policy/modules/roles/guest.te
>> | index 531c616..321e5a7 100644
>
>> Also, it was already merged in the latest refpolicy.
>
> Not in the refpolicy I am looking at.

http://oss.tresys.com/projects/refpolicy/changeset/c62f1bef77c839295b49bdddc7bfd13df780bf4e


>> BTW, could you add the dbadm.pp into the selinux-policy package?
>> IIRC, you were concerned about dbadm_t being declared as a login domain.
>
>> Thanks,
>