2013-11-17 12:52:57

by Mira Ressel

Subject: [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t

Currently, all postgresql commands are labeled as postgresql_exec_t.
This means they can only be executed by db admins. However, the "normal"
commands, such as createdb or psql, should also be executable by users.
(The users in question still need to be granted postgresql_role(), so
this is no security problem.)

I only changed this behavior in the gentoo-specific part of the policy,
however other distros might want to have a look at this.
---
policy/modules/services/postgresql.fc | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index a26f84f..bf28911 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -46,3 +46,21 @@ ifdef(`distro_redhat', `
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)

/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+/etc/init\.d/postgresql-.* -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
+
+/etc/postgresql-.*(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
+
+/usr/lib/postgresql-.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/postgresql-.*/bin/pg_archivecleanup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_basebackup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_controldata -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_resetxlog -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_standby -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_upgrade -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_xlogdump -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0)
+')
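Review bot: the /usr/lib/postgresql-.*/bin(/.*)? line that assigns bin_t does not belong in postgresql.fc; bin_t is corecommands' type and is only assigned in corecommands.fc, whose /usr/lib(.*/)?bin(/.*)? entry already covers these bin directories, so the line can be dropped without changing the outcome for psql, createdb and the other user-facing commands, which fall through to bin_t either way. The ifdef(`distro_gentoo',` wrapper is also worth reconsidering: the /etc/init\.d/postgresql-.*, /etc/postgresql-.*(/.*)? and /usr/lib/postgresql-.*/bin/... patterns describe a slotted install layout rather than anything Gentoo-only, so if other distributions use that layout the entries should be unconditional. One check on the final line: postmaster is matched with -l, so only a symlink receives postgresql_exec_t, and a postmaster that is a regular file would be labeled bin_t instead. If that is intentional because postmaster is always a symlink to postgres on these installs, a short comment saying so would save the next reader the question.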
--
1.8.4.3


2013-11-18 14:09:49

by Daniel Walsh

Subject: [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t


On 11/17/2013 07:52 AM, Luis Ressel wrote:
> Currently, all postgresql commands are labeled as postgresql_exec_t.
> This means they can only be executed by db admins. However, the "normal"
> commands, such as createdb or psql, should also be executable by users.
> (The users in question still need to be granted postgresql_role(), so this
> is no security problem.)
>
> I only changed this behavior in the gentoo-specific part of the policy,
> however other distros might want to have a look at this. ---
> policy/modules/services/postgresql.fc | 18 ++++++++++++++++++ 1 file
> changed, 18 insertions(+)
>
> diff --git a/policy/modules/services/postgresql.fc
> b/policy/modules/services/postgresql.fc index a26f84f..bf28911 100644 ---
> a/policy/modules/services/postgresql.fc +++
> b/policy/modules/services/postgresql.fc @@ -46,3 +46,21 @@
> ifdef(`distro_redhat', ` /var/run/postgresql(/.*)?
> gen_context(system_u:object_r:postgresql_var_run_t,s0)
>
> /var/run/postmaster.*
> gen_context(system_u:object_r:postgresql_var_run_t,s0) +
> +ifdef(`distro_gentoo',` +/etc/init\.d/postgresql-.* --
> gen_context(system_u:object_r:postgresql_initrc_exec_t,s0) +
> +/etc/postgresql-.*(/.*)?
> gen_context(system_u:object_r:postgresql_etc_t,s0) +
> +/usr/lib/postgresql-.*/bin(/.*)?
> gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/postgresql-.*/bin/pg_archivecleanup --
> gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql-.*/bin/pg_basebackup --
> gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql-.*/bin/pg_controldata --
> gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql-.*/bin/pg_ctl --
> gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql-.*/bin/pg_resetxlog --
> gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql-.*/bin/pg_standby --
> gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql-.*/bin/pg_upgrade --
> gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql-.*/bin/pg_xlogdump --
> gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql-.*/bin/postgres --
> gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql-.*/bin/postmaster -l
> gen_context(system_u:object_r:postgresql_exec_t,s0) +')
>
I hate adding ifdef code to fc files; it is usually just clutter. If I have
an init script named /etc/init\.d/postgresql-.*, I would figure all
distributions would want this labeled this way.

If this labeling makes sense for other distributions, then we should remove
the ifdef.

Also, bin_t should never be listed in an fc file other than corecommands.fc.

2013-11-18 16:46:49

by Mira Ressel

Subject: [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t

On Mon, 18 Nov 2013 09:09:49 -0500
Daniel J Walsh <[email protected]> wrote:

> I hate adding ifdef code to fc files; it is usually just clutter. If
> I have an init script named /etc/init\.d/postgresql-.* I
> would figure all distributions would want this labeled this way.
>
> If this labeling makes sense for other distributions, then we should
> remove the ifdef.
>
> Also, bin_t should never be listed in an fc file other than
> corecommands.fc

Sorry, the ifdefs were there in the original gentoo patch, but it makes
sense to me to drop them. But how else should I label these files, if
not bin_t? Yet another separate type like "postgresql_user_exec_t"?


Regards,
Luis Ressel


2013-11-18 20:07:37

by Daniel Walsh

Subject: [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t


On 11/18/2013 11:46 AM, Luis Ressel wrote:
> On Mon, 18 Nov 2013 09:09:49 -0500 Daniel J Walsh <[email protected]>
> wrote:
>
>> I hate adding ifdef code to fc files; it is usually just clutter. If I
>> have an init script named /etc/init\.d/postgresql-.* I would figure all
>> distributions would want this labeled this way.
>>
>> If this labeling makes sense for other distributions, then we should
>> remove the ifdef.
>>
>> Also, bin_t should never be listed in an fc file other than
>> corecommands.fc
>
> Sorry, the ifdefs were there in the original gentoo patch, but it makes
> sense to me to drop them. But how else should I label these files, if not
> bin_t? Yet another separate type like "postgresql_user_exec_t"?
>
>
> Regards, Luis Ressel
>
I believe by default they should be bin_t unless they match some other regex.

2013-11-18 20:15:52

by Mira Ressel

Subject: [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t

On Mon, 18 Nov 2013 15:07:37 -0500
Daniel J Walsh <[email protected]> wrote:

> I believe by default they should be bin_t unless they match some other
> regex.

I thought it would be lib_t. But you're right, there's
"/usr/lib(.*/)?bin(/.*)?" --> bin_t, so my rule can indeed be dropped.
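The outcome the thread settles on (drop the ifdef, drop the bin_t line, let psql and friends fall through to corecommands' /usr/lib(.*/)?bin(/.*)? rule) can be checked without loading a policy. The Python below is an added example, not code from the thread or from refpolicy: it parses a constructed rule set made of the thread's own lines, orders them the way fc_sort does (an approximation: regex entries before literal ones, then by stem length, then by pattern length) and resolves paths matchpathcon-style, most specific entry first, honouring the -- and -l file-type flags. The /usr/lib(/.*)? lib_t rule stands in for refpolicy's libraries.fc entry, the 9.3 slot paths are made up, and Python's re.fullmatch stands in for the anchored POSIX regexes libselinux uses; treat all three as assumptions.

```python
"""Resolve which SELinux type a path gets from a set of file_contexts rules,
mirroring how setfiles/matchpathcon pick among overlapping entries."""
import re

# Characters libselinux treats as regex metacharacters when it works out a
# spec's "stem" (the leading literal directory prefix).
STEM_META = set(".^$?*+|[({")

# Constructed rule set, not a real file_contexts file: the lib_t rule as in
# refpolicy's libraries.fc (assumption), the bin_t rule quoted in the thread
# from corecommands.fc, and the patch's lines with the distro_gentoo ifdef
# and the redundant bin_t line removed, as the review suggested.
FC_LINES = r"""
/usr/lib(/.*)?                              gen_context(system_u:object_r:lib_t,s0)
/usr/lib(.*/)?bin(/.*)?                     gen_context(system_u:object_r:bin_t,s0)
/etc/init\.d/postgresql-.*               -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
/etc/postgresql-.*(/.*)?                    gen_context(system_u:object_r:postgresql_etc_t,s0)
/usr/lib/postgresql-.*/bin/pg_ctl        -- gen_context(system_u:object_r:postgresql_exec_t,s0)
/usr/lib/postgresql-.*/bin/pg_resetxlog  -- gen_context(system_u:object_r:postgresql_exec_t,s0)
/usr/lib/postgresql-.*/bin/postgres      -- gen_context(system_u:object_r:postgresql_exec_t,s0)
/usr/lib/postgresql-.*/bin/postmaster    -l gen_context(system_u:object_r:postgresql_exec_t,s0)
"""

# <regex> [<file-type flag>] gen_context(<context>,<mls range>)
LINE_RE = re.compile(r"^(\S+)\s+(?:(-[-bcdlps])\s+)?gen_context\(([^,]+),")

# How this example describes an inode, mapped to the fc file-type flag.
FTYPE_FLAG = {"file": "--", "link": "-l", "dir": "-d"}


def stem_len(regex):
    """Length of the leading directory components that contain no
    metacharacters; the final component never counts, as in libselinux."""
    n = 0
    for part in regex.split("/")[1:-1]:
        if any(c in STEM_META for c in part):
            break
        n += 1 + len(part)
    return n


def parse_fc(text):
    """Turn fc lines into rule dicts; m4 has already been stripped here."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable fc line: " + line)
        regex, flag, ctx = m.groups()
        rules.append({
            "regex": regex,
            "flag": flag,                  # None: matches any file type
            "type": ctx.split(":")[2],     # e.g. bin_t
            "compiled": re.compile(regex),
            "meta": any(c in STEM_META for c in regex),
        })
    return rules


def sort_rules(rules):
    """Approximate fc_sort: regex entries before literal ones, shorter stem
    before longer, shorter pattern before longer, so the most specific entry
    ends up last, which is what the matcher relies on."""
    return sorted(rules, key=lambda r: (0 if r["meta"] else 1,
                                        stem_len(r["regex"]),
                                        len(r["regex"])))


def label(rules, path, ftype="file"):
    """Type for `path`, matchpathcon-style: walk from the most specific entry
    down, skip entries whose file-type flag does not fit the inode, and take
    the first entry whose regex matches the whole path."""
    flag = FTYPE_FLAG[ftype]
    for rule in reversed(rules):
        if rule["flag"] not in (None, flag):
            continue
        if rule["compiled"].fullmatch(path):
            return rule["type"]
    return None


RULES = sort_rules(parse_fc(FC_LINES))

if __name__ == "__main__":
    for path, ftype in [
        ("/usr/lib/postgresql-9.3/bin/psql", "file"),        # bin_t, via corecommands
        ("/usr/lib/postgresql-9.3/bin/pg_ctl", "file"),      # postgresql_exec_t
        ("/usr/lib/postgresql-9.3/bin/postmaster", "link"),  # postgresql_exec_t
        ("/usr/lib/postgresql-9.3/bin/postmaster", "file"),  # bin_t: -l covers symlinks only
        ("/usr/lib/postgresql-9.3/lib/libpq.so.5", "file"),  # lib_t
    ]:
        print(f"{path} ({ftype}) -> {label(RULES, path, ftype)}")
```

The psql result is the point Mira arrives at: with no postgresql-specific entry for it, the corecommands rule wins over /usr/lib(/.*)? because both share the /usr stem and the bin pattern is longer, so psql is bin_t, not lib_t. The two postmaster cases show what the -l flag actually buys: the same path is postgresql_exec_t as a symlink and bin_t as a regular file.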