I reworked the patch for the Postgresql command contexts which I already
proposed here in november. The main changes are in the second patch.
Regards,
Luis Ressel
---
policy/modules/services/postgresql.fc | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index a26f84f..9b693c4 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -1,8 +1,11 @@
#
# /etc
#
-/etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
+/etc/postgresql(-.*)?(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
+
+/etc/init\.d/postgresql(-.*)? -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
/etc/rc\.d/init\.d/(se)?postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
+
/etc/sysconfig/pgsql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
#
--
1.8.5.3
Currently, all postgresql commands in are labeled as postgresql_exec_t.
This means they can only be executed by db admins. However, the "normal"
commands, such as createdb or psql, should also be executable by users.
(The users in question still need to be granted postgresql_role(), so
this is no security problem.)
---
policy/modules/services/postgresql.fc | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index 9b693c4..1996f74 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -16,7 +16,17 @@
/usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+
+/usr/lib/postgresql(-.*)?/bin/pg_archivecleanup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_basebackup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_controldata -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_resetxlog -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_standby -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_upgrade -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_xlogdum -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0)
ifdef(`distro_debian', `
/usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
--
1.8.5.3
I'm sure this is the right thing to do; however, the Debian developers
might want to have a say in this, so I made it a separate patch.
---
policy/modules/services/postgresql.fc | 24 ++++++++++--------------
1 file changed, 10 insertions(+), 14 deletions(-)
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index 1996f74..b52c25c 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -17,20 +17,16 @@
/usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_archivecleanup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_basebackup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_controldata -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_resetxlog -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_standby -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_upgrade -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_xlogdum -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0)
-
-ifdef(`distro_debian', `
-/usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-')
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_archivecleanup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_basebackup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_controldata -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_resetxlog -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_standby -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_upgrade -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_xlogdum -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0)
ifdef(`distro_redhat', `
/usr/share/jonas/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
--
1.8.5.3
The second and third patch include a small typo which I somehow missed:
It should be "pg_xlogdump", not "pg_xlogdum". Please fix this when
applying the patches.
--
Luis Ressel <[email protected]>
GPG fpr: F08D 2AF6 655E 25DE 52BC E53D 08F5 7F90 3029 B5BD
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 966 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20140125/def64511/attachment.bin
On 1/25/2014 12:24 PM, Luis Ressel wrote:
> ---
> policy/modules/services/postgresql.fc | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
> index a26f84f..9b693c4 100644
> --- a/policy/modules/services/postgresql.fc
> +++ b/policy/modules/services/postgresql.fc
> @@ -1,8 +1,11 @@
> #
> # /etc
> #
> -/etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
> +/etc/postgresql(-.*)?(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
Is this intended to handle something like /etc/postgresql-3.9.2/*?
> +/etc/init\.d/postgresql(-.*)? -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
> /etc/rc\.d/init\.d/(se)?postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
We should remove the rc\.d from the existing line instead. The file context substitutions will take care of instances where someone has init scripts in /etc/rc.d/init.d.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 1/25/2014 12:24 PM, Luis Ressel wrote:
> Currently, all postgresql commands in are labeled as postgresql_exec_t.
> This means they can only be executed by db admins. However, the "normal"
> commands, such as createdb or psql, should also be executable by users.
> (The users in question still need to be granted postgresql_role(), so
> this is no security problem.)
KaiGai, any comment on this? I'm hoping for additional comment on this before moving forward.
> ---
> policy/modules/services/postgresql.fc | 12 +++++++++++-
> 1 file changed, 11 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
> index 9b693c4..1996f74 100644
> --- a/policy/modules/services/postgresql.fc
> +++ b/policy/modules/services/postgresql.fc
> @@ -16,7 +16,17 @@
>
> /usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
> /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
> -/usr/lib/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
> +
> +/usr/lib/postgresql(-.*)?/bin/pg_archivecleanup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql(-.*)?/bin/pg_basebackup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql(-.*)?/bin/pg_controldata -- gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql(-.*)?/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql(-.*)?/bin/pg_resetxlog -- gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql(-.*)?/bin/pg_standby -- gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql(-.*)?/bin/pg_upgrade -- gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql(-.*)?/bin/pg_xlogdum -- gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql(-.*)?/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql(-.*)?/bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0)
>
> ifdef(`distro_debian', `
> /usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 2/8/2014 10:07 AM, Christopher J. PeBenito wrote:
> On 1/25/2014 12:24 PM, Luis Ressel wrote:
>> +/etc/init\.d/postgresql(-.*)? -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
>> /etc/rc\.d/init\.d/(se)?postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
>
> We should remove the rc\.d from the existing line instead. The file context substitutions will take care of instances where someone has init scripts in /etc/rc.d/init.d.
I read the path substitution backwards. The existing line should be appended to handle the extra file naming. The rc\.d should not be removed.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Sat, 8 Feb 2014 10:07:13 -0500
"Christopher J. PeBenito" <[email protected]> wrote:
> Is this intended to handle something like /etc/postgresql-3.9.2/*?
Yes, exactly. This scheme is used on gentoo to allow for parallel
install of multiple postgresql versions.
--
Luis Ressel <[email protected]>
GPG fpr: F08D 2AF6 655E 25DE 52BC E53D 08F5 7F90 3029 B5BD
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 966 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20140208/e8197c17/attachment.bin
Gentoo appends version numbers to the names of the init script and the
config directory.
---
policy/modules/services/postgresql.fc | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index a26f84f..3794099 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -1,8 +1,10 @@
#
# /etc
#
-/etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
-/etc/rc\.d/init\.d/(se)?postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
+/etc/postgresql(-.*)?(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
+
+/etc/rc\.d/init\.d/(se)?postgresql(-.*)? -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
+
/etc/sysconfig/pgsql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
#
--
1.8.5.4
On 02/08/2014 12:31 PM, Luis Ressel wrote:
> Gentoo appends version numbers to the names of the init script and the
> config directory.
> ---
> policy/modules/services/postgresql.fc | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
> index a26f84f..3794099 100644
> --- a/policy/modules/services/postgresql.fc
> +++ b/policy/modules/services/postgresql.fc
> @@ -1,8 +1,10 @@
> #
> # /etc
> #
> -/etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
> -/etc/rc\.d/init\.d/(se)?postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
> +/etc/postgresql(-.*)?(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
> +
> +/etc/rc\.d/init\.d/(se)?postgresql(-.*)? -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
> +
> /etc/sysconfig/pgsql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
>
> #
>
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com