From: kaigai@kaigai.gr.jp (KaiGai Kohei)
Date: Sat, 23 May 2009 20:44:35 +0900
Subject: [refpolicy] services_postgresql.patch
In-Reply-To: <4A16EC3A.70208@redhat.com>
References: <4A16B7CA.7090208@redhat.com> <4A16BBD4.3000000@kaigai.gr.jp> <4A16EC3A.70208@redhat.com>
Message-ID: <4A17E1A3.4010501@kaigai.gr.jp>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Daniel J Walsh wrote:
> On 05/22/2009 10:51 AM, KaiGai Kohei wrote:
>> Daniel J Walsh wrote:
>>> http://people.fedoraproject.org/~dwalsh/SELinux/F11/services_postgresql.patch
>>>
>>> Add _admin interface
>>> Type for init script,
>>>
>>> And I believe a couple of transitions to be to proc_t not proc_exec_t
>>
>> In the latest refpolicy, sepgsql_proc_t is an alias of
>> sepgsql_proc_exec_t.
>> Other procedure types also have xxxx_sepgsql_proc_exec_t, so it should
>> follow the convention.
>>
>> Thanks,
>
> ok. Did not make much sense to me, you are creating executables?

Yes, db_procedure class objects are executable stuff.

We assume xxxx_proc_exec_t types are assigned to SQL procedures.
SQL procedures are invoked and executed as a part of SQL query, and
some of them (with sepgsql_trusted_proc_exec_t) can cause domain
transition during execution of the procedure.

It is an analogy of executable programs in database.

Thanks,
--
KaiGai Kohei