From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 18 Nov 2013 09:09:49 -0500
Subject: [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t
In-Reply-To: <1384692777-9505-1-git-send-email-aranea@aixah.de>
References: <1384692777-9505-1-git-send-email-aranea@aixah.de>
Message-ID: <528A1FAD.4000809@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/17/2013 07:52 AM, Luis Ressel wrote:
> Currently, all postgresql commands in are labeled as postgresql_exec_t.
> This means they can only be executed by db admins. However, the "normal"
> commands, such as createdb or psql, should also be executable by users.
> (The users in question still need to be granted postgresql_role(), so this
> is no security problem.)
>
> I only changed this behavior in the gentoo-specific part of the policy,
> however other distros might want to have a look at this.
--- > policy/modules/services/postgresql.fc | 18 ++++++++++++++++++ 1 file > changed, 18 insertions(+) > > diff --git a/policy/modules/services/postgresql.fc > b/policy/modules/services/postgresql.fc index a26f84f..bf28911 100644 --- > a/policy/modules/services/postgresql.fc +++ > b/policy/modules/services/postgresql.fc 
@@ -46,3 +46,21 @@ > ifdef(`distro_redhat', ` /var/run/postgresql(/.*)? > gen_context(system_u:object_r:postgresql_var_run_t,s0) > > /var/run/postmaster.* > gen_context(system_u:object_r:postgresql_var_run_t,s0) + > +ifdef(`distro_gentoo',` +/etc/init\.d/postgresql-.* -- > gen_context(system_u:object_r:postgresql_initrc_exec_t,s0) + > +/etc/postgresql-.*(/.*)? > gen_context(system_u:object_r:postgresql_etc_t,s0) + > +/usr/lib/postgresql-.*/bin(/.*)? > gen_context(system_u:object_r:bin_t,s0) > +/usr/lib/postgresql-.*/bin/pg_archivecleanup -- > gen_context(system_u:object_r:postgresql_exec_t,s0) > +/usr/lib/postgresql-.*/bin/pg_basebackup -- > gen_context(system_u:object_r:postgresql_exec_t,s0) > +/usr/lib/postgresql-.*/bin/pg_controldata -- > gen_context(system_u:object_r:postgresql_exec_t,s0) > +/usr/lib/postgresql-.*/bin/pg_ctl -- > gen_context(system_u:object_r:postgresql_exec_t,s0) > +/usr/lib/postgresql-.*/bin/pg_resetxlog -- > gen_context(system_u:object_r:postgresql_exec_t,s0) > +/usr/lib/postgresql-.*/bin/pg_standby -- > gen_context(system_u:object_r:postgresql_exec_t,s0) > +/usr/lib/postgresql-.*/bin/pg_upgrade -- > gen_context(system_u:object_r:postgresql_exec_t,s0) > +/usr/lib/postgresql-.*/bin/pg_xlogdump -- > gen_context(system_u:object_r:postgresql_exec_t,s0) > +/usr/lib/postgresql-.*/bin/postgres -- > gen_context(system_u:object_r:postgresql_exec_t,s0) > +/usr/lib/postgresql-.*/bin/postmaster -l > gen_context(system_u:object_r:postgresql_exec_t,s0) +') >

I hate adding ifdef code to fc files, it is usually just clutter. If I have an init script named /etc/init\.d/postgresql-.* I would figure all distributions would want this labeled this way. If this labeling makes sense for other distributions, then we should remove the ifdef.

Also bin_t should never be listed in an fc file other than corecommands.fc.
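
Review bot: The catch-all entry /usr/lib/postgresql-.*/bin(/.*)? defaults everything in that directory to bin_t, and only the ten binaries enumerated after it receive postgresql_exec_t, so any administrative binary that is missing from the list ends up with the user-executable label without anyone noticing. The list therefore has to be kept in step with what each PostgreSQL version installs; a comment above the block saying so would help, or the default could stay postgresql_exec_t with the client commands handled explicitly, so that an unlisted binary fails closed. The postmaster entry is the only one that uses -l instead of --; if that is intentional because the file is a symlink, a short comment would show it is not a typo. The /etc/init\.d/postgresql-.* and /etc/postgresql-.*(/.*)? entries are not covered by the commit message, which only talks about the commands, and would be easier to review as a separate change.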