From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Sat, 8 Feb 2014 10:11:47 -0500
Subject: [refpolicy] [PATCH 2/3] Only label administrative postgres
 commands as postgresql_exec_t
In-Reply-To: <1390670684-21197-3-git-send-email-aranea@aixah.de>
References: <1390670684-21197-1-git-send-email-aranea@aixah.de>
	<1390670684-21197-3-git-send-email-aranea@aixah.de>
Message-ID: <52F64933.7040304@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 1/25/2014 12:24 PM, Luis Ressel wrote:
> Currently, all postgresql commands in are labeled as postgresql_exec_t.
> This means they can only be executed by db admins. However, the "normal"
> commands, such as createdb or psql, should also be executable by users.
> (The users in question still need to be granted postgresql_role(), so
> this is no security problem.)

KaiGai, any comment on this?  I'm hoping for additional comment on this before moving forward.


> ---
>  policy/modules/services/postgresql.fc | 12 +++++++++++-
>  1 file changed, 11 insertions(+), 1 deletion(-)
> 
> diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
> index 9b693c4..1996f74 100644
> --- a/policy/modules/services/postgresql.fc
> +++ b/policy/modules/services/postgresql.fc
> @@ -16,7 +16,17 @@
>  
>  /usr/lib/pgsql/test/regress(/.*)?	gen_context(system_u:object_r:postgresql_db_t,s0)
>  /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
> -/usr/lib/postgresql/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
> +
> +/usr/lib/postgresql(-.*)?/bin/pg_archivecleanup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql(-.*)?/bin/pg_basebackup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql(-.*)?/bin/pg_controldata	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql(-.*)?/bin/pg_ctl		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql(-.*)?/bin/pg_resetxlog	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql(-.*)?/bin/pg_standby	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql(-.*)?/bin/pg_upgrade	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql(-.*)?/bin/pg_xlogdum	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql(-.*)?/bin/postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
> +/usr/lib/postgresql(-.*)?/bin/postmaster	-l	gen_context(system_u:object_r:postgresql_exec_t,s0)
>  
>  ifdef(`distro_debian', `
>  /usr/lib/postgresql/.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com