From: mike.palmiotto@crunchydata.com (Mike Palmiotto)
Date: Sun, 21 Jan 2018 14:52:50 -0500
Subject: [refpolicy] [PATCH] postgres: Add neccessary map permissions
In-Reply-To: <20180121165603.1665-1-aranea@aixah.de>
References: <20180121165603.1665-1-aranea@aixah.de>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, Jan 21, 2018 at 11:56 AM, Luis Ressel via refpolicy wrote:
> I'm also removing pg's permission to open hugetlbfs_t files, since it
> doesn't make any sense.

Is this because hugetlbfs_t files are accessed via mmap or read? Doesn't read require an open file descriptor?

virtd_t and mysqld_t are also calling the `fs_rw_hugetlbfs_files` interface. If this is meant to address an issue fundamental to hugetlbfs and not something postgres-specific, perhaps the commit should fix the interface itself and/or virtd_t and mysqld_t as well.

> --- > policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++ > policy/modules/services/postgresql.te | 3 ++- > 2 files changed, 20 insertions(+), 1 deletion(-) > > diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if > index 41f19619..e2a58d8e 100644 > --- a/policy/modules/kernel/filesystem.if > +++ b/policy/modules/kernel/filesystem.if > @@ -2322,6 +2322,24 @@ interface(`fs_rw_inherited_hugetlbfs_files',` > allow $1 hugetlbfs_t:file rw_inherited_file_perms; > ') > > +######################################## > +## > +## Read and write inherited hugetlbfs files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`fs_mmap_rw_inherited_hugetlbfs_files',` > + gen_require(` > + type hugetlbfs_t; > + ') > + > + allow $1 hugetlbfs_t:file mmap_rw_inherited_file_perms; > +') > + > ######################################## > ## > ## Read and write hugetlbfs files. > diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te > index f118d9d0..97a9d153 100644 > --- a/policy/modules/services/postgresql.te
> +++ b/policy/modules/services/postgresql.te > @@ -297,6 +297,7 @@ manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) > manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) > files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file }) > fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file }) > +allow postgresql_t postgresql_tmp_t:file map; > > manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) > manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) > @@ -330,7 +331,7 @@ dev_read_urand(postgresql_t) > > fs_getattr_all_fs(postgresql_t) > fs_search_auto_mountpoints(postgresql_t) > -fs_rw_hugetlbfs_files(postgresql_t) > +fs_mmap_rw_inherited_hugetlbfs_files(postgresql_t) > > selinux_get_enforce_mode(postgresql_t) > selinux_validate_context(postgresql_t) > -- > 2.15.1
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
Mike Palmiotto
Software Engineer
Crunchy Data Solutions
https://crunchydata.com
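Review bot: in the filesystem.if hunk, the summary line of the new interface, `## Read and write inherited hugetlbfs files.`, is copied verbatim from fs_rw_inherited_hugetlbfs_files just above it and does not mention the map permission that is the whole point of fs_mmap_rw_inherited_hugetlbfs_files; change it to something like `## Read, write and mmap inherited hugetlbfs files.` so the generated interface documentation tells the two apart. It is also worth confirming that mmap_rw_inherited_file_perms is defined in obj_perm_sets.spt of the tree this targets, since this interface is the only place in the patch that names it.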
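Review bot: in the first postgresql.te hunk, the bare `allow postgresql_t postgresql_tmp_t:file map;` carries no comment saying which files postgres needs to map; a one-line comment (presumably the tmpfs-backed shared memory segments that the fs_tmpfs_filetrans() rule directly above labels postgresql_tmp_t) would save the next reader from wondering whether a broader mmap_* pattern on postgresql_tmp_t was meant instead.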
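Review bot: in the second postgresql.te hunk, replacing fs_rw_hugetlbfs_files(postgresql_t) with fs_mmap_rw_inherited_hugetlbfs_files(postgresql_t) silently drops open on hugetlbfs_t files, and the quoted commit message only says that open "doesn't make any sense". If the reason is that postgres obtains its huge pages through mmap(MAP_HUGETLB), where the kernel creates the hugetlbfs backing file itself and the domain never open()s one, say so in the commit message: it answers the question raised above and makes it clear whether virtd_t and mysqld_t, which still call fs_rw_hugetlbfs_files, should get the same treatment.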