From: pebenito@ieee.org (Chris PeBenito) Date: Mon, 22 Jan 2018 17:10:58 -0500 Subject: [refpolicy] [PATCH] postgres: Add neccessary map permissions In-Reply-To: References: <20180121165603.1665-1-aranea@aixah.de> Message-ID: <732fca65-0736-88e6-2927-48cd95fa4248@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 01/21/2018 02:52 PM, Mike Palmiotto via refpolicy wrote: > On Sun, Jan 21, 2018 at 11:56 AM, Luis Ressel via refpolicy > wrote: >> I'm also removing pg's permission to open hugetlbfs_t files, since it >> doesn't make any sense. > > Is this because hugetlbfs_t files are accessed via mmap or read? > Doesn't read require an open file descriptor? > > virtd_t and mysqld_t are also calling the `fs_rw_hugetlbfs_files` > interface. If this is meant to address an issue fundamental to > hugetlbfs and not something postgres-specific, perhaps the commit > should fix the interface itself and/or virtd_t and mysqld_t as well. This seems like a possibility, but I'd like more info. >> --- >> policy/modules/kernel/filesystem.if | 18 ++++++++++++++++++ >> policy/modules/services/postgresql.te | 3 ++- >> 2 files changed, 20 insertions(+), 1 deletion(-) >> >> diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if >> index 41f19619..e2a58d8e 100644 >> --- a/policy/modules/kernel/filesystem.if >> +++ b/policy/modules/kernel/filesystem.if >> @@ -2322,6 +2322,24 @@ interface(`fs_rw_inherited_hugetlbfs_files',` >> allow $1 hugetlbfs_t:file rw_inherited_file_perms; >> ') >> >> +######################################## >> +## >> +## Read and write inherited hugetlbfs files. >> +## >> +## >> +## >> +## Domain allowed access. >> +## >> +## >> +# >> +interface(`fs_mmap_rw_inherited_hugetlbfs_files',` >> + gen_require(` >> + type hugetlbfs_t; >> + ') >> + >> + allow $1 hugetlbfs_t:file mmap_rw_inherited_file_perms; >> +') >> + >> ######################################## >> ## >> ## Read and write hugetlbfs files. >> diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te >> index f118d9d0..97a9d153 100644 >> --- a/policy/modules/services/postgresql.te >> +++ b/policy/modules/services/postgresql.te >> @@ -297,6 +297,7 @@ manage_fifo_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) >> manage_sock_files_pattern(postgresql_t, postgresql_tmp_t, postgresql_tmp_t) >> files_tmp_filetrans(postgresql_t, postgresql_tmp_t, { dir file sock_file }) >> fs_tmpfs_filetrans(postgresql_t, postgresql_tmp_t, { dir file lnk_file sock_file fifo_file }) >> +allow postgresql_t postgresql_tmp_t:file map; >> >> manage_dirs_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) >> manage_files_pattern(postgresql_t, postgresql_var_run_t, postgresql_var_run_t) >> @@ -330,7 +331,7 @@ dev_read_urand(postgresql_t) >> >> fs_getattr_all_fs(postgresql_t) >> fs_search_auto_mountpoints(postgresql_t) >> -fs_rw_hugetlbfs_files(postgresql_t) >> +fs_mmap_rw_inherited_hugetlbfs_files(postgresql_t) >> >> selinux_get_enforce_mode(postgresql_t) >> selinux_validate_context(postgresql_t) -- Chris PeBenito