From: aranea@aixah.de (Luis Ressel)
Date: Tue, 23 Jan 2018 03:23:49 +0100
Subject: [refpolicy] [PATCH] postgres: Add neccessary map permissions
In-Reply-To: <CAMN686FHEWc0z2ZeFnJKgssx2zA5GkEWukis+r_fd0zKLCicxA@mail.gmail.com>
References: <20180121165603.1665-1-aranea@aixah.de>
	<CAMN686FHEWc0z2ZeFnJKgssx2zA5GkEWukis+r_fd0zKLCicxA@mail.gmail.com>
Message-ID: <20180123032349.6f94cac9@vega.skynet.aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 21 Jan 2018 14:52:50 -0500
Mike Palmiotto via refpolicy <refpolicy@oss.tresys.com> wrote:

> On Sun, Jan 21, 2018 at 11:56 AM, Luis Ressel via refpolicy
> <refpolicy@oss.tresys.com> wrote:
> > I'm also removing pg's permission to open hugetlbfs_t files, since
> > it doesn't make any sense.  
> 
> Is this because hugetlbfs_t files are accessed via mmap or read?
> Doesn't read require an open file descriptor?
> 
> virtd_t and mysqld_t are also calling the `fs_rw_hugetlbfs_files`
> interface. If this is meant to address an issue fundamental to
> hugetlbfs and not something postgres-specific, perhaps the commit
> should fix the interface itself and/or virtd_t and mysqld_t as well.

postgres uses huge pages by calling mmap() with fd=-1 and
flags=MAP_ANONYMOUS|MAP_HUGETLB, which doesn't require the open
permission.

I don't use virtd or mysql, so I haven't checked them; I couldn't
verify the potential policy changes anyway. If someone else could take
care of this, I'd be very grateful.

Cheers,
Luis