From: aranea@aixah.de (Luis Ressel)
Date: Tue, 23 Jan 2018 03:23:49 +0100
Subject: [refpolicy] [PATCH] postgres: Add necessary map permissions
In-Reply-To:
References: <20180121165603.1665-1-aranea@aixah.de>
Message-ID: <20180123032349.6f94cac9@vega.skynet.aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, 21 Jan 2018 14:52:50 -0500
Mike Palmiotto via refpolicy wrote:

> On Sun, Jan 21, 2018 at 11:56 AM, Luis Ressel via refpolicy
> wrote:
> > I'm also removing pg's permission to open hugetlbfs_t files, since
> > it doesn't make any sense.
>
> Is this because hugetlbfs_t files are accessed via mmap or read?
> Doesn't read require an open file descriptor?
>
> virtd_t and mysqld_t are also calling the `fs_rw_hugetlbfs_files`
> interface. If this is meant to address an issue fundamental to
> hugetlbfs and not something postgres-specific, perhaps the commit
> should fix the interface itself and/or virtd_t and mysqld_t as well.

postgres uses huge pages by calling mmap() with fd=-1 and
flags=MAP_ANONYMOUS|MAP_HUGETLB, which doesn't require the open
permission.

I don't use virtd or mysql, so I haven't checked them; I couldn't
verify the potential policy changes anyway. If someone else could take
care of this, I'd be very grateful.

Cheers,
Luis
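
The mmap() call described in the message above, as an added example that is not part of the original message and is not PostgreSQL's code. The function name, the MAP_SHARED flag, the 2 MiB length and the fallback to normal pages are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

enum map_kind { KIND_NONE, KIND_NORMAL, KIND_HUGE };

/* Map len bytes of anonymous memory, preferring huge pages.
 * fd is -1 and no path is ever opened, as in the message above.
 * MAP_SHARED is an assumption: mmap() needs MAP_SHARED or MAP_PRIVATE,
 * and the message does not say which one postgres passes. */
static void *map_anon_prefer_huge(size_t len, enum map_kind *kind)
{
    const int flags = MAP_SHARED | MAP_ANONYMOUS;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   flags | MAP_HUGETLB, -1, 0);
    if (p != MAP_FAILED) {
        *kind = KIND_HUGE;
        return p;
    }
    /* ENOMEM usually means the huge page pool is empty; an SELinux
     * denial of the mapping would show up here as EACCES. */
    fprintf(stderr, "MAP_HUGETLB: %s, retrying with normal pages\n",
            strerror(errno));
    p = mmap(NULL, len, PROT_READ | PROT_WRITE, flags, -1, 0);
    if (p != MAP_FAILED) {
        *kind = KIND_NORMAL;
        return p;
    }
    *kind = KIND_NONE;
    return NULL;
}

int main(void)
{
    const size_t len = 2UL << 20; /* 2 MiB: assumed huge page size */
    enum map_kind kind;
    char *p = map_anon_prefer_huge(len, &kind);
    if (p == NULL) {
        perror("mmap");
        return 1;
    }
    p[0] = 1; /* touch the mapping so the first page is faulted in */
    printf("mapped %zu bytes with %s pages, no open() involved\n",
           len, kind == KIND_HUGE ? "huge" : "normal");
    return munmap(p, len) == 0 ? 0 : 1;
}
```

Running it under strace shows a single mmap with fd -1 for the huge page attempt and no open or openat on a hugetlbfs path.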