
KaiGai Kohei 08-13-2008 08:33 AM

legacy typenames of se-postgresql still remain
 
I got the following access denied logs when I try to connect
SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix
domain socket (/tmp/.s.PGSQL.5432).

type=AVC msg=audit(1218613044.484:10388): avc: denied { write }
for pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6 ino=1079246
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:postgresql_tmp_t:s0
tclass=sock_file
type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto }
for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432"
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=unconfined_u:system_r:postgresql_t:s0
tclass=unix_stream_socket

However, both permissions are allowed via postgresql_stream_connect()
independent from any booleans, if required types are provided by
postgresql.te.

postgresql_stream_connect() and postgresql_unpriv_client() are put
within same optional_policy section at apache.te.
postgresql_unpriv_client() requires trusted procedure related types,
but postgresql.te declares them in legacy names.

old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t
old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t

Could you apply the attached patch?
It fixes them as upstream does.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
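The two AVC records quoted in the post above, parsed into the `allow` rules they literally ask for, as an added example that is not part of the thread; the sample input is the post's two records re-typed one per line, and the field and permission grammar assumed is the standard audit AVC format:

```python
import re
from collections import OrderedDict

# Constructed sample: the two AVC records from the post, one record per line
# (the mail client had wrapped them across several lines).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1218613044.484:10388): avc: denied { write } for pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6 ino=1079246 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto } for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
"""

# "avc: denied { perm perm ... } for key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # A context is user:role:type[:range]; the third field is the SELinux type.
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, object class) -> permissions."""
    rules = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec['stype'], rec['ttype'], rec['tclass'])
        rules.setdefault(key, set()).update(rec['perms'])
    return rules


def to_te_rules(rules):
    """Render the grouped denials as TE allow rules (the form audit2allow prints)."""
    out = []
    for (src, tgt, cls), perms in rules.items():
        p = sorted(perms)
        perm_txt = p[0] if len(p) == 1 else '{ ' + ' '.join(p) + ' }'
        out.append(f'allow {src} {tgt}:{cls} {perm_txt};')
    return out


if __name__ == '__main__':
    for rule in to_te_rules(summarize(SAMPLE_AUDIT_LOG)):
        print(rule)
```

The rendered rules are a diagnostic, not the fix: as the post says, postgresql_stream_connect() already grants exactly these two accesses, so the right remedy is the type-name correction in postgresql.te rather than a local module carrying raw allow rules.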

KaiGai Kohei 08-13-2008 09:25 AM

legacy typenames of se-postgresql still remain
 
Sorry, the previous patch was an incomplete one.

We allow sepgsql_client_type and sepgsql_unconfined_type to invoke
sepgsql_trusted_proc_t, but it should be sepgsql_trusted_proc_exec_t,
because sepgsql_trusted_proc_t is a domain.

This matter also exists at upstreamed policy now.
The attached "refpolicy-sepgsql-trusted-proc-fixes.patch" can be applied
to upstreamed reference policy.

Thanks,

KaiGai Kohei wrote:
> I got the following access denied logs when I try to connect
> SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix
> domain socket (/tmp/.s.PGSQL.5432).
>
> type=AVC msg=audit(1218613044.484:10388): avc: denied { write }
> for pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6 ino=1079246
> scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:postgresql_tmp_t:s0
> tclass=sock_file
> type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto }
> for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432"
> scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=unconfined_u:system_r:postgresql_t:s0
> tclass=unix_stream_socket
>
> However, both permissions are allowed via postgresql_stream_connect()
> independent from any booleans, if required types are provided by
> postgresql.te.
>
> postgresql_stream_connect() and postgresql_unpriv_client() are put
> within same optional_policy section at apache.te.
> postgresql_unpriv_client() requires trusted procedure related types,
> but postgresql.te declares them in legacy names.
>
> old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t
> old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t
>
> Could you apply the attached patch?
> It fixes them as upstream does.
>
> Thanks,
>


--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

Daniel J Walsh 08-13-2008 04:35 PM

legacy typenames of se-postgresql still remain
 
KaiGai Kohei wrote:
> Sorry, the previous patch was an incomplete one.
>
> We allow sepgsql_client_type and sepgsql_unconfined_type to invoke
> sepgsql_trusted_proc_t, but it should be sepgsql_trusted_proc_exec_t,
> because sepgsql_trusted_proc_t is a domain.
>
> This matter also exists at upstreamed policy now.
> The attached "refpolicy-sepgsql-trusted-proc-fixes.patch" can be applied
> to upstreamed reference policy.
>
> Thanks,
>
> KaiGai Kohei wrote:
>> I got the following access denied logs when I try to connect
>> SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix
>> domain socket (/tmp/.s.PGSQL.5432).
>>
>> type=AVC msg=audit(1218613044.484:10388): avc: denied { write }
>> for pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6 ino=1079246
>> scontext=unconfined_u:system_r:httpd_t:s0
>> tcontext=unconfined_u:object_r:postgresql_tmp_t:s0
>> tclass=sock_file
>> type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto }
>> for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432"
>> scontext=unconfined_u:system_r:httpd_t:s0
>> tcontext=unconfined_u:system_r:postgresql_t:s0
>> tclass=unix_stream_socket
>>
>> However, both permissions are allowed via postgresql_stream_connect()
>> independent from any booleans, if required types are provided by
>> postgresql.te.
>>
>> postgresql_stream_connect() and postgresql_unpriv_client() are put
>> within same optional_policy section at apache.te.
>> postgresql_unpriv_client() requires trusted procedure related types,
>> but postgresql.te declares them in legacy names.
>>
>> old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t
>> old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t
>>
>> Could you apply the attached patch?
>> It fixes them as upstream does.
>>
>> Thanks,
>>
>
>
Fedora 9? Rawhide?



KaiGai Kohei 08-13-2008 10:32 PM

legacy typenames of se-postgresql still remain
 
Daniel J Walsh wrote:
> KaiGai Kohei wrote:
>> Sorry, the previous patch was an incomplete one.
>>
>> We allow sepgsql_client_type and sepgsql_unconfined_type to invoke
>> sepgsql_trusted_proc_t, but it should be sepgsql_trusted_proc_exec_t,
>> because sepgsql_trusted_proc_t is a domain.
>>
>> This matter also exists at upstreamed policy now.
>> The attached "refpolicy-sepgsql-trusted-proc-fixes.patch" can be applied
>> to upstreamed reference policy.
>>
>> Thanks,
>>
>> KaiGai Kohei wrote:
>>> I got the following access denied logs when I try to connect
>>> SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix
>>> domain socket (/tmp/.s.PGSQL.5432).
>>>
>>> type=AVC msg=audit(1218613044.484:10388): avc: denied { write }
>>> for pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6 ino=1079246
>>> scontext=unconfined_u:system_r:httpd_t:s0
>>> tcontext=unconfined_u:object_r:postgresql_tmp_t:s0
>>> tclass=sock_file
>>> type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto }
>>> for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432"
>>> scontext=unconfined_u:system_r:httpd_t:s0
>>> tcontext=unconfined_u:system_r:postgresql_t:s0
>>> tclass=unix_stream_socket
>>>
>>> However, both permissions are allowed via postgresql_stream_connect()
>>> independent from any booleans, if required types are provided by
>>> postgresql.te.
>>>
>>> postgresql_stream_connect() and postgresql_unpriv_client() are put
>>> within same optional_policy section at apache.te.
>>> postgresql_unpriv_client() requires trusted procedure related types,
>>> but postgresql.te declares them in legacy names.
>>>
>>> old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t
>>> old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t
>>>
>>> Could you apply the attached patch?
>>> It fixes them as upstream does.
>>>
>>> Thanks,
>>>
>>
> Fedora 9? Rawhide?

Sorry, I missed the version.
It is in Rawhide. (selinux-policy-3.5.1-4.fc10)

Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>


Daniel J Walsh 08-14-2008 12:47 PM

legacy typenames of se-postgresql still remain
 
KaiGai Kohei wrote:
> Daniel J Walsh wrote:
>> KaiGai Kohei wrote:
>>> Sorry, the previous patch was an incomplete one.
>>>
>>> We allow sepgsql_client_type and sepgsql_unconfined_type to invoke
>>> sepgsql_trusted_proc_t, but it should be sepgsql_trusted_proc_exec_t,
>>> because sepgsql_trusted_proc_t is a domain.
>>>
>>> This matter also exists at upstreamed policy now.
>>> The attached "refpolicy-sepgsql-trusted-proc-fixes.patch" can be applied
>>> to upstreamed reference policy.
>>>
>>> Thanks,
>>>
>>> KaiGai Kohei wrote:
>>>> I got the following access denied logs when I try to connect
>>>> SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix
>>>> domain socket (/tmp/.s.PGSQL.5432).
>>>>
>>>> type=AVC msg=audit(1218613044.484:10388): avc: denied { write }
>>>> for pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6 ino=1079246
>>>> scontext=unconfined_u:system_r:httpd_t:s0
>>>> tcontext=unconfined_u:object_r:postgresql_tmp_t:s0
>>>> tclass=sock_file
>>>> type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto }
>>>> for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432"
>>>> scontext=unconfined_u:system_r:httpd_t:s0
>>>> tcontext=unconfined_u:system_r:postgresql_t:s0
>>>> tclass=unix_stream_socket
>>>>
>>>> However, both permissions are allowed via postgresql_stream_connect()
>>>> independent from any booleans, if required types are provided by
>>>> postgresql.te.
>>>>
>>>> postgresql_stream_connect() and postgresql_unpriv_client() are put
>>>> within same optional_policy section at apache.te.
>>>> postgresql_unpriv_client() requires trusted procedure related types,
>>>> but postgresql.te declares them in legacy names.
>>>>
>>>> old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t
>>>> old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t
>>>>
>>>> Could you apply the attached patch?
>>>> It fixes them as upstream does.
>>>>
>>>> Thanks,
>>>>
>> Fedora 9? Rawhide?
>
> Sorry, I missed the version.
> It is in Rawhide. (selinux-policy-3.5.1-4.fc10)
>
> Thanks,

Current Rawhide is pretty much the same as upstream. Here is the only
patch I have on postgresql as of today's rawhide. Fedora 9 next update
should match this policy in the next update also.
--- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.4/policy/modules/services/postgresql.fc 2008-08-11 16:39:48.000000000 -0400
@@ -34,6 +34,7 @@
/var/lib/sepgsql/pgstartup.log -- gen_context(system_u:object_r:postgresql_log_t,s0)

/var/log/postgres.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
/var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0)
/var/log/sepostgresql.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)

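Review bot: the added `/var/lib/pgsql/logfile(/.*)?` entry lands between the `/var/log/postgres.log.*` and `/var/log/postgresql(/.*)?` lines, which breaks the path ordering of the file; it belongs beside the `/var/lib/sepgsql/pgstartup.log` entry in the context above. If `logfile` is a regular file, the `--` file-type specifier (as used on the neighbouring `/var/log/*.log.*` lines) is also more precise than `(/.*)?`, which would label a directory of that name and everything under it as well.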
@@ -42,3 +43,5 @@
')

/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t ,s0)
+
+/etc/rc.d/init.d/postgresql -- gen_context(system_u:object_r:postgresql_script_ex ec_t,s0)
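Review bot: the added `/etc/rc.d/init.d/postgresql` line shows the type as `postgresql_script_ex ec_t` with a space inside the name, and the context line above reads `postgresql_var_run_t ,s0`; if those spaces are in the patch itself rather than mail wrapping, setfiles will reject the spec. Confirm the committed line reads `gen_context(system_u:object_r:postgresql_script_exec_t,s0)`, matching the type declared in the postgresql.te hunk.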
--- nsaserefpolicy/policy/modules/services/postgresql.if 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.4/policy/modules/services/postgresql.if 2008-08-11 16:39:48.000000000 -0400
@@ -372,3 +372,70 @@

typeattribute $1 sepgsql_unconfined_type;
')
+
+########################################
+## <summary>
+## Execute postgresql server in the posgresql domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## The type of the process performing this action.
+## </summary>
+## </param>
+#
+interface(`postgresql_script_domtrans',`
+ gen_require(`
+ type postgresql_script_exec_t;
+ ')
+
+ init_script_domtrans_spec($1, postgresql_script_exec_t)
+')
+
+########################################
+## <summary>
+## All of the rules required to administrate an postgresql environment
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## The role to be allowed to manage the postgresql domain.
+## </summary>
+## </param>
+## <param name="terminal">
+## <summary>
+## The type of the terminal allow the postgresql domain to use.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`postgresql_admin',`
+ gen_require(`
+ type postgresql_t, postgresql_var_run_t;
+ type postgresql_tmp_t, postgresql_db_t;
+ type postgresql_etc_t, postgresql_log_t;
+ type postgresql_script_exec_t;
+ ')
+
+ allow $1 postgresql_t:process { ptrace signal_perms };
+ ps_process_pattern($1, postgresql_t)
+
+ # Allow $1 to restart the apache service
+ postgresql_script_domtrans($1)
+ domain_system_change_exemption($1)
+ role_transition $2 postgresql_script_exec_t system_r;
+ allow $2 system_r;
+
+ admin_pattern($1, postgresql_var_run_t)
+
+ admin_pattern($1, postgresql_db_t)
+
+ admin_pattern($1, postgresql_etc_t)
+
+ admin_pattern($1, postgresql_log_t)
+
+ admin_pattern($1, postgresql_tmp_t)
+')
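Review bot: the comment `# Allow $1 to restart the apache service` inside postgresql_admin is a copy-paste leftover from the apache module and should say the postgresql service. Two documentation points in the same hunk: the summary `Execute postgresql server in the posgresql domain` misspells postgresql, and the `<param name="terminal">` block documents a third argument that the interface body never uses (only $1 and $2 appear), so either drop that param description or consume $3. Also `administrate an postgresql environment` should read `a postgresql environment`.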
--- nsaserefpolicy/policy/modules/services/postgresql.te 2008-08-07 11:15:11.000000000 -0400
+++ serefpolicy-3.5.4/policy/modules/services/postgresql.te 2008-08-11 16:39:48.000000000 -0400
@@ -44,6 +44,9 @@
type postgresql_var_run_t;
files_pid_file(postgresql_var_run_t)

+type postgresql_script_exec_t;
+init_script_type(postgresql_script_exec_t)
+
# database clients attribute
attribute sepgsql_client_type;
attribute sepgsql_unconfined_type;
@@ -186,6 +189,7 @@

fs_getattr_all_fs(postgresql_t)
fs_search_auto_mountpoints(postgresql_t)
+fs_rw_hugetlbfs_files(postgresql_t)

selinux_get_enforce_mode(postgresql_t)
selinux_validate_context(postgresql_t)
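Review bot: `fs_rw_hugetlbfs_files(postgresql_t)` is added unconditionally and without a comment saying why the server domain needs read/write on hugetlbfs files (presumably shared memory backed by huge pages). A one-line comment above the call would make the permission easier to audit later and keeps it from looking like an arbitrary widening of the domain.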

KaiGai Kohei 08-15-2008 01:47 AM

legacy typenames of se-postgresql still remain
 
Daniel J Walsh wrote:
> KaiGai Kohei wrote:
>> Daniel J Walsh wrote:
>>> KaiGai Kohei wrote:
>>>> Sorry, the previous patch was an incomplete one.
>>>>
>>>> We allow sepgsql_client_type and sepgsql_unconfined_type to invoke
>>>> sepgsql_trusted_proc_t, but it should be sepgsql_trusted_proc_exec_t,
>>>> because sepgsql_trusted_proc_t is a domain.
>>>>
>>>> This matter also exists at upstreamed policy now.
>>>> The attached "refpolicy-sepgsql-trusted-proc-fixes.patch" can be applied
>>>> to upstreamed reference policy.
>>>>
>>>> Thanks,
>>>>
>>>> KaiGai Kohei wrote:
>>>>> I got the following access denied logs when I try to connect
>>>>> SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix
>>>>> domain socket (/tmp/.s.PGSQL.5432).
>>>>>
>>>>> type=AVC msg=audit(1218613044.484:10388): avc: denied { write }
>>>>> for pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6 ino=1079246
>>>>> scontext=unconfined_u:system_r:httpd_t:s0
>>>>> tcontext=unconfined_u:object_r:postgresql_tmp_t:s0
>>>>> tclass=sock_file
>>>>> type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto }
>>>>> for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432"
>>>>> scontext=unconfined_u:system_r:httpd_t:s0
>>>>> tcontext=unconfined_u:system_r:postgresql_t:s0
>>>>> tclass=unix_stream_socket
>>>>>
>>>>> However, both permissions are allowed via postgresql_stream_connect()
>>>>> independent from any booleans, if required types are provided by
>>>>> postgresql.te.
>>>>>
>>>>> postgresql_stream_connect() and postgresql_unpriv_client() are put
>>>>> within same optional_policy section at apache.te.
>>>>> postgresql_unpriv_client() requires trusted procedure related types,
>>>>> but postgresql.te declares them in legacy names.
>>>>>
>>>>> old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t
>>>>> old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t
>>>>>
>>>>> Could you apply the attached patch?
>>>>> It fixes them as upstream does.
>>>>>
>>>>> Thanks,
>>>>>
>>> Fedora 9? Rawhide?
>> Sorry, I missed the version.
>> It is in Rawhide. (selinux-policy-3.5.1-4.fc10)
>>
>> Thanks,
>
> Current Rawhide is pretty much the same as upstream. Here is the only
> patch I have on postgresql as of today's rawhide. Fedora 9 next update
> should match this policy in the next update also.
>

OK, I confirmed the first matter is fixed at selinux-policy-3.5.4-2 in
rawhide. (Sorry, I saw a bit older version.)

However, the second matter still remains at upstream and rawhide.
Chris, could you apply the attached patch, which fixes the legacy naming
matter?

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
