legacy typenames of se-postgresql still remain
I got the following access denied logs, when I tries to connect
SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix domain socket (/tmp/.s.PGSQL.5432). type=AVC msg=audit(1218613044.484:10388): avc: denied { write } for pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6 ino=1079246 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:postgresql_tmp_t:s0 tclass=sock_file type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto } for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:postgresql_t:s0 tclass=unix_stream_socket However, both permissions are allowed via postgresql_stream_connect() independent from any booleans, if required types are provided by postgresql.te. postgresql_stream_connect() and postgresql_unpriv_client() are put within same optional_policy section at apache.te. postgresql_unpriv_client() requires trusted procedure related types, but postgresql.te declares them in legacy names. old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t Could you apply the attached patch? It fixes them as upstream doing. Thanks, -- OSS Platform Development Division, NEC KaiGai Kohei <kaigai@ak.jp.nec.com> -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list |
legacy typenames of se-postgresql still remain
Sorry, the previous patch was imcomplete one.
We allows sepgsql_client_type and sepgsql_unconfined_type to invoke sepgsql_trusted_proc_t, but it should be sepgsql_trusted_proc_exec_t, because sepgsql_trusted_proc_t is a domain. This matter also exists at upstreamed policy now. The attached "refpolicy-sepgsql-trusted-proc-fixes.patch" can be applied to upstreamed reference policy. Thanks, KaiGai Kohei wrote: > I got the following access denied logs, when I tries to connect > SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix > domain socket (/tmp/.s.PGSQL.5432). > > type=AVC msg=audit(1218613044.484:10388): avc: denied { write } > for pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6 ino=1079246 > scontext=unconfined_u:system_r:httpd_t:s0 > tcontext=unconfined_u:object_r:postgresql_tmp_t:s0 > tclass=sock_file > type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto } > for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432" > scontext=unconfined_u:system_r:httpd_t:s0 > tcontext=unconfined_u:system_r:postgresql_t:s0 > tclass=unix_stream_socket > > However, both permissions are allowed via postgresql_stream_connect() > independent from any booleans, if required types are provided by > postgresql.te. > > postgresql_stream_connect() and postgresql_unpriv_client() are put > within same optional_policy section at apache.te. > postgresql_unpriv_client() requires trusted procedure related types, > but postgresql.te declares them in legacy names. > > old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t > old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t > > Could you apply the attached patch? > It fixes them as upstream doing. > > Thanks, > > > ------------------------------------------------------------------------ > > -- > fedora-selinux-list mailing list > fedora-selinux-list@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -- OSS Platform Development Division, NEC KaiGai Kohei <kaigai@ak.jp.nec.com> -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list |
legacy typenames of se-postgresql still remain
KaiGai Kohei wrote:
> Sorry, the previous patch was imcomplete one. > > We allows sepgsql_client_type and sepgsql_unconfined_type to invoke > sepgsql_trusted_proc_t, but it should be sepgsql_trusted_proc_exec_t, > because sepgsql_trusted_proc_t is a domain. > > This matter also exists at upstreamed policy now. > The attached "refpolicy-sepgsql-trusted-proc-fixes.patch" can be applied > to upstreamed reference policy. > > Thanks, > > KaiGai Kohei wrote: >> I got the following access denied logs, when I tries to connect >> SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix >> domain socket (/tmp/.s.PGSQL.5432). >> >> type=AVC msg=audit(1218613044.484:10388): avc: denied { write } >> for pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6 ino=1079246 >> scontext=unconfined_u:system_r:httpd_t:s0 >> tcontext=unconfined_u:object_r:postgresql_tmp_t:s0 >> tclass=sock_file >> type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto } >> for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432" >> scontext=unconfined_u:system_r:httpd_t:s0 >> tcontext=unconfined_u:system_r:postgresql_t:s0 >> tclass=unix_stream_socket >> >> However, both permissions are allowed via postgresql_stream_connect() >> independent from any booleans, if required types are provided by >> postgresql.te. >> >> postgresql_stream_connect() and postgresql_unpriv_client() are put >> within same optional_policy section at apache.te. >> postgresql_unpriv_client() requires trusted procedure related types, >> but postgresql.te declares them in legacy names. >> >> old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t >> old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t >> >> Could you apply the attached patch? >> It fixes them as upstream doing. >> >> Thanks, >> >> >> ------------------------------------------------------------------------ >> >> -- >> fedora-selinux-list mailing list >> fedora-selinux-list@redhat.com >> https://www.redhat.com/mailman/listinfo/fedora-selinux-list > > Fedora 9? Rawhide? -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list |
legacy typenames of se-postgresql still remain
Daniel J Walsh wrote:
> KaiGai Kohei wrote: >> Sorry, the previous patch was imcomplete one. >> >> We allows sepgsql_client_type and sepgsql_unconfined_type to invoke >> sepgsql_trusted_proc_t, but it should be sepgsql_trusted_proc_exec_t, >> because sepgsql_trusted_proc_t is a domain. >> >> This matter also exists at upstreamed policy now. >> The attached "refpolicy-sepgsql-trusted-proc-fixes.patch" can be applied >> to upstreamed reference policy. >> >> Thanks, >> >> KaiGai Kohei wrote: >>> I got the following access denied logs, when I tries to connect >>> SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix >>> domain socket (/tmp/.s.PGSQL.5432). >>> >>> type=AVC msg=audit(1218613044.484:10388): avc: denied { write } >>> for pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6 ino=1079246 >>> scontext=unconfined_u:system_r:httpd_t:s0 >>> tcontext=unconfined_u:object_r:postgresql_tmp_t:s0 >>> tclass=sock_file >>> type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto } >>> for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432" >>> scontext=unconfined_u:system_r:httpd_t:s0 >>> tcontext=unconfined_u:system_r:postgresql_t:s0 >>> tclass=unix_stream_socket >>> >>> However, both permissions are allowed via postgresql_stream_connect() >>> independent from any booleans, if required types are provided by >>> postgresql.te. >>> >>> postgresql_stream_connect() and postgresql_unpriv_client() are put >>> within same optional_policy section at apache.te. >>> postgresql_unpriv_client() requires trusted procedure related types, >>> but postgresql.te declares them in legacy names. >>> >>> old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t >>> old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t >>> >>> Could you apply the attached patch? >>> It fixes them as upstream doing. >>> >>> Thanks, >>> >>> >>> ------------------------------------------------------------------------ >>> >>> -- >>> fedora-selinux-list mailing list >>> fedora-selinux-list@redhat.com >>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >> > Fedora 9? Rawhide? Sorry, I missed the version. It is in Rawhide. (selinux-policy-3.5.1-4.fc10) Thanks, -- KaiGai Kohei <kaigai@kaigai.gr.jp> -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list |
legacy typenames of se-postgresql still remain
KaiGai Kohei wrote:
> Daniel J Walsh wrote: >> KaiGai Kohei wrote: >>> Sorry, the previous patch was imcomplete one. >>> >>> We allows sepgsql_client_type and sepgsql_unconfined_type to invoke >>> sepgsql_trusted_proc_t, but it should be sepgsql_trusted_proc_exec_t, >>> because sepgsql_trusted_proc_t is a domain. >>> >>> This matter also exists at upstreamed policy now. >>> The attached "refpolicy-sepgsql-trusted-proc-fixes.patch" can be applied >>> to upstreamed reference policy. >>> >>> Thanks, >>> >>> KaiGai Kohei wrote: >>>> I got the following access denied logs, when I tries to connect >>>> SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix >>>> domain socket (/tmp/.s.PGSQL.5432). >>>> >>>> type=AVC msg=audit(1218613044.484:10388): avc: denied { write } >>>> for pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6 ino=1079246 >>>> scontext=unconfined_u:system_r:httpd_t:s0 >>>> tcontext=unconfined_u:object_r:postgresql_tmp_t:s0 >>>> tclass=sock_file >>>> type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto } >>>> for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432" >>>> scontext=unconfined_u:system_r:httpd_t:s0 >>>> tcontext=unconfined_u:system_r:postgresql_t:s0 >>>> tclass=unix_stream_socket >>>> >>>> However, both permissions are allowed via postgresql_stream_connect() >>>> independent from any booleans, if required types are provided by >>>> postgresql.te. >>>> >>>> postgresql_stream_connect() and postgresql_unpriv_client() are put >>>> within same optional_policy section at apache.te. >>>> postgresql_unpriv_client() requires trusted procedure related types, >>>> but postgresql.te declares them in legacy names. >>>> >>>> old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t >>>> old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t >>>> >>>> Could you apply the attached patch? >>>> It fixes them as upstream doing. >>>> >>>> Thanks, >>>> >>>> >>>> ------------------------------------------------------------------------ >>>> >>>> -- >>>> fedora-selinux-list mailing list >>>> fedora-selinux-list@redhat.com >>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >> Fedora 9? Rawhide? > > Sorry, I missed the version. > It is in Rawhide. (selinux-policy-3.5.1-4.fc10) > > Thanks, Current Rawhide is pretty much the same as upstream. Here is the only patch I have on postgresql as of today's rawhide. Fedora 9 next update should match this policy in the next update also. --- nsaserefpolicy/policy/modules/services/postgresql.fc 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.5.4/policy/modules/services/postgresql.fc 2008-08-11 16:39:48.000000000 -0400 @@ -34,6 +34,7 @@ /var/lib/sepgsql/pgstartup.log -- gen_context(system_u:object_r:postgresql_log_t,s0) /var/log/postgres.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0) +/var/lib/pgsql/logfile(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) /var/log/postgresql(/.*)? gen_context(system_u:object_r:postgresql_log_t,s0) /var/log/sepostgresql.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0) @@ -42,3 +43,5 @@ ') /var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t ,s0) + +/etc/rc.d/init.d/postgresql -- gen_context(system_u:object_r:postgresql_script_ex ec_t,s0) --- nsaserefpolicy/policy/modules/services/postgresql.if 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.5.4/policy/modules/services/postgresql.if 2008-08-11 16:39:48.000000000 -0400 @@ -372,3 +372,70 @@ typeattribute $1 sepgsql_unconfined_type; ') + +######################################## +## <summary> +## Execute postgresql server in the posgresql domain. +## </summary> +## <param name="domain"> +## <summary> +## The type of the process performing this action. +## </summary> +## </param> +# +interface(`postgresql_script_domtrans',` + gen_require(` + type postgresql_script_exec_t; + ') + + init_script_domtrans_spec($1, postgresql_script_exec_t) +') + +######################################## +## <summary> +## All of the rules required to administrate an postgresql environment +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +## <param name="role"> +## <summary> +## The role to be allowed to manage the postgresql domain. +## </summary> +## </param> +## <param name="terminal"> +## <summary> +## The type of the terminal allow the postgresql domain to use. +## </summary> +## </param> +## <rolecap/> +# +interface(`postgresql_admin',` + gen_require(` + type postgresql_t, postgresql_var_run_t; + type postgresql_tmp_t, postgresql_db_t; + type postgresql_etc_t, postgresql_log_t; + type postgresql_script_exec_t; + ') + + allow $1 postgresql_t:process { ptrace signal_perms }; + ps_process_pattern($1, postgresql_t) + + # Allow $1 to restart the apache service + postgresql_script_domtrans($1) + domain_system_change_exemption($1) + role_transition $2 postgresql_script_exec_t system_r; + allow $2 system_r; + + admin_pattern($1, postgresql_var_run_t) + + admin_pattern($1, postgresql_db_t) + + admin_pattern($1, postgresql_etc_t) + + admin_pattern($1, postgresql_log_t) + + admin_pattern($1, postgresql_tmp_t) +') --- nsaserefpolicy/policy/modules/services/postgresql.te 2008-08-07 11:15:11.000000000 -0400 +++ serefpolicy-3.5.4/policy/modules/services/postgresql.te 2008-08-11 16:39:48.000000000 -0400 @@ -44,6 +44,9 @@ type postgresql_var_run_t; files_pid_file(postgresql_var_run_t) +type postgresql_script_exec_t; +init_script_type(postgresql_script_exec_t) + # database clients attribute attribute sepgsql_client_type; attribute sepgsql_unconfined_type; @@ -186,6 +189,7 @@ fs_getattr_all_fs(postgresql_t) fs_search_auto_mountpoints(postgresql_t) +fs_rw_hugetlbfs_files(postgresql_t) selinux_get_enforce_mode(postgresql_t) selinux_validate_context(postgresql_t) -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list |
legacy typenames of se-postgresql still remain
Daniel J Walsh wrote:
> KaiGai Kohei wrote: >> Daniel J Walsh wrote: >>> KaiGai Kohei wrote: >>>> Sorry, the previous patch was imcomplete one. >>>> >>>> We allows sepgsql_client_type and sepgsql_unconfined_type to invoke >>>> sepgsql_trusted_proc_t, but it should be sepgsql_trusted_proc_exec_t, >>>> because sepgsql_trusted_proc_t is a domain. >>>> >>>> This matter also exists at upstreamed policy now. >>>> The attached "refpolicy-sepgsql-trusted-proc-fixes.patch" can be applied >>>> to upstreamed reference policy. >>>> >>>> Thanks, >>>> >>>> KaiGai Kohei wrote: >>>>> I got the following access denied logs, when I tries to connect >>>>> SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix >>>>> domain socket (/tmp/.s.PGSQL.5432). >>>>> >>>>> type=AVC msg=audit(1218613044.484:10388): avc: denied { write } >>>>> for pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6 ino=1079246 >>>>> scontext=unconfined_u:system_r:httpd_t:s0 >>>>> tcontext=unconfined_u:object_r:postgresql_tmp_t:s0 >>>>> tclass=sock_file >>>>> type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto } >>>>> for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432" >>>>> scontext=unconfined_u:system_r:httpd_t:s0 >>>>> tcontext=unconfined_u:system_r:postgresql_t:s0 >>>>> tclass=unix_stream_socket >>>>> >>>>> However, both permissions are allowed via postgresql_stream_connect() >>>>> independent from any booleans, if required types are provided by >>>>> postgresql.te. >>>>> >>>>> postgresql_stream_connect() and postgresql_unpriv_client() are put >>>>> within same optional_policy section at apache.te. >>>>> postgresql_unpriv_client() requires trusted procedure related types, >>>>> but postgresql.te declares them in legacy names. >>>>> >>>>> old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t >>>>> old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t >>>>> >>>>> Could you apply the attached patch? >>>>> It fixes them as upstream doing. >>>>> >>>>> Thanks, >>>>> >>>>> >>>>> ------------------------------------------------------------------------ >>>>> >>>>> -- >>>>> fedora-selinux-list mailing list >>>>> fedora-selinux-list@redhat.com >>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list >>> Fedora 9? Rawhide? >> Sorry, I missed the version. >> It is in Rawhide. (selinux-policy-3.5.1-4.fc10) >> >> Thanks, > > Current Rawhide is pretty much the same as upstream. Here is the only > patch I have on postgresql as of today's rawhide. Fedora 9 next update > should match this policy in the next update also. > OK, I confirmed the first matter is fixed at selinux-policy-3.5.4-2 in rawhide. (Sorry, I saw a bit older version.) However, the second matter still remains at upstream and rawhide. Chris, could you apply the attached patch which fixes lagacy naming matter. Thanks, -- OSS Platform Development Division, NEC KaiGai Kohei <kaigai@ak.jp.nec.com> -- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list |
| All times are GMT. The time now is 01:51 AM. |
VBulletin, Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.