09-19-2012, 08:10 PM
Dominick Grift
PostgreSQL PITR & SELinux

On Wed, 2012-09-19 at 16:01 -0400, Daniel J Walsh wrote:
> On 09/19/2012 03:20 PM, Dominick Grift wrote:
> >
> >
> > On Wed, 2012-09-19 at 15:07 -0400, Daniel J Walsh wrote:
> >>
> >> ## <desc> ## <p> +## Allow postgresql to use ssh and rsync to
> >> replicate databases +## </p> +## </desc>
> >> +gen_tunable(postgesql_replication, false)
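Review bot: the tunable name in `+gen_tunable(postgesql_replication, false)` is misspelled (`postgesql` for `postgresql`), so the boolean would be created under the misspelled name and any `tunable_policy` block or `setsebool` call written with the correct spelling would not match it; fix the spelling before the name gets into a shipped policy. The `<desc>` text also states a wider capability (running ssh and rsync) than the word "replication" suggests, so a name that states the access granted, as `postgres_can_rsync` proposed later in this thread does, reads more accurately.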
> >
> > typo in there
> >
> > we should probably implement a ssh_tcp_connect if it doesn't exist already
> > and use that (that goes for all service ports)
> >
> > ########################################
> > ## <summary>
> > ##	Connect to ssh over the TCP network.
> > ## </summary>
> > ## <param name="domain">
> > ##	<summary>
> > ##	Domain allowed access.
> > ##	</summary>
> > ## </param>
> > #
> > interface(`ssh_tcp_connect',`
> > 	gen_require(`
> > 		type sshd_t;
> > 	')
> >
> > 	corenet_tcp_recvfrom_labeled($1, sshd_t)
> > 	corenet_tcp_sendrecv_ssh_port($1)
> > 	corenet_tcp_connect_ssh_port($1)
> > 	corenet_sendrecv_ssh_client_packets($1)
> > ')
> >
> >
> >
> > -- selinux mailing list selinux@lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/selinux
> >
> Looks like Chris did not like a previous interface by that name.
> ########################################
> ## <summary>
> ## Connect to SSH daemons over TCP sockets. (Deprecated)
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`ssh_tcp_connect',`
> refpolicywarn(`$0($*) has been deprecated.')
> ')
>

Anyway, ok, ignore it for now. I guess this should be discussed with
pebenito. I can always change it later.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
09-19-2012, 08:10 PM
Dmitry Makovey
PostgreSQL PITR & SELinux

On September 19, 2012 15:53:10 Daniel J Walsh wrote:
> Sure although I had no idea what PITR was until I asked google.

If I may suggest, in tune with some other tunables (no pun intended):

postgres_can_rsync ?

PITR, while implemented in most cases just about the same as I outlined, is
more of a concept and could be implemented using alternative strategies (say,
no SSH involved and dumping directly to an NFS share), thus mentioning the
specific ability "rsync" may be more descriptive.

Just my .02CDN on the subject...

--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
---
Confidence is what you have before you understand the problem
Woody Allen

When in trouble when in doubt run in circles scream and shout
http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330


--
This communication is intended for the use of the recipient to whom it
is addressed, and may contain confidential, personal, and or privileged
information. Please contact us immediately if you are not the intended
recipient of this communication, and do not copy, distribute, or take
action relying on it. Any communications received in error, or
subsequent reply, should be deleted or destroyed.
---
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
09-19-2012, 08:17 PM
Daniel J Walsh
PostgreSQL PITR & SELinux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/19/2012 04:10 PM, Dmitry Makovey wrote:
> On September 19, 2012 15:53:10 Daniel J Walsh wrote:
>> Sure although I had no idea what PITR was until I asked google.
>
> If I may suggest, in tune with some other tunables (no pun intended):
>
> postgres_can_rsync ?
>
> PITR, while implemented in most cases just about the same as I outlined, is
> more of a concept and could be implemented using alternative strategies
> (say, no SSH involved and dumping directly to an NFS share), thus mentioning
> the specific ability "rsync" may be more descriptive.
>
> Just my .02CDN on the subject...
>
I am fine with that also. Will let Dominick be the final arbiter.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBaKEwACgkQrlYvE4MpobMTKQCg2xyT9rmBJl 5HJIa4oRFbi2//
Q3oAoKXnFqO6oVR/+hlDKw1p7DDqZwkW
=vHeW
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
09-19-2012, 08:19 PM
Dominick Grift
PostgreSQL PITR & SELinux

On Wed, 2012-09-19 at 14:10 -0600, Dmitry Makovey wrote:
> On September 19, 2012 15:53:10 Daniel J Walsh wrote:
> > Sure although I had no idea what PITR was until I asked google.
>
> If I may suggest, in tune with some other tunables (no pun intended):
>
> postgres_can_rsync ?
>
> PITR, while implemented in most cases just about the same as I outlined, is
> more of a concept and could be implemented using alternative strategies (say,
> no SSH involved and dumping directly to an NFS share), thus mentioning the
> specific ability "rsync" may be more descriptive.
>
> Just my .02CDN on the subject...

Thanks, good point

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
09-19-2012, 08:22 PM
Daniel J Walsh
PostgreSQL PITR & SELinux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/19/2012 04:19 PM, Dominick Grift wrote:
>
>
> On Wed, 2012-09-19 at 14:10 -0600, Dmitry Makovey wrote:
>> On September 19, 2012 15:53:10 Daniel J Walsh wrote:
>>> Sure although I had no idea what PITR was until I asked google.
>>
>> If I may suggest, in tune with some other tunables (no pun intended):
>>
>> postgres_can_rsync ?
>>
>> PITR, while implemented in most cases just about the same as I outlined,
>> is more of a concept and could be implemented using alternative
>> strategies (say, no SSH involved and dumping directly to an NFS share), thus
>> mentioning the specific ability "rsync" may be more descriptive.
>>
>> Just my .02CDN on the subject...
>
> Thanks, good point
>
> -- selinux mailing list selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
Sadly it looks like we already have a boolean for this in Fedora for sepostgresql.

optional_policy(`
	tunable_policy(`sepgsql_enable_pitr_implementation',`
		corenet_tcp_connect_ssh_port(postgresql_t)
		rsync_exec(postgresql_t)
		ssh_read_user_home_files(postgresql_t)
		ssh_exec(postgresql_t)
	')
')

Since this has nothing specific to do with sepgsql, we can change the name of
the boolean.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBaKXQACgkQrlYvE4MpobM7mQCdGSgG1yBhy6 7EIW+xS+/FNhrr
8SEAnilexMatY5SZbKU41HYUOloTU/I1
=ZQB6
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
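The pieces discussed in this thread, the deprecated ssh_tcp_connect interface quoted earlier and the sepgsql tunable block above, assembled into one complete local policy module. This is an added example, not code from the thread, from Fedora's policy or from refpolicy: it defines a boolean under the name Dmitry proposed (postgres_can_rsync) and, because ssh_tcp_connect is deprecated in refpolicy, calls corenet_tcp_connect_ssh_port directly. The module name postgresql_pitr, the boolean name and the wording of the description are assumptions; the four interface calls are the ones from the sepgsql block.

```m4
# postgresql_pitr.te (example module; names are assumptions, not Fedora's)
policy_module(postgresql_pitr, 1.0)

## <desc>
## <p>
## Allow postgresql to run ssh and rsync so that WAL archives and
## base backups can be shipped to a remote host (point-in-time recovery).
## Off by default: turning it on widens what postgresql_t may execute
## and connect to, so enable it only on hosts that actually archive.
## </p>
## </desc>
gen_tunable(postgres_can_rsync, false)

# postgresql_t is defined by the base/postgresql module; declare it here
# so this local module can be compiled and linked against it.
require {
	type postgresql_t;
}

# Everything below is conditional on the boolean, so a default install
# grants no extra access. optional_policy() keeps the module loadable
# even if the rsync or ssh policy modules are not present.
optional_policy(`
	tunable_policy(`postgres_can_rsync',`
		# outbound TCP connections to the labeled ssh port (22/ssh_port_t)
		corenet_tcp_connect_ssh_port(postgresql_t)
		# execute the ssh client and rsync binaries without a domain transition
		ssh_exec(postgresql_t)
		rsync_exec(postgresql_t)
		# read key material and known_hosts kept under a user home directory
		ssh_read_user_home_files(postgresql_t)
	')
')
```

Build and load it the usual way for a local module: `make -f /usr/share/selinux/devel/Makefile postgresql_pitr.pp`, then `semodule -i postgresql_pitr.pp`, and switch it on with `setsebool -P postgres_can_rsync on`. Before writing a module like this, `getsebool -a | grep -i rsync` (or `semanage boolean -l`) shows whether the installed policy already ships a boolean for the access; that is the check that tells a RHEL system apart from a Fedora one here, and it is what the "Invalid boolean" error from setsebool reports when the name is absent.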
 
09-19-2012, 09:20 PM
Dmitry Makovey
PostgreSQL PITR & SELinux

On September 19, 2012 16:22:12 Daniel J Walsh wrote:
> Sadly it looks like we already have a boolean for this in Fedora for
> sepostgresql.
>
> optional_policy(`
> 	tunable_policy(`sepgsql_enable_pitr_implementation',`
> 		corenet_tcp_connect_ssh_port(postgresql_t)
> 		rsync_exec(postgresql_t)
> 		ssh_read_user_home_files(postgresql_t)
> 		ssh_exec(postgresql_t)
> 	')
> ')
>
> Since this has nothing specific to do with sepgsql, we can change the name
> of the boolean.

Daniel, you saved my day - I thought that something like that should exist but
I completely omitted the sepgsql* set as I was under the impression that it
applied to a completely different functionality. I'll use that instead of my
module. Thank you very much.

For what it's worth, I'd like to second the name change, as the existing one put
me off-track, like many other people (just look up "postgres selinux rsync").

--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
09-19-2012, 09:27 PM
Dmitry Makovey
PostgreSQL PITR & SELinux

On September 19, 2012 15:20:17 Dmitry Makovey wrote:
> Daniel, you saved my day - I thought that something like that should exist
> but I completely omitted the sepgsql* set as I was under the impression that
> it applied to a completely different functionality. I'll use that instead of
> my module. Thank you very much.


spoke too soon:

# setsebool sepgsql_enable_pitr_implementation On
Could not change active booleans: Invalid boolean

so it sounds like it doesn't exist in RHEL? yet?

--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
09-19-2012, 09:35 PM
Dmitry Makovey
PostgreSQL PITR & SELinux

On September 19, 2012 15:27:43 Dmitry Makovey wrote:
> On September 19, 2012 15:20:17 Dmitry Makovey wrote:
>
> > Daniel, you saved my day - I thought that something like that should
> > exist
> > but I completely omitted the sepgsql* set as I was under the impression that
> > it applied to a completely different functionality. I'll use that instead of
> > my module. Thank you very much.
>
>
>
> spoke too soon:
>
> # setsebool sepgsql_enable_pitr_implementation On
> Could not change active booleans: Invalid boolean
>
> so it sounds like it doesn't exist in RHEL? yet?

ok as per https://bugzilla.redhat.com/show_bug.cgi?id=858406 , Miroslav just
added it, so it definitely doesn't exist yet. But it sounds like it is on its
way. Thank you Dan and Dominick for the help. I'll stick with my module for
now.

What's the best way of tracking whether above changes made it into RHEL6
policies? Just the changelog?

--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
09-19-2012, 11:31 PM
Daniel J Walsh
PostgreSQL PITR & SELinux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/19/2012 05:35 PM, Dmitry Makovey wrote:
> On September 19, 2012 15:27:43 Dmitry Makovey wrote:
>> On September 19, 2012 15:20:17 Dmitry Makovey wrote:
>>
>>> Daniel, you saved my day - I thought that something like that should
>>> exist but I completely omitted the sepgsql* set as I was under the
>>> impression that it applied to a completely different functionality. I'll
>>> use that instead of my module. Thank you very much.
>>
>>
>>
>> spoke too soon:
>>
>> # setsebool sepgsql_enable_pitr_implementation On Could not change active
>> booleans: Invalid boolean
>>
>> so it sounds like it doesn't exist in RHEL? yet?
>
> ok as per https://bugzilla.redhat.com/show_bug.cgi?id=858406 , Miroslav
> just added it, so it definitely doesn't exist yet. But it sounds like it is
> on its way. Thank you Dan and Dominick for the help. I'll stick with my
> module for now.
>
> What's the best way of tracking whether above changes made it into RHEL6
> policies? Just the changelog?
>
Changelog and Bugzillas. The errata will list all the bugs fixed in a RHEL
update.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBaVeIACgkQrlYvE4MpobNMGgCfaIXknYd05F +iIHH+5zbJ8p7x
X/IAnif2WZ8f66llAbUVGA/X+33+mIMs
=HD7f
-----END PGP SIGNATURE-----
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
09-20-2012, 06:16 AM
Miroslav Grepl
PostgreSQL PITR & SELinux

On 09/20/2012 01:31 AM, Daniel J Walsh wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/19/2012 05:35 PM, Dmitry Makovey wrote:
>> On September 19, 2012 15:27:43 Dmitry Makovey wrote:
>>> On September 19, 2012 15:20:17 Dmitry Makovey wrote:
>>>
>>>> Daniel, you saved my day - I thought that something like that should
>>>> exist but I completely omitted the sepgsql* set as I was under the
>>>> impression that it applied to a completely different functionality. I'll
>>>> use that instead of my module. Thank you very much.
>>>
>>> spoke too soon:
>>>
>>> # setsebool sepgsql_enable_pitr_implementation On
>>> Could not change active booleans: Invalid boolean
>>>
>>> so it sounds like it doesn't exist in RHEL? yet?
>>
>> ok as per https://bugzilla.redhat.com/show_bug.cgi?id=858406 , Miroslav
>> just added it, so it definitely doesn't exist yet. But it sounds like it is
>> on its way. Thank you Dan and Dominick for the help. I'll stick with my
>> module for now.
>>
>> What's the best way of tracking whether above changes made it into RHEL6
>> policies? Just the changelog?
>
> Changelog and Bugzillas. The errata will list all the bugs fixed in a RHEL
> update.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
>
> iEYEARECAAYFAlBaVeIACgkQrlYvE4MpobNMGgCfaIXknYd05F +iIHH+5zbJ8p7x
> X/IAnif2WZ8f66llAbUVGA/X+33+mIMs
> =HD7f
> -----END PGP SIGNATURE-----
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux

Thanks all. Will backport the latest solution to RHEL.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
