PostgreSQL PITR & SELinux
On Tue, 2012-09-18 at 13:32 -0600, Dmitry Makovey wrote:
> What I really wonder about is - above I've opened up quite a few things that
> are very specific to this mode of operation, however I can't believe I'm in a
> situation nobody else has been before and there are no booleans/tunables for
> most of things outlined above. So is there a way to make above utilize
> existing hooks or is it "as good as it gets"?

Hi

This actually looks pretty good in this case and well suited for a boolean in
the postgresql policy in my opinion.

Currently this is indeed not supported by the policy it seems.

Why not file a bugzilla report as a feature request?

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Hi Dominick,
thanks for your reply, see responses below:

On September 18, 2012 22:31:02 Dominick Grift wrote:
> On Tue, 2012-09-18 at 13:32 -0600, Dmitry Makovey wrote:
> > What I really wonder about is - above I've opened up quite a few things
> > that are very specific to this mode of operation, however I can't believe
> > I'm in a situation nobody else has been before and there are no
> > booleans/tunables for most of things outlined above. So is there a way to
> > make above utilize existing hooks or is it "as good as it gets"?
>
> Hi
>
> This actually looks pretty good in this case and well suited for a
> boolean in the postgresql policy in my opinion.

good to know it's not just me who thinks that way :)

> Currently this is indeed not supported by the policy it seems.
>
> Why not file a bugzilla report as a feature request?

https://bugzilla.redhat.com/show_bug.cgi?id=858406

--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245

On 09/18/2012 06:03 PM, Dmitry Makovey wrote:
> Hi Dominick,
>
> thanks for your reply, see responses below:
>
> On September 18, 2012 22:31:02 Dominick Grift wrote:
>> On Tue, 2012-09-18 at 13:32 -0600, Dmitry Makovey wrote:
>>> What I really wonder about is - above I've opened up quite a few
>>> things that are very specific to this mode of operation, however I
>>> can't believe I'm in a situation nobody else has been before and there
>>> are no booleans/tunables for most of things outlined above. So is there
>>> a way to make above utilize existing hooks or is it "as good as it
>>> gets"?
>>
>> Hi
>>
>> This actually looks pretty good in this case and well suited for a
>> boolean in the postgresql policy in my opinion.
>
> good to know it's not just me who thinks that way :)
>
>> Currently this is indeed not supported by the policy it seems.
>>
>> Why not file a bugzilla report as a feature request?
>
> https://bugzilla.redhat.com/show_bug.cgi?id=858406
>

How about something like this?

On 09/18/2012 06:03 PM, Dmitry Makovey wrote:
> Hi Dominick,
>
> thanks for your reply, see responses below:
>
> On September 18, 2012 22:31:02 Dominick Grift wrote:
>> On Tue, 2012-09-18 at 13:32 -0600, Dmitry Makovey wrote:
>>> What I really wonder about is - above I've opened up quite a few
>>> things that are very specific to this mode of operation, however I
>>> can't believe I'm in a situation nobody else has been before and there
>>> are no booleans/tunables for most of things outlined above. So is there
>>> a way to make above utilize existing hooks or is it "as good as it
>>> gets"?
>>
>> Hi
>>
>> This actually looks pretty good in this case and well suited for a
>> boolean in the postgresql policy in my opinion.
>
> good to know it's not just me who thinks that way :)
>
>> Currently this is indeed not supported by the policy it seems.
>>
>> Why not file a bugzilla report as a feature request?
>
> https://bugzilla.redhat.com/show_bug.cgi?id=858406
>

How about this?

On Wed, 2012-09-19 at 15:07 -0400, Daniel J Walsh wrote:
>
> ## <desc>
> ## <p>
> +## Allow postgresql to use ssh and rsync to replicate databases
> +## </p>
> +## </desc>
> +gen_tunable(postgesql_replication, false)

typo in there

we should probably implement a ssh_tcp_connect if it doesn't exist already and
use that (that goes for all service ports)

########################################
## <summary>
##	Connect to ssh over the TCP network.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_tcp_connect',`
	gen_require(`
		type sshd_t;
	')

	corenet_tcp_recvfrom_labeled($1, sshd_t)
	corenet_tcp_sendrecv_ssh_port($1)
	corenet_tcp_connect_ssh_port($1)
	corenet_sendrecv_ssh_client_packets($1)
')

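Review bot: the tunable name in `+gen_tunable(postgesql_replication, false)` is misspelled (the "r" in postgresql is missing); the boolean would be compiled under that misspelled name and would not match the `postgresql_` prefix the rest of the module uses, so it should read `postgresql_replication` before it goes in. Also, the first two quoted lines (`## <desc>` and `## <p>`) carry no `+` while the lines after them do, so as quoted the hunk opens inside an existing description block; the context in the real patch should be checked so the new `<desc>` block is complete and not spliced into a neighbouring one.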
On 09/19/2012 03:20 PM, Dominick Grift wrote:
>
>
> On Wed, 2012-09-19 at 15:07 -0400, Daniel J Walsh wrote:
>>
>> ## <desc>
>> ## <p>
>> +## Allow postgresql to use ssh and rsync to replicate databases
>> +## </p>
>> +## </desc>
>> +gen_tunable(postgesql_replication, false)
>
> typo in there
>
> we should probably implement a ssh_tcp_connect if it doesn't exist already
> and use that (that goes for all service ports)
>
> ########################################
> ## <summary>
> ##	Connect to ssh over the TCP network.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`ssh_tcp_connect',`
> 	gen_require(`
> 		type sshd_t;
> 	')
>
> 	corenet_tcp_recvfrom_labeled($1, sshd_t)
> 	corenet_tcp_sendrecv_ssh_port($1)
> 	corenet_tcp_connect_ssh_port($1)
> 	corenet_sendrecv_ssh_client_packets($1)
> ')
>

Sure that is fine with me.

On Wed, 2012-09-19 at 15:07 -0400, Daniel J Walsh wrote:
>
> How about this?

maybe postgresql_pitr is a more suitable boolean name. not sure about that but
just seems that way to me.

On 09/19/2012 03:44 PM, Dominick Grift wrote:
>
>
> On Wed, 2012-09-19 at 15:07 -0400, Daniel J Walsh wrote:
>>
>> How about this?
>
> maybe postgresql_pitr is a more suitable boolean name. not sure about that
> but just seems that way to me.
>

Sure although I had no idea what PITR was until I asked google.

On 09/19/2012 03:20 PM, Dominick Grift wrote:
>
>
> On Wed, 2012-09-19 at 15:07 -0400, Daniel J Walsh wrote:
>>
>> ## <desc>
>> ## <p>
>> +## Allow postgresql to use ssh and rsync to replicate databases
>> +## </p>
>> +## </desc>
>> +gen_tunable(postgesql_replication, false)
>
> typo in there
>
> we should probably implement a ssh_tcp_connect if it doesn't exist already
> and use that (that goes for all service ports)
>
> ########################################
> ## <summary>
> ##	Connect to ssh over the TCP network.
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`ssh_tcp_connect',`
> 	gen_require(`
> 		type sshd_t;
> 	')
>
> 	corenet_tcp_recvfrom_labeled($1, sshd_t)
> 	corenet_tcp_sendrecv_ssh_port($1)
> 	corenet_tcp_connect_ssh_port($1)
> 	corenet_sendrecv_ssh_client_packets($1)
> ')
>

Looks like Chris did not like a previous interface by that name.

########################################
## <summary>
##	Connect to SSH daemons over TCP sockets. (Deprecated)
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_tcp_connect',`
	refpolicywarn(`$0($*) has been deprecated.')
')

On Wed, 2012-09-19 at 16:01 -0400, Daniel J Walsh wrote:
> On 09/19/2012 03:20 PM, Dominick Grift wrote:
> >
> >
> > On Wed, 2012-09-19 at 15:07 -0400, Daniel J Walsh wrote:
> >>
> >> ## <desc>
> >> ## <p>
> >> +## Allow postgresql to use ssh and rsync to replicate databases
> >> +## </p>
> >> +## </desc>
> >> +gen_tunable(postgesql_replication, false)
> >
> > typo in there
> >
> > we should probably implement a ssh_tcp_connect if it doesn't exist already
> > and use that (that goes for all service ports)
> >
> > ########################################
> > ## <summary>
> > ##	Connect to ssh over the TCP network.
> > ## </summary>
> > ## <param name="domain">
> > ##	<summary>
> > ##	Domain allowed access.
> > ##	</summary>
> > ## </param>
> > #
> > interface(`ssh_tcp_connect',`
> > 	gen_require(`
> > 		type sshd_t;
> > 	')
> >
> > 	corenet_tcp_recvfrom_labeled($1, sshd_t)
> > 	corenet_tcp_sendrecv_ssh_port($1)
> > 	corenet_tcp_connect_ssh_port($1)
> > 	corenet_sendrecv_ssh_client_packets($1)
> > ')
> >
>
> Looks like Chris did not like a previous interface by that name.
>
> ########################################
> ## <summary>
> ##	Connect to SSH daemons over TCP sockets. (Deprecated)
> ## </summary>
> ## <param name="domain">
> ##	<summary>
> ##	Domain allowed access.
> ##	</summary>
> ## </param>
> #
> interface(`ssh_tcp_connect',`
> 	refpolicywarn(`$0($*) has been deprecated.')
> ')
>

I noticed that and I don't know why. It's also inconsistent because mysql and
postgres have it but some have it deprecated like I guess ssh and snmp.

I actually like this interface; it provides support for labeled networking.

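As an added example (not code from this thread and not the reference policy's own), here is how the boolean and the ssh_tcp_connect interface discussed above could be wired together in refpolicy style: the interface goes in ssh.if exactly as Dominick proposed it, and a tunable_policy block in postgresql.te grants postgresql_t the ssh and rsync access only while the boolean is on. It uses the postgresql_pitr name suggested in the thread (PITR is PostgreSQL's point-in-time recovery, which ships WAL archives to another host). The ssh_exec and rsync_exec calls are assumptions about interfaces provided by the ssh and rsync policy modules being built against; the corenet_* calls and the description block are from the thread.

```m4
# --- policy/modules/services/ssh.if: the interface proposed in the thread ---
########################################
## <summary>
##	Connect to ssh over the TCP network.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_tcp_connect',`
	gen_require(`
		type sshd_t;
	')

	# Peer rule for labeled networking (NetLabel / labeled IPsec): traffic is
	# only accepted when the remote endpoint really runs as sshd_t.
	corenet_tcp_recvfrom_labeled($1, sshd_t)
	# Port-based rules, which are all that applies to unlabeled traffic.
	corenet_tcp_sendrecv_ssh_port($1)
	corenet_tcp_connect_ssh_port($1)
	corenet_sendrecv_ssh_client_packets($1)
')

# --- policy/modules/services/postgresql.te: boolean plus its gated rules ---
## <desc>
## <p>
## Allow postgresql to use ssh and rsync to replicate databases
## </p>
## </desc>
gen_tunable(postgresql_pitr, false)

# The rules below are compiled into the module but are only in effect while
# the boolean is on, so hosts that do not ship WAL over ssh keep the stock
# postgresql_t confinement. optional_policy keeps this module loadable when
# the ssh or rsync module is not installed.
optional_policy(`
	tunable_policy(`postgresql_pitr',`
		# Assumed interface: run the ssh client inside postgresql_t itself
		# (no domain transition), so the archive_command can invoke ssh.
		ssh_exec(postgresql_t)
		# Outbound connection to the ssh port, labeled-peer aware.
		ssh_tcp_connect(postgresql_t)
	')
')

optional_policy(`
	tunable_policy(`postgresql_pitr',`
		# Assumed interface: run rsync inside postgresql_t for WAL shipping.
		rsync_exec(postgresql_t)
	')
')
```

Once the module is rebuilt and installed, the boolean is switched with setsebool -P postgresql_pitr on and inspected with getsebool postgresql_pitr; leaving it at its default of off changes nothing for existing deployments. The labeled-networking point Dominick makes is the corenet_tcp_recvfrom_labeled line: where NetLabel or labeled IPsec is in use it lets the policy require that the peer is actually sshd_t, a constraint a bare port-number rule cannot express.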