09-18-2012, 08:31 PM
Dominick Grift
PostgreSQL PITR & SELinux

On Tue, 2012-09-18 at 13:32 -0600, Dmitry Makovey wrote:
> What I really wonder about is - above I've opened up quite a few things that
> are very specific to this mode of operation, however I can't believe I'm in a
> situation nobody else has been in before and there are no booleans/tunables for
> most of the things outlined above. So is there a way to make the above utilize
> existing hooks or is it "as good as it gets"?

Hi

This actually looks pretty good in this case and well suited for a
boolean in the postgresql policy in my opinion.

Currently this is indeed not supported by the policy it seems.

Why not file a bugzilla report as a feature request?

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
09-18-2012, 10:03 PM
Dmitry Makovey
PostgreSQL PITR & SELinux

Hi Dominick,

thanks for your reply, see responses below:

On September 18, 2012 22:31:02 Dominick Grift wrote:
> On Tue, 2012-09-18 at 13:32 -0600, Dmitry Makovey wrote:
> > What I really wonder about is - above I've opened up quite a few things
> > that are very specific to this mode of operation, however I can't believe
> > I'm in a situation nobody else has been in before and there are no
> > booleans/tunables for most of the things outlined above. So is there a way to
> > make the above utilize existing hooks or is it "as good as it gets"?
>
> Hi
>
> This actually looks pretty good in this case and well suited for a
> boolean in the postgresql policy in my opinion.

good to know it's not just me who thinks that way

> Currently this is indeed not supported by the policy it seems.
>
> Why not file a bugzilla report as a feature request?

https://bugzilla.redhat.com/show_bug.cgi?id=858406

--
Dmitry Makovey
Web Systems Administrator
Athabasca University
(780) 675-6245
---
Confidence is what you have before you understand the problem
Woody Allen

When in trouble when in doubt run in circles scream and shout
http://www.wordwizard.com/phpbb3/viewtopic.php?f=16&t=19330


 
09-19-2012, 11:08 AM
Daniel J Walsh
PostgreSQL PITR & SELinux


On 09/18/2012 06:03 PM, Dmitry Makovey wrote:
> Hi Dominick,
>
> thanks for your reply, see responses below:
>
> On September 18, 2012 22:31:02 Dominick Grift wrote:
>> On Tue, 2012-09-18 at 13:32 -0600, Dmitry Makovey wrote:
>>> What I really wonder about is - above I've opened up quite a few
>>> things that are very specific to this mode of operation, however I
>>> can't believe I'm in a situation nobody else has been in before and there
>>> are no booleans/tunables for most of the things outlined above. So is there
>>> a way to make the above utilize existing hooks or is it "as good as it
>>> gets"?
>>
>> Hi
>>
>> This actually looks pretty good in this case and well suited for a
>> boolean in the postgresql policy in my opinion.
>
> good to know it's not just me who thinks that way
>
>> Currently this is indeed not supported by the policy it seems.
>>
>> Why not file a bugzilla report as a feature request?
>
> https://bugzilla.redhat.com/show_bug.cgi?id=858406
>


How about something like this?
 
09-19-2012, 07:07 PM
Daniel J Walsh
PostgreSQL PITR & SELinux


On 09/18/2012 06:03 PM, Dmitry Makovey wrote:
> Hi Dominick,
>
> thanks for your reply, see responses below:
>
> On September 18, 2012 22:31:02 Dominick Grift wrote:
>> On Tue, 2012-09-18 at 13:32 -0600, Dmitry Makovey wrote:
>>> What I really wonder about is - above I've opened up quite a few
>>> things that are very specific to this mode of operation, however I
>>> can't believe I'm in a situation nobody else has been in before and there
>>> are no booleans/tunables for most of the things outlined above. So is there
>>> a way to make the above utilize existing hooks or is it "as good as it
>>> gets"?
>>
>> Hi
>>
>> This actually looks pretty good in this case and well suited for a
>> boolean in the postgresql policy in my opinion.
>
> good to know it's not just me who thinks that way
>
>> Currently this is indeed not supported by the policy it seems.
>>
>> Why not file a bugzilla report as a feature request?
>
> https://bugzilla.redhat.com/show_bug.cgi?id=858406
>

How about this?
 
09-19-2012, 07:20 PM
Dominick Grift
PostgreSQL PITR & SELinux

On Wed, 2012-09-19 at 15:07 -0400, Daniel J Walsh wrote:
>
> ## <desc>
> ## <p>
> +## Allow postgresql to use ssh and rsync to replicate databases
> +## </p>
> +## </desc>
> +gen_tunable(postgesql_replication, false)
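Review bot: the tunable name on the `+gen_tunable(postgesql_replication, false)` line drops the 'r' in postgresql, so the boolean would be created under a name that nobody listing postgresql_* tunables will find; rename it before it ships, and prefer a name tied to what it enables (the postgresql_pitr suggested later in this thread) over the generic 'replication'. The quoted hunk shows only the declaration; the `tunable_policy` block that consumes the boolean should land in the same change so the tunable is never declared without effect, and the `## <desc>` text should say which ports and client binaries it opens up, since that description is what an administrator reads in `semanage boolean -l` before flipping it.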

typo in there

we should probably implement an ssh_tcp_connect if it doesn't exist
already and use that (that goes for all service ports)

########################################
## <summary>
## Connect to ssh over the TCP network.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ssh_tcp_connect',`
	gen_require(`
		type sshd_t;
	')

	corenet_tcp_recvfrom_labeled($1, sshd_t)
	corenet_tcp_sendrecv_ssh_port($1)
	corenet_tcp_connect_ssh_port($1)
	corenet_sendrecv_ssh_client_packets($1)
')



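The boolean from Daniel's hunk and the interface Dominick posted, wired together the way refpolicy expects (an added example, not the patch attached to the list or either author's code): `gen_tunable` declares the boolean and `tunable_policy` gates every rule on it, so with the boolean off postgresql_t has no path to the ssh or rsync ports at all. The name follows Dominick's `postgresql_pitr` suggestion; `ssh_exec`, `rsync_exec`, `corenet_tcp_connect_rsync_port` and `corenet_tcp_sendrecv_rsync_port` are assumed to exist in the refpolicy of the day.

```m4
# ssh.if (added example): the interface proposed on the list.
# corenet_tcp_recvfrom_labeled is what keeps it usable under
# labeled networking (NetLabel / labeled IPsec peers).
interface(`ssh_tcp_connect',`
	gen_require(`
		type sshd_t;
	')

	corenet_tcp_recvfrom_labeled($1, sshd_t)
	corenet_tcp_sendrecv_ssh_port($1)
	corenet_tcp_connect_ssh_port($1)
	corenet_sendrecv_ssh_client_packets($1)
')

# postgresql.te (added example): PITR log shipping over ssh/rsync,
# off by default. This text is what `semanage boolean -l` shows.
## <desc>
## <p>
## Allow postgresql to run the ssh and rsync clients and connect to
## the ssh and rsync ports, for shipping WAL segments to a standby
## (point-in-time recovery, PITR).
## </p>
## </desc>
gen_tunable(postgresql_pitr, false)

########################################
#
# PITR rules, active only while the boolean is on
#
tunable_policy(`postgresql_pitr',`
	# archive_command runs the clients inside postgresql_t itself;
	# no domain transition, so no new domain to audit
	# (assumed interfaces: ssh_exec, rsync_exec)
	ssh_exec(postgresql_t)
	rsync_exec(postgresql_t)

	# outbound connections to exactly the two ports PITR needs
	ssh_tcp_connect(postgresql_t)
	# (assumed interfaces, generated per port in corenetwork.if)
	corenet_tcp_connect_rsync_port(postgresql_t)
	corenet_tcp_sendrecv_rsync_port(postgresql_t)
')
```

After the module is rebuilt and loaded, `sesearch -A -s postgresql_t -b postgresql_pitr` lists exactly the rules the boolean gates, and `setsebool -P postgresql_pitr on` enables them. With the boolean left off, an AVC denial of postgresql_t to ssh_port_t is the expected result of running archive_command, not a policy bug.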
 
09-19-2012, 07:30 PM
Daniel J Walsh
PostgreSQL PITR & SELinux


On 09/19/2012 03:20 PM, Dominick Grift wrote:
>
>
> On Wed, 2012-09-19 at 15:07 -0400, Daniel J Walsh wrote:
>>
>> ## <desc> ## <p> +## Allow postgresql to use ssh and rsync to
>> replicate databases +## </p> +## </desc>
>> +gen_tunable(postgesql_replication, false)
>
> typo in there
>
> we should probably implement an ssh_tcp_connect if it doesn't exist already
> and use that (that goes for all service ports)
>
> ########################################
> ## <summary>
> ## Connect to ssh over the TCP network.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`ssh_tcp_connect',`
> 	gen_require(`
> 		type sshd_t;
> 	')
>
> 	corenet_tcp_recvfrom_labeled($1, sshd_t)
> 	corenet_tcp_sendrecv_ssh_port($1)
> 	corenet_tcp_connect_ssh_port($1)
> 	corenet_sendrecv_ssh_client_packets($1)
> ')
>
>
>
>
Sure that is fine with me.
 
09-19-2012, 07:44 PM
Dominick Grift
PostgreSQL PITR & SELinux

On Wed, 2012-09-19 at 15:07 -0400, Daniel J Walsh wrote:
>
> How about this?

Maybe postgresql_pitr is a more suitable boolean name. Not sure about
that, but it just seems that way to me.

 
09-19-2012, 07:53 PM
Daniel J Walsh
PostgreSQL PITR & SELinux


On 09/19/2012 03:44 PM, Dominick Grift wrote:
>
>
> On Wed, 2012-09-19 at 15:07 -0400, Daniel J Walsh wrote:
>>
>> How about this?
>
> Maybe postgresql_pitr is a more suitable boolean name. Not sure about that,
> but it just seems that way to me.
>
>
Sure, although I had no idea what PITR was until I asked Google.
 
09-19-2012, 08:01 PM
Daniel J Walsh
PostgreSQL PITR & SELinux


On 09/19/2012 03:20 PM, Dominick Grift wrote:
>
>
> On Wed, 2012-09-19 at 15:07 -0400, Daniel J Walsh wrote:
>>
>> ## <desc> ## <p> +## Allow postgresql to use ssh and rsync to
>> replicate databases +## </p> +## </desc>
>> +gen_tunable(postgesql_replication, false)
>
> typo in there
>
> we should probably implement an ssh_tcp_connect if it doesn't exist already
> and use that (that goes for all service ports)
>
> ########################################
> ## <summary>
> ## Connect to ssh over the TCP network.
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`ssh_tcp_connect',`
> 	gen_require(`
> 		type sshd_t;
> 	')
>
> 	corenet_tcp_recvfrom_labeled($1, sshd_t)
> 	corenet_tcp_sendrecv_ssh_port($1)
> 	corenet_tcp_connect_ssh_port($1)
> 	corenet_sendrecv_ssh_client_packets($1)
> ')
>
>
>
>
Looks like Chris did not like a previous interface by that name.
########################################
## <summary>
## Connect to SSH daemons over TCP sockets. (Deprecated)
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`ssh_tcp_connect',`
	refpolicywarn(`$0($*) has been deprecated.')
')

 
09-19-2012, 08:07 PM
Dominick Grift
PostgreSQL PITR & SELinux

On Wed, 2012-09-19 at 16:01 -0400, Daniel J Walsh wrote:
> On 09/19/2012 03:20 PM, Dominick Grift wrote:
> >
> >
> > On Wed, 2012-09-19 at 15:07 -0400, Daniel J Walsh wrote:
> >>
> >> ## <desc> ## <p> +## Allow postgresql to use ssh and rsync to
> >> replicate databases +## </p> +## </desc>
> >> +gen_tunable(postgesql_replication, false)
> >
> > typo in there
> >
> > we should probably implement an ssh_tcp_connect if it doesn't exist already
> > and use that (that goes for all service ports)
> >
> > ########################################
> > ## <summary>
> > ## Connect to ssh over the TCP network.
> > ## </summary>
> > ## <param name="domain">
> > ## <summary>
> > ## Domain allowed access.
> > ## </summary>
> > ## </param>
> > #
> > interface(`ssh_tcp_connect',`
> > 	gen_require(`
> > 		type sshd_t;
> > 	')
> >
> > 	corenet_tcp_recvfrom_labeled($1, sshd_t)
> > 	corenet_tcp_sendrecv_ssh_port($1)
> > 	corenet_tcp_connect_ssh_port($1)
> > 	corenet_sendrecv_ssh_client_packets($1)
> > ')
> >
> >
> >
> >
> Looks like Chris did not like a previous interface by that name.
> ########################################
> ## <summary>
> ## Connect to SSH daemons over TCP sockets. (Deprecated)
> ## </summary>
> ## <param name="domain">
> ## <summary>
> ## Domain allowed access.
> ## </summary>
> ## </param>
> #
> interface(`ssh_tcp_connect',`
> 	refpolicywarn(`$0($*) has been deprecated.')
> ')
>

I noticed that and I don't know why. It's also inconsistent because mysql
and postgres have it but some have it deprecated, like I guess ssh and
snmp.

I actually like this interface it provides support for labeled
networking.

 
