On Thu, 1 Jul 2004 21:52, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote: > Added the following. Please check since I know nothing about postgresql. I am not a postgresql expert either. However i think that some of these aren't needed. > # > # Files from postgresql > # > /usr/bin/clusterdb -- system_u:object_r:postgresql_exec_t > /usr/bin/createdb -- system_u:object_r:postgresql_exec_t > /usr/bin/createuser -- system_u:object_r:postgresql_exec_t > /usr/bin/dropdb -- system_u:object_r:postgresql_exec_t > /usr/bin/dropuser -- system_u:object_r:postgresql_exec_t > /usr/bin/psql -- system_u:object_r:postgresql_exec_t > /usr/bin/vacuumdb -- system_u:object_r:postgresql_exec_t The above are just wrappers for SQL commands. I don't think that there's any benefit in labelling them, and there may be some disadvantages for some of them (think of SQL scripts that need read/write access to files that the calling domain accesses). > /usr/bin/createlang -- system_u:object_r:postgresql_exec_t > /usr/bin/droplang -- system_u:object_r:postgresql_exec_t > /usr/bin/pg_encoding -- system_u:object_r:postgresql_exec_t > /usr/bin/pg_id -- system_u:object_r:postgresql_exec_t > /usr/bin/pg_restore -- system_u:object_r:postgresql_exec_t I am unsure about the above. Either the documentation or my understanding is lacking. > /usr/bin/pg_dump -- system_u:object_r:postgresql_exec_t > /usr/bin/pg_dumpall -- system_u:object_r:postgresql_exec_t The above definitely need labelling. > /usr/bin/initdb -- system_u:object_r:postgresql_exec_t initdb is just a shell script. Maybe it should be left unlabeled and just have transitions when it runs /usr/bin/postgres? > /usr/bin/ipcclean -- system_u:object_r:postgresql_exec_t This shell script refuses to run as root, probably doesn't need a special label. > /usr/bin/pg_controldata -- system_u:object_r:postgresql_exec_t Displays stuff from initdb. If initdb doesn't need it then it probably doesn't either. > /usr/bin/pg_ctl -- system_u:object_r:postgresql_exec_t Runs "postmaster" which is a symlink to "postgres", so it shouldn't need a label. > /usr/bin/pg_resetxlog -- system_u:object_r:postgresql_exec_t This one is not clear to me, but I think for the moment it should be labelled. > /usr/bin/postgres -- system_u:object_r:postgresql_exec_t Definately needs labelling. > /usr/bin/postmaster -- system_u:object_r:postgresql_exec_t No such file. Please try out the attached postgresql.fc file, I'm sure it will work at least as well as anything that anyone else has posted, and probably better than most. I'll review Yuichi's labelling ideas for the data directory later. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page
# postgresql - ldap server /usr/lib(64)?/postgresql/bin/.* -- system_u:object_r:postgresql_exec_t /usr/bin/postgres -- system_u:object_r:postgresql_exec_t /usr/bin/pg_dump -- system_u:object_r:postgresql_exec_t /usr/bin/pg_dumpall -- system_u:object_r:postgresql_exec_t /usr/bin/pg_resetxlog -- system_u:object_r:postgresql_exec_t # not sure whether the following binaries need labelling /usr/bin/createlang -- system_u:object_r:postgresql_exec_t /usr/bin/droplang -- system_u:object_r:postgresql_exec_t /usr/bin/pg_encoding -- system_u:object_r:postgresql_exec_t /usr/bin/pg_id -- system_u:object_r:postgresql_exec_t /usr/bin/pg_restore -- system_u:object_r:postgresql_exec_t /var/lib/postgres(/.*)? system_u:object_r:postgresql_db_t /var/lib/pgsql(/.*)? system_u:object_r:postgresql_db_t /var/run/postgresql(/.*)? system_u:object_r:postgresql_var_run_t /etc/postgresql(/.*)? system_u:object_r:postgresql_etc_t /var/log/postgres\.log.* -- system_u:object_r:postgresql_log_t /var/log/postgresql(/.*)? system_u:object_r:postgresql_log_t
