[BUG] legacy typenames of se-postgresql still remain

KaiGai Kohei <kaigai@xxxxxxxxxxxxx> · Wed, 13 Aug 2008 17:33:52 +0900

I got the following access denied logs, when I tries to connect
SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix
domain socket (/tmp/.s.PGSQL.5432).

type=AVC msg=audit(1218613044.484:10388): avc:  denied  { write }
    for  pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6 ino=1079246
    scontext=unconfined_u:system_r:httpd_t:s0
    tcontext=unconfined_u:object_r:postgresql_tmp_t:s0
    tclass=sock_file
type=AVC msg=audit(1218613044.484:10388): avc:  denied  { connectto }
    for  pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432"
    scontext=unconfined_u:system_r:httpd_t:s0
    tcontext=unconfined_u:system_r:postgresql_t:s0
    tclass=unix_stream_socket

However, both permissions are allowed via postgresql_stream_connect()
independent from any booleans, if required types are provided by
postgresql.te.

postgresql_stream_connect() and postgresql_unpriv_client() are put
within same optional_policy section at apache.te.
postgresql_unpriv_client() requires trusted procedure related types,
but postgresql.te declares them in legacy names.

 old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t
 old: sepgsql_trusted_proc_t   --> new: sepgsql_trusted_proc_exec_t

Could you apply the attached patch?
It fixes them as upstream doing.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
diff -prNU3 serefpolicy-3.5.1.orig/policy/modules/services/postgresql.te serefpolicy-3.5.1.sepgsql/policy/modules/services/postgresql.te

--- serefpolicy-3.5.1.orig/policy/modules/services/postgresql.te	2008-08-13 16:53:00.000000000 +0900
+++ serefpolicy-3.5.1.sepgsql/policy/modules/services/postgresql.te	2008-08-13 17:03:53.000000000 +0900
@@ -90,14 +90,14 @@ postgresql_system_table_object(sepgsql_s
 type sepgsql_table_t;
 postgresql_table_object(sepgsql_table_t)
 
-type sepgsql_trusted_proc_t;
-postgresql_procedure_object(sepgsql_trusted_proc_t)
+type sepgsql_trusted_proc_exec_t;
+postgresql_procedure_object(sepgsql_trusted_proc_exec_t)
 
 # Trusted Procedure Domain
-type sepgsql_trusted_domain_t;
-domain_type(sepgsql_trusted_domain_t)
-postgresql_unconfined(sepgsql_trusted_domain_t)
-role system_r types sepgsql_trusted_domain_t;
+type sepgsql_trusted_proc_t;
+domain_type(sepgsql_trusted_proc_t)
+postgresql_unconfined(sepgsql_trusted_proc_t)
+role system_r types sepgsql_trusted_proc_t;
 
 ########################################
 #
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list



