Sorry, the previous patch was incomplete. We allow sepgsql_client_type and sepgsql_unconfined_type to invoke sepgsql_trusted_proc_t, but it should be sepgsql_trusted_proc_exec_t, because sepgsql_trusted_proc_t is a domain. This issue also exists in the upstream policy now. The attached "refpolicy-sepgsql-trusted-proc-fixes.patch" can be applied to the upstream reference policy. Thanks, KaiGai Kohei wrote: > I got the following access denied logs, when I try to connect to > SE-PostgreSQL (postgresql_t) from a PHP script (httpd_t) via a unix > domain socket (/tmp/.s.PGSQL.5432). > > type=AVC msg=audit(1218613044.484:10388): avc: denied { write } > for pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6 ino=1079246 > scontext=unconfined_u:system_r:httpd_t:s0 > tcontext=unconfined_u:object_r:postgresql_tmp_t:s0 > tclass=sock_file > type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto } > for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432" > scontext=unconfined_u:system_r:httpd_t:s0 > tcontext=unconfined_u:system_r:postgresql_t:s0 > tclass=unix_stream_socket > > However, both permissions are allowed via postgresql_stream_connect() > independent of any booleans, if the required types are provided by > postgresql.te. > > postgresql_stream_connect() and postgresql_unpriv_client() are put > within the same optional_policy section in apache.te. > postgresql_unpriv_client() requires trusted-procedure related types, > but postgresql.te declares them under legacy names. > > old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t > old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t > > Could you apply the attached patch? > It fixes them the way upstream does. > > Thanks, > > > ------------------------------------------------------------------------ > > -- > fedora-selinux-list mailing list > fedora-selinux-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/fedora-selinux-list -- OSS Platform Development Division, NEC KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
diff -rpNU3 serefpolicy-3.5.1.orig/policy/modules/services/postgresql.te serefpolicy-3.5.1.sepgsql/policy/modules/services/postgresql.te
--- serefpolicy-3.5.1.orig/policy/modules/services/postgresql.te 2008-08-13 16:53:00.000000000 +0900
+++ serefpolicy-3.5.1.sepgsql/policy/modules/services/postgresql.te 2008-08-13 17:28:03.000000000 +0900
@@ -90,14 +90,14 @@ postgresql_system_table_object(sepgsql_s
 type sepgsql_table_t;
 postgresql_table_object(sepgsql_table_t)
-type sepgsql_trusted_proc_t;
-postgresql_procedure_object(sepgsql_trusted_proc_t)
+type sepgsql_trusted_proc_exec_t;
+postgresql_procedure_object(sepgsql_trusted_proc_exec_t)
 # Trusted Procedure Domain
-type sepgsql_trusted_domain_t;
-domain_type(sepgsql_trusted_domain_t)
-postgresql_unconfined(sepgsql_trusted_domain_t)
-role system_r types sepgsql_trusted_domain_t;
+type sepgsql_trusted_proc_t;
+domain_type(sepgsql_trusted_proc_t)
+postgresql_unconfined(sepgsql_trusted_proc_t)
+role system_r types sepgsql_trusted_proc_t;
 ########################################
 #
@@ -292,7 +292,7 @@ allow sepgsql_client_type sepgsql_sysobj
 allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
 allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute };
-allow sepgsql_client_type sepgsql_trusted_proc_t:db_procedure { getattr execute entrypoint };
+allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint };
 allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
 allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
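Review bot: The hunk at -90 re-uses the name `sepgsql_trusted_proc_t` for the new domain after it was the db_procedure object type, instead of retiring it, so an object that is already labeled `sepgsql_trusted_proc_t` under the old policy would carry a domain type rather than a procedure type once this module loads (assuming SE-PostgreSQL persists labels on existing objects — worth confirming). Such a procedure would no longer match the `sepgsql_trusted_proc_exec_t` rule at -292 and would lose `execute entrypoint` silently rather than with a load-time error. A comment next to the declaration would make the migration explicit, e.g. `# sepgsql_trusted_proc_exec_t labels the procedure object; sepgsql_trusted_proc_t is the domain entered through it. Objects labeled sepgsql_trusted_proc_t under the old policy must be relabeled to sepgsql_trusted_proc_exec_t.`. Whatever rule performs the domain entry into `sepgsql_trusted_proc_t` lies outside this hunk and should be checked to reference the `_exec_t` type as well.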
@@ -333,7 +333,7 @@ allow sepgsql_unconfined_type sepgsql_ta
 # unconfined domain is not allowed to invoke user defined procedure directly.
 # They have to confirm and relabel it at first.
-allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_t }:db_procedure *;
+allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_exec_t }:db_procedure *;
 allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto };
 allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
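Review bot: The comment kept above the changed rule reads as if it governs the rule directly beneath it, yet that rule grants `sepgsql_unconfined_type` every db_procedure permission (`*`) on `sepgsql_proc_t` and `sepgsql_trusted_proc_exec_t`; it is only the next line, covering all of `sepgsql_procedure_type`, that omits `execute`. The hunk leaves the comment untouched, so the apparent contradiction survives the rename. Rewording it to something like `# unconfined domains get full access only to sepgsql_proc_t and the trusted-procedure entry type; other user-defined procedure types must be confirmed and relabeled to one of those before they can be invoked` would say which types the restriction actually applies to. The run of unconfined-domain rules this belongs to starts before this hunk.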
Index: refpolicy/policy/modules/services/postgresql.te
===================================================================
--- refpolicy/policy/modules/services/postgresql.te (revision 2777)
+++ refpolicy/policy/modules/services/postgresql.te (working copy)
@@ -288,7 +288,7 @@
 allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select };
 allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute };
-allow sepgsql_client_type sepgsql_trusted_proc_t:db_procedure { getattr execute entrypoint };
+allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint };
 allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write };
 allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read };
@@ -329,7 +329,7 @@
 # unconfined domain is not allowed to invoke user defined procedure directly.
 # They have to confirm and relabel it at first.
-allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_t }:db_procedure *;
+allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_exec_t }:db_procedure *;
 allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto };
 allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
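Review bot: The upstream patch corrects only the two allow rules in postgresql.te, while the quoted mail above says postgresql_unpriv_client() in the interface file also requires the trusted-procedure types; if that interface still names `sepgsql_trusted_proc_t` in its `gen_require` or in a db_procedure rule, the same domain-versus-object mismatch persists for callers such as apache.te. I cannot see postgresql.if here, so this is a check rather than a confirmed defect, but the patch description should state whether the interface was audited. The declarations of `sepgsql_trusted_proc_exec_t` and of the domain are outside both hunks and are assumed to already exist upstream.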