Daniel J Walsh wrote:
> KaiGai Kohei wrote:
>> Daniel J Walsh wrote:
>>> KaiGai Kohei wrote:
>>>> Sorry, the previous patch was an incomplete one.
>>>>
>>>> We allow sepgsql_client_type and sepgsql_unconfined_type to invoke
>>>> sepgsql_trusted_proc_t, but it should be sepgsql_trusted_proc_exec_t,
>>>> because sepgsql_trusted_proc_t is a domain.
>>>>
>>>> This matter also exists in the upstream policy now.
>>>> The attached "refpolicy-sepgsql-trusted-proc-fixes.patch" can be applied
>>>> to the upstream reference policy.
>>>>
>>>> Thanks,
>>>>
>>>> KaiGai Kohei wrote:
>>>>> I got the following access denied logs when I try to connect to
>>>>> SE-PostgreSQL (postgresql_t) from a PHP script (httpd_t) via a unix
>>>>> domain socket (/tmp/.s.PGSQL.5432).
>>>>>
>>>>> type=AVC msg=audit(1218613044.484:10388): avc: denied { write }
>>>>> for pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6 ino=1079246
>>>>> scontext=unconfined_u:system_r:httpd_t:s0
>>>>> tcontext=unconfined_u:object_r:postgresql_tmp_t:s0
>>>>> tclass=sock_file
>>>>> type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto }
>>>>> for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432"
>>>>> scontext=unconfined_u:system_r:httpd_t:s0
>>>>> tcontext=unconfined_u:system_r:postgresql_t:s0
>>>>> tclass=unix_stream_socket
>>>>>
>>>>> However, both permissions are allowed via postgresql_stream_connect(),
>>>>> independent of any booleans, if the required types are provided by
>>>>> postgresql.te.
>>>>>
>>>>> postgresql_stream_connect() and postgresql_unpriv_client() are put
>>>>> within the same optional_policy section in apache.te.
>>>>> postgresql_unpriv_client() requires the trusted procedure related types,
>>>>> but postgresql.te declares them under legacy names.
>>>>>
>>>>> old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t
>>>>> old: sepgsql_trusted_proc_t --> new: sepgsql_trusted_proc_exec_t
>>>>>
>>>>> Could you apply the attached patch?
>>>>> It fixes them as upstream does.
>>>>>
>>>>> Thanks,
>>>>>
>>> Fedora 9? Rawhide?
>> Sorry, I missed the version.
>> It is in Rawhide. (selinux-policy-3.5.1-4.fc10)
>>
>> Thanks,
>
> Current Rawhide is pretty much the same as upstream. Here is the only
> patch I have on postgresql as of today's rawhide. The next Fedora 9 update
> should match this policy in the next update also.
>
OK, I confirmed the first matter is fixed in selinux-policy-3.5.4-2 in rawhide.
(Sorry, I saw a bit older version.)

However, the second matter still remains in upstream and rawhide.
Chris, could you apply the attached patch, which fixes the legacy naming matter?

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
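An added example (my own code, not from the thread or from the reference policy project) that parses the two AVC denials quoted above into the allow rules they ask for, and applies the legacy-to-new type renaming listed in the mail as a single-pass token substitution. The single pass matters because sepgsql_trusted_proc_t is both an old name and a new name, so sequential string replacement would rename it twice. The log lines are copied from the message; `RENAMES`, `rename_types` and `denials_to_allow_rules` are names I chose.

```python
import re

# The two AVC denials quoted in the message above, one record per line.
AVC_LOG = """\
type=AVC msg=audit(1218613044.484:10388): avc: denied { write } for pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6 ino=1079246 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:postgresql_tmp_t:s0 tclass=sock_file
type=AVC msg=audit(1218613044.484:10388): avc: denied { connectto } for pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:postgresql_t:s0 tclass=unix_stream_socket
"""

# Pull the denied permission set, both security contexts and the object class
# out of an audit record; the fields in between (pid, comm, name, ...) are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(context):
    """Return the type field (third component) of a user:role:type[:range] context."""
    return context.split(":")[2]


def denials_to_allow_rules(log_text):
    """Turn each AVC denial line into the allow rule that would satisfy it."""
    rules = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record; ignore
        perms = " ".join(m.group("perms").split())
        rules.append("allow %s %s:%s { %s };" % (
            context_type(m.group("scontext")),
            context_type(m.group("tcontext")),
            m.group("tclass"), perms))
    return rules


# Legacy -> current names, exactly as listed in the mail.  Because the old name
# sepgsql_trusted_proc_t is also a new name, the mapping is applied once per
# identifier token; chained str.replace() calls would rename it twice.
RENAMES = {
    "sepgsql_trusted_domain_t": "sepgsql_trusted_proc_t",
    "sepgsql_trusted_proc_t": "sepgsql_trusted_proc_exec_t",
}
TOKEN_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def rename_types(policy_line):
    """Rewrite one policy line using RENAMES, with a single lookup per identifier."""
    return TOKEN_RE.sub(lambda m: RENAMES.get(m.group(0), m.group(0)), policy_line)
```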
Index: refpolicy/policy/modules/services/postgresql.te =================================================================== --- refpolicy/policy/modules/services/postgresql.te (revision 2777) +++ refpolicy/policy/modules/services/postgresql.te (working copy) @@ -288,7 +288,7 @@ allow sepgsql_client_type sepgsql_sysobj_t:db_tuple { use select }; allow sepgsql_client_type sepgsql_proc_t:db_procedure { getattr execute }; -allow sepgsql_client_type sepgsql_trusted_proc_t:db_procedure { getattr execute entrypoint }; +allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { getattr execute entrypoint }; allow sepgsql_client_type sepgsql_blob_t:db_blob { create drop getattr setattr read write }; allow sepgsql_client_type sepgsql_ro_blob_t:db_blob { getattr read }; @@ -329,7 +329,7 @@ # unconfined domain is not allowed to invoke user defined procedure directly. # They have to confirm and relabel it at first. -allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_t }:db_procedure *; +allow sepgsql_unconfined_type { sepgsql_proc_t sepgsql_trusted_proc_exec_t }:db_procedure *; allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto }; allow sepgsql_unconfined_type sepgsql_blob_type:db_blob *;
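Review bot: the first hunk (@@ -288) grants `entrypoint` on `sepgsql_trusted_proc_exec_t` to `sepgsql_client_type`, but the hunk does not show the matching process-transition rules into the `sepgsql_trusted_proc_t` domain keyed on that exec type; please confirm those rules elsewhere in postgresql.te already use the `_exec_t` name, otherwise clients hold entrypoint on a type that nothing transitions through. Since the mail says postgresql_unpriv_client() in apache.te requires these types, the interface's `require` block should be checked for the same rename.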
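Review bot: the second hunk (@@ -329) keeps a `*` permission wildcard on `{ sepgsql_proc_t sepgsql_trusted_proc_exec_t }:db_procedure` directly under a comment saying unconfined domains must confirm and relabel procedures before invoking them; the next unchanged line already grants `sepgsql_procedure_type:db_procedure { create drop getattr setattr relabelfrom relabelto }`, so consider spelling out the invocation permissions (`getattr execute entrypoint`) on the renamed line instead of `*`, which makes the set of directly executable types visible and keeps the comment accurate.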
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list