Re: [refpolicy] [PATCH] revise roles/dbadm.te (Re: dbadm.pp is not available in selinux-policy package)

Sorry for this long silence on the topic.

IIRC, we have already agreed most part of the patch, haven't we?

- The dbadm_t domain shall be launched via sudo, not a login shell,
  so userdom_base_user_template() is used to grant basic privileges
  to dbadm_t instead of userdom_unpriv_user_template().
- It allows too many privileges to dbadm_t if we allow him to launch
  setfiles, so we removed seutil_domtrans_setfiles().

Did we have any more issues?

The attached patch is the same as the last version except that it was rebased
to the latest reference policy.

Thanks,

(2010/04/15 15:02), KaiGai Kohei wrote:
> (2010/04/14 0:57), Christopher J. PeBenito wrote:
>> On Tue, 2010-04-13 at 11:15 -0400, Daniel J Walsh wrote:
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> On 04/13/2010 09:17 AM, Christopher J. PeBenito wrote:
>>>> On Tue, 2010-04-13 at 09:28 +0900, KaiGai Kohei wrote:
>>>>> (2010/04/12 23:09), Christopher J. PeBenito wrote:
>>>>>> On Fri, 2010-04-09 at 14:29 +0900, KaiGai Kohei wrote:
>>>>>>> (2010/04/08 21:15), Daniel J Walsh wrote:
>>>>>>>> As Dominick stated, I prefer to think in terms of two different roles:
>>>>>>>> Login Roles, and Roles to execute in when you have privileges (i.e. root).
>>>>>>>>
>>>>>>>> Login Roles/Types
>>>>>>>> staff_t, user_t, unconfined_t, xguest_t, guest_t
>>>>>>>>
>>>>>>>> Three interfaces can be used to create confined login users.
>>>>>>>>
>>>>>>>> userdom_restricted_user_template(guest)
>>>>>>>> userdom_restricted_xwindows_user_template(xguest)
>>>>>>>> userdom_unpriv_user_template(staff)
>>>>>>>>
>>>>>>>>
>>>>>>>> Admin Roles/Types
>>>>>>>> logadm_t, webadm_t, secadm_t, auditadm_t
>>>>>>>>
>>>>>>>> The following interface can be used to create an Admin Role
>>>>>>>> userdom_base_user_template(logadm)
>>>>>>>>
>>>>>>>>
>>>>>>>> sysadm_t is sort of a hybrid, most people use it as an Admin Role.
>>>>>>>>
>>>>>>>>
>>>>>>>> I imagine that you login as a confined user and then use sudo/newrole to
>>>>>>>> switch roles to one of the admin roles.
>>>>>>>
>>>>>>> The attached patch revises roles/dbadm.te (to be applied on the upstream
>>>>>>> reference policy). It uses userdom_base_user_template() instead of
>>>>>>> userdom_unpriv_user_template(), and should be launched via sudo/newrole.
>>>>>>> By default, it intends the dbadm_r role to be launched from the staff_r role.
>>>>>>
>>>>>> Why does dbadm need to run setfiles?
>>>>>
>>>>> The database files (typically /var/lib/(se)?pgsql/*) have to be labeled
>>>>> correctly, so I thought dbadm needs to run setfiles.
>>>>> However, as long as they initialize the database files using the init script,
>>>>> the initrc_t domain performs this initial labeling, so it might not be necessary.
>>>>>
>>>>> On the other hand, PostgreSQL supports a feature to use multiple disks
>>>>> within a single database instance for performance.
>>>>> (Called TABLESPACE; I don't know whether MySQL has such a feature.)
>>>>>
>>>>> http://archives.postgresql.org/pgsql-general/2006-08/msg00142.php
>>>>>
>>>>> It requires administrators to assign the proper security context to the secondary
>>>>> directory, or to mount the secondary disk with the context='...' option.
>>>>>
>>>>> Are there any good ideas?
>>>>>
>>>>> Or should it not be a task for dbadm?
>>>>
>>>> Ok, the transition for setfiles is fine.
>>>>
>>>
>>> I would be careful with this.  Since setfiles can take a parameter of a
>>> file context file, I think it would be better to only give
>>> relabelfrom/relabelto privs for all labels dbadm_t can manage.  Then
>>> figure out what access is required to mount.
>>
>> Good point.  We should probably reconsider the setfiles usage from
>> webadm too.
> 
> The attached patch is a revised one.
> - seutil_domtrans_setfiles() was removed
> - staff_role_change_to() was removed, and I put dbadm_role_change()
>    on the staff.te
> - Fix an obvious typo.
> 
> It is not clear to me whether the idea to allow relabelfrom/relabelto
> for all the files dbadm_t can manage works, because it is eventually
> necessary for someone to relabel (or assign initial labels to) files from
> unlabeled ones to managed labels when we mount a new disk.
> 
> If so, should it be a task of sysadm_t to mount the new disk and assign
> the security context correctly, instead of webadm_t/dbadm_t?
> 
> Thanks,
> 
> 
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy@xxxxxxxxxxxxxx
> http://oss.tresys.com/mailman/listinfo/refpolicy


-- 
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
diff --git a/policy/modules/roles/dbadm.if b/policy/modules/roles/dbadm.if
index 92d23c5..56f2af7 100644
--- a/policy/modules/roles/dbadm.if
+++ b/policy/modules/roles/dbadm.if
@@ -25,7 +25,7 @@ interface(`dbadm_role_change',`
 ## </summary>
 ## <desc>
 ##	<p>
-##	Change from the web administrator role to
+##	Change from the database administrator role to
 ##	the specified role.
 ##	</p>
 ##	<p>
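Review bot: The `<desc>` text is fixed here, but the hunk header shows this block sits right after `dbadm_role_change`, so the `## <summary>` line just above the hunk (not shown) was most likely pasted from webadm.if as well; check that it also says "database" rather than "web", and that the `<param>` description below matches.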
diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
index 2ddeb70..f084bbd 100644
--- a/policy/modules/roles/dbadm.te
+++ b/policy/modules/roles/dbadm.te
@@ -5,28 +5,56 @@ policy_module(dbadm, 1.0.0)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allow dbadm to manage files in users home directories
+## </p>
+## </desc>
+gen_tunable(dbadm_manage_user_files, false)
+
+## <desc>
+## <p>
+## Allow dbadm to read files in users home directories
+## </p>
+## </desc>
+gen_tunable(dbadm_read_user_files, false)
+
 role dbadm_r;
 
-userdom_unpriv_user_template(dbadm)
+userdom_base_user_template(dbadm)
 
 ########################################
 #
 # database admin local policy
 #
 
-optional_policy(`
-	mysql_admin(dbadm_t, dbadm_r)
+allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
+
+files_dontaudit_search_all_dirs(dbadm_t)
+files_manage_generic_locks(dbadm_t)
+files_list_var(dbadm_t)
+
+selinux_get_enforce_mode(dbadm_t)
+
+logging_send_syslog_msg(dbadm_t)
+
+userdom_dontaudit_search_user_home_dirs(dbadm_t)
+
+tunable_policy(`dbadm_manage_user_files',`
+	userdom_manage_user_home_content_files(dbadm_t)
+	userdom_read_user_tmp_files(dbadm_t)
+	userdom_write_user_tmp_files(dbadm_t)
 ')
 
-optional_policy(`
-	postgresql_admin(dbadm_t, dbadm_r)
+tunable_policy(`dbadm_read_user_files',`
+	userdom_read_user_home_content_files(dbadm_t)
+	userdom_read_user_tmp_files(dbadm_t)
 ')
 
-# For starting up daemon processes
 optional_policy(`
-	su_role_template(dbadm, dbadm_r, dbadm_t)
+	mysql_admin(dbadm_t, dbadm_r)
 ')
 
 optional_policy(`
-	sudo_role_template(dbadm, dbadm_r, dbadm_t)
+	postgresql_admin(dbadm_t, dbadm_r)
 ')
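Review bot: The new `allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };` is not justified anywhere in the thread; dac_override and dac_read_search let dbadm_t bypass file ownership and mode checks on everything its MAC rules reach, and sys_ptrace has no obvious role in database administration. Either record in the commit message which operation needs each capability (reading database files owned by the postgres or mysql user would explain dac_read_search, for instance) or drop sys_ptrace and let an audit denial show whether it is required. The same hunk also removes the `su_role_template` and `sudo_role_template` calls together with the "# For starting up daemon processes" comment; that follows from the agreed design that dbadm_t is entered via sudo rather than running it, but the removal should be stated in the commit message so it is not read as an accidental loss.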
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index a589c55..0c9876c 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -23,6 +23,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dbadm_role_change(staff_r)
+')
+
+optional_policy(`
 	postgresql_role(staff_r, staff_t)
 ')
 
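Review bot: Only staff_r is granted the change into dbadm_r here, which matches the "launched from staff_r" design, and wrapping it in `optional_policy` is right since dbadm is an optional module. The thread leaves open whether mounting a new disk and assigning its initial labels belongs to sysadm_t; if sysadm is also expected to switch into dbadm_r for the remaining work, sysadm.te needs the same `dbadm_role_change(sysadm_r)` call, and either way the commit message should say which roles may enter dbadm_r.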
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
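A static check for the design points settled in this thread (no setfiles transition, base rather than unprivileged user template, home-directory access only behind a tunable, no unexplained broad capabilities), as an added example that is neither the patch's nor refpolicy's own code. It parses a subset of .te syntax with regexes; both sample modules are constructed (the "before" text models the revision the thread rejected, the "after" text abbreviates the dbadm.te hunk above), and the interface names and capabilities it flags are the reviewer's own choices.

```python
import re

# Constructed sample modelled on the earlier revision the thread rejected.
BEFORE_TE = """\
role dbadm_r;
userdom_unpriv_user_template(dbadm)
seutil_domtrans_setfiles(dbadm_t)
userdom_manage_user_home_content_files(dbadm_t)
"""

# Constructed sample abbreviated from the dbadm.te hunk in the patch.
AFTER_TE = """\
role dbadm_r;
userdom_base_user_template(dbadm)
allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
tunable_policy(`dbadm_manage_user_files',`
	userdom_manage_user_home_content_files(dbadm_t)
')
optional_policy(`
	postgresql_admin(dbadm_t, dbadm_r)
')
"""

CALL_RE = re.compile(r"^\s*([a-z_]+)\(([^()\n]*)\)\s*$", re.M)  # one-line interface call
CAP_RE = re.compile(r"^\s*allow\s+(\w+)\s+self:capability\s*\{([^}]*)\}", re.M)
TUNABLE_RE = re.compile(r"tunable_policy\(`(\w+)',`(.*?)'\)", re.S)  # m4-quoted block
FORBIDDEN = {"seutil_domtrans_setfiles": "setfiles transition: relabel with any file_contexts file",
             "userdom_unpriv_user_template": "unprivileged login template for a sudo-entered admin role"}
HOME_CALLS = {"userdom_manage_user_home_content_files", "userdom_read_user_home_content_files"}
BROAD_CAPS = {"sys_ptrace", "sys_admin", "sys_module"}  # reviewer's choice of capabilities to flag

def parse_module(text):
    """Return interface calls, self:capability sets per domain and calls gated by tunables."""
    calls = {}
    for name, args in CALL_RE.findall(text):
        calls.setdefault(name, []).append(tuple(a.strip() for a in args.split(",")))
    caps = {dom: set(body.split()) for dom, body in CAP_RE.findall(text)}
    gated = {c for _, body in TUNABLE_RE.findall(text) for c, _ in CALL_RE.findall(body)}
    return {"calls": calls, "caps": caps, "gated": gated}

def review(text, domain="dbadm_t"):
    """Findings for one sudo-entered admin domain; an empty list means every check passed."""
    mod = parse_module(text)
    findings = [msg for call, msg in FORBIDDEN.items() if call in mod["calls"]]
    if "userdom_base_user_template" not in mod["calls"]:
        findings.append("no userdom_base_user_template call for the admin domain")
    for call in sorted(HOME_CALLS & (set(mod["calls"]) - mod["gated"])):
        findings.append(f"{call} is unconditional; gate it behind a tunable")
    for cap in sorted(mod["caps"].get(domain, set()) & BROAD_CAPS):
        findings.append(f"broad capability {cap} granted to {domain}; justify or drop")
    return findings
```

Run `review()` over a module's text; the patched sample only reports the sys_ptrace capability, while the rejected revision trips every other check.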
