(2010/08/18 3:00), Chris PeBenito wrote:
> On 08/16/10 19:37, KaiGai Kohei wrote:
>> (2010/08/17 4:42), Christopher J. PeBenito wrote:
>>> On 08/16/10 05:11, KaiGai Kohei wrote:
>>>> Sorry for this long silent on the topic.
>>>>
>>>> IIRC, we have already agreed most part of the patch, haven't we?
>>>>
>>>> - The dbadm_t domain shall be launched via sudo, not a login shell,
>>>> so, userdom_base_user_template() is used to grant basic privileges
>>>> to dbadm_t instead of userdom_unpriv_user_template().
>>>> - It allows too much privileges to dbadm_t, if we allows him to launch
>>>> setfiles, so we removed seutil_domtrans_setfiles().
>>>>
>>>> Did we have any more issues?
>>>>
>>>> The attached patch is same as the last version except for it was
>>>> rebased
>>>> to the latest reference policy.
>>>
>>> I only have two issues:
>>>
>>> 1. Why should dbadm be allowed to set enforce mode?
>>
>> It uses selinux_get_enforce_mode(), not selinux_set_enforce_mode().
>> We just allow dbadm_t to see the current working mode.
>
> My mistake, I misread it. You're right, its fine.
>
>>> 2. Why does dbadm need to manage generic locks?
>>
>> It was originally copied from webadb.te, but PostgreSQL also makes
>> its lockfile on the /var/lock/subsys/postgresql. If server process
>> unexpectedly crashed, dbadm_t need to remove it by hand, doesn't it?
>
> Based on what I see in the policy, my guess is this file is created by
> the init script, right? If not, then it sounds like PostgreSQL needs a
> lock type.
>
Yes, this file is created by the init script.
In addition, postgresql_lock_t is defined, but type_transition rule is
defined on a pair of postgresql_t and var_lock_t, so the lockfile shall
be labeled as var_lock_t.
[root@saba ~]# ls -Z /var/lock/subsys/postgresql
-rw-r--r--. root root dbadm_u:object_r:var_lock_t:s0 /var/lock/subsys/postgresql
Maybe, init script should relabel it to postgresql_lock_t, ideally?
> I'd rather it just have delete permissions, rather than full manage
> permissions. Something like files_delete_all_locks(), but for var_lock_t
> instead.
>
I tried to define files_delete_generic_locks(), instead of the manage.
Thanks,
--
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
policy/modules/kernel/files.if | 19 +++++++++++++++++
policy/modules/roles/dbadm.if | 2 +-
policy/modules/roles/dbadm.te | 44 ++++++++++++++++++++++++++++++++-------
policy/modules/roles/staff.te | 4 +++
4 files changed, 60 insertions(+), 9 deletions(-)
diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index 8d3dfad..ad487e0 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -5149,6 +5149,25 @@ interface(`files_manage_generic_locks',`
########################################
## <summary>
+## Delete generic lock files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`files_delete_generic_locks',`
+ gen_require(`
+ type var_t, var_lock_t;
+ ')
+
+ allow $1 var_t:dir search_dir_perms;
+ delete_files_pattern($1, var_lock_t, var_lock_t)
+')
+
+########################################
+## <summary>
## Delete all lock files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/roles/dbadm.if b/policy/modules/roles/dbadm.if
index 92d23c5..56f2af7 100644
--- a/policy/modules/roles/dbadm.if
+++ b/policy/modules/roles/dbadm.if
@@ -25,7 +25,7 @@ interface(`dbadm_role_change',`
## </summary>
## <desc>
## <p>
-## Change from the web administrator role to
+## Change from the database administrator role to
## the specified role.
## </p>
## <p>
diff --git a/policy/modules/roles/dbadm.te b/policy/modules/roles/dbadm.te
index 2ddeb70..1875064 100644
--- a/policy/modules/roles/dbadm.te
+++ b/policy/modules/roles/dbadm.te
@@ -5,28 +5,56 @@ policy_module(dbadm, 1.0.0)
# Declarations
#
+## <desc>
+## <p>
+## Allow dbadm to manage files in users home directories
+## </p>
+## </desc>
+gen_tunable(dbadm_manage_user_files, false)
+
+## <desc>
+## <p>
+## Allow dbadm to read files in users home directories
+## </p>
+## </desc>
+gen_tunable(dbadm_read_user_files, false)
+
role dbadm_r;
-userdom_unpriv_user_template(dbadm)
+userdom_base_user_template(dbadm)
########################################
#
# database admin local policy
#
-optional_policy(`
- mysql_admin(dbadm_t, dbadm_r)
+allow dbadm_t self:capability { dac_override dac_read_search sys_ptrace };
+
+files_dontaudit_search_all_dirs(dbadm_t)
+files_delete_generic_locks(dbadm_t)
+files_list_var(dbadm_t)
+
+selinux_get_enforce_mode(dbadm_t)
+
+logging_send_syslog_msg(dbadm_t)
+
+userdom_dontaudit_search_user_home_dirs(dbadm_t)
+
+tunable_policy(`dbadm_manage_user_files',`
+ userdom_manage_user_home_content_files(dbadm_t)
+ userdom_read_user_tmp_files(dbadm_t)
+ userdom_write_user_tmp_files(dbadm_t)
')
-optional_policy(`
- postgresql_admin(dbadm_t, dbadm_r)
+tunable_policy(`dbadm_read_user_files',`
+ userdom_read_user_home_content_files(dbadm_t)
+ userdom_read_user_tmp_files(dbadm_t)
')
-# For starting up daemon processes
optional_policy(`
- su_role_template(dbadm, dbadm_r, dbadm_t)
+ mysql_admin(dbadm_t, dbadm_r)
')
optional_policy(`
- sudo_role_template(dbadm, dbadm_r, dbadm_t)
+ postgresql_admin(dbadm_t, dbadm_r)
')
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index a589c55..0c9876c 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -23,6 +23,10 @@ optional_policy(`
')
optional_policy(`
+ dbadm_role_change(staff_r)
+')
+
+optional_policy(`
postgresql_role(staff_r, staff_t)
')
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
