On Fri, 2008-03-21 at 13:32 +0900, KaiGai Kohei wrote:
> Chris, Thanks for your reviewing.
>
> Rest of comments are below.
>
> Christopher J. PeBenito wrote:
> > On Mon, 2008-03-17 at 18:31 +0900, Kohei KaiGai wrote:
> >> The attached patch provides revised SE-PostgreSQL policy.
> >> +template(`postgresql_userdom_template',`
> - snip -
> >> + ##############################
> >> + #
> >> + # Client local policy
> >> + #
> >> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_table sepgsql_$1_table_t;
> >> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_procedure sepgsql_$1_proc_t;
> >> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_blob sepgsql_$1_blob_t;
> >> + type_transition { $1_t - sepgsql_unconfined_type } sepgsql_sysobj_t : db_tuple sepgsql_$1_sysobj_t;

I missed this previously, but I just realized that to be consistent with the rest of the policy the prefix should actually be a prefix, not an infix, i.e. the types should be like $1_sepgsql_table_t, not sepgsql_$1_table_t.

> > This should probably transition even if it's unconfined. If a user
> > starts out unconfined and then the admin later decides the user should
> > be confined, the user will lose access to its object, right?
>
> No. In this case, a new confined user can access its object if it was
> not explicitly relabeled.
> The default type of db_table class created by unconfined users is sepgsql_table_t.
> Any confined users can also access them with restricted permissions.

I finally realized what the problem with the type_transitions is. You have many of them to set up the default type for tables, procedures, blobs, etc. Shouldn't the default labels just be settings in a config file? Then all of the complex type transitioning behavior isn't needed.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
This message was distributed to subscribers of the selinux mailing list.
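To make the behaviour the two of them are discussing concrete, here is an added Python model (not code from the patch or from either poster) of how the quoted type_transition rules resolve the default type of a new database object once `$1` is expanded. The attribute memberships in ATTRIBUTES and the type names `unconfined_t` and `sepgsql_db_t` are assumptions for the example, and the `{ A - B }` source set is modelled as set difference, which is why an unconfined user never matches and falls back to sepgsql_table_t as KaiGai describes.

```python
import re

# Constructed attribute membership (assumption, not from the thread): which
# types the policy groups under the two attributes the rules reference.
ATTRIBUTES = {
    "sepgsql_unconfined_type": {"unconfined_t"},
    "sepgsql_database_type": {"sepgsql_db_t"},
}

# The four type_transition rules quoted from the template in the thread.
TEMPLATE = """
type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_table sepgsql_$1_table_t;
type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_procedure sepgsql_$1_proc_t;
type_transition { $1_t - sepgsql_unconfined_type } sepgsql_database_type : db_blob sepgsql_$1_blob_t;
type_transition { $1_t - sepgsql_unconfined_type } sepgsql_sysobj_t : db_tuple sepgsql_$1_sysobj_t;
"""

RULE_RE = re.compile(
    r"type_transition\s+\{\s*(\w+)\s+-\s+(\w+)\s*\}\s+(\w+)\s*:\s*(\w+)\s+(\w+)\s*;"
)

def expand_template(text, role):
    """Substitute the refpolicy template argument $1 with the role prefix."""
    return text.replace("$1", role)

def parse_rules(text):
    """Return (source, excluded, target, class, new_type) tuples."""
    return [m.groups() for m in RULE_RE.finditer(text)]

def members(name):
    """Resolve an attribute to its member types; a plain type is itself."""
    return ATTRIBUTES.get(name, {name})

def default_type(rules, source, target, cls, fallback):
    """Type a new object of `cls` gets when `source` creates it in `target`.
    `{ A - B }` is modelled as set difference; when no rule matches the
    object keeps `fallback`, the parent's default type."""
    for src, excluded, tgt, rule_cls, new_type in rules:
        if cls != rule_cls or target not in members(tgt):
            continue
        if source in members(src) - members(excluded):
            return new_type
    return fallback

def table_type_for(role, source):
    """Default db_table type for one expanded role creating a table."""
    rules = parse_rules(expand_template(TEMPLATE, role))
    return default_type(rules, source, "sepgsql_db_t", "db_table", "sepgsql_table_t")
```

A confined `user_t` gets sepgsql_user_table_t from the rule, while `unconfined_t` is subtracted from the source set and keeps the parent default sepgsql_table_t, so relabeling is the only way a later-confined user's existing tables change type.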