KaiGai Kohei wrote:
> Christopher J. PeBenito wrote:
<snip>
>
> In addition, I found an unclear point which came from my original policy. :(
>
> allow sepgsql_unconfined_type postgresql_t:db_blob { import export };
>
> A blob import interface enables to read a file on a server host by the server
> process (postgresql_t), and import to database as several frames of largeobject.
> A export interface works for inversed direction.
>
> In the previous discussion, the meaning of these permission is to indicate
> server process to start importing or exporting.
> However, I'm now considering the following rules are more sensefull:
>
> 1. SE-PostgreSQL checks whether the client has db_blob:{import} for
> the target large object.
> 2. SE-PostgreSQL checks whether the client has file:{read} for
> the target file.
> 3. SELinux (kernel) checks whether postgresql_t has file:{read} for the
> target file, because it uses read(2) system call.
>
> Could you tell me your opinion?
Chris asked me to look at this for him. The access checks above seem completely reasonable to me, much better than the previous check.
I wonder though, how you'll do an export check between the client and file type, since a compute_create between the client and the target directory may be different than between postgresql_t and the directory? Which context would you attempt to use?
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
