On Fri, 2009-05-08 at 13:12 +0900, KaiGai Kohei wrote:
> The attached patch allows unprivileged clients to export from or
> import
> to the largeobject owned by themselves.
>
> The current security policy does not allow them to import/export any
> largeobjects without any clear reason.
>
> NOTE: Export of the largeobject means that it dumps whole of the
> largeobject into a local file, so SE-PostgreSQL checks both of
> db_blob:{read export} on the largeobject and file:{write} on the
> local file. Import is a reversal behavior.
Merged.
> KaiGai Kohei wrote:
> >>>>> - rework: All the newly created database objects by unprivileged
> >>>>> clients are prefixed with "user_", and these are controled via
> >>>>> sepgsql_enable_users_ddl.
> >>>> I don't think we should be mixing user content with other unpriv
> >>>> clients.
> >>> I would like to discriminate between a procedure declared by
> unpriv
> >>> client and by administrative client, because the policy allows the
> >>> unprefixed "sepgsql_proc_exec_t" to be installed as a system
> internal
> >>> component, but it is undesirable to install unpriv-user defined
> >>> procedures as is.
> >>>
> >>> If the "user_" prefix is unpreferable, how do you think other
> prefixes
> >>> something like "anon_", "unpriv_" and so on?
> >> I think we should go with unpriv_ for now.
> >
> > OK, the attached patch adds the following types for unprivileged
> clients.
> > - unpriv_sepgsql_table_t
> > - unpriv_sepgsql_sysobj_t
> > - unpriv_sepgsql_proc_exec_t
> > - unpriv_sepgsql_blob_t
> >
> > These types are the default for unprivileged and unprefixed domains,
> > such as httpd_t and others.
> >
> > In addition, TYPE_TRANSITION rules are moved to outside of tunable
> > of the sepgsql_enable_users_ddl. IIRC, it was enclosed within the
> > tunable because UBAC domains (user_t and so on) were allowed to
> > create sepgsql_table_t, and its default was pointed to this type
> > when sepgsql_enable_users_ddl is disabled.
> > However, it has different meanings now, so the TYPE_TRANSITION rules
> > should be unconditional.
> >
>
>
>
>
>
>
> differences
> between files
> attachment
> (refpolicy-sepgsql-3-db_blob-import-export.patch)
>
> --- policy/modules/services/postgresql.if.2 2009-05-08 11:58:46.000000000 +0900
> +++ policy/modules/services/postgresql.if.3 2009-05-08 11:59:28.000000000 +0900
> @@ -63,7 +63,7 @@
> allow $2 user_sepgsql_proc_exec_t:db_procedure { getattr execute };
> type_transition $2 sepgsql_database_type:db_procedure user_sepgsql_proc_exec_t;
>
> - allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
> + allow $2 user_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
> type_transition $2 sepgsql_database_type:db_blob user_sepgsql_blob_t;
>
> allow $2 sepgsql_trusted_proc_t:process transition;
> @@ -361,7 +361,7 @@
> allow $1 unpriv_sepgsql_proc_exec_t:db_procedure { getattr execute };
> type_transition $1 sepgsql_database_type:db_procedure unpriv_sepgsql_proc_exec_t;
>
> - allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write };
> + allow $1 unpriv_sepgsql_blob_t:db_blob { create drop getattr setattr read write import export };
> type_transition $1 sepgsql_database_type:db_blob unpriv_sepgsql_blob_t;
> ')
>
>
--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
