* [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t
@ 2013-11-17 13:32 Luis Ressel
  2013-11-17 13:34 ` Luis Ressel
  0 siblings, 1 reply; 7+ messages in thread
From: Luis Ressel @ 2013-11-17 13:32 UTC (permalink / raw)
  To: refpolicy

Currently, all postgresql commands in are labeled as postgresql_exec_t.
This means they can only be executed by db admins. However, the "normal"
commands, such as createdb or psql, should also be executable by users.
(The users in question still need to be granted postgresql_role(), so
this is no security problem.)

I only changed this behavior in the gentoo-specific part of the policy,
however other distros might want to have a look at this.
---
 policy/modules/services/postgresql.fc | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index a26f84f..bf28911 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -46,3 +46,21 @@ ifdef(`distro_redhat', `
 /var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
 
 /var/run/postmaster.*			gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+/etc/init\.d/postgresql-.*	--	gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
+
+/etc/postgresql-.*(/.*)?		gen_context(system_u:object_r:postgresql_etc_t,s0)
+
+/usr/lib/postgresql-.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/postgresql-.*/bin/pg_archivecleanup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_basebackup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_controldata	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_ctl		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_resetxlog		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_standby		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_upgrade		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_xlogdump		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/postmaster		-l	gen_context(system_u:object_r:postgresql_exec_t,s0)
+')
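Review bot: The `postgresql-.*` wildcard used in every added path (for example `/usr/lib/postgresql-.*/bin/pg_ctl` and `/etc/postgresql-.*(/.*)?`) is not confined to a single path component, because `.*` also matches `/`. A constructed path such as `/usr/lib/postgresql-9.3/share/bin/pg_ctl` would therefore pick up postgresql_exec_t, and the trailing `(/.*)?` on the /etc entry is redundant. Suggest `postgresql-[^/]*` so that each rule covers only the versioned directory it is meant for.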
-- 
1.8.4.3


* [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t
  2013-11-17 13:32 [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t Luis Ressel
@ 2013-11-17 13:34 ` Luis Ressel
  0 siblings, 0 replies; 7+ messages in thread
From: Luis Ressel @ 2013-11-17 13:34 UTC (permalink / raw)
  To: refpolicy

Sorry for the resends...

* [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t
  2013-11-18 20:07     ` Daniel J Walsh
@ 2013-11-18 20:15       ` Luis Ressel
  0 siblings, 0 replies; 7+ messages in thread
From: Luis Ressel @ 2013-11-18 20:15 UTC (permalink / raw)
  To: refpolicy

On Mon, 18 Nov 2013 15:07:37 -0500
Daniel J Walsh <dwalsh@redhat.com> wrote:

> I believe by default they should be bin_t unless they match some other
> regex.

I thought it would be lib_t. But you're right, there's
"/usr/lib(.*/)?bin(/.*)?" --> bin_t, so my rule can indeed be dropped.

* [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t
  2013-11-18 16:46   ` Luis Ressel
@ 2013-11-18 20:07     ` Daniel J Walsh
  2013-11-18 20:15       ` Luis Ressel
  0 siblings, 1 reply; 7+ messages in thread
From: Daniel J Walsh @ 2013-11-18 20:07 UTC (permalink / raw)
  To: refpolicy

On 11/18/2013 11:46 AM, Luis Ressel wrote:
> On Mon, 18 Nov 2013 09:09:49 -0500 Daniel J Walsh <dwalsh@redhat.com>
> wrote:
> 
>> I hate adding ifdef code to fc files, it is usually just clutter.  If I
>> have an init script named /etc/init\.d/postgresql-.*	 I would figure all
>> distributions would want this labeled this way.
>> 
>> If this labeling makes sense for other distributions, then we should 
>> remove the ifdef.
>> 
>> Also bin_t should never be listed in an fc file other than 
>> corecommands.fc
> 
> Sorry, the ifdefs were there in the original gentoo patch, but it makes 
> sense to me to drop them. But how else should I label these files, if not
> bin_t? Yet another separate type like "postgresql_user_exec_t"?
> 
> 
> Regards, Luis Ressel
> 
I believe by default they should be bin_t unless they match some other regex.

* [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t
  2013-11-18 14:09 ` Daniel J Walsh
@ 2013-11-18 16:46   ` Luis Ressel
  2013-11-18 20:07     ` Daniel J Walsh
  0 siblings, 1 reply; 7+ messages in thread
From: Luis Ressel @ 2013-11-18 16:46 UTC (permalink / raw)
  To: refpolicy

On Mon, 18 Nov 2013 09:09:49 -0500
Daniel J Walsh <dwalsh@redhat.com> wrote:

> I hate adding ifdef code to fc files, it is usually just clutter.  If
> I have an init script named /etc/init\.d/postgresql-.*	 I
> would figure all distributions would want this labeled this way.
> 
> If this labeling makes sense for other distributions, then we should
> remove the ifdef.
> 
> Also bin_t should never be listed in an fc file other than
> corecommands.fc

Sorry, the ifdefs were there in the original gentoo patch, but it makes
sense to me to drop them. But how else should I label these files, if
not bin_t? Yet another separate type like "postgresql_user_exec_t"?


Regards,
Luis Ressel


* [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t
  2013-11-17 12:52 Luis Ressel
@ 2013-11-18 14:09 ` Daniel J Walsh
  2013-11-18 16:46   ` Luis Ressel
  0 siblings, 1 reply; 7+ messages in thread
From: Daniel J Walsh @ 2013-11-18 14:09 UTC (permalink / raw)
  To: refpolicy

On 11/17/2013 07:52 AM, Luis Ressel wrote:
> Currently, all postgresql commands in are labeled as postgresql_exec_t. 
> This means they can only be executed by db admins. However, the "normal" 
> commands, such as createdb or psql, should also be executable by users. 
> (The users in question still need to be granted postgresql_role(), so this
> is no security problem.)
> 
> I only changed this behavior in the gentoo-specific part of the policy, 
> however other distros might want to have a look at this. --- 
> policy/modules/services/postgresql.fc | 18 ++++++++++++++++++ 1 file
> changed, 18 insertions(+)
> 
> diff --git a/policy/modules/services/postgresql.fc
> b/policy/modules/services/postgresql.fc index a26f84f..bf28911 100644 ---
> a/policy/modules/services/postgresql.fc +++
> b/policy/modules/services/postgresql.fc @@ -46,3 +46,21 @@
> ifdef(`distro_redhat', ` /var/run/postgresql(/.*)?
> gen_context(system_u:object_r:postgresql_var_run_t,s0)
> 
> /var/run/postmaster.*
> gen_context(system_u:object_r:postgresql_var_run_t,s0) + 
> +ifdef(`distro_gentoo',` +/etc/init\.d/postgresql-.*	--
> gen_context(system_u:object_r:postgresql_initrc_exec_t,s0) + 
> +/etc/postgresql-.*(/.*)?
> gen_context(system_u:object_r:postgresql_etc_t,s0) + 
> +/usr/lib/postgresql-.*/bin(/.*)?
> gen_context(system_u:object_r:bin_t,s0) 
> +/usr/lib/postgresql-.*/bin/pg_archivecleanup	--
> gen_context(system_u:object_r:postgresql_exec_t,s0) 
> +/usr/lib/postgresql-.*/bin/pg_basebackup	--
> gen_context(system_u:object_r:postgresql_exec_t,s0) 
> +/usr/lib/postgresql-.*/bin/pg_controldata	--
> gen_context(system_u:object_r:postgresql_exec_t,s0) 
> +/usr/lib/postgresql-.*/bin/pg_ctl		--
> gen_context(system_u:object_r:postgresql_exec_t,s0) 
> +/usr/lib/postgresql-.*/bin/pg_resetxlog		--
> gen_context(system_u:object_r:postgresql_exec_t,s0) 
> +/usr/lib/postgresql-.*/bin/pg_standby		--
> gen_context(system_u:object_r:postgresql_exec_t,s0) 
> +/usr/lib/postgresql-.*/bin/pg_upgrade		--
> gen_context(system_u:object_r:postgresql_exec_t,s0) 
> +/usr/lib/postgresql-.*/bin/pg_xlogdump		--
> gen_context(system_u:object_r:postgresql_exec_t,s0) 
> +/usr/lib/postgresql-.*/bin/postgres		--
> gen_context(system_u:object_r:postgresql_exec_t,s0) 
> +/usr/lib/postgresql-.*/bin/postmaster		-l
> gen_context(system_u:object_r:postgresql_exec_t,s0) +')
> 
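Review bot: The postmaster entry at the end of the hunk uses the `-l` file type while every other administrative command uses `--`, so it only matches a symbolic link. Where postmaster is installed as a regular file it would fall through to the bin_t catch-all; suggest adding a `--` entry as well, or a comment stating that postmaster is always a symlink on the targeted distribution.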
I hate adding ifdef code to fc files, it is usually just clutter.  If I have
an init script named /etc/init\.d/postgresql-.*	 I would figure all
distributions would want this labeled this way.

If this labeling makes sense for other distributions, then we should remove
the ifdef.

Also bin_t should never be listed in an fc file other than corecommands.fc

* [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t
@ 2013-11-17 12:52 Luis Ressel
  2013-11-18 14:09 ` Daniel J Walsh
  0 siblings, 1 reply; 7+ messages in thread
From: Luis Ressel @ 2013-11-17 12:52 UTC (permalink / raw)
  To: refpolicy

Currently, all postgresql commands in are labeled as postgresql_exec_t.
This means they can only be executed by db admins. However, the "normal"
commands, such as createdb or psql, should also be executable by users.
(The users in question still need to be granted postgresql_role(), so
this is no security problem.)

I only changed this behavior in the gentoo-specific part of the policy,
however other distros might want to have a look at this.
---
 policy/modules/services/postgresql.fc | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index a26f84f..bf28911 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -46,3 +46,21 @@ ifdef(`distro_redhat', `
 /var/run/postgresql(/.*)?		gen_context(system_u:object_r:postgresql_var_run_t,s0)
 
 /var/run/postmaster.*			gen_context(system_u:object_r:postgresql_var_run_t,s0)
+
+ifdef(`distro_gentoo',`
+/etc/init\.d/postgresql-.*	--	gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
+
+/etc/postgresql-.*(/.*)?		gen_context(system_u:object_r:postgresql_etc_t,s0)
+
+/usr/lib/postgresql-.*/bin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/postgresql-.*/bin/pg_archivecleanup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_basebackup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_controldata	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_ctl		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_resetxlog		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_standby		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_upgrade		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/pg_xlogdump		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql-.*/bin/postmaster		-l	gen_context(system_u:object_r:postgresql_exec_t,s0)
+')
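Review bot: The bin_t catch-all `/usr/lib/postgresql-.*/bin(/.*)?` combined with the by-name list of administrative tools fails open: any administrative binary that is not in the list, including one added by a later PostgreSQL release, is labeled bin_t rather than postgresql_exec_t. The catch-all also has no file-type field, so it applies to the bin directory itself as well as its contents. Suggest a comment above the list saying it must be kept in sync with the installed tools, or labeling the directory contents postgresql_exec_t by default and listing the user-facing commands such as createdb and psql instead.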
-- 
1.8.4.3
