[Bug 249522] Review Request: sepostgresql - Security-Enhanced PostgreSQL

bugzilla at redhat.com bugzilla at redhat.com
Fri Aug 10 06:44:38 UTC 2007


Summary: Review Request:  sepostgresql - Security-Enhanced PostgreSQL


https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249522





------- Additional Comments From kaigai at kaigai.gr.jp  2007-08-10 02:44 EST -------
Created an attachment (id=161040)
 --> (https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=161040&action=view)
init script of sepostgresql-8.2.4-0.418.beta.fc8

Here is the new version of SE-PostgreSQL
SpecURL: http://sepgsql.googlecode.com/files/sepostgresql.spec
SrpmURL:
http://sepgsql.googlecode.com/files/sepostgresql-8.2.4-0.418.beta.fc8.src.rpm

(In reply to comment #24)
> Well, actually unless bug 250494 is resolved, it seems that
> I cannot go further on this review request??

Yes, it depends on selinux-package with object class definitions for
SE-PostgreSQL, so it has to be resolved.
Fortunately, these new object classes were merged into the upstream reference
policy yesterday.
I think it will be integrated within the selinux-policy package soon.
  http://marc.info/?l=selinux&m=118666527208126&w=2

The new version of SE-PostgreSQL contains some modifications of the init
script.
> However for initscripts:
> * lock file and pid file
>   - Usually when daemon is running, there should be two files
>     - /var/run/<daemon name>.pid - contains the info of the pid number
>     - /var/lock/subsys/<daemon name>
I added code to create the lock file and pid file on startup, and to remove
them on shutdown. rpmlint became silent.

I use "/var/lock/subsys/${NAME}.lock" as the pathname of the lock file.
It is the same manner as postgresql's, but rpmlint produced warnings.
Should it be replaced by an immediate value?

> * status
>   - and what does "service sepostgresql status" return?
>     Usually the format is:
> ----------------------------------------------------
> [root@localhost ~]# LANG=C service xfs status
> xfs (pid 2343) is running...
> ----------------------------------------------------

It displays the following message.
------------------------------------------
[root@masu ~]# service sepostgresql status
sepostgresql: server is running (PID: 11726)
[root@masu ~]# service sepostgresql stop
Stopping sepostgresql service:				   [  OK  ]
[root@masu ~]# service sepostgresql status
sepostgresql: no server running
[root@masu ~]# echo $?
3
[root@masu ~]#
------------------------------------------

In addition, I updated the path of the commands run by /sbin/runuser as
follows:
| cd ${SEPGSQL_BIN}
| /sbin/runuser sepgsql -- -c "./pg_ctl -D ${SEPGSQL_DATA} status"

When /sbin/runuser is run with a CWD that sepgsql cannot access, typically
/root, a noisy warning message will be generated.
"cd ${SEPGSQL_BIN}" ensures that sepgsql is placed in a CWD it can access.
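
An init-script status check along the lines discussed in this message, added here as an example and not taken from the sepostgresql init script: it derives the LSB status code (3 is the "not running" code shown in the session above) from a pid file and a lock file. The function name, its arguments and the message strings are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not the sepostgresql init script.
# svc_status NAME PIDFILE LOCKFILE
# Returns the LSB init-script status code:
#   0 = running, 1 = dead but pid file exists,
#   2 = dead but lock file exists, 3 = not running
svc_status() {
    name=$1; pidfile=$2; lockfile=$3
    if [ -f "$pidfile" ]; then
        pid=
        # Take the first line only. The pid file is input to a root-run
        # script, so accept nothing but a plain positive decimal number:
        # "0" or "-1" would make kill address a whole process group or
        # every process instead of one daemon.
        IFS= read -r pid < "$pidfile" || true
        case $pid in
            ''|0*|*[!0-9]*) pid= ;;
        esac
        # kill -0 delivers no signal; it only tests that the pid exists
        # and that the caller may signal it.
        if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
            echo "$name (pid $pid) is running..."
            return 0
        fi
        echo "$name dead but pid file exists"
        return 1
    fi
    if [ -f "$lockfile" ]; then
        echo "$name dead but subsys locked"
        return 2
    fi
    echo "$name is stopped"
    return 3
}

# Demo on constructed files in a temporary directory (hypothetical names).
demo=$(mktemp -d)
echo "$$" > "$demo/demo.pid"          # this shell's own pid: a live process
svc_status demo "$demo/demo.pid" "$demo/demo.lock" || echo "status code: $?"
rm -f "$demo/demo.pid"
svc_status demo "$demo/demo.pid" "$demo/demo.lock" || echo "status code: $?"
rm -rf "$demo"
```
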
