[BUG] legacy typenames of se-postgresql still remain

KaiGai Kohei kaigai at ak.jp.nec.com
Fri Aug 15 01:47:24 UTC 2008 

Daniel J Walsh wrote:
> KaiGai Kohei wrote:
>> Daniel J Walsh wrote:
>>> KaiGai Kohei wrote:
>>>> Sorry, the previous patch was imcomplete one.
>>>>
>>>> We allows sepgsql_client_type and sepgsql_unconfined_type to invoke
>>>> sepgsql_trusted_proc_t, but it should be sepgsql_trusted_proc_exec_t,
>>>> because sepgsql_trusted_proc_t is a domain.
>>>>
>>>> This matter also exists at upstreamed policy now.
>>>> The attached "refpolicy-sepgsql-trusted-proc-fixes.patch" can be applied
>>>> to upstreamed reference policy.
>>>>
>>>> Thanks,
>>>>
>>>> KaiGai Kohei wrote:
>>>>> I got the following access denied logs, when I tries to connect
>>>>> SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix
>>>>> domain socket (/tmp/.s.PGSQL.5432).
>>>>>
>>>>> type=AVC msg=audit(1218613044.484:10388): avc:  denied  { write }
>>>>>     for  pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6 ino=1079246
>>>>>     scontext=unconfined_u:system_r:httpd_t:s0
>>>>>     tcontext=unconfined_u:object_r:postgresql_tmp_t:s0
>>>>>     tclass=sock_file
>>>>> type=AVC msg=audit(1218613044.484:10388): avc:  denied  { connectto }
>>>>>     for  pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432"
>>>>>     scontext=unconfined_u:system_r:httpd_t:s0
>>>>>     tcontext=unconfined_u:system_r:postgresql_t:s0
>>>>>     tclass=unix_stream_socket
>>>>>
>>>>> However, both permissions are allowed via postgresql_stream_connect()
>>>>> independent from any booleans, if required types are provided by
>>>>> postgresql.te.
>>>>>
>>>>> postgresql_stream_connect() and postgresql_unpriv_client() are put
>>>>> within same optional_policy section at apache.te.
>>>>> postgresql_unpriv_client() requires trusted procedure related types,
>>>>> but postgresql.te declares them in legacy names.
>>>>>
>>>>>  old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t
>>>>>  old: sepgsql_trusted_proc_t   --> new: sepgsql_trusted_proc_exec_t
>>>>>
>>>>> Could you apply the attached patch?
>>>>> It fixes them as upstream doing.
>>>>>
>>>>> Thanks,
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------
>>>>>
>>>>> --
>>>>> fedora-selinux-list mailing list
>>>>> fedora-selinux-list at redhat.com
>>>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>> Fedora 9?  Rawhide?
>> Sorry, I missed the version.
>> It is in Rawhide. (selinux-policy-3.5.1-4.fc10)
>>
>> Thanks,
> 
> Current Rawhide is pretty much the same as upstream.  Here is the only
> patch I have on postgresql as of today's rawhide.  Fedora 9 next update
> should match this policy in the next update also.
> 

OK, I confirmed the first matter is fixed at selinux-policy-3.5.4-2 in
rawhide. (Sorry, I saw a bit older version.)

However, the second matter still remains at upstream and rawhide.
Chris, could you apply the attached patch which fixes lagacy naming
matter.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai at ak.jp.nec.com>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: refpolicy-sepgsql-trusted-proc-fixes.patch
Type: text/x-patch
Size: 1304 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20080815/f4d47ddd/attachment.bin>

More information about the fedora-selinux-list mailing list