[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [BUG] legacy typenames of se-postgresql still remain



KaiGai Kohei wrote:
> Sorry, the previous patch was imcomplete one.
> 
> We allows sepgsql_client_type and sepgsql_unconfined_type to invoke
> sepgsql_trusted_proc_t, but it should be sepgsql_trusted_proc_exec_t,
> because sepgsql_trusted_proc_t is a domain.
> 
> This matter also exists at upstreamed policy now.
> The attached "refpolicy-sepgsql-trusted-proc-fixes.patch" can be applied
> to upstreamed reference policy.
> 
> Thanks,
> 
> KaiGai Kohei wrote:
>> I got the following access denied logs, when I tries to connect
>> SE-PostgreSQL (postgresql_t) from PHP script (httpd_t) via unix
>> domain socket (/tmp/.s.PGSQL.5432).
>>
>> type=AVC msg=audit(1218613044.484:10388): avc:  denied  { write }
>>     for  pid=4805 comm="httpd" name=".s.PGSQL.5432" dev=sda6 ino=1079246
>>     scontext=unconfined_u:system_r:httpd_t:s0
>>     tcontext=unconfined_u:object_r:postgresql_tmp_t:s0
>>     tclass=sock_file
>> type=AVC msg=audit(1218613044.484:10388): avc:  denied  { connectto }
>>     for  pid=4805 comm="httpd" path="/tmp/.s.PGSQL.5432"
>>     scontext=unconfined_u:system_r:httpd_t:s0
>>     tcontext=unconfined_u:system_r:postgresql_t:s0
>>     tclass=unix_stream_socket
>>
>> However, both permissions are allowed via postgresql_stream_connect()
>> independent from any booleans, if required types are provided by
>> postgresql.te.
>>
>> postgresql_stream_connect() and postgresql_unpriv_client() are put
>> within same optional_policy section at apache.te.
>> postgresql_unpriv_client() requires trusted procedure related types,
>> but postgresql.te declares them in legacy names.
>>
>>  old: sepgsql_trusted_domain_t --> new: sepgsql_trusted_proc_t
>>  old: sepgsql_trusted_proc_t   --> new: sepgsql_trusted_proc_exec_t
>>
>> Could you apply the attached patch?
>> It fixes them as upstream doing.
>>
>> Thanks,
>>
>>
>> ------------------------------------------------------------------------
>>
>> --
>> fedora-selinux-list mailing list
>> fedora-selinux-list redhat com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
> 
Fedora 9?  Rawhide?



[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]