* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/services/
@ 2014-08-22 12:27 Jason Zaman
From: Jason Zaman @ 2014-08-22 12:27 UTC
To: gentoo-commits
commit: dcad5d08cbb05a789cb6aaad3c5eea9174e8cdc7
Author: Chris PeBenito <cpebenito <AT> tresys <DOT> com>
AuthorDate: Wed Aug 20 18:38:30 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Aug 21 17:29:41 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=dcad5d08
Module version bump for postgres fc revisions from Luis Ressel.
---
policy/modules/services/postgresql.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 87cf69d..6e84c95 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -1,4 +1,4 @@
-policy_module(postgresql, 1.16.2)
+policy_module(postgresql, 1.16.3)
gen_require(`
class db_database all_db_database_perms;
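Review bot: the policy_module line moves postgresql from 1.16.2 to 1.16.3 "for postgres fc revisions", but this diff touches only postgresql.te and the message does not say which revisions are meant. Naming the two file-context changes in the message (the narrowing of postgresql_exec_t to administrative commands and the Debian path change) would let anyone comparing installed module versions tell which labeling scheme 1.16.3 carries.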
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/services/
@ 2014-08-22 12:27 Jason Zaman
From: Jason Zaman @ 2014-08-22 12:27 UTC
To: gentoo-commits
commit: 3738cf10d1b3cfa76d8ee163a8f89ae9f2495171
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Tue Aug 12 12:35:58 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Aug 21 17:29:35 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=3738cf10
Also apply the new postgres labeling scheme on Debian
I'm sure this is the right thing to do; however, the Debian developers
might want to have a say in this, so I made a separate patch.
---
policy/modules/services/postgresql.fc | 24 ++++++++++--------------
1 file changed, 10 insertions(+), 14 deletions(-)
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index cc9eb3a..2a1b1a3 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -16,20 +16,16 @@
/usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_archivecleanup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_basebackup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_controldata -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_resetxlog -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_standby -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_upgrade -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_xlogdump -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0)
-
-ifdef(`distro_debian', `
-/usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-')
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_archivecleanup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_basebackup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_controldata -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_resetxlog -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_standby -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_upgrade -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_xlogdump -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0)
ifdef(`distro_redhat', `
/usr/share/jonas/pgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
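Review bot: the new `(.*/)?` component in each added line is wider than the single version directory it is meant to cover, because `.` also matches `/`; a path such as /usr/lib/postgresql/a/b/c/bin/pg_ctl would receive postgresql_exec_t. `([^/]+/)?` limits the match to one directory level and still covers the Debian layout that the removed `/usr/lib/postgresql/.*/bin/.*` line handled. Separately, with the distro_debian block gone, Debian binaries under that bin directory other than the ten listed are no longer matched by any line in this hunk, so existing installs need that tree relabeled after the update; the commit message should state this, given that it already flags the change as one the Debian developers may want to weigh in on.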
* [gentoo-commits] proj/hardened-refpolicy:perfinion commit in: policy/modules/services/
@ 2014-08-22 12:27 Jason Zaman
From: Jason Zaman @ 2014-08-22 12:27 UTC
To: gentoo-commits
commit: bcb20e08625b97c697de810bf596ca341a775b92
Author: Luis Ressel <aranea <AT> aixah <DOT> de>
AuthorDate: Tue Aug 12 12:35:57 2014 +0000
Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com>
CommitDate: Thu Aug 21 17:29:31 2014 +0000
URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bcb20e08
Only label administrative postgres commands as postgresql_exec_t
Currently, all postgresql commands in are labeled as postgresql_exec_t.
This means they can only be executed by db admins. However, the "normal"
commands, such as createdb or psql, should also be executable by users.
(The users in question still need to be granted postgresql_role(), so
this is no security problem.)
---
policy/modules/services/postgresql.fc | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index 5a34c7b..cc9eb3a 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -15,7 +15,17 @@
/usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+
+/usr/lib/postgresql(-.*)?/bin/pg_archivecleanup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_basebackup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_controldata -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_resetxlog -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_standby -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_upgrade -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_xlogdump -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0)
ifdef(`distro_debian', `
/usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
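Review bot: the added lines widen the directory match as well as narrowing the file match, and the commit message only describes the narrowing. The removed pattern covered `/usr/lib/postgresql/bin/.*` only, while `(-.*)?` now also accepts any `/usr/lib/postgresql-...` prefix, and since `.` matches `/` that suffix can span several directory levels; `(-[^/]+)?` would keep it to one path component. The ten names are now an allowlist, so a comment above them in the .fc saying that client tools such as createdb and psql are intentionally left out would help whoever has to add the next administrative binary. Note also that the unchanged distro_debian line directly below still labels everything under `/usr/lib/postgresql/.*/bin/` as postgresql_exec_t, so this hunk alone does not change the versioned Debian paths.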