commit: bcb20e08625b97c697de810bf596ca341a775b92 Author: Luis Ressel <aranea <AT> aixah <DOT> de> AuthorDate: Tue Aug 12 12:35:57 2014 +0000 Commit: Jason Zaman <gentoo <AT> perfinion <DOT> com> CommitDate: Thu Aug 21 17:29:31 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=bcb20e08
Only label administrative postgres commands as postgresql_exec_t Currently, all postgresql commands in are labeled as postgresql_exec_t. This means they can only be executed by db admins. However, the "normal" commands, such as createdb or psql, should also be executable by users. (The users in question still need to be granted postgresql_role(), so this is no security problem.) --- policy/modules/services/postgresql.fc | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc index 5a34c7b..cc9eb3a 100644 --- a/policy/modules/services/postgresql.fc +++ b/policy/modules/services/postgresql.fc @@ -15,7 +15,17 @@ /usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0) /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0) -/usr/lib/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0) + +/usr/lib/postgresql(-.*)?/bin/pg_archivecleanup -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/lib/postgresql(-.*)?/bin/pg_basebackup -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/lib/postgresql(-.*)?/bin/pg_controldata -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/lib/postgresql(-.*)?/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/lib/postgresql(-.*)?/bin/pg_resetxlog -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/lib/postgresql(-.*)?/bin/pg_standby -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/lib/postgresql(-.*)?/bin/pg_upgrade -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/lib/postgresql(-.*)?/bin/pg_xlogdump -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/lib/postgresql(-.*)?/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0) +/usr/lib/postgresql(-.*)?/bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0) ifdef(`distro_debian', ` /usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
