postgresql patch from Dan Walsh:
"File context for /etc/sysconfig/pgsql and other bugs. Sends audit messages, connects to the postgresql_server port, reads its own process info." Moved the signal interface for style.
This commit is contained in:
parent
d3b5907ea4
commit
9681df1c8d
@ -3,6 +3,7 @@
|
|||||||
#
|
#
|
||||||
/etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
|
/etc/postgresql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
|
||||||
/etc/rc\.d/init\.d/(se)?postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
|
/etc/rc\.d/init\.d/(se)?postgresql -- gen_context(system_u:object_r:postgresql_initrc_exec_t,s0)
|
||||||
|
/etc/sysconfig/pgsql(/.*)? gen_context(system_u:object_r:postgresql_etc_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# /usr
|
# /usr
|
||||||
@ -10,9 +11,8 @@
|
|||||||
/usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
/usr/bin/initdb(\.sepgsql)? -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
||||||
/usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
/usr/bin/(se)?postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
||||||
|
|
||||||
/usr/lib/pgsql/test/regres(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
|
/usr/lib(64)?/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
|
||||||
/usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
/usr/lib(64)?/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
||||||
|
|
||||||
/usr/lib(64)?/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
/usr/lib(64)?/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
|
||||||
|
|
||||||
ifdef(`distro_debian', `
|
ifdef(`distro_debian', `
|
||||||
@ -44,3 +44,5 @@ ifdef(`distro_redhat', `
|
|||||||
')
|
')
|
||||||
|
|
||||||
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
|
/var/run/postgresql(/.*)? gen_context(system_u:object_r:postgresql_var_run_t,s0)
|
||||||
|
|
||||||
|
/var/run/postmaster.* gen_context(system_u:object_r:postgresql_var_run_t,s0)
|
||||||
|
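Review bot: The new entry `/var/run/postmaster.*` has an unescaped `.` and an open-ended `.*`, so besides `postmaster.pid` it also matches `/var/run/postmaster` itself and any `/var/run/postmasterX…` name, which is looser than the other entries in this hunk. If the intended target is the single pid file, `/var/run/postmaster\.pid -- gen_context(system_u:object_r:postgresql_var_run_t,s0)` is tighter and carries the `--` file-type qualifier that the executable entries elsewhere in the file use. If other `postmaster.*` files are actually created at runtime, a short comment naming them above the entry would justify the wider pattern.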
@ -235,6 +235,23 @@ interface(`postgresql_domtrans',`
|
|||||||
domtrans_pattern($1, postgresql_exec_t, postgresql_t)
|
domtrans_pattern($1, postgresql_exec_t, postgresql_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
######################################
|
||||||
|
## <summary>
|
||||||
|
## Allow domain to signal postgresql
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain to not audit.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`postgresql_signal',`
|
||||||
|
gen_require(`
|
||||||
|
type postgresql_t;
|
||||||
|
')
|
||||||
|
allow $1 postgresql_t:process signal;
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Allow the specified domain to read postgresql's etc.
|
## Allow the specified domain to read postgresql's etc.
|
||||||
|
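Review bot: The `<param name="domain">` summary of the new `postgresql_signal` interface says `Domain to not audit.`, but the body is an `allow $1 postgresql_t:process signal;` rule, not a dontaudit, so the generated interface documentation will misdescribe the parameter. It should read `## Domain allowed access.`, which is the wording refpolicy uses for allow-style interfaces. As a smaller style point, the banner above the new block is two characters shorter than the `########################################` used for the following interface, so the two headers no longer line up.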
@ -150,6 +150,7 @@ allow postgresql_t self:capability { kill dac_override dac_read_search chown fow
|
|||||||
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
|
dontaudit postgresql_t self:capability { sys_tty_config sys_admin };
|
||||||
allow postgresql_t self:process signal_perms;
|
allow postgresql_t self:process signal_perms;
|
||||||
allow postgresql_t self:fifo_file rw_fifo_file_perms;
|
allow postgresql_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
allow postgresql_t self:file { getattr read };
|
||||||
allow postgresql_t self:sem create_sem_perms;
|
allow postgresql_t self:sem create_sem_perms;
|
||||||
allow postgresql_t self:shm create_shm_perms;
|
allow postgresql_t self:shm create_shm_perms;
|
||||||
allow postgresql_t self:tcp_socket create_stream_socket_perms;
|
allow postgresql_t self:tcp_socket create_stream_socket_perms;
|
||||||
@ -220,9 +221,11 @@ corenet_tcp_sendrecv_generic_node(postgresql_t)
|
|||||||
corenet_udp_sendrecv_generic_node(postgresql_t)
|
corenet_udp_sendrecv_generic_node(postgresql_t)
|
||||||
corenet_tcp_sendrecv_all_ports(postgresql_t)
|
corenet_tcp_sendrecv_all_ports(postgresql_t)
|
||||||
corenet_udp_sendrecv_all_ports(postgresql_t)
|
corenet_udp_sendrecv_all_ports(postgresql_t)
|
||||||
|
corenet_udp_bind_generic_node(postgresql_t)
|
||||||
corenet_tcp_bind_generic_node(postgresql_t)
|
corenet_tcp_bind_generic_node(postgresql_t)
|
||||||
corenet_tcp_bind_postgresql_port(postgresql_t)
|
corenet_tcp_bind_postgresql_port(postgresql_t)
|
||||||
corenet_tcp_connect_auth_port(postgresql_t)
|
corenet_tcp_connect_auth_port(postgresql_t)
|
||||||
|
corenet_tcp_connect_postgresql_port(postgresql_t)
|
||||||
corenet_sendrecv_postgresql_server_packets(postgresql_t)
|
corenet_sendrecv_postgresql_server_packets(postgresql_t)
|
||||||
corenet_sendrecv_auth_client_packets(postgresql_t)
|
corenet_sendrecv_auth_client_packets(postgresql_t)
|
||||||
|
|
||||||
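Review bot: The added `corenet_udp_bind_generic_node(postgresql_t)` is not explained by the commit message, which only mentions connecting to the postgresql_server port, and it is not paired with any UDP port-bind interface in this hunk, so it is unclear which UDP listener the server needs and the rule will be hard to justify in a later audit of the domain's network surface. If this came from an observed denial, a one-line comment above the call naming the use case (e.g. `# postgresql binds a UDP socket for <use case — TODO confirm>`) would keep the reason with the rule; if the bind is only needed for a specific port, pairing it with that port's `corenet_udp_bind_*_port` interface documents the intent better than the node-only grant. The new `corenet_tcp_connect_postgresql_port(postgresql_t)` line matches the commit message and looks fine.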
@ -253,11 +256,12 @@ files_search_etc(postgresql_t)
|
|||||||
files_read_etc_runtime_files(postgresql_t)
|
files_read_etc_runtime_files(postgresql_t)
|
||||||
files_read_usr_files(postgresql_t)
|
files_read_usr_files(postgresql_t)
|
||||||
|
|
||||||
auth_use_nsswitch(postgresql_t)
|
auth_use_pam(postgresql_t)
|
||||||
|
|
||||||
init_read_utmp(postgresql_t)
|
init_read_utmp(postgresql_t)
|
||||||
|
|
||||||
logging_send_syslog_msg(postgresql_t)
|
logging_send_syslog_msg(postgresql_t)
|
||||||
|
logging_send_audit_msgs(postgresql_t)
|
||||||
|
|
||||||
miscfiles_read_localization(postgresql_t)
|
miscfiles_read_localization(postgresql_t)
|
||||||
|
|
||||||
|
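Review bot: Replacing `auth_use_nsswitch(postgresql_t)` with `auth_use_pam(postgresql_t)` widens the domain well beyond name-service lookups — as I recall, auth_use_pam grants the PAM stack (password-checker transitions and, depending on the refpolicy version, audit/syslog sending) — and neither the commit message nor a comment mentions PAM. If the driving denial was only the audit message, the added `logging_send_audit_msgs(postgresql_t)` line already covers it and the narrower nsswitch call could stay; if PostgreSQL really authenticates through PAM here, a comment such as `# postgresql can authenticate clients via PAM` above the call would record that. Also worth checking whether auth_use_pam already pulls in logging_send_audit_msgs in this policy version, in which case the explicit call is redundant (harmless, but noise).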