selinux-policy/policy/modules
Chris PeBenito e0ea7b15ca trunk:
The attached patch fixes incorrect behavior in sepgsql_enable_users_ddl.

The current policy allows users/unprivs to run ALTER TABLE statements
unconditionally, because db_table/db_column:{setattr} is allowed outside
of the boolean. It should be moved to the conditional section.

In addition, they are also allowed db_procedure:{create drop setattr}
on xxxx_sepgsql_proc_exec_t, but it means we allow them to create, drop
or alter the definition of functions unconditionally. So it also should
be moved to the conditional section.

The postgresql.te allows sepgsql_client_type to modify sepgsql_table_t
and sepgsql_sysobj_t when sepgsql_enable_users_ddl is enabled, but
it should not be allowed.

KaiGai Kohei
2009-05-21 11:49:33 +00:00
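The layout the message asks for, shown as an added illustration in refpolicy's policy language (this is not the patch itself and not taken from postgresql.te). The type and domain names prefixed `myuser_` are placeholders standing in for the per-user prefix the message writes as `xxxx_`; the rest of the identifiers (`sepgsql_enable_users_ddl`, the `db_table`/`db_column`/`db_procedure` classes and their `create`, `drop`, `setattr`, `getattr`, `execute` permissions, `sepgsql_client_type`, `sepgsql_table_t`, `sepgsql_sysobj_t`) are the ones named on the page.

```selinux
## Added example, not the project's own postgresql.te. "myuser_" is a
## hypothetical placeholder for the per-user prefix ("xxxx_" in the message).

## BEFORE (the incorrect behaviour described above): setattr on tables and
## columns, and create/drop/setattr on the user's procedures, are granted
## outside any tunable, so ALTER TABLE / CREATE FUNCTION / DROP FUNCTION
## work no matter how sepgsql_enable_users_ddl is set.
allow myuser_sepgsql_t myuser_sepgsql_table_t:db_table  { getattr setattr };
allow myuser_sepgsql_t myuser_sepgsql_table_t:db_column { getattr setattr };
allow myuser_sepgsql_t myuser_sepgsql_proc_exec_t:db_procedure { getattr execute create drop setattr };

## AFTER: only the non-DDL permissions stay unconditional ...
allow myuser_sepgsql_t myuser_sepgsql_table_t:db_table  getattr;
allow myuser_sepgsql_t myuser_sepgsql_table_t:db_column getattr;
allow myuser_sepgsql_t myuser_sepgsql_proc_exec_t:db_procedure { getattr execute };

## ... and every DDL permission lives inside the tunable, so it is only
## granted when sepgsql_enable_users_ddl is turned on.
tunable_policy(`sepgsql_enable_users_ddl',`
	allow myuser_sepgsql_t myuser_sepgsql_table_t:db_table  { create drop setattr };
	allow myuser_sepgsql_t myuser_sepgsql_table_t:db_column { create drop setattr };
	allow myuser_sepgsql_t myuser_sepgsql_proc_exec_t:db_procedure { create drop setattr };
')

## The third point in the message: no rule, conditional or otherwise,
## should let the generic client attribute modify the shared system
## objects. A rule of this shape is what the message says must NOT exist:
##
##   tunable_policy(`sepgsql_enable_users_ddl',`
##       allow sepgsql_client_type { sepgsql_table_t sepgsql_sysobj_t }:db_table { create drop setattr };
##   ')
```

The check a reviewer applies to each `allow` line is simple: if the permission lets a client change a definition (`create`, `drop`, `setattr`) it belongs inside `tunable_policy`; if it only reads or runs (`getattr`, `execute`) it may stay outside. The boolean default does not matter for this test, because a rule outside the block is active regardless of the boolean's value.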
admin trunk: 5 patches from dan. 2009-04-07 14:09:43 +00:00
apps trunk: 4 patches from dan. 2009-03-11 13:32:23 +00:00
kernel trunk: 4 patches from dan. 2009-05-14 14:41:50 +00:00
roles trunk: 5 patches from dan. 2009-04-07 14:09:43 +00:00
services trunk: 2009-05-21 11:49:33 +00:00
system trunk: whitespace fixes. 2009-05-06 14:44:57 +00:00