Re: sepgsql seems rather thoroughly broken on Fedora 30
Tom Lane <tgl@sss.pgh.pa.us>
From: Tom Lane <tgl@sss.pgh.pa.us>
To: Mike Palmiotto <mike.palmiotto@crunchydata.com>
Cc: pgsql-hackers@lists.postgresql.org, Joe Conway <mail@joeconway.com>
Date: 2019-07-19T15:19:35Z
Lists: pgsql-hackers
Mike Palmiotto <mike.palmiotto@crunchydata.com> writes:
> The sepgsql_regtest_user_t domain should be allowed to read any file
> labeled "passwd_file_t". We can check that with the `sesearch` tool,
> provided by the "setools-console" package on F30:
> % sudo sesearch -A -s sepgsql_regtest_user_t -t passwd_file_t
> allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
> allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
> allow domain file_type:file map; [ domain_can_mmap_files ]:True
> allow nsswitch_domain passwd_file_t:file { getattr ioctl lock map open read };
I got around to trying this, and lookee here:
$ sudo sesearch -A -s sepgsql_regtest_user_t -t passwd_file_t
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
Nothing about passwd_file_t. So *something* is different about the
way the policy is being expanded.
regards, tom lane
Commits
-
Fix contrib/sepgsql test policy to work with latest SELinux releases.
- 0e259d4bc789 9.4.24 landed
- b22e249837ad 9.5.19 landed
- 0a9ba5baac7d 9.6.15 landed
- 5c3d47287fd7 10.10 landed
- 5a1c61bdf4c0 11.5 landed
- 665329abe7ef 12.0 landed
- f5a4ab23e42a 13.0 landed