| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Mike Palmiotto <mike(dot)palmiotto(at)crunchydata(dot)com> |
| Cc: | pgsql-hackers(at)lists(dot)postgresql(dot)org, Joe Conway <mail(at)joeconway(dot)com> |
| Subject: | Re: sepgsql seems rather thoroughly broken on Fedora 30 |
| Date: | 2019-07-19 15:19:35 |
| Message-ID: | 25538.1563549575@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Mike Palmiotto <mike(dot)palmiotto(at)crunchydata(dot)com> writes:
> The sepgsql_regtest_user_t domain should be allowed to read any file
> labeled "passwd_file_t". We can check that with the `sesearch` tool,
> provided by the "setools-console" package on F30:
> % sudo sesearch -A -s sepgsql_regtest_user_t -t passwd_file_t
> allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
> allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
> allow domain file_type:file map; [ domain_can_mmap_files ]:True
> allow nsswitch_domain passwd_file_t:file { getattr ioctl lock map open read };
I got around to trying this, and lookee here:
$ sudo sesearch -A -s sepgsql_regtest_user_t -t passwd_file_t
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True
Nothing about passwd_file_t. So *something* is different about the
way the policy is being expanded.
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Tomas Vondra | 2019-07-19 16:46:35 | Re: [sqlsmith] Crash in mcv_get_match_bitmap |
| Previous Message | Tom Lane | 2019-07-19 15:03:45 | Re: sepgsql seems rather thoroughly broken on Fedora 30 |