From 456d18982ea5bd41304289f036886bea794ac0f8 Mon Sep 17 00:00:00 2001
From: Luis Ressel
Date: Tue, 12 Aug 2014 14:35:57 +0200
Subject: [PATCH] Only label administrative postgres commands as postgresql_exec_t

Currently, all postgresql commands in are labeled as postgresql_exec_t. This means they can only be executed by db admins. However, the "normal" commands, such as createdb or psql, should also be executable by users. (The users in question still need to be granted postgresql_role(), so this is no security problem.)
---
 policy/modules/services/postgresql.fc | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index 687a4a988..78a7464f4 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -15,7 +15,17 @@
 /usr/lib/pgsql/test/regress(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
 /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+
+/usr/lib/postgresql(-.*)?/bin/pg_archivecleanup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_basebackup -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_controldata -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_ctl -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_resetxlog -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_standby -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_upgrade -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/pg_xlogdump -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/bin/postmaster -l gen_context(system_u:object_r:postgresql_exec_t,s0)
 ifdef(`distro_debian', `
 /usr/lib/postgresql/.*/bin/.* -- gen_context(system_u:object_r:postgresql_exec_t,s0)
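Review bot: The per-binary list only matches the `/usr/lib/postgresql(-.*)?/bin/` prefix, while the unchanged `ifdef(`distro_debian', `` block immediately below still labels every file under `/usr/lib/postgresql/.*/bin/.*` as postgresql_exec_t, so on Debian psql and createdb remain restricted to the admin domain and the stated goal of the commit is not reached there; either the same enumeration should be repeated with the Debian `/usr/lib/postgresql/.*/bin/` prefix in place of that catch-all, or a comment above the ifdef should record that Debian is deliberately left broad. The list also appears to omit initdb, which creates a cluster and is at least as administrative as pg_ctl; if it is intended to fall back to the generic bin labelling, a one-line comment such as `# initdb intentionally not listed: runs in the caller's domain` would stop the omission being read as accidental. Since every binary not listed now keeps whatever the generic /usr/lib rules assign, the list is effectively the allow-list of admin-only executables and is worth checking against the installed bin directory of each supported version before merging. The surrounding hunk may have lost blank context lines when it was collapsed, so the line counts in the `@@` header cannot be verified from this view.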