Home > mailing lists

Re: sepgsql seems rather thoroughly broken on Fedora 30 - Mailing list pgsql-hackers

From	Tom Lane
Subject	Re: sepgsql seems rather thoroughly broken on Fedora 30
Date	July 19, 2019 18:19:35
Msg-id	25538.1563549575@sss.pgh.pa.us Whole thread Raw
In response to	Re: sepgsql seems rather thoroughly broken on Fedora 30 (Mike Palmiotto <mike.palmiotto@crunchydata.com>)
Responses	Re: sepgsql seems rather thoroughly broken on Fedora 30 (Mike Palmiotto <mike.palmiotto@crunchydata.com>)
List	pgsql-hackers

Tree view

Mike Palmiotto <mike.palmiotto@crunchydata.com> writes:
> The sepgsql_regtest_user_t domain should be allowed to read any file
> labeled "passwd_file_t". We can check that with the `sesearch` tool,
> provided by the "setools-console" package on F30:

> % sudo sesearch -A -s sepgsql_regtest_user_t -t passwd_file_t
> allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
> allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
> allow domain file_type:file map; [ domain_can_mmap_files ]:True
> allow nsswitch_domain passwd_file_t:file { getattr ioctl lock map open read };

I got around to trying this, and lookee here:

$ sudo sesearch -A -s sepgsql_regtest_user_t -t passwd_file_t
allow domain file_type:blk_file map; [ domain_can_mmap_files ]:True
allow domain file_type:chr_file map; [ domain_can_mmap_files ]:True
allow domain file_type:file map; [ domain_can_mmap_files ]:True
allow domain file_type:lnk_file map; [ domain_can_mmap_files ]:True

Nothing about passwd_file_t.  So *something* is different about the
way the policy is being expanded.

            regards, tom lane

pgsql-hackers by date:

From: Tom Lane
Date: 19 July 2019, 18:03:45
Subject: Re: sepgsql seems rather thoroughly broken on Fedora 30

From: Tomas Vondra
Date: 19 July 2019, 19:46:35
Subject: Re: [sqlsmith] Crash in mcv_get_match_bitmap

Re: sepgsql seems rather thoroughly broken on Fedora 30 - Mailing list pgsql-hackers

Previous

Next