Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Sun, 25 Nov 2012 21:39:18
Message-Id: 1353879499.51abb9d4bde449ab072cd8d922d22b89758ad823.SwifT@gentoo
commit: 51abb9d4bde449ab072cd8d922d22b89758ad823
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Sun Nov 25 21:38:04 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Sun Nov 25 21:38:19 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=51abb9d4

Postgresql 9.2 connects to its unix stream socket

When starting postgresql, it fails with the (little saying) error message:
pg_ctl: could not start server

In the denials, we notice:
Nov 24 10:41:52 lerya kernel: [1628900.540506] type=1400
audit(1353750112.021:10143): avc: denied { connectto } for pid=20481
comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=...
scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t
tclass=unix_stream_socket

Hence, allow postgresql to connect to its own stream socket.

See also bug #444540

---
policy/modules/services/postgresql.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
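The step the commit message performs by hand, turning an AVC denial into the allow rule that satisfies it, as an added example that is not part of this commit or of refpolicy. The script below is a minimal audit2allow-style converter written for this page: it parses `avc: denied` records, maps the source and target contexts to types, writes the target as `self` when both types are the same domain (as they are here, postgresql_t to postgresql_t), and merges repeated denials for the same source, target and class into a single rule. The sample log is constructed: the first line is the denial quoted above re-joined onto one line with the elided `ipaddr=...` field dropped, and the second line is a made-up sock_file denial added only to show a non-self target being handled.

```python
import re
from collections import OrderedDict

# Constructed sample input (not from the original bug report): line 1 is the
# denial from the commit message re-joined onto one line, line 2 is made up to
# exercise the non-self target case.
SAMPLE_LOG = """\
Nov 24 10:41:52 lerya kernel: [1628900.540506] type=1400 audit(1353750112.021:10143): avc: denied { connectto } for pid=20481 comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t tclass=unix_stream_socket
Nov 24 10:41:52 lerya kernel: [1628900.540510] type=1400 audit(1353750112.021:10144): avc: denied { getattr } for pid=20481 comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" scontext=system_u:system_r:postgresql_t tcontext=system_u:object_r:postgresql_var_run_t tclass=sock_file
"""

# "avc: denied { perm1 perm2 } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the permissions and key=value fields of one denial, or None if the
    line is not an AVC denial (or lacks the fields needed to build a rule)."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    fields['perms'] = m.group('perms').split()
    return fields


def context_type(ctx):
    """Pick the type out of a user:role:type[:range] security context."""
    return ctx.split(':')[2]


def rule_key(avc):
    """(source domain, target type or 'self', object class) for one denial."""
    sdom = context_type(avc['scontext'])
    ttype = context_type(avc['tcontext'])
    # A domain accessing an object carrying its own type is written as 'self'.
    target = 'self' if ttype == sdom else ttype
    return (sdom, target, avc['tclass'])


def format_rule(key, perms):
    """Render one allow rule in refpolicy syntax; brace the permission set only
    when there is more than one permission."""
    sdom, target, tclass = key
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f'allow {sdom} {target}:{tclass} {perm_str};'


def rules_from_log(text):
    """Collapse every AVC denial in text into the smallest set of allow rules
    that would cover them, in first-seen order."""
    merged = OrderedDict()
    for line in text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        merged.setdefault(rule_key(avc), set()).update(avc['perms'])
    return [format_rule(key, sorted(perms)) for key, perms in merged.items()]


if __name__ == '__main__':
    for rule in rules_from_log(SAMPLE_LOG):
        print(rule)
```

For the quoted denial the output is exactly the rule in the hunk, `allow postgresql_t self:unix_stream_socket connectto;`. The generated rule is a starting point, not the decision: before it goes into policy, check that the access is one the program legitimately needs (here, pg_ctl from PostgreSQL 9.2 connecting to the server socket it just started), since converting denials to rules mechanically is how over-permissive policy gets written.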
28 diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
29 index 0210aef..906a2c1 100644
30 --- a/policy/modules/services/postgresql.te
31 +++ b/policy/modules/services/postgresql.te
32 @@ -363,6 +363,10 @@ userdom_dontaudit_use_unpriv_user_fds(postgresql_t)
33 userdom_dontaudit_search_user_home_dirs(postgresql_t)
34 userdom_dontaudit_use_user_terminals(postgresql_t)
35
36 +ifdef(`distro_gentoo',`
37 + allow postgresql_t self:unix_stream_socket connectto;
38 +')
39 +
40 optional_policy(`
41 mta_getattr_spool(postgresql_t)
42 ')
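Review bot: the new rule is gated on `distro_gentoo', but nothing in the commit message makes this access Gentoo-specific: the denial is pg_ctl from PostgreSQL 9.2 connecting to the server's own socket (scontext and tcontext both postgresql_t), which will hit any distribution running this policy with that PostgreSQL version, so the rule belongs in the unconditional postgresql_t self rules and should be proposed upstream rather than kept in a distro block. If it does stay in the ifdef, add a one-line comment above `allow postgresql_t self:unix_stream_socket connectto;` stating that pg_ctl 9.2 connects to the socket at startup and citing bug #444540; without it the reason for the rule is not recoverable from the .te file once the commit message is out of sight.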