rpms / selinux-policy

Clone
Source Code
GIT

e0ea7b trunk:

Authored and Committed by Chris PeBenito 15 years ago
raw patch tree parent
2 files changed. 9 lines added. 13 lines removed.
policy/modules/services/postgresql.if
file modified
+8 -6
policy/modules/services/postgresql.te
file modified
+1 -7 
    trunk:
    The attached patch fixes incorrect behavior in sepgsql_enable_users_ddl.
    
    The current policy allows users/unprivs to run ALTER TABLE statement
    unconditionally, because db_table/db_column:{setattr} is allowed outside
    of the boolean. It should be moved to conditional section.
    
    In addition, they are also allowed to db_procedure:{create drop setattr}
    for xxxx_sepgsql_proc_exec_t, but it means we allows them to create, drop
    or alter definition of the functions unconditionally. So, it also should
    be moved to conditional section.
    
    The postgresql.te allows sepgsql_client_type to modify sepgsql_table_t
    and sepgsql_sysobj_t when sepgsql_enable_users_ddl is enabled, but
    it should not be allowed.
    
    KaiGai Kohei
file modified
+8 -6
file modified
+1 -7

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation