
Re: [v9.2] Add GUC sepgsql.client_label

From: Yeb Havinga <yebhavinga(at)gmail(dot)com>
To: Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, PgHacker <pgsql-hackers(at)postgresql(dot)org>, Joshua Brindle <jbrindle(at)tresys(dot)com>
Subject: Re: [v9.2] Add GUC sepgsql.client_label
Date: 2012-02-24 12:50:01
Message-ID: 4F478779.70003@gmail.com
Lists: pgsql-hackers
On 2012-02-23 12:17, Kohei KaiGai wrote:
> 2012/2/20 Yeb Havinga<yebhavinga(at)gmail(dot)com>:
>> So maybe this is because my start domain is not s0-s0:c0.c1023
>>
>> However, when trying to run bash or psql in domain
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 I get permission
>> denied.
>>
>> Distribution is FC15, sestatus
>> SELinux status:                 enabled
>> SELinuxfs mount:                /selinux
>> Current mode:                   enforcing
>> Mode from config file:          enforcing
>> Policy version:                 24
>> Policy from config file:        targeted
>>
> The "default" security policy does not permit dynamic domain transition,
> even for the unconfined domain, in contradiction to its name.
> (IMO, it is a fair enough design to avoid a single point of failure like the root user.)
>
> The security policy of regression test contains a set of rules to reduce
> categories assigned to unconfined domain.
> So, could you try the following steps?
> 1. Build the latest policy
>      % make -f /usr/share/selinux/devel/Makefile -C contrib/sepgsql
> 2. Install the policy module
>      % sudo semodule -i contrib/sepgsql/sepgsql-regtest.pp
> 3. Turn on the sepgsql_regression_test_mode
>      % sudo setsebool -P sepgsql_regression_test_mode=1
>
> I believe it allows switching the security label of the client, as long as we try to
> reduce categories.

I remember these commands from the sepgsql contrib module documentation 
(though the semodule invocation in the documentation is with -u and the 
setsebool does not have the -P flag). semodule -l showed I had already 
installed version 1.04.

I just repeated all steps with the new patch, and get the same result:

LOG:  SELinux: denied { dyntransition } 
scontext=unconfined_u:unconfined_r:unconfined_t:s0 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 tclass=process
STATEMENT:  SELECT 
sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c15');

[mgrid(at)mgfedora sepgsql]$ getsebool sepgsql_regression_test_mode
sepgsql_regression_test_mode --> on
[root(at)mgfedora sepgsql]# semodule -l | egrep 'pgsql|postgres'
postgresql      1.12.1
sepgsql-regtest 1.04

Do I need Fedora 16 to run it?


-- 
Yeb Havinga
http://www.mgrid.net/
Mastering Medical Data
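Added example, not code from either poster or from the sepgsql project: a small Python script that parses the dyntransition denial quoted in the message above and checks whether the requested label merely narrows the client's category set, which is the condition the quoted reply gives for the regression-test policy to permit the switch. Python is used rather than the shell because the point is parsing the AVC line and the MLS range. The category-subset test is this script's assumed reading of "reduce categories"; the loaded policy remains the authority on what is actually allowed.

```python
import re

# Constructed sample input: the denial quoted in the message above, re-joined
# onto one line (the mail client wrapped it across three lines).
SAMPLE_DENIAL = (
    "LOG:  SELinux: denied { dyntransition } "
    "scontext=unconfined_u:unconfined_r:unconfined_t:s0 "
    "tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 tclass=process"
)

DENIAL_RE = re.compile(
    r"SELinux: denied \{ (?P<perm>[^}]*) \}\s+"
    r"scontext=(?P<scontext>\S+)\s+"
    r"tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
)


def parse_denial(line):
    """Extract permission, source/target contexts and object class from a denial line."""
    m = DENIAL_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["perm"] = fields["perm"].strip()
    return fields


def parse_level(level):
    """Split an MLS level into (sensitivity, category set).
    's0:c0.c15' -> ('s0', {0..15}); 's0:c0,c5.c7' -> ('s0', {0,5,6,7}); 's0' -> ('s0', set())."""
    parts = level.split(":", 1)
    sensitivity = parts[0]
    cats = set()
    if len(parts) == 2 and parts[1]:
        for item in parts[1].split(","):
            if "." in item:                      # range cN.cM is inclusive
                lo, hi = item.split(".")
                cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
            else:
                cats.add(int(item[1:]))
    return sensitivity, cats


def parse_context(ctx):
    """Split 'user:role:type:low[-high]' into fields; a missing high level equals low."""
    user, role, typ, mls = ctx.split(":", 3)
    low, _, high = mls.partition("-")
    return {
        "user": user, "role": role, "type": typ,
        "low": parse_level(low),
        "high": parse_level(high or low),
    }


def is_category_reduction(scontext, tcontext):
    """True when the target keeps user, role, type and sensitivity and its
    categories are a subset of the client's high level. This is the assumed
    meaning of 'reduce categories' from the thread, not a policy lookup."""
    s, t = parse_context(scontext), parse_context(tcontext)
    if (s["user"], s["role"], s["type"]) != (t["user"], t["role"], t["type"]):
        return False
    s_sens, s_cats = s["high"]
    t_sens, t_cats = t["high"]
    return s_sens == t_sens and t_cats <= s_cats


def explain(line):
    """Classify a log line so the operator knows which way to look next."""
    d = parse_denial(line)
    if d is None or d["perm"] != "dyntransition":
        return "not a dyntransition denial"
    if is_category_reduction(d["scontext"], d["tcontext"]):
        return "category reduction: check sepgsql_regression_test_mode and the loaded policy module"
    return "target categories are not a subset of the client's range: not a reduction"


if __name__ == "__main__":
    print(explain(SAMPLE_DENIAL))
```

On the quoted denial the client context is s0 with no categories at all, so s0:c0.c15 is not a narrowing of it and the script reports that instead of pointing at the boolean; with a client range of s0-s0:c0.c1023 the same target is classified as a reduction.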

