
Re: [v9.2] Add GUC sepgsql.client_label

From: Yeb Havinga <yebhavinga(at)gmail(dot)com>
To: Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, PgHacker <pgsql-hackers(at)postgresql(dot)org>, Joshua Brindle <jbrindle(at)tresys(dot)com>
Subject: Re: [v9.2] Add GUC sepgsql.client_label
Date: 2012-02-24 14:17:12
Message-ID: 4F479BE8.1040809@gmail.com
Lists: pgsql-hackers
On 2012-02-24 14:20, Kohei KaiGai wrote:
>
> It seems to me you try to expand the categories of the client.
> The log says sepgsql_setcon() tries to switch to "...:s0:c0.c15" from "...:s0".
> It is not an admitted operation because of the increase of categories.

Yes, I had my eye on the missing c0.c1023 before but couldn't remember 
changing it, so wrongfully assumed that it would be semantically 
equivalent to c0.c1023.
>> LOG:  SELinux: denied { dyntransition }
>> scontext=unconfined_u:unconfined_r:unconfined_t:s0
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 tclass=process
> May I see your /etc/selinux/targeted/seusers ?
>
> I think "__default__" entry is configured to "unconfined_u:s0", instead of
> "unconfined_u:s0:c0.c1023" as default.
>
> In my environment, it is configured as follows:
>
>    [root(at)iwashi ~]# cat /etc/selinux/targeted/seusers
>    # This file is auto-generated by libsemanage
>    # Do not edit directly.
>
>    system_u:system_u:s0-s0:c0.c1023
>    root:unconfined_u:s0-s0:c0.c1023
>    __default__:unconfined_u:s0-s0:c0.c1023<=== (*)
>

[mgrid(at)mgfedora ~]$ cat /etc/selinux/targeted/seusers
# This file is auto-generated by libsemanage
# Do not edit directly.

system_u:system_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023

but still

[mgrid(at)mgfedora ~]$ id -Z
system_u:unconfined_r:unconfined_t:s0
(I changed bash to run in the unconfined_u context before starting the 
regression test)

and

[root(at)mgfedora targeted]# id -Z
system_u:unconfined_r:unconfined_t:s0

When I created a new test user, its SELinux context showed the c0.c1023 
- I don't know what's fishy about the mgrid user and root that causes 
c0.c1023 to be absent. Maybe I should reinstall this virtual machine. 
After setting the user "mgrid" on s0-s0:c0.c1023 with

semanage login -a -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 mgrid

the regression tests pass :-)

test label                    ... ok
test dml                      ... ok
test create                   ... ok
test misc                     ... ok

I'll continue reviewing the patch.

-- 
Yeb Havinga
http://www.mgrid.net/
Mastering Medical Data
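As an added example (not code from this thread, from sepgsql or from SELinux), the check below models why the quoted dyntransition was denied: it parses the MLS level of a source and target context, expands category ranges such as `c0.c15`, and reports whether the target level carries categories (or a higher sensitivity) that the source level does not have. The `DENIAL` log line is constructed from the one quoted in the mail, joined onto one line.

```python
import re
from typing import Dict, Set, Tuple

# Constructed from the denial quoted above (joined onto one line).
DENIAL = ("LOG:  SELinux: denied { dyntransition } "
          "scontext=unconfined_u:unconfined_r:unconfined_t:s0 "
          "tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 tclass=process")


def parse_categories(spec: str) -> Set[int]:
    """Expand a category spec such as 'c0.c15,c20' into a set of ints."""
    cats: Set[int] = set()
    if not spec:
        return cats
    for part in spec.split(","):
        if "." in part:                      # range: c<lo>.c<hi>, inclusive
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:                                # single category: c<n>
            cats.add(int(part[1:]))
    return cats


def parse_level(level: str) -> Tuple[int, Set[int]]:
    """'s0:c0.c15' -> (0, {0..15}); a bare 's0' has no categories at all."""
    sens, _, cats = level.partition(":")
    return int(sens[1:]), parse_categories(cats)


def parse_context(ctx: str) -> Dict[str, str]:
    """Split 'user:role:type:level'; the level may itself contain ':'."""
    user, role, typ, *rest = ctx.split(":")
    return {"user": user, "role": role, "type": typ, "level": ":".join(rest)}


def transition_raises_level(scontext: str, tcontext: str) -> bool:
    """True when the target level is not dominated by the source level,
    i.e. the transition would gain categories or sensitivity."""
    s_sens, s_cats = parse_level(parse_context(scontext)["level"])
    t_sens, t_cats = parse_level(parse_context(tcontext)["level"])
    return t_sens > s_sens or not t_cats.issubset(s_cats)


def added_categories(log_line: str) -> Set[int]:
    """Categories present in tcontext but absent from scontext of a denial line."""
    m = re.search(r"scontext=(\S+)\s+tcontext=(\S+)", log_line)
    if not m:
        return set()
    _, s_cats = parse_level(parse_context(m.group(1))["level"])
    _, t_cats = parse_level(parse_context(m.group(2))["level"])
    return t_cats - s_cats
```

With the client started at `s0:c0.c1023`, as after the `semanage login` fix in the mail, the same target level is dominated and the check reports no gain.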
