Re: [v9.2] Add GUC sepgsql.client_label

From: Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
To: Yeb Havinga <yebhavinga(at)gmail(dot)com>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, PgHacker <pgsql-hackers(at)postgresql(dot)org>, Joshua Brindle <jbrindle(at)tresys(dot)com>
Subject: Re: [v9.2] Add GUC sepgsql.client_label
Date: 2012-02-24 13:20:25
Message-ID: CADyhKSVMrci-PVkuyxgBmLD9cCMFcKETVd1C4YZR+A1z_CM9JQ@mail.gmail.com
Lists: pgsql-hackers

2012/2/24 Yeb Havinga <yebhavinga(at)gmail(dot)com>:
> On 2012-02-23 12:17, Kohei KaiGai wrote:
>>
>> 2012/2/20 Yeb Havinga<yebhavinga(at)gmail(dot)com>:
>>
>>> So maybe this is because my start domain is not s0-s0:c0.c1023
>>>
>>> However, when trying to run bash or psql in domain
>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 I get permission
>>> denied.
>>>
>>> Distribution is FC15, sestatus
>>> SELinux status:                 enabled
>>> SELinuxfs mount:                /selinux
>>> Current mode:                   enforcing
>>> Mode from config file:          enforcing
>>> Policy version:                 24
>>> Policy from config file:        targeted
>>>
>> The "default" security policy does not permit dynamic domain transition
>> even if unconfined domain, in contradiction to its name.
>> (IMO, it is fair enough design to avoid single point of failure like root
>> user.)
>>
>> The security policy of regression test contains a set of rules to reduce
>> categories assigned to unconfined domain.
>> So, could you try the following steps.
>> 1. Build the latest policy
>>     % make -f /usr/share/selinux/devel/Makefile -C contrib/sepgsql
>> 2. Install the policy module
>>     % sudo semodule -i contrib/sepgsql/sepgsql-regtest.pp
>> 3. Turn on the sepgsql_regression_test_mode
>>     % sudo setsebool -P sepgsql_regression_test_mode=1
>>
>> I believe it allows to switch security label of the client, as long as we
>> try to reduce categories.
>
>
> I remember these commands from the sepgsql contrib module documentation
> (though the semodule invocation in the documentation is with -u and the
> setsebool does not have the -P flag). semodule -l showed I had already
> installed version 1.04.
>
> I just repeated all steps with the new patch, and get the same result:
>
> LOG:  SELinux: denied { dyntransition }
> scontext=unconfined_u:unconfined_r:unconfined_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 tclass=process
> STATEMENT:  SELECT
> sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c15');
>
> [mgrid(at)mgfedora sepgsql]$ getsebool sepgsql_regression_test_mode
> sepgsql_regression_test_mode --> on
> [root(at)mgfedora sepgsql]# semodule -l | egrep 'pgsql|postgres'
> postgresql      1.12.1
> sepgsql-regtest 1.04
>
> Do I need Fedora 16 to run it?
>
Thanks for your continuous testing.

It seems to me you are trying to expand the categories of the client.
The log says sepgsql_setcon() tries to switch to "...:s0:c0.c15" from "...:s0".
It is not an admitted operation because of the increase in categories.

> LOG:  SELinux: denied { dyntransition }
> scontext=unconfined_u:unconfined_r:unconfined_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 tclass=process

May I see your /etc/selinux/targeted/seusers ?

I think the "__default__" entry is configured as "unconfined_u:s0", instead of
"unconfined_u:s0:c0.c1023" as default.

In my environment, it is configured as follows:

[root(at)iwashi ~]# cat /etc/selinux/targeted/seusers
# This file is auto-generated by libsemanage
# Do not edit directly.

system_u:system_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023 <=== (*)

Thanks,
--
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
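
Added example (not part of the original message and not sepgsql code): a small Python check that reads the denial quoted above and the `__default__` line of a seusers file, and reports which categories the requested label would add. It assumes a simplified rule, taken from the reply's wording, that a switch is acceptable only when the target's categories are a subset of the upper end of the source range; all function names are hypothetical.

```python
import re

def parse_categories(cats):
    """Expand an MCS category list such as 'c0.c15,c20' into a set of ints."""
    found = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")          # 'c0.c15' is the range c0..c15
        found.update(range(int(lo[1:]), int((hi or lo)[1:]) + 1))
    return found

def high_level(mls_range):
    """(sensitivity, categories) of the upper end of a range like 's0-s0:c0.c1023'."""
    sens, _, cats = mls_range.split("-")[-1].partition(":")
    return int(sens[1:]), parse_categories(cats)

def reduces_categories(src_range, dst_range):
    """Simplified model (assumption): OK only if the target adds nothing to the source."""
    s_sens, s_cats = high_level(src_range)
    d_sens, d_cats = high_level(dst_range)
    added = d_cats - s_cats
    return (d_sens <= s_sens and not added), sorted(added)

def seusers_default_range(text):
    """Range that the __default__ login mapping in a seusers file assigns."""
    rows = [l for l in map(str.strip, text.splitlines()) if l.startswith("__default__:")]
    return rows[0].split(":", 2)[2] if rows else None

DENIAL = re.compile(r"denied \{ dyntransition \}\s+scontext=(\S+)\s+tcontext=(\S+)")

def explain_denial(log_line):
    """Report which categories a denied dyntransition would have added."""
    m = DENIAL.search(log_line)
    if m is None:
        return None
    src, dst = (ctx.split(":", 3)[3] for ctx in m.groups())  # user:role:type:<range>
    ok, added = reduces_categories(src, dst)
    return {"source": src, "target": dst, "reduces": ok, "added": added}

# Denial from the thread, joined onto one line.
LOG = ("LOG:  SELinux: denied { dyntransition } "
       "scontext=unconfined_u:unconfined_r:unconfined_t:s0 "
       "tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 tclass=process")
# seusers lines as posted in the reply, then a constructed file with the suspected mapping.
SEUSERS_POSTED = "root:unconfined_u:s0-s0:c0.c1023\n__default__:unconfined_u:s0-s0:c0.c1023\n"
SEUSERS_SUSPECTED = "# constructed sample\n__default__:unconfined_u:s0\n"

if __name__ == "__main__":
    print(explain_denial(LOG))
    print(reduces_categories(seusers_default_range(SEUSERS_POSTED), "s0:c0.c15"))
    print(reduces_categories(seusers_default_range(SEUSERS_SUSPECTED), "s0:c0.c15"))
```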
