Skip site navigation (1) Skip section navigation (2)

Re: [v9.2] Add GUC sepgsql.client_label

From: Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
To: Yeb Havinga <yebhavinga(at)gmail(dot)com>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, PgHacker <pgsql-hackers(at)postgresql(dot)org>, Joshua Brindle <jbrindle(at)tresys(dot)com>
Subject: Re: [v9.2] Add GUC sepgsql.client_label
Date: 2012-02-23 11:17:14
Message-ID: CADyhKSW-k9j8D1MTJ8kjy91L640Ux+qrQY5QQWYuG5ZqhiHHiA@mail.gmail.com (view raw or flat)
Thread:
Lists: pgsql-hackers
2012/2/20 Yeb Havinga <yebhavinga(at)gmail(dot)com>:
> On 2012-02-05 10:09, Kohei KaiGai wrote:
>>
>> The attached part-1 patch moves related routines from hooks.c to label.c
>> because of references to static variables. The part-2 patch implements above
>> mechanism.
>
>
> I took a short look at this patch but am stuck getting the regression test
> to run properly.
>
> First, patch 2 misses the file sepgsql.sql.in and therefore the creation
> function command for sepgsql_setcon is missing.
>
Thanks for your comments.

I added the definition of sepgsql_setcon function to sepgsql.sql.in file,
in addition to patch rebasing.

> So maybe this is because my start domain is not s0-s0:c0.c1023
>
> However, when trying to run bash or psql in domain
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 I get permission
> denied.
>
> Distribution is FC15, sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy version:                 24
> Policy from config file:        targeted
>
The "default" security policy does not permit dynamic domain transition
even if unconfined domain, in contradiction to its name.
(IMO, it is fair enough design to avoid single point of failure like root user.)

The security policy of regression test contains a set of rules to reduce
categories assigned to unconfined domain.
So, could you try the following steps.
1. Build the latest policy
    % make -f /usr/share/selinux/devel/Makefile -C contrib/sepgsql
2. Install the policy module
    % sudo semodule -i contrib/sepgsql/sepgsql-regtest.pp
3. Turn on the sepgsql_regression_test_mode
    % sudo setsebool -P sepgsql_regression_test_mode=1

I believe it allows to switch security label of the client, as long as we try to
reduce categories.

Thanks,
-- 
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>

Attachment: pgsql-v9.2-sepgsql-setcon.part-2.v3.patch
Description: application/octet-stream (24.6 KB)

In response to

Responses

pgsql-hackers by date

Next:From: Greg SmithDate: 2012-02-23 11:17:32
Subject: Re: Initial 9.2 pgbench write results
Previous:From: Peter GeogheganDate: 2012-02-23 11:09:18
Subject: Re: pg_stat_statements normalization: re-review

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group