
Re: [v9.2] Add GUC sepgsql.client_label

From: Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
To: Yeb Havinga <yebhavinga(at)gmail(dot)com>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, PgHacker <pgsql-hackers(at)postgresql(dot)org>, Joshua Brindle <jbrindle(at)tresys(dot)com>
Subject: Re: [v9.2] Add GUC sepgsql.client_label
Date: 2012-02-24 13:20:25
Lists: pgsql-hackers

2012/2/24 Yeb Havinga <yebhavinga(at)gmail(dot)com>:
> On 2012-02-23 12:17, Kohei KaiGai wrote:
>> 2012/2/20 Yeb Havinga<yebhavinga(at)gmail(dot)com>:
>>> So maybe this is because my start domain is not s0-s0:c0.c1023
>>> However, when trying to run bash or psql in domain
>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 I get permission
>>> denied.
>>> Distribution is FC15, sestatus
>>> SELinux status:                 enabled
>>> SELinuxfs mount:                /selinux
>>> Current mode:                   enforcing
>>> Mode from config file:          enforcing
>>> Policy version:                 24
>>> Policy from config file:        targeted
>> The "default" security policy does not permit dynamic domain transition
>> even if unconfined domain, in contradiction to its name.
>> (IMO, it is fair enough design to avoid single point of failure like root
>> user.)
>> The security policy of regression test contains a set of rules to reduce
>> categories assigned to unconfined domain.
>> So, could you try the following steps.
>> 1. Build the latest policy
>>     % make -f /usr/share/selinux/devel/Makefile -C contrib/sepgsql
>> 2. Install the policy module
>>     % sudo semodule -i contrib/sepgsql/sepgsql-regtest.pp
>> 3. Turn on the sepgsql_regression_test_mode
>>     % sudo setsebool -P sepgsql_regression_test_mode=1
>> I believe it allows to switch security label of the client, as long as we
>> try to reduce categories.
> I remember these commands from the sepgsql contrib module documentation
> (though the semodule invocation in the documentation is with -u and the
> setsebool does not have the -P flag). semodule -l showed I had already
> installed version 1.04.
> I just repeated all steps with the new patch, and get the same result:
> LOG:  SELinux: denied { dyntransition }
> scontext=unconfined_u:unconfined_r:unconfined_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 tclass=process
> sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c15');
> [mgrid(at)mgfedora sepgsql]$ getsebool sepgsql_regression_test_mode
> sepgsql_regression_test_mode --> on
> [root(at)mgfedora sepgsql]# semodule -l | egrep 'pgsql|postgres'
> postgresql      1.12.1
> sepgsql-regtest 1.04
> Do I need Fedora 16 to run it?
Thanks for your continuous testing.

It seems to me you are trying to expand the categories of the client.
The log says sepgsql_setcon() tries to switch to "...:s0:c0.c15" from "...:s0".
It is not an admitted operation because of the increase of categories.

> LOG:  SELinux: denied { dyntransition }
> scontext=unconfined_u:unconfined_r:unconfined_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 tclass=process

May I see your /etc/selinux/targeted/seusers ?

I think the "__default__" entry is configured to "unconfined_u:s0", instead of
"unconfined_u:s0:c0.c1023" as default.

In my environment, it is configured as follows:

  [root(at)iwashi ~]# cat /etc/selinux/targeted/seusers
  # This file is auto-generated by libsemanage
  # Do not edit directly.

  __default__:unconfined_u:s0-s0:c0.c1023   <=== (*)

KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
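
An added example, not part of the original message and not sepgsql or SELinux code: a Python sketch of the category comparison described in the reply above, run on the denial line quoted in this thread. It assumes the comparison is made on the upper level of each context's range; the function names and the FULL_RANGE client context are hypothetical.

```python
import re

def parse_categories(spec):
    """Expand an MCS category list such as 'c0.c15,c20' into a set of ints."""
    cats = set()
    for part in filter(None, spec.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending category range: {part!r}")
        cats.update(range(lo, hi + 1))
    return cats

def upper_categories(context):
    """Categories of the upper level of a user:role:type:range context."""
    fields = context.split(":", 3)
    if len(fields) != 4:
        raise ValueError(f"context has no range field: {context!r}")
    high = fields[3].split("-")[-1]  # 's0-s0:c0.c1023' -> 's0:c0.c1023'
    _sensitivity, _, cats = high.partition(":")
    return parse_categories(cats)

def added_categories(scontext, tcontext):
    """Categories the target holds that the source lacks (empty = reduction)."""
    return sorted(upper_categories(tcontext) - upper_categories(scontext))

def explain_denial(log):
    """Pull scontext/tcontext out of a denial line and compare them."""
    s = re.search(r"scontext=(\S+)", log).group(1)
    t = re.search(r"tcontext=(\S+)", log).group(1)
    return added_categories(s, t)

# Denial line quoted in this thread.
DENIAL = ("LOG:  SELinux: denied { dyntransition } "
          "scontext=unconfined_u:unconfined_r:unconfined_t:s0 "
          "tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 tclass=process")
# Constructed (assumption): client context under the seusers entry marked (*).
FULL_RANGE = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
TARGET = "unconfined_u:unconfined_r:unconfined_t:s0:c0.c15"

if __name__ == "__main__":
    print("from s0, target adds:", explain_denial(DENIAL))
    print("from s0-s0:c0.c1023, target adds:", added_categories(FULL_RANGE, TARGET))
```

A non-empty result means the target label would gain categories the client does not hold, which is the case the reply identifies in the log; an empty result means the switch only reduces categories.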
