From: | KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com> |
---|---|
To: | Jaime Casanova <jcasanov(at)systemguards(dot)com(dot)ec> |
Cc: | Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, Bruce Momjian <bruce(at)momjian(dot)us>, Joshua Brindle <method(at)manicmethod(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Josh Berkus <josh(at)agliodbs(dot)com>, PG Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Updates of SE-PostgreSQL 8.4devel patches (r1704) |
Date: | 2009-03-10 03:44:53 |
Message-ID: | 49B5E235.5000203@ak.jp.nec.com |
Lists: | pgsql-hackers |
Jaime Casanova wrote:
> On Mon, Mar 9, 2009 at 1:52 AM, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com> wrote:
>> As I promised last week, SE-PostgreSQL patches are revised here:
>>
>> [1/5] http://sepgsql.googlecode.com/files/sepgsql-core-8.4devel-r1704.patch
>> [2/5] http://sepgsql.googlecode.com/files/sepgsql-utils-8.4devel-r1704.patch
>> [3/5] http://sepgsql.googlecode.com/files/sepgsql-policy-8.4devel-r1704.patch
>> [4/5] http://sepgsql.googlecode.com/files/sepgsql-docs-8.4devel-r1704.patch
>> [5/5] http://sepgsql.googlecode.com/files/sepgsql-tests-8.4devel-r1704.patch
>>
>
> Has anyone noted that the links are malformed? In my browser they
> include the "[x/5]" part of the next line.
The above URLs might be a bit long.
I'll omit the "[x/5]" part in the next submission.
> I want to try to isolate where the difference is... can someone
> explain to me how I can trace that? (Sorry for my ignorance, but if I
> don't ask, that ignorance will stay.)
The "sepgsql_enable_auditallow" system boolean will help you
understand which permissions are checked for a given query.
-------------------------
% make -C src/backend/security/sepgsql/policy
# su
# semodule -i src/backend/security/sepgsql/policy/sepostgresql-devel.pp
(installation of the development-purpose policy)
# setsebool sepgsql_enable_auditallow 1
% psql postgres
NOTICE: SELinux: granted { access } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_db_t:s0 tclass=db_database name=postgres
psql (8.4devel)
Type "help" for help.
postgres=# SELECT * FROM t1;
NOTICE: SELinux: granted { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name=t1
NOTICE: SELinux: granted { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.a
NOTICE: SELinux: granted { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.b
NOTICE: SELinux: granted { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.c
a | b | c
---+---+---
(0 rows)
postgres=# INSERT INTO t1 (a,c) VALUES (1,2);
NOTICE: SELinux: granted { insert } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name=t1
NOTICE: SELinux: granted { insert } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.a
NOTICE: SELinux: granted { insert } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.c
INSERT 0 1
postgres=#
-------------------------
The meaning of each field:
- The "scontext" is the client's privileges.
- The "tcontext" is the security context of the table, column and so on.
- The "tclass" shows the kind of target object.
- The "name" is the name of the object.
I recommend you turn it off in the normal case, since it is noisy and
consumes disk space with logs.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
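As an added example (not code from the SE-PostgreSQL patches or from anyone in this thread), the following Python script parses the NOTICE lines from the psql session above into structured records, so that the permission checks of two sessions can be compared object by object, which is the kind of "where is the difference" question asked in the thread. The first sample is the output quoted above; the second sample session, its "example_client_t" client domain, and the format of a "denied" line are constructed assumptions for illustration (the boolean's name refers to SELinux auditallow, i.e. logging of granted checks, and the page shows no denial). The allow-rule derivation at the end goes beyond the message and mirrors what audit2allow does for ordinary SELinux audit logs; it is an assumed convenience, not part of the patches.

```python
"""Parse SE-PostgreSQL audit NOTICE lines and compare permission checks.

Added example; not code from the SE-PostgreSQL project. The line format
follows the psql session in the mail. The CONFINED_SESSION sample, the
domain name example_client_t and the "denied" line are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: the NOTICE lines from the quoted psql session.
GRANTED_SESSION = """\
NOTICE: SELinux: granted { access } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_db_t:s0 tclass=db_database name=postgres
NOTICE: SELinux: granted { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name=t1
NOTICE: SELinux: granted { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.a
NOTICE: SELinux: granted { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.b
NOTICE: SELinux: granted { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.c
NOTICE: SELinux: granted { insert } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name=t1
NOTICE: SELinux: granted { insert } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.a
NOTICE: SELinux: granted { insert } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.c
"""

# Constructed sample (an assumption): the same SELECT issued by a
# hypothetical confined client whose policy does not allow reading t1.c.
CONFINED_SESSION = """\
NOTICE: SELinux: granted { select } scontext=user_u:user_r:example_client_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name=t1
NOTICE: SELinux: granted { select } scontext=user_u:user_r:example_client_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.a
NOTICE: SELinux: granted { select } scontext=user_u:user_r:example_client_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.b
ERROR: SELinux: denied { select } scontext=user_u:user_r:example_client_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.c
"""

# One audit record: decision, permission set, source/target context,
# object class and object name, as in the session output.
AUDIT_RE = re.compile(
    r"SELinux: (?P<decision>granted|denied) \{ (?P<perms>[^}]*) \}"
    r" scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+)"
    r" tclass=(?P<tclass>\S+) name=(?P<name>\S+)"
)


def split_context(ctx):
    """Split user:role:type:range; the MLS range itself may contain ':'."""
    user, role, type_, mls = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "range": mls}


def parse_audit(text):
    """Return one dict per audit line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        records.append({
            "decision": m["decision"],
            "perms": frozenset(m["perms"].split()),
            "scontext": split_context(m["scontext"]),
            "tcontext": split_context(m["tcontext"]),
            "tclass": m["tclass"],
            "name": m["name"],
        })
    return records


def checks_by_object(records):
    """Map (tclass, name) to the set of permissions checked on that object."""
    out = defaultdict(set)
    for r in records:
        out[(r["tclass"], r["name"])] |= r["perms"]
    return dict(out)


def denials(records):
    """List (tclass, name, perms) for every check the policy refused."""
    return [(r["tclass"], r["name"], sorted(r["perms"]))
            for r in records if r["decision"] == "denied"]


def diff_checks(a, b):
    """Permissions checked in session a but not in session b, per object."""
    ca, cb = checks_by_object(a), checks_by_object(b)
    return {k: sorted(v - cb.get(k, set()))
            for k, v in ca.items() if v - cb.get(k, set())}


def needed_allow_rules(records):
    """Derive the allow rules that would satisfy every observed check,
    one per (source type, target type, class), in SELinux policy syntax."""
    rules = defaultdict(set)
    for r in records:
        key = (r["scontext"]["type"], r["tcontext"]["type"], r["tclass"])
        rules[key] |= r["perms"]
    return sorted("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
                  for (s, t, c), p in rules.items())


if __name__ == "__main__":
    granted = parse_audit(GRANTED_SESSION)
    confined = parse_audit(CONFINED_SESSION)
    print("denied in confined session:", denials(confined))
    print("checked only in unconfined session:", diff_checks(granted, confined))
    print("\n".join(needed_allow_rules(confined)))
```

Feed a real server log (with sepgsql_enable_auditallow on) through parse_audit to get the same per-object view; diff_checks then shows which checks one client's queries trigger that another's do not.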
| From | Date | Subject
---|---|---|---
Next Message | Josh Berkus | 2009-03-10 03:53:52 | Re: Updates of SE-PostgreSQL 8.4devel patches (r1704)
Previous Message | Jaime Casanova | 2009-03-10 03:24:53 | Re: Updates of SE-PostgreSQL 8.4devel patches (r1704)