Re: security labels on databases are bad for dump & restore

From: Kouhei Kaigai <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: Ted Toth <txtoth(at)gmail(dot)com>
Cc: Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>, Robert Haas <robertmhaas(at)gmail(dot)com>, Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com>, Andres Freund <andres(at)anarazel(dot)de>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
Subject: Re: security labels on databases are bad for dump & restore
Date: 2015-07-15 04:09:56
Message-ID: 9A28C8860F777E439AA12E8AEA7694F801116184@BPXM15GP.gisp.nec.co.jp
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

> That doesn't answer my question. I'm talking about a client and server
> running on the same system with SELinux MLS policy so that getpeercon
> will return the context of the client process unless it has explicitly
> sets the socket create context . So again will postgresql if the
> sepgsql module is loaded call a function in sepgsql to compute the
> access vector for the source (getpeercon label) contexts access to the
> target context (tables context set by SECURITY LABEL) and fail the
> operation generating an AVC if access is denied because there is no
> policy?
>
Yes. You may see AVC denial/allowed message on PostgreSQL log, like:

LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_table"

scontext comes from getpeercon(3),
tcontext comes from the configuration by SECURITY LABEL command.

Thanks,
--
NEC Business Creation Division / PG-Strom Project
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>

In response to

Browse pgsql-hackers by date

  From Date Subject
Next Message Fujii Masao 2015-07-15 04:38:19 max_worker_processes on the standby
Previous Message Michael Paquier 2015-07-15 04:07:23 Re: creating extension including dependencies