Re: trust authentication behavior

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: "David G(dot) Johnston" <david(dot)g(dot)johnston(at)gmail(dot)com>
Cc: Denis Kirjanov <kda(at)itsirius(dot)su>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, Kohei KaiGai <kaigai(at)ak(dot)jp(dot)nec(dot)com>
Subject: Re: trust authentication behavior
Date: 2015-05-15 20:13:10
Message-ID: CA+TgmoYWNP-eKWvNYmZ5XvwhC+pjZOXpscAQRX3r8_jnDP5Y-g@mail.gmail.com
Lists: pgsql-hackers

On Thu, May 14, 2015 at 3:52 PM, David G. Johnston
<david(dot)g(dot)johnston(at)gmail(dot)com> wrote:
> On Thu, May 14, 2015 at 12:22 PM, Denis Kirjanov <kda(at)itsirius(dot)su> wrote:
>>
>> Yeah, but the idea is to do that without the pg_hba.conf
>
> You may want to try describing the problem and not just ask if the chosen
> solution is possible - of which I am doubtful but I have never used selinux
> or studied it in any depth. pg_hba.conf is the chosen tool for this kind of
> thing so pointing out why it cannot be used is a much more useful first
> step.

In mandatory access control systems like SE-Linux, the system security
policy is supposed to centralize all security decisions, and it should
be possible to enforce any necessary access control rule by modifying
that policy. At least that's my understanding. sepgsql lets the
kernel's mandatory access control policies filter down into access
control decisions that PostgreSQL makes. sepgsql consults the
operating system policy when faced with an access control decision of
a type that it supports, and accepts or rejects the connect based on
that.

So the question is whether the sepgsql integration points include
anything that can block a connection, rather than, say, allowing the
connection but blocking access to particular tables. Looking at the
code, it appears that it vaguely contemplates a db_database:{access}
permission, which sounds like about the right thing, and it's also
mentioned at https://wiki.postgresql.org/wiki/SEPostgreSQL/Permissions#Connection
as maybe being the right thing, but I can't find anyplace that it is
actually enforced. That's rather disappointing...

KaiGai, any thoughts?

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
