Re: [v9.2] Add GUC sepgsql.client_label

From: Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
To: Yeb Havinga <yebhavinga(at)gmail(dot)com>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, PgHacker <pgsql-hackers(at)postgresql(dot)org>, Joshua Brindle <jbrindle(at)tresys(dot)com>
Subject: Re: [v9.2] Add GUC sepgsql.client_label
Date: 2012-02-23 11:17:14
Message-ID: CADyhKSW-k9j8D1MTJ8kjy91L640Ux+qrQY5QQWYuG5ZqhiHHiA@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

2012/2/20 Yeb Havinga <yebhavinga(at)gmail(dot)com>:
> On 2012-02-05 10:09, Kohei KaiGai wrote:
>>
>> The attached part-1 patch moves related routines from hooks.c to label.c
>> because of references to static variables. The part-2 patch implements above
>> mechanism.
>
>
> I took a short look at this patch but am stuck getting the regression test
> to run properly.
>
> First, patch 2 misses the file sepgsql.sql.in and therefore the creation
> function command for sepgsql_setcon is missing.
>
Thanks for your comments.

I added the definition of sepgsql_setcon function to sepgsql.sql.in file,
in addition to patch rebasing.

> So maybe this is because my start domain is not s0-s0:c0.c1023
>
> However, when trying to run bash or psql in domain
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 I get permission
> denied.
>
> Distribution is FC15, sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   enforcing
> Mode from config file:          enforcing
> Policy version:                 24
> Policy from config file:        targeted
>
The "default" security policy does not permit dynamic domain transition
even if unconfined domain, in contradiction to its name.
(IMO, it is fair enough design to avoid single point of failure like root user.)

The security policy of regression test contains a set of rules to reduce
categories assigned to unconfined domain.
So, could you try the following steps.
1. Build the latest policy
% make -f /usr/share/selinux/devel/Makefile -C contrib/sepgsql
2. Install the policy module
% sudo semodule -i contrib/sepgsql/sepgsql-regtest.pp
3. Turn on the sepgsql_regression_test_mode
% sudo setsebool -P sepgsql_regression_test_mode=1

I believe it allows to switch security label of the client, as long as we try to
reduce categories.

Thanks,
--
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>

Attachment Content-Type Size
pgsql-v9.2-sepgsql-setcon.part-2.v3.patch application/octet-stream 24.6 KB

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Greg Smith 2012-02-23 11:17:32 Re: Initial 9.2 pgbench write results
Previous Message Peter Geoghegan 2012-02-23 11:09:18 Re: pg_stat_statements normalization: re-review