Re: security labels on databases are bad for dump & restore

From: Ted Toth <txtoth(at)gmail(dot)com>
To: Kouhei Kaigai <kaigai(at)ak(dot)jp(dot)nec(dot)com>
Cc: Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>, Robert Haas <robertmhaas(at)gmail(dot)com>, Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com>, Andres Freund <andres(at)anarazel(dot)de>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
Subject: Re: security labels on databases are bad for dump & restore
Date: 2015-07-15 03:43:49
Message-ID: CAFPpqQEw4qL+RQfH__vvy5cJ1hqzipQNTQKqV8hudsyKzJWRcQ@mail.gmail.com
Lists: pgsql-hackers

That doesn't answer my question. I'm talking about a client and server
running on the same system with the SELinux MLS policy, so that getpeercon
will return the context of the client process unless it explicitly
sets the socket create context. So again: will PostgreSQL, if the
sepgsql module is loaded, call a function in sepgsql to compute the
access vector for the source context's (getpeercon label) access to the
target context (the table's context set by SECURITY LABEL), and fail the
operation, generating an AVC, if access is denied because there is no
policy?

On Tue, Jul 14, 2015 at 8:35 PM, Kouhei Kaigai <kaigai(at)ak(dot)jp(dot)nec(dot)com> wrote:
>> So if I label a table with an SELinux context and the type of my
>> client connection does not have policy to be able to access the table
>> type will an AVC be generated and the access denied?
>>
> Of course, it depends on the policy of the system.
>
> If the client connection comes from a non-SELinux system, use netlabelctl
> to configure a default fallback security context. It gives getpeercon(3)
> the client label that shall be applied when netlabel is not configured on
> the connection.
>
> Thanks,
> --
> NEC Business Creation Division / PG-Strom Project
> KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
>
>
>> -----Original Message-----
>> From: pgsql-hackers-owner(at)postgresql(dot)org
>> [mailto:pgsql-hackers-owner(at)postgresql(dot)org] On Behalf Of Ted Toth
>> Sent: Wednesday, July 15, 2015 2:59 AM
>> To: Kohei KaiGai
>> Cc: Robert Haas; Adam Brightwell; Andres Freund; pgsql-hackers(at)postgresql(dot)org;
>> Alvaro Herrera
>> Subject: Re: [HACKERS] security labels on databases are bad for dump & restore
>>
>> So if I label a table with an SELinux context and the type of my
>> client connection does not have policy to be able to access the table
>> type will an AVC be generated and the access denied?
>>
>> Ted
>>
>> On Tue, Jul 14, 2015 at 12:53 PM, Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> wrote:
>> > 2015-07-15 2:39 GMT+09:00 Ted Toth <txtoth(at)gmail(dot)com>:
>> >> That's exactly what I'm talking about. Like I said, KaiGai's branch was
>> >> never merged into the mainline, so I do not believe that it is used at
>> >> all.
>> >>
>> > It depends on the definition of "integrated".
>> > The PostgreSQL core offers an infrastructure for label-based security
>> > mechanisms, not only selinux. Also, one extension module that is
>> > usually distributed with PostgreSQL bridges the world of the database and
>> > the world of selinux (even though all the features I initially designed
>> > are not yet implemented). I like to say it is integrated.
>> >
>> >> On Tue, Jul 14, 2015 at 12:28 PM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
>> >>> On Tue, Jul 14, 2015 at 1:22 PM, Ted Toth <txtoth(at)gmail(dot)com> wrote:
>> >>>> I'm sort of new to this so maybe I'm missing something but since the
>> >>>> sepgsql SELinux userspace object manager was never integrated into
>> >>>> postgresql (AFAIK KaiGais branch was never merged into the mainline)
>> >>>> who uses these labels? What use are they?
>> >>>
>> >>> See contrib/sepgsql
>> >>>
>> >>> --
>> >>> Robert Haas
>> >>> EnterpriseDB: http://www.enterprisedb.com
>> >>> The Enterprise PostgreSQL Company
>> >
>> >
>> >
>> > --
>> > KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
>>
>>
>> --
>> Sent via pgsql-hackers mailing list (pgsql-hackers(at)postgresql(dot)org)
>> To make changes to your subscription:
>> http://www.postgresql.org/mailpref/pgsql-hackers
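An added example, not code from this thread or from the sepgsql project, showing the SQL side of the scenario Ted describes: a table labeled with SECURITY LABEL, the client context sepgsql obtained from getpeercon(3), and the table access that sepgsql then mediates against that pair of contexts. It assumes a PostgreSQL server with shared_preload_libraries = 'sepgsql' and the sepgsql extension installed, SELinux enforcing on the same host, and a client connecting over a local Unix socket (so the peer label is the client process's own context). The table name secret_docs and the type classified_table_t are illustrative and assumed to exist in the loaded policy; sepgsql_regtest_user_t is the domain from the sepgsql-regtest policy module shipped with contrib/sepgsql, which must be loaded for the last step to succeed.

```sql
-- Added example (not from the thread or from contrib/sepgsql).
-- Assumes: sepgsql loaded and enforcing, SELinux enforcing on the host,
-- local Unix-socket client, and the hypothetical type classified_table_t
-- defined in the loaded policy.

-- 1. The context sepgsql took from getpeercon(3) for this session.
--    This is the "source" side of every check sepgsql will perform.
SELECT sepgsql_getcon();

-- 2. Create a table and give it an explicit label. The label's type is
--    the "target" side of the check (object class db_table).
CREATE TABLE secret_docs (id serial PRIMARY KEY, body text);
SECURITY LABEL FOR selinux ON TABLE secret_docs
    IS 'system_u:object_r:classified_table_t:s0';   -- hypothetical type

-- 3. Confirm what was stored in the catalog.
SELECT objtype, objname, label
  FROM pg_seclabels
 WHERE provider = 'selinux'
   AND objname  = 'secret_docs';

-- 4. Access is now mediated by sepgsql: for this query it asks the
--    kernel whether <client context> is allowed {select} on db_table
--    with the table's context. If the policy has no allow rule, the
--    statement fails with "SELinux: security policy violation" and an
--    AVC denial is logged on the server host.
SELECT count(*) FROM secret_docs;

-- 5. Repeat the check from a different client domain. sepgsql_setcon()
--    switches the session's client context if the policy grants
--    process:setcurrent and the transition; pass NULL to go back to the
--    original getpeercon(3) context.
SELECT sepgsql_setcon('unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0');
SELECT sepgsql_getcon();
SELECT count(*) FROM secret_docs;   -- now checked as sepgsql_regtest_user_t
SELECT sepgsql_setcon(NULL);
```

The denied case in step 4 is what produces the AVC Ted asks about; whether it is denied or allowed is decided entirely by the rules loaded in the host policy for the pair (client type, table type), which is why the answer "it depends on the policy of the system" is the accurate one.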
