Re: [v9.1] sepgsql - userspace access vector cache

From: Kohei Kaigai <Kohei(dot)Kaigai(at)EMEA(dot)NEC(dot)COM>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Yeb Havinga <yebhavinga(at)gmail(dot)com>, PgHacker <pgsql-hackers(at)postgresql(dot)org>, Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
Subject: Re: [v9.1] sepgsql - userspace access vector cache
Date: 2011-08-18 17:40:19
Message-ID: D0C1A1F8BF513F469926E6C71461D9EC03EEEC@EX10MBX02.EU.NEC.COM
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

> OK, I'm giving up for now. I hit two more snags:
>
> 1. chkselinuxenv uses "which", and a Fedora 15 minimal install doesn't
> include that. I fixed that by installing "which", but maybe we ought
> to be looking for a way to eliminate that dependency, like testing for
> the commands you need by running them with --help, or something like
> that.
>
Oops, I thought "which" is a part of coreutils.

I'll try to update chkselinuxenv to print a help message when necessary commands are not installed.

> 2. restorecon doesn't correctly set the permissions for me on
> ~/project/bin/psql. I get:
>
> [rhaas(at)f15selinux sepgsql]$ ls -Z ~/project/bin/psql
> -rwxr-xr-x. rhaas rhaas unconfined_u:object_r:user_home_t:s0
> /home/rhaas/project/bin/psql
>
> Now I can fix that by applying bin_t manually, as suggested in the
> documentation. However, that just moves the failure to library load
> time. regression.diffs has multiple copies of this error message:
>
> /home/rhaas/project/bin/psql: error while loading shared libraries:
> libpq.so.5: failed to map segment from shared object: Permission
> denied
>
I guess it tries to mmap(2) libpq.so.5 (labeled as user_home_t) with executable mode.
The regression test switches domain of psql command on its execution from "unconfined_t" to "sepgsql_regtest_user_t", however, I didn't allow this domain to mmap(2) files in user's home directory with executable mode.
It may need to revise the security policy of regression test to support installation onto home directory.

As a quick avoidance, how about --prefix=/usr/local/sepgsql instead?

Thanks,
--
NEC Europe Ltd, SAP Global Competence Center
KaiGai Kohei <kohei(dot)kaigai(at)emea(dot)nec(dot)com>

> -----Original Message-----
> From: Robert Haas [mailto:robertmhaas(at)gmail(dot)com]
> Sent: 18. August 2011 18:22
> To: Kohei Kaigai
> Cc: Yeb Havinga; PgHacker; Kohei KaiGai
> Subject: Re: [HACKERS] [v9.1] sepgsql - userspace access vector cache
>
> On Thu, Aug 18, 2011 at 1:00 PM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> > [more problems]
>
> OK, I'm giving up for now. I hit two more snags:
>
> 1. chkselinuxenv uses "which", and a Fedora 15 minimal install doesn't
> include that. I fixed that by installing "which", but maybe we ought
> to be looking for a way to eliminate that dependency, like testing for
> the commands you need by running them with --help, or something like
> that.
>
> 2. restorecon doesn't correctly set the permissions for me on
> ~/project/bin/psql. I get:
>
> [rhaas(at)f15selinux sepgsql]$ ls -Z ~/project/bin/psql
> -rwxr-xr-x. rhaas rhaas unconfined_u:object_r:user_home_t:s0
> /home/rhaas/project/bin/psql
>
> Now I can fix that by applying bin_t manually, as suggested in the
> documentation. However, that just moves the failure to library load
> time. regression.diffs has multiple copies of this error message:
>
> /home/rhaas/project/bin/psql: error while loading shared libraries:
> libpq.so.5: failed to map segment from shared object: Permission
> denied
>
> Help!
>
> Thanks,
>
> --
> Robert Haas
> EnterpriseDB: http://www.enterprisedb.com
> The Enterprise PostgreSQL Company
>
>
> Click
> https://www.mailcontrol.com/sr/g7UEZIfD10rTndxI!oX7Unz1!gA0DCbilsfI53CIRke!PbNpuk4RnjmGfZ8cEe1DM1
> BV3YJKcc9jEfBJ2k7YZA== to report this email as spam.

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Robert Haas 2011-08-18 17:42:04 Re: [v9.1] sepgsql - userspace access vector cache
Previous Message David E. Wheeler 2011-08-18 17:22:53 Re: Full GUID support