Jaime Casanova wrote:
On Fri, Feb 13, 2009 at 9:07 AM, Joshua Brindle <met...@manicmethod.com> wrote:
KaiGai Kohei wrote:
KaiGai Kohei wrote:
The series of SE-PostgreSQL patches are updated:
[1/5]
http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r1530.patch
[2/5]
http://sepgsql.googlecode.com/files/sepostgresql-utils-8.4devel-3-r1530.patch
[3/5]
http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r1530.patch
[4/5]
http://sepgsql.googlecode.com/files/sepostgresql-docs-8.4devel-3-r1530.patch
[5/5]
http://sepgsql.googlecode.com/files/sepostgresql-tests-8.4devel-3-r1530.patch
BTW, what is the current status of reviewing the patches?
Is it necessary to wait for a few days more?
If you have anything unclear, please feel free to ask me anything.
Yes, what was the decision about 8.4? Is this going to make it in?
Can you try the functional parts of it? i.e., compile with the patch
with --enable-selinux and test if the patch does what you expect?
I will try it but I have to install a VM to install SELinux on it...
then I will try some cases... can you give me an example of a typical
scenario to make those tests?
If you can help to test the patches, I recommend installing Fedora 10
on your VM image, because it includes SELinux by default and its
default security policy (selinux-policy-targeted) also supports SE-PostgreSQL.
Then, could you try the following steps?
1) installation
$ ./configure --enable-selinux
$ make
$ make -C src/backend/security/sepgsql/policy
(NOTE: We provide a policy module for development purposes)
$ su
# make install
# /usr/sbin/semodule -i src/backend/security/sepgsql/policy/sepostgresql-devel.pp
(NOTE: It installs the development policy)
# /sbin/restorecon -R /usr/local/pgsql
(NOTE: It assigns the correct security context to the installed binaries)
$ export PGDATA=/path/to/database
$ chcon -t postgresql_db_t -R $PGDATA
(NOTE: It assigns the correct security context to the database files)
$ initdb --enable-selinux
(NOTE: --enable-selinux turns on the SE-PostgreSQL feature)
$ pg_ctl start
2) check installation
2-1) Please confirm SE-PostgreSQL works
$ psql postgres
psql (8.4devel)
Type "help" for help.
postgres=# SHOW sepostgresql;
 sepostgresql
--------------
 on
(1 row)
2-2) Please confirm the client's privileges
$ id -Z
unconfined_u:unconfined_r:unconfined_t
$ psql postgres
psql (8.4devel)
Type "help" for help.
postgres=# SELECT sepgsql_getcon();
             sepgsql_getcon
----------------------------------------
 unconfined_u:unconfined_r:unconfined_t
(1 row)
NOTE: It has to match the privileges on the OS.
2-3) Please confirm the server's privileges
postgres=# SELECT sepgsql_server_getcon();
       sepgsql_server_getcon
------------------------------------
 unconfined_u:system_r:postgresql_t
(1 row)
NOTE: It is necessary for restricted domains (like PHP scripts) to be able to
connect to the PostgreSQL server process.
2-4) Please confirm connecting from a restricted domain
$ runcon -t sepgsql_test_t -- psql postgres
psql (8.4devel)
Type "help" for help.
postgres=# SELECT sepgsql_getcon();
              sepgsql_getcon
------------------------------------------
 unconfined_u:unconfined_r:sepgsql_test_t
(1 row)
NOTE: The "sepgsql_test_t" domain has the same restricted privileges as PHP
scripts invoked from the Apache web server.
NOTE: If SELinux denies the connection, please try the following command (as root):
# setsebool -P allow_user_postgresql_connect 1
3) Example of a typical scenario
3-1) Setup of column level access controls
postgres=# CREATE TABLE customer (
    cid int primary key,
    cname text,
    credit varchar(32)
        SECURITY_LABEL = 'system_u:object_r:sepgsql_secret_table_t:s0'
);
NOTICE: CREATE TABLE / PRIMARY KEY will create implicit index "customer_pkey" for table "customer"
CREATE TABLE
postgres=# INSERT INTO customer VALUES (1, 'kaigai', '1111-2222-3333-4444'),
(2, 'yamada', '5555-6666-7777-8888'),
(3, 'kimura', '9999-0000-1234-5678');
INSERT 0 3
postgres=# SELECT * FROM customer;
 cid | cname  |       credit
-----+--------+---------------------
   1 | kaigai | 1111-2222-3333-4444
   2 | yamada | 5555-6666-7777-8888
   3 | kimura | 9999-0000-1234-5678
(3 rows)
postgres=# CREATE OR REPLACE FUNCTION show_credit (int)
    RETURNS text LANGUAGE 'sql'
    SECURITY_LABEL = 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0'
    AS 'SELECT regexp_replace(credit, ''-[0-9]+'', ''-xxxx'', ''g'')
        FROM customer WHERE cid = $1';
CREATE FUNCTION
3-2) Example of column level access controls
$ runcon -t sepgsql_test_t -- psql postgres
psql (8.4devel)
Type "help" for help.
postgres=# SELECT * FROM customer;
ERROR: SELinux: denied { select }
scontext=unconfined_u:unconfined_r:sepgsql_test_t
tcontext=system_u:object_r:sepgsql_secret_table_t tclass=db_column
name=customer.credit
(NOTE: SE-PostgreSQL prevents the restricted domain from selecting a column
labeled 'sepgsql_secret_table_t')
postgres=# SELECT cid, cname FROM customer;
 cid | cname
-----+--------
   1 | kaigai
   2 | yamada
   3 | kimura
(3 rows)
postgres=# SELECT cid, cname, show_credit(cid) FROM customer;
 cid | cname  |     show_credit
-----+--------+---------------------
   1 | kaigai | 1111-xxxx-xxxx-xxxx
   2 | yamada | 5555-xxxx-xxxx-xxxx
   3 | kimura | 9999-xxxx-xxxx-xxxx
(3 rows)
(NOTE: show_credit() is labeled 'sepgsql_trusted_proc_exec_t', which lets
the client privilege be switched while the function is running.)
(NOTE: Please note that sepgsql_test_t has the same privileges as a PHP
script invoked from a web server, so a PHP script cannot show
"customer.credit" directly.)
Thanks,
--
KaiGai Kohei <kai...@kaigai.gr.jp>
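A small helper for anyone running the test scenario above, added here as an example and not part of the thread or of the SE-PostgreSQL patches: it parses the `SELinux: denied { ... } scontext=... tcontext=... tclass=... name=...` messages that SE-PostgreSQL raises (in the wrapped form psql prints them, as in step 3-2, or on one line) and sorts them into denials the policy is meant to produce versus ones that suggest a mislabelled object or a missing policy rule or boolean. The sample session, the second (table-level) denial and the set of expected denials are constructed for the example.

```python
import re
from typing import Any, Dict, List, Optional, Set, Tuple

# Constructed sample psql session. The first denial is the one shown in the
# thread (psql wraps it over several lines); the second is a constructed
# denial against the table itself, so the triage has something to flag.
SAMPLE_OUTPUT = """\
postgres=# SELECT * FROM customer;
ERROR:  SELinux: denied { select }
scontext=unconfined_u:unconfined_r:sepgsql_test_t
tcontext=system_u:object_r:sepgsql_secret_table_t tclass=db_column
name=customer.credit
postgres=# UPDATE customer SET cname = 'x' WHERE cid = 1;
ERROR:  SELinux: denied { update } scontext=unconfined_u:unconfined_r:sepgsql_test_t tcontext=system_u:object_r:sepgsql_table_t tclass=db_table name=customer
postgres=# \\q
"""

# Message shape as shown in the thread: "SELinux: denied { perms } key=value ..."
DENIAL_RE = re.compile(r"SELinux:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}(?P<rest>.*)")
FIELD_RE = re.compile(r"(scontext|tcontext|tclass|name)=(\S+)")

Denial = Dict[str, Any]


def parse_denials(text: str) -> List[Denial]:
    """Return one record per 'SELinux: denied' message found in psql output.

    psql may wrap a long message over several lines, so key=value lines that
    directly follow a denial line are folded back into that denial.
    """
    lines = text.splitlines()
    denials: List[Denial] = []
    i = 0
    while i < len(lines):
        m = DENIAL_RE.search(lines[i])
        if m is None:
            i += 1
            continue
        rest = m.group("rest")
        j = i + 1
        while j < len(lines) and FIELD_RE.match(lines[j].strip()):
            rest += " " + lines[j].strip()
            j += 1
        fields = dict(FIELD_RE.findall(rest))
        denials.append({
            "perms": m.group("perms").split(),
            "scontext": fields.get("scontext"),
            "tcontext": fields.get("tcontext"),
            "tclass": fields.get("tclass"),
            "name": fields.get("name"),
        })
        i = j
    return denials


def context_type(context: Optional[str]) -> Optional[str]:
    """The third field of a security context (user:role:type[:range]) is the type."""
    if not context:
        return None
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None


# (source type, target type, object class) triples the policy is meant to deny
ExpectedKey = Tuple[str, str, str]


def triage(denials: List[Denial], expected: Set[ExpectedKey]) -> Tuple[List[Denial], List[Denial]]:
    """Split denials into those matching an expected triple and all others.

    An unexpected denial usually points at a mislabelled object (compare the
    restorecon/chcon steps in the install procedure) or a missing rule/boolean.
    """
    expected_hits: List[Denial] = []
    unexpected: List[Denial] = []
    for d in denials:
        key = (context_type(d["scontext"]), context_type(d["tcontext"]), d["tclass"])
        (expected_hits if key in expected else unexpected).append(d)
    return expected_hits, unexpected


if __name__ == "__main__":
    found = parse_denials(SAMPLE_OUTPUT)
    # Constructed expectation: the restricted test domain must not read the secret column.
    ok, suspicious = triage(found, {("sepgsql_test_t", "sepgsql_secret_table_t", "db_column")})
    for d in ok:
        print("expected  :", d["perms"], d["tclass"], d["name"])
    for d in suspicious:
        print("UNEXPECTED:", d["perms"], d["tclass"], d["name"],
              "from", context_type(d["scontext"]), "on", context_type(d["tcontext"]))
```

Feed it the transcript of a test run (`psql ... 2>&1 | tee run.log`) and keep the expected set in step with the scenario being tested; anything that lands in the unexpected list is worth checking against `id -Z`, `sepgsql_getcon()` and the labels assigned in step 1 before assuming the patch is at fault.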