Re: Updates of SE-PostgreSQL 8.4devel patches (r1704)

Jaime Casanova wrote:
> On Mon, Mar 9, 2009 at 1:52 AM, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com> wrote:
>> As I promised last week, SE-PostgreSQL patches are revised here:
>>
>> [1/5] http://sepgsql.googlecode.com/files/sepgsql-core-8.4devel-r1704.patch
>> [2/5] http://sepgsql.googlecode.com/files/sepgsql-utils-8.4devel-r1704.patch
>> [3/5] http://sepgsql.googlecode.com/files/sepgsql-policy-8.4devel-r1704.patch
>> [4/5] http://sepgsql.googlecode.com/files/sepgsql-docs-8.4devel-r1704.patch
>> [5/5] http://sepgsql.googlecode.com/files/sepgsql-tests-8.4devel-r1704.patch
>>
>
> has anyone noted that the links are malformed? in my browser they
> include the [x/5 part of the next line

Above URLs might be a bit long.
I'll omit the "[x/5]" part on the next submission.

> i want to try to isolate where is the difference... can someone
> explain me how can i trace that? (sorry for my ignorance but if i
> don't ask that ignorance will stay)

The "sepgsql_enable_auditallow" system boolean will help you to
understand what permissions are checked on the given query.

-------------------------
% make -C src/backend/security/sepgsql/policy
# su
# semodule -i src/backend/security/sepgsql/policy/sepostgresql-devel.pp
(installation of development purpose policy)
# setsebool sepgsql_enable_auditallow 1
% psql postgres
NOTICE: SELinux: granted { access } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_db_t:s0 tclass=db_database name=postgres
psql (8.4devel)
Type "help" for help.

postgres=# SELECT * FROM t1;
NOTICE: SELinux: granted { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name=t1
NOTICE: SELinux: granted { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.a
NOTICE: SELinux: granted { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.b
NOTICE: SELinux: granted { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.c
a | b | c
---+---+---
(0 rows)

postgres=# INSERT INTO t1 (a,c) VALUES (1,2);
NOTICE: SELinux: granted { insert } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name=t1
NOTICE: SELinux: granted { insert } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.a
NOTICE: SELinux: granted { insert } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.c
INSERT 0 1
postgres=#
-------------------------

The meanings of each fields:
- The "scontext" is the client's privileges
- The "tcontext" is the security context of tables, columns and so on.
- The "tclass" shows the kind of target object.
- The "name" is the name of object.

I recommend you to turn off it in normal case due to noisy and disk
consumption with logs.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>