Re: [v9.2] Add GUC sepgsql.client_label - Mailing list pgsql-hackers
From: Kohei KaiGai
Subject: Re: [v9.2] Add GUC sepgsql.client_label
Date:
Msg-id: CADyhKSVMrci-PVkuyxgBmLD9cCMFcKETVd1C4YZR+A1z_CM9JQ@mail.gmail.com
In response to: Re: [v9.2] Add GUC sepgsql.client_label (Yeb Havinga <yebhavinga@gmail.com>)
Responses: Re: [v9.2] Add GUC sepgsql.client_label
List: pgsql-hackers
2012/2/24 Yeb Havinga <yebhavinga@gmail.com>:
> On 2012-02-23 12:17, Kohei KaiGai wrote:
>>
>> 2012/2/20 Yeb Havinga <yebhavinga@gmail.com>:
>>
>>> So maybe this is because my start domain is not s0-s0:c0.c1023
>>>
>>> However, when trying to run bash or psql in domain
>>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 I get permission
>>> denied.
>>>
>>> Distribution is FC15, sestatus
>>> SELinux status:                 enabled
>>> SELinuxfs mount:                /selinux
>>> Current mode:                   enforcing
>>> Mode from config file:          enforcing
>>> Policy version:                 24
>>> Policy from config file:        targeted
>>>
>> The "default" security policy does not permit dynamic domain transition,
>> even for the unconfined domain, in contradiction to its name.
>> (IMO, it is a fair enough design to avoid a single point of failure like
>> the root user.)
>>
>> The security policy of the regression test contains a set of rules to
>> reduce the categories assigned to the unconfined domain.
>> So, could you try the following steps?
>> 1. Build the latest policy
>>    % make -f /usr/share/selinux/devel/Makefile -C contrib/sepgsql
>> 2. Install the policy module
>>    % sudo semodule -i contrib/sepgsql/sepgsql-regtest.pp
>> 3. Turn on the sepgsql_regression_test_mode
>>    % sudo setsebool -P sepgsql_regression_test_mode=1
>>
>> I believe it allows switching the security label of the client, as long
>> as we try to reduce categories.
>
> I remember these commands from the sepgsql contrib module documentation
> (though the semodule invocation in the documentation is with -u and the
> setsebool does not have the -P flag). semodule -l showed I had already
> installed version 1.04.
>
> I just repeated all steps with the new patch, and get the same result:
>
> LOG:  SELinux: denied { dyntransition }
> scontext=unconfined_u:unconfined_r:unconfined_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 tclass=process
> STATEMENT:  SELECT
> sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c15');
>
> [mgrid@mgfedora sepgsql]$ getsebool sepgsql_regression_test_mode
> sepgsql_regression_test_mode --> on
> [root@mgfedora sepgsql]# semodule -l | egrep 'pgsql|postgres'
> postgresql      1.12.1
> sepgsql-regtest 1.04
>
> Do I need Fedora 16 to run it?
>
Thanks for your continued testing.

It seems to me you are trying to expand the categories of the client.
The log says sepgsql_setcon() tries to switch to "...:s0:c0.c15" from "...:s0".
It is not an admitted operation because it increases the categories.

> LOG:  SELinux: denied { dyntransition }
> scontext=unconfined_u:unconfined_r:unconfined_t:s0
> tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 tclass=process

May I see your /etc/selinux/targeted/seusers?
I think the "__default__" entry is configured as "unconfined_u:s0", instead of
"unconfined_u:s0:c0.c1023" as default.

In my environment, it is configured as follows:

[root@iwashi ~]# cat /etc/selinux/targeted/seusers
# This file is auto-generated by libsemanage
# Do not edit directly.
system_u:system_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023   <=== (*)

Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
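The rule KaiGai applies to the denial above (a client may switch to a label whose MLS categories are a subset of what it already holds, but not add categories) is what decides between the two seusers settings he compares. The following is an added example, not code from the sepgsql patch or the PostgreSQL project: it parses SELinux context strings of the user:role:type:range form shown in the thread and models the check as "the clearance (high level) of the source context must dominate the high level of the target". That dominance test, the assumption that user, role and type are left out of the decision, and the function names (check_setcon, Context, Level) are assumptions made for illustration, not the actual policy constraint. The two contexts from the log and the s0-s0:c0.c1023 range from the seusers file are used as inputs.

```python
"""Model of the MLS side of the sepgsql_setcon() dyntransition check.

Added example (not the sepgsql or PostgreSQL code): the dominance rule
below is a simplified assumption based on the thread's explanation, not
the real SELinux MLS constraint; user/role/type changes are ignored.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Category spec "c7" or "c0.c15"; level spec "s0" or "s0:c0.c15,c20".
_CAT_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")
_LEVEL_RE = re.compile(r"^s(\d+)(?::(.+))?$")


def parse_categories(spec: str) -> frozenset[int]:
    """Expand 'c0.c15,c20' into {0, ..., 15, 20}; '' is the empty set."""
    cats: set[int] = set()
    for part in filter(None, spec.split(",")):
        m = _CAT_RE.match(part)
        if m is None:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) is not None else lo
        if hi < lo:
            raise ValueError(f"inverted category range: {part!r}")
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


def format_categories(cats) -> str:
    """Inverse of parse_categories: {0,1,2,5} -> 'c0.c2,c5'."""
    cats, out, i = sorted(cats), [], 0
    while i < len(cats):
        j = i
        while j + 1 < len(cats) and cats[j + 1] == cats[j] + 1:
            j += 1
        out.append(f"c{cats[i]}" if i == j else f"c{cats[i]}.c{cats[j]}")
        i = j + 1
    return ",".join(out)


@dataclass(frozen=True)
class Level:
    sensitivity: int
    categories: frozenset[int]

    @classmethod
    def parse(cls, text: str) -> Level:
        m = _LEVEL_RE.match(text)
        if m is None:
            raise ValueError(f"bad MLS level: {text!r}")
        return cls(int(m.group(1)), parse_categories(m.group(2) or ""))

    def dominates(self, other: Level) -> bool:
        """MLS dominance: sensitivity not lower and categories a superset."""
        return (self.sensitivity >= other.sensitivity
                and other.categories <= self.categories)


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type_: str
    low: Level   # effective level
    high: Level  # clearance; equal to low for a single-level context

    @classmethod
    def parse(cls, text: str) -> Context:
        # Only the first three colons separate fields; the range has more.
        user, role, type_, mls = text.split(":", 3)
        low_s, _, high_s = mls.partition("-")
        low = Level.parse(low_s)
        high = Level.parse(high_s) if high_s else low
        if not high.dominates(low):
            raise ValueError(f"high level does not dominate low in {text!r}")
        return cls(user, role, type_, low, high)


def check_setcon(scontext: str, tcontext: str) -> tuple[bool, str]:
    """Return (allowed, explanation) for switching scontext -> tcontext.

    Assumed rule: allowed iff the source clearance dominates the target's
    high level, i.e. the target may only drop categories or sensitivity.
    """
    src, dst = Context.parse(scontext), Context.parse(tcontext)
    if src.high.dominates(dst.high):
        return True, f"allowed: {tcontext} is dominated by the clearance of {scontext}"
    if dst.high.sensitivity > src.high.sensitivity:
        why = f"raises sensitivity s{src.high.sensitivity} -> s{dst.high.sensitivity}"
    else:
        why = "adds categories " + format_categories(
            dst.high.categories - src.high.categories)
    # Mimics the shape of the denial line quoted in the thread.
    return False, (f"SELinux: denied {{ dyntransition }} scontext={scontext} "
                   f"tcontext={tcontext} tclass=process ({why})")


if __name__ == "__main__":
    base = "unconfined_u:unconfined_r:unconfined_t"
    for src in (f"{base}:s0", f"{base}:s0-s0:c0.c1023"):
        print(check_setcon(src, f"{base}:s0:c0.c15")[1])
```

Run stand-alone, the first line shows the denial from Yeb's log (the client starts at plain s0, so c0.c15 would be added) and the second shows that a client started with the s0-s0:c0.c1023 range KaiGai's seusers assigns to __default__ may drop to s0:c0.c15. Real decisions additionally depend on the policy's type rules and the sepgsql_regression_test_mode boolean, which this model does not cover.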