Jaime Casanova wrote:
On Mon, Mar 9, 2009 at 1:52 AM, KaiGai Kohei <kai...@ak.jp.nec.com> wrote:
As I promised last week, SE-PostgreSQL patches are revised here:

[1/5] http://sepgsql.googlecode.com/files/sepgsql-core-8.4devel-r1704.patch
[2/5] http://sepgsql.googlecode.com/files/sepgsql-utils-8.4devel-r1704.patch
[3/5] http://sepgsql.googlecode.com/files/sepgsql-policy-8.4devel-r1704.patch
[4/5] http://sepgsql.googlecode.com/files/sepgsql-docs-8.4devel-r1704.patch
[5/5] http://sepgsql.googlecode.com/files/sepgsql-tests-8.4devel-r1704.patch


Has anyone noticed that the links are malformed? In my browser they
include the "[x/5]" part of the next line.

The above URLs might be a bit long.
I'll omit the "[x/5]" part in the next submission.

I want to try to isolate where the difference is... can someone
explain to me how I can trace that? (Sorry for my ignorance, but if I
don't ask, that ignorance will stay.)

The "sepgsql_enable_auditallow" system boolean will help you
understand which permissions are checked for a given query.

-------------------------
% make -C src/backend/security/sepgsql/policy
# su
# semodule -i src/backend/security/sepgsql/policy/sepostgresql-devel.pp
  (installation of development purpose policy)
# setsebool sepgsql_enable_auditallow 1
% psql postgres
NOTICE:  SELinux: granted { access } 
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 
tcontext=unconfined_u:object_r:sepgsql_db_t:s0 tclass=db_database name=postgres
psql (8.4devel)
Type "help" for help.

postgres=# SELECT * FROM t1;
NOTICE:  SELinux: granted { select } 
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 
tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name=t1
NOTICE:  SELinux: granted { select } 
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 
tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.a
NOTICE:  SELinux: granted { select } 
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 
tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.b
NOTICE:  SELinux: granted { select } 
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 
tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.c
 a | b | c
---+---+---
(0 rows)

postgres=# INSERT INTO t1 (a,c) VALUES (1,2);
NOTICE:  SELinux: granted { insert } 
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 
tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name=t1
NOTICE:  SELinux: granted { insert } 
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 
tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.a
NOTICE:  SELinux: granted { insert } 
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 
tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.c
INSERT 0 1
postgres=#
-------------------------

The meaning of each field:
 - The "scontext" is the client's privileges (its security context).
 - The "tcontext" is the security context of the table, column and so on.
 - The "tclass" shows the kind of target object.
 - The "name" is the name of the object.

I recommend you turn it off in the normal case, since it is noisy and
consumes disk space with logs.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kai...@ak.jp.nec.com>

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
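As an added example (not code from this thread or from SE-PostgreSQL itself), a Python parser for the NOTICE lines shown above: it turns the wrapped granted/denied records into the fields KaiGai lists and summarises which permissions were checked per object. The sample log is constructed from the lines in this message; the layout of a "denied" record is an assumption, since the thread shows only "granted" ones.

```python
import re
from collections import defaultdict

# Constructed sample in the layout psql prints with sepgsql_enable_auditallow=1.
# The last record is an assumed "denied" line in the same layout (the thread
# shows only "granted" lines).
SAMPLE_LOG = """\
NOTICE:  SELinux: granted { select }
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63
tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name=t1
NOTICE:  SELinux: granted { select }
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63
tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.a
NOTICE:  SELinux: denied { insert }
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63
tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.c
"""

RECORD_RE = re.compile(
    r"SELinux:\s+(?P<decision>granted|denied)\s+\{(?P<perms>[^}]*)\}\s+"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)\s+name=(?P<name>\S+)")

def split_context(ctx):
    """Split user:role:type:range; maxsplit=3 keeps the ':' inside the MLS range."""
    user, role, type_, mls = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_, "range": mls}

def parse_audit(text):
    """Parse NOTICE records; whitespace is normalised first so a record wrapped
    across three lines matches exactly like a single-line one."""
    flat = " ".join(text.split())
    return [{"decision": m["decision"], "perms": set(m["perms"].split()),
             "scontext": split_context(m["scontext"]),
             "tcontext": split_context(m["tcontext"]),
             "tclass": m["tclass"], "name": m["name"]}
            for m in RECORD_RE.finditer(flat)]

def summarize(records):
    """Per (tclass, name): the permissions granted and the permissions denied."""
    summary = defaultdict(lambda: {"granted": set(), "denied": set()})
    for r in records:
        summary[(r["tclass"], r["name"])][r["decision"]] |= r["perms"]
    return dict(summary)

def denied_objects(records):
    """Sorted (tclass, name, perm) triples: the denials worth alerting on."""
    return sorted((r["tclass"], r["name"], p) for r in records
                  if r["decision"] == "denied" for p in r["perms"])
```

Feeding the server log (rather than the psql session) through `parse_audit` gives the same records, so the summary can be compared against the permissions a policy is expected to grant.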
