On 2012-02-23 12:17, Kohei KaiGai wrote:
> 2012/2/20 Yeb Havinga <yebhavi...@gmail.com>:
>> So maybe this is because my start domain is not s0-s0:c0.c1023
>>
>> However, when trying to run bash or psql in domain
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 I get permission
>> denied.
>>
>> Distribution is FC15, sestatus
>> SELinux status:                 enabled
>> SELinuxfs mount:                /selinux
>> Current mode:                   enforcing
>> Mode from config file:          enforcing
>> Policy version:                 24
>> Policy from config file:        targeted
>
> The "default" security policy does not permit dynamic domain transition
> even for the unconfined domain, in contradiction to its name.
> (IMO, it is a fair enough design to avoid a single point of failure like the root user.)
>
> The security policy of the regression test contains a set of rules to reduce
> the categories assigned to the unconfined domain.
> So, could you try the following steps?
> 1. Build the latest policy
>      % make -f /usr/share/selinux/devel/Makefile -C contrib/sepgsql
> 2. Install the policy module
>      % sudo semodule -i contrib/sepgsql/sepgsql-regtest.pp
> 3. Turn on the sepgsql_regression_test_mode
>      % sudo setsebool -P sepgsql_regression_test_mode=1
>
> I believe it allows switching the security label of the client, as long as we try to
> reduce categories.

I remember these commands from the sepgsql contrib module documentation (though the semodule invocation in the documentation is with -u and the setsebool does not have the -P flag). semodule -l showed I had already installed version 1.04.

I just repeated all steps with the new patch, and get the same result:

LOG: SELinux: denied { dyntransition } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 tclass=process
STATEMENT: SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c15');

[mgrid@mgfedora sepgsql]$ getsebool sepgsql_regression_test_mode
sepgsql_regression_test_mode --> on
[root@mgfedora sepgsql]# semodule -l | egrep 'pgsql|postgres'
postgresql      1.12.1
sepgsql-regtest 1.04

Do I need Fedora 16 to run it?


--
Yeb Havinga
http://www.mgrid.net/
Mastering Medical Data


--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
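
An added example, not part of the thread or of the sepgsql code: it parses the `dyntransition` denial quoted in the message and reports whether the requested label reduces the categories of the current one. Comparing the category sets of the high levels of the two labels is an assumption about how the policy constraint is evaluated; the function names are hypothetical.

```python
import re

# AVC denial as logged in the message above (contexts copied from the thread).
LOG_LINE = ("LOG: SELinux: denied { dyntransition } "
            "scontext=unconfined_u:unconfined_r:unconfined_t:s0 "
            "tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 tclass=process")

AVC_RE = re.compile(r"denied \{ (?P<perm>[^}]+?) \} scontext=(?P<s>\S+) "
                    r"tcontext=(?P<t>\S+) tclass=(?P<cls>\S+)")

def parse_level(level):
    """Split a level such as 's0:c0.c15,c20' into (sensitivity, category set)."""
    sens, _, cats = level.partition(":")
    out = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")      # 'c0.c15' means the range c0..c15
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        out.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), out

def high_level(context):
    """High level of user:role:type[:low[-high]]; a single level is both low and high."""
    fields = context.split(":", 3)
    mls = fields[3] if len(fields) == 4 else "s0"
    low, _, high = mls.partition("-")
    return parse_level(high or low)

def reduces_categories(scontext, tcontext):
    """True when the target's high level is dominated by the source's (assumed check)."""
    s_sens, s_cats = high_level(scontext)
    t_sens, t_cats = high_level(tcontext)
    return s_sens >= t_sens and t_cats <= s_cats

def explain_denial(line):
    """For a dyntransition denial, report which categories the target would add."""
    m = AVC_RE.search(line)
    if not m or m["perm"].strip() != "dyntransition":
        return None
    added = high_level(m["t"])[1] - high_level(m["s"])[1]
    return {"reduces": reduces_categories(m["s"], m["t"]), "added": sorted(added)}

if __name__ == "__main__":
    print(explain_denial(LOG_LINE))
```
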