Re: Updates of SE-PostgreSQL 8.4devel patches (r1530)

From: KaiGai Kohei
Subject: Re: Updates of SE-PostgreSQL 8.4devel patches (r1530)
Msg-id: 49961F26.4090601@kaigai.gr.jp
In reply to: Re: Updates of SE-PostgreSQL 8.4devel patches (r1530)  (Jaime Casanova <jcasanov@systemguards.com.ec>)
Responses: Re: Updates of SE-PostgreSQL 8.4devel patches (r1530)
List: pgsql-hackers

Jaime Casanova wrote:
> On Fri, Feb 13, 2009 at 9:07 AM, Joshua Brindle <method@manicmethod.com> wrote:
>> KaiGai Kohei wrote:
>>> KaiGai Kohei wrote:
>>>> The series of SE-PostgreSQL patches are updated:
>>>> [1/5]
>>>> http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r1530.patch
>>>> [2/5]
>>>> http://sepgsql.googlecode.com/files/sepostgresql-utils-8.4devel-3-r1530.patch
>>>> [3/5]
>>>> http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r1530.patch
>>>> [4/5]
>>>> http://sepgsql.googlecode.com/files/sepostgresql-docs-8.4devel-3-r1530.patch
>>>> [5/5]
>>>> http://sepgsql.googlecode.com/files/sepostgresql-tests-8.4devel-3-r1530.patch
>>> BTW, what is the current status of reviewing the patches?
>>> Is it necessary to wait for a few days more?
>>>
>>> If you have anything unclear, please feel free to ask me anything.
>>>
>> Yes, what was the decision about 8.4? Is this going to make it in?
>>
> 
> can you try the functional parts of it? ie: compile with the patch
> with --enable-selinux and test if the patch does what you expect?
> 
> i will try it but i have to install a VM to install selinux on it...
> then i will try some cases... can you give me an example of a typical
> scenario to make those tests?

If you can help test the patches, I recommend installing Fedora 10
on your VM images, because it includes SELinux by default and its
default security policy (selinux-policy-targeted) also supports SE-PostgreSQL.

Then, could you try the following steps?

1) installation
  $ ./configure --enable-selinux
  $ make
  $ make -C src/backend/security/sepgsql/policy
    (NOTE: We provide a policy module for development purpose)
  $ su
  # make install
  # /usr/sbin/semodule -i src/backend/security/sepgsql/policy/sepostgresql-devel.pp
    (NOTE: It installs the development policy)
  # /sbin/restorecon -R /usr/local/pgsql
    (NOTE: It assigns correct security context for installed binaries)
  $ export PGDATA=/path/to/database
  $ chcon -t postgresql_db_t -R $PGDATA
    (NOTE: It assigns correct security context for database files)
  $ initdb --enable-selinux
    (NOTE: --enable-selinux turns on SE-PostgreSQL feature)
  $ pg_ctl start

2) check installation
 2-1) Please confirm SE-PostgreSQL works
  $ psql postgres
  psql (8.4devel)
  Type "help" for help.

  postgres=# SHOW sepostgresql;
   sepostgresql
  --------------
   on
  (1 row)

 2-2) Please confirm client's privileges
  $ id -Z
  unconfined_u:unconfined_r:unconfined_t
  $ psql postgres
  psql (8.4devel)
  Type "help" for help.

  postgres=# SELECT sepgsql_getcon();
               sepgsql_getcon
  ----------------------------------------
   unconfined_u:unconfined_r:unconfined_t
  (1 row)

  NOTE: It has to be matched with privileges on OS.

 2-3) Please confirm server's privileges
  postgres=# SELECT sepgsql_server_getcon();
         sepgsql_server_getcon
  ------------------------------------
   unconfined_u:system_r:postgresql_t
  (1 row)

  NOTE: It is necessary restricted domain (like PHP scripts) to connect
        PostgreSQL server process.

 2-4) Please confirm to connect from restricted domain
  $ runcon -t sepgsql_test_t -- psql postgres
  psql (8.4devel)
  Type "help" for help.

  postgres=# SELECT sepgsql_getcon();
                sepgsql_getcon
  ------------------------------------------
   unconfined_u:unconfined_r:sepgsql_test_t
  (1 row)

  NOTE: The "sepgsql_test_t" has restricted privileges same as PHP scripts
        invoked from Apache web server.
  NOTE: If SELinux denied to connect, please try the following command (in root):
        # setsebool -P allow_user_postgresql_connect 1

3) Example of a typical scenario
 3-1) Setup of column level access controls
  postgres=# CREATE TABLE customer (
      cid     int primary key,
      cname   text,
      credit  varchar(32)
              SECURITY_LABEL = 'system_u:object_r:sepgsql_secret_table_t:s0'
  );
  NOTICE:  CREATE TABLE / PRIMARY KEY will create implicit index "customer_pkey" for table "customer"
  CREATE TABLE
  postgres=# INSERT INTO customer VALUES (1, 'kaigai', '1111-2222-3333-4444'),
                                         (2, 'yamada', '5555-6666-7777-8888'),
                                         (3, 'kimura', '9999-0000-1234-5678');
  INSERT 0 3
  postgres=# SELECT * FROM customer;
   cid | cname  |       credit
  -----+--------+---------------------
     1 | kaigai | 1111-2222-3333-4444
     2 | yamada | 5555-6666-7777-8888
     3 | kimura | 9999-0000-1234-5678
  (3 rows)

  postgres=# CREATE OR REPLACE FUNCTION show_credit (int)
      RETURNS text LANGUAGE 'sql'
      SECURITY_LABEL = 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0'
      AS 'SELECT regexp_replace(credit, ''-[0-9]+'', ''-xxxx'', ''g'')
          FROM customer WHERE cid = $1';
  CREATE FUNCTION

 3-2) Example of column level access controls
  $ runcon -t sepgsql_test_t -- psql postgres
  psql (8.4devel)
  Type "help" for help.

  postgres=# SELECT * FROM customer;
  ERROR:  SELinux: denied { select } scontext=unconfined_u:unconfined_r:sepgsql_test_t tcontext=system_u:object_r:sepgsql_secret_table_t tclass=db_column name=customer.credit
  (NOTE: SE-PostgreSQL prevent restricted domain to select a column labeled as
         'sepgsql_secret_table_t')
  postgres=# SELECT cid, cname FROM customer;
   cid | cname
  -----+--------
     1 | kaigai
     2 | yamada
     3 | kimura
  (3 rows)

  postgres=# SELECT cid, cname, show_credit(cid) FROM customer;
   cid | cname  |     show_credit
  -----+--------+---------------------
     1 | kaigai | 1111-xxxx-xxxx-xxxx
     2 | yamada | 5555-xxxx-xxxx-xxxx
     3 | kimura | 9999-xxxx-xxxx-xxxx
  (3 rows)
  (NOTE: The show_credit() is labeled as 'sepgsql_trusted_proc_exec_t', it enables
         to switch client privilege during the function running.)
  (NOTE: Please note that sepgsql_test_t has same privileges with PHP script invoked
         from web servers, so it means PHP script cannot show "customer.credit" directly.)


Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>
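
An added example, not part of the original mail or of the SE-PostgreSQL patches: when running the test in step 3-2, the denial text can be parsed to confirm which object class and name was refused (here the column customer.credit, not the whole table). The message layout is taken from the error shown in the mail; the second sample line, the function names and the assumption that the server log carries the same text are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: line 1 is the denial from step 3-2 of the mail,
# line 2 is a made-up table-level denial, line 3 is unrelated log noise.
SAMPLE_LOG = """\
ERROR:  SELinux: denied { select } scontext=unconfined_u:unconfined_r:sepgsql_test_t tcontext=system_u:object_r:sepgsql_secret_table_t tclass=db_column name=customer.credit
ERROR:  SELinux: denied { select update } scontext=unconfined_u:unconfined_r:sepgsql_test_t tcontext=system_u:object_r:sepgsql_secret_table_t:s0 tclass=db_table name=payroll
LOG:  statement: SELECT cid, cname FROM customer;
"""

DENIAL = re.compile(
    r"SELinux: denied \{ (?P<perms>[^}]*)\}\s+"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)(?:\s+name=(?P<name>\S+))?"
)

def context_type(context):
    """Return the type field of user:role:type[:range]; the range may contain ':'."""
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not a security context: {context!r}")
    return parts[2]

def parse_denials(log_text):
    """Yield one dict per denial line; lines that are not denials are skipped."""
    for line in log_text.splitlines():
        m = DENIAL.search(line)
        if m:
            yield {
                "perms": m["perms"].split(),
                "source_type": context_type(m["scontext"]),
                "target_type": context_type(m["tcontext"]),
                "tclass": m["tclass"],
                "name": m["name"],  # None when the message has no name= field
            }

def summarize(log_text):
    """Map (source_type, tclass, name) -> sorted list of denied permissions."""
    seen = defaultdict(set)
    for d in parse_denials(log_text):
        seen[(d["source_type"], d["tclass"], d["name"])].update(d["perms"])
    return {key: sorted(perms) for key, perms in seen.items()}

if __name__ == "__main__":
    for (src, tclass, name), perms in summarize(SAMPLE_LOG).items():
        print(f"{src} denied {{{' '.join(perms)}}} on {tclass} {name}")
```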

