Re: security label support, part.2

From KaiGai Kohei
Subject Re: security label support, part.2
Date
Msg-id 4C6CA6BE.8000503@ak.jp.nec.com
In reply to Re: security label support, part.2  (KaiGai Kohei <kaigai@ak.jp.nec.com>)
List pgsql-hackers
>>> How about an idea to add a new flag in RangeTblEntry which shows where
>>> the RangeTblEntry came from, instead of clearing requiredPerms?
>>> If the flag is true, I think ExecCheckRTEPerms() can simply skip checks
>>> on the child tables.
>>
>> How about the external module just checks if the current object being
>> queried has parents, and if so, goes and checks the
>> labels/permissions/etc on those children?  That way the query either
>> always fails or never fails for a given caller, rather than sometimes
>> working and sometimes not depending on the query.
>>
> Hmm, this idea may be feasible. The RangeTblEntry->inh flag of the parent
> will give us a hint whether we also should check labels on its children.
> 

http://code.google.com/p/sepgsql/source/browse/trunk/sepgsql/relation.c#293

At least, it seems to me this logic works as expected.
  postgres=# CREATE TABLE tbl_p (a int, b text);
  CREATE TABLE
  postgres=# CREATE TABLE tbl_1 (check (a < 100)) inherits (tbl_p);
  CREATE TABLE
  postgres=# CREATE TABLE tbl_2 (check (a >= 100 and a < 200)) inherits (tbl_p);
  CREATE TABLE
  postgres=# CREATE TABLE tbl_3 (check (a >= 300)) inherits (tbl_p);
  CREATE TABLE
  postgres=# SECURITY LABEL on TABLE tbl_p IS 'system_u:object_r:sepgsql_table_t:s0';
  SECURITY LABEL
  postgres=# SECURITY LABEL on COLUMN tbl_p.a IS 'system_u:object_r:sepgsql_table_t:s0';
  SECURITY LABEL
  postgres=# SECURITY LABEL on COLUMN tbl_p.b IS 'system_u:object_r:sepgsql_table_t:s0';
  SECURITY LABEL

  postgres=# set sepgsql_debug_audit = on;
  SET
  postgres=# SELECT a FROM ONLY tbl_p WHERE a = 150;
  LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name=tbl_p
  STATEMENT:  SELECT a FROM ONLY tbl_p WHERE a = 150;
  LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_column name=tbl_p.a
  STATEMENT:  SELECT a FROM ONLY tbl_p WHERE a = 150;
   a
  ---
  (0 rows)


-> ONLY tbl_p was not expanded
  postgres=# SELECT a FROM tbl_p WHERE a = 150;
  LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name=tbl_p
  STATEMENT:  SELECT a FROM tbl_p WHERE a = 150;
  LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_column name=tbl_p.a
  STATEMENT:  SELECT a FROM tbl_p WHERE a = 150;
  LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name=tbl_1
  STATEMENT:  SELECT a FROM tbl_p WHERE a = 150;
  LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_column name=tbl_1.a
  STATEMENT:  SELECT a FROM tbl_p WHERE a = 150;
  LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name=tbl_2
  STATEMENT:  SELECT a FROM tbl_p WHERE a = 150;
  LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_column name=tbl_2.a
  STATEMENT:  SELECT a FROM tbl_p WHERE a = 150;
  LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name=tbl_3
  STATEMENT:  SELECT a FROM tbl_p WHERE a = 150;
  LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_column name=tbl_3.a
  STATEMENT:  SELECT a FROM tbl_p WHERE a = 150;
   a
  ---
  (0 rows)


-> tbl_p was expanded to tbl_1, tbl_2 and tbl_3
  postgres=# set sepgsql_debug_audit = off;
  SET
  postgres=# EXPLAIN SELECT a FROM tbl_p WHERE a = 150;
                                QUERY PLAN
  ------------------------------------------------------------------------
   Result  (cost=0.00..50.75 rows=12 width=4)
     ->  Append  (cost=0.00..50.75 rows=12 width=4)
           ->  Seq Scan on tbl_p  (cost=0.00..25.38 rows=6 width=4)
                 Filter: (a = 150)
           ->  Seq Scan on tbl_2 tbl_p  (cost=0.00..25.38 rows=6 width=4)
                 Filter: (a = 150)
  (6 rows)


-> Actually, it does not scan tbl_1 and tbl_3 because of the a = 150 condition.

-- 
KaiGai Kohei <kaigai@ak.jp.nec.com>
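The property the thread settles on is that a label check over an inheritance tree must cover every child the RangeTblEntry expands to, whether or not the planner later prunes some of them, so the outcome depends only on the caller and the labels, never on the WHERE clause. The following is an added Python model of that decision, not sepgsql's relation.c and not code from the mail; the hierarchy and the `sepgsql_table_t` label are taken from the session above, while `policy_allows`, the `example_denied_table_t` label on tbl_3, and the audit line format are constructed stand-ins for the SELinux policy lookup.

```python
from dataclasses import dataclass, field

# Labels: TABLE_T is the one used in the session above; DENIED_T is a
# constructed label standing in for a child the caller may not read.
TABLE_T = "system_u:object_r:sepgsql_table_t:s0"
DENIED_T = "system_u:object_r:example_denied_table_t:s0"   # constructed
UNCONFINED = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"


@dataclass
class Table:
    name: str
    label: str
    columns: dict                       # column name -> label
    children: list = field(default_factory=list)


def build_tree():
    """Same shape as the session: tbl_p with children tbl_1, tbl_2, tbl_3.
    tbl_3 carries the constructed denied label to show the failure case."""
    def cols(label):
        return {"a": label, "b": label}
    parent = Table("tbl_p", TABLE_T, cols(TABLE_T))
    parent.children = [
        Table("tbl_1", TABLE_T, cols(TABLE_T)),
        Table("tbl_2", TABLE_T, cols(TABLE_T)),
        Table("tbl_3", DENIED_T, cols(DENIED_T)),   # constructed: not readable
    ]
    return parent


def policy_allows(scontext, tcontext, tclass):
    """Toy stand-in for the SELinux policy query (hypothetical): the caller
    may { select } on sepgsql_table_t objects and nothing else. The real
    decision also depends on scontext and tclass; this model ignores them."""
    target_type = tcontext.split(":")[2]
    return target_type == "sepgsql_table_t"


def expand(table, inh):
    """Inheritance expansion: with the RTE's inh flag set (no ONLY), the
    parent entry covers every descendant; with ONLY, just the parent."""
    relations = [table]
    if inh:
        for child in table.children:
            relations.extend(expand(child, True))
    return relations


def check_select(scontext, table, columns, inh):
    """Check { select } on every relation the RTE expands to and on the
    referenced columns of each. Every relation is checked, even one the
    planner would exclude by its CHECK constraint, so the result is fixed
    for a given caller and hierarchy. Returns (allowed, audit_lines)."""
    allowed = True
    audit = []
    for rel in expand(table, inh):
        ok = policy_allows(scontext, rel.label, "db_table")
        audit.append(f"SELinux: {'allowed' if ok else 'denied'} {{ select }} "
                     f"tclass=db_table name={rel.name}")
        allowed = allowed and ok
        for col in columns:
            ok = policy_allows(scontext, rel.columns[col], "db_column")
            audit.append(f"SELinux: {'allowed' if ok else 'denied'} {{ select }} "
                         f"tclass=db_column name={rel.name}.{col}")
            allowed = allowed and ok
    return allowed, audit


if __name__ == "__main__":
    tree = build_tree()
    # SELECT a FROM ONLY tbl_p WHERE a = 150  -> only tbl_p is checked
    ok, audit = check_select(UNCONFINED, tree, ["a"], inh=False)
    print("ONLY tbl_p:", "allowed" if ok else "denied")
    print("\n".join(audit))
    # SELECT a FROM tbl_p WHERE a = 150 -> all children checked, tbl_3 denies,
    # even though the planner would never scan tbl_3 for a = 150
    ok, audit = check_select(UNCONFINED, tree, ["a"], inh=True)
    print("tbl_p with inheritance:", "allowed" if ok else "denied")
    print("\n".join(audit))
```

Run stand-alone, the first query is allowed after two audit entries (tbl_p and tbl_p.a, matching the ONLY session), while the second produces eight entries and is denied because tbl_3 fails, independent of the fact that the EXPLAIN above shows tbl_1 and tbl_3 being excluded for a = 150.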