Re: sepgsql contrib module

From KaiGai Kohei
Subject Re: sepgsql contrib module
Msg-id 4D242AEF.5080202@ak.jp.nec.com
In response to sepgsql contrib module  (KaiGai Kohei <kaigai@ak.jp.nec.com>)
Responses Re: sepgsql contrib module  (Robert Haas <robertmhaas@gmail.com>)
Re: sepgsql contrib module  (Robert Haas <robertmhaas@gmail.com>)
List pgsql-hackers
The attached patch is the modular version of SE-PostgreSQL (take.2).

Its patch scale grew up to 4KL because of regression test inclusion,
although code size was not changed (2.6KL).

I had to add a small piece to pg_regress to launch the psql command
using a launcher program that kicks psql with a controlled privilege
set, because SE-PostgreSQL makes access control decisions based on
the security label of the peer process.

This enhancement allows regression tests to be implemented according
to the framework we currently have, so the additional setup to run
the regression tests got simplified.

I found several bugs during code revision; these were also killed.

How about the feasibility of merging this 4KL chunk during the
remaining 45 days? I think we should decide this general direction first.

Simon,
A section of "Guide to Security Labels" is now being written.
Please wait a few days for the documentation to be revised a bit more.

Thanks,

$ cat ~/sepgsql-v9.1-lite.2.patch | diffstat
 configure                          |  122 +++++++
 configure.in                       |   13
 contrib/Makefile                   |    4
 contrib/README                     |    4
 contrib/sepgsql/Makefile           |   25 +
 contrib/sepgsql/dml.c              |  353 +++++++++++++++++++++
 contrib/sepgsql/expected/dml.out   |  178 ++++++++++
 contrib/sepgsql/expected/label.out |  109 ++++++
 contrib/sepgsql/hooks.c            |  366 +++++++++++++++++++++
 contrib/sepgsql/label.c            |  477 ++++++++++++++++++++++++++++
 contrib/sepgsql/launcher           |   52 +++
 contrib/sepgsql/proc.c             |  158 +++++++++
 contrib/sepgsql/relation.c         |  267 +++++++++++++++
 contrib/sepgsql/schema.c           |   98 +++++
 contrib/sepgsql/selinux.c          |  618 +++++++++++++++++++++++++++++++++++++
 contrib/sepgsql/sepgsql-regtest.te |   59 +++
 contrib/sepgsql/sepgsql.h          |  287 +++++++++++++++++
 contrib/sepgsql/sepgsql.sql.in     |   36 ++
 contrib/sepgsql/sql/dml.sql        |  114 ++++++
 contrib/sepgsql/sql/label.sql      |   73 ++++
 doc/src/sgml/contrib.sgml          |    1
 doc/src/sgml/filelist.sgml         |    1
 doc/src/sgml/sepgsql.sgml          |  468 ++++++++++++++++++++++++++++
 src/Makefile.global.in             |    1
 src/test/regress/pg_regress.c      |    6
 src/test/regress/pg_regress.h      |    1
 src/test/regress/pg_regress_main.c |    7
 27 files changed, 3897 insertions(+), 1 deletion(-)


(2010/12/24 11:53), KaiGai Kohei wrote:
> The attached patch is the modular version of SE-PostgreSQL.
>
> Since I reduced the caching mechanism for access control decision,
> its code scale became about 2.6KL.
>
> [kaigai@saba sepgsql]$ wc -l *.[ch]
>    353 dml.c
>    366 hooks.c
>    477 label.c
>    158 proc.c
>    267 relation.c
>     98 schema.c
>    617 selinux.c
>    287 sepgsql.h
>   2623 total
>
> In addition, *.sgml file uses about 300 lines.
>
>
> There is one other issue to be discussed.
> We need a special form of regression test. Because SE-PostgreSQL
> makes access control decisions based on the security label of the peer
> process, we need to switch the psql process during the regression test.
> (So, I don't include test cases yet.)
>
> We have the 'runcon' command to launch a child process with a specified
> security label as long as the security policy allows. If we could
> launch 'psql' by 'runcon' with a specified label, we can describe
> test cases on the existing framework on 'make installcheck'.
>
> An idea is to add an option to pg_regress to launch the psql command
> with a specified wrapper program (like 'runcon').
> In this case, each contrib module kicks with a REGRESS_OPTS setting.
> One thing to be considered is that the security label to be given to
> 'runcon' is flexible for each *.sql file.
>
> Thanks,
>
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
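
The wrapper idea from the quoted message above (launching psql through 'runcon' with a label chosen per *.sql file), as an added example that is not part of the original mail or of the sepgsql patch. The `-- label:` header line, the function names and the sample label are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: psql wrapper that picks the client's SELinux label per test file.
# The "-- label:" header line is a convention assumed for this example only.

# Print the text after the first "-- label:" line of a test script, or nothing.
label_of() {
    sed -n 's/^-- label:[[:space:]]*//p' "$1" | head -n 1
}

# Accept user:role:type[:range]; refuse option-like or shell-special input,
# so a test file cannot smuggle an option or extra words into runcon.
valid_label() {
    case "$1" in
        -*|*[!A-Za-z0-9_:.,-]*|*::*) return 1 ;;
        ?*:?*:?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the argv (one word per line) to run for test script $1.
# The remaining arguments are the client command, e.g. psql -X -f file.
wrap_cmd() {
    script=$1; shift
    label=$(label_of "$script")
    if [ -z "$label" ]; then
        printf '%s\n' "$@"                  # no label requested: run unchanged
    elif valid_label "$label"; then
        printf '%s\n' runcon "$label" "$@"  # runcon CONTEXT COMMAND [ARGS]
    else
        # Fail closed: a malformed label must not silently run unlabeled.
        echo "refusing label in $script: $label" >&2
        return 1
    fi
}

# Constructed sample test file and the command line it yields.
sample=$(mktemp)
printf '%s\n' '-- label: user_u:user_r:example_client_t:s0' 'SELECT 1;' > "$sample"
wrap_cmd "$sample" psql -X -f "$sample" | tr '\n' ' '; echo
rm -f "$sample"
```

Whether the transition to the requested label is permitted is still decided by the loaded SELinux policy, as the message notes; the wrapper only selects the label.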
