From: KaiGai Kohei <kaigai@kaigai.gr.jp>
To: selinux@tycho.nsa.gov
Cc: KaiGai Kohei <kaigai@kaigai.gr.jp>,
russell@coker.com.au, jbrindle@tresys.com
Subject: Re: [RFC] SELinux and PostgreSQL (draft v2)
Date: Sun, 10 Sep 2006 13:55:30 +0900
Message-ID: <45039AC2.3040309@kaigai.gr.jp>
In-Reply-To: <44FFEB42.90203@kaigai.gr.jp>
In recent days, I've been making a plan to enhance PostgreSQL with SELinux.
I posted the first draft of this plan a few days ago, and I got many
responses. Thank you very much for your comments.
(Especially Joshua and Russell.)
The following is the revised and summarized plan (draft v2).
I welcome any comments to improve the project.
* New object classes and access vectors
Now, I plan to add some new object classes for databases, tables, stored
procedures, columns and rows. They are defined as follows:
class database
{
create
alter
drop
relabelfrom
relabelto
access
create_table
drop_table
create_procedure
drop_procedure
create_object
drop_object
}
class table
{
create
alter
drop
relabelfrom
relabelto
select
update
insert
delete
}
class procedure
{
create
alter
drop
relabelfrom
relabelto
execute
entrypoint
}
class column
{
create
alter
drop
relabelfrom
relabelto
select
update
insert
# delete
}
class row
{
relabelfrom
relabelto
select
update
insert
delete
}
* Labeling behavior
Some database objects are labeled according to the SELinux security policy
implicitly, or by hand explicitly. The following are the labeling behaviors for
each object class.
- Labeling of database
The initial label is determined from security_compute_create() with the
client process's label obtained from getpeercon() as the subject, the
server process's label as the object, and the database class.
We can also use an enhanced ALTER DATABASE statement or update the system
catalog (pg_database) to relabel explicitly, if relabelfrom/relabelto on the
database class are allowed.
- Labeling of table
The initial label is determined from security_compute_create() with the
client, the database and the table class.
We can also use an enhanced ALTER TABLE statement or update the system catalog
(pg_class) to relabel explicitly, if relabelfrom/relabelto on the table class
are allowed.
- Labeling of stored procedure
The initial label is determined from security_compute_create() with the
client, the database and the procedure class.
We can also use an enhanced ALTER FUNCTION statement or update the system catalog
(pg_proc) to relabel explicitly, if relabelfrom/relabelto on the procedure class
are allowed.
- Labeling of column
The initial label is determined from security_compute_create() with the
client, the table and the column class.
We can also use an enhanced ALTER TABLE statement or update the system catalog
(pg_attribute) to relabel explicitly, if relabelfrom/relabelto on the column
class are allowed.
- Labeling of rows on insertion
The initial label is determined from security_compute_create() with the
client, the table and the row class.
We can also update the security_context column to relabel explicitly,
if relabelfrom/relabelto on the row class are allowed.
* Remarkable behavior
- connecting to PostgreSQL and selecting a database
database:access is evaluated first, when the client connects to PostgreSQL
and chooses the target database. If it is denied, the connection will be closed.
- stored procedure
A stored procedure can be an entry point of a domain transition.
It requires the procedure:entrypoint permission and a type_transition rule.
Using a 'trusted stored procedure' with a domain transition provides a method
to access sensitive data from an unauthorized process.
For example, if the client doesn't have permission on the PASSWORD column,
it can access the PASSWORD column via a CHECK_PASSWORD() function marked as
a trusted stored procedure, which causes a domain transition.
- insert a new row
When we try to insert a new row into a table that contains a column we
are not allowed to insert into, we can still insert the new row if the
enumerated columns do not contain the unauthorized column.
Then this column will have NULL or its default value. Because the client
cannot overwrite it on insertion, consistency is kept.
For example, we have a table defined as FOO(ID, NAME, PASSWORD).
When the client doesn't have insert permission on PASSWORD, (A) and
(C) of the following queries fail.
(A) insert into FOOBAR(ID, NAME, PASSWORD) values(123, 'KaiGai', 'xyz');
(B) insert into FOOBAR(ID, NAME) values(123, 'KaiGai');
(C) insert into FOOBAR(ID, NAME, PASSWORD) values(123, 'KaiGai', null);
- delete a row
Because the delete operation involves the whole of a row, column:delete
is not evaluated when we try to delete a row.
(Thus, it is not defined.)
This behavior may be a bit controversial.
For example, one solution is that deletion is not allowed without
permissions on all of the columns the row has.
- interaction with the PostgreSQL ACL mechanism
The SELinux enhancement works independently of the PostgreSQL ACL.
It is similar to the relationship between DAC and MAC on a filesystem.
Thanks for reading this long description.
Any comments are welcome.
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
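A toy reference monitor for the INSERT and DELETE evaluation rules described in the post above (an added example, not KaiGai's code and not part of the RFC; the policy table, the type names such as user_t and password_col_t, and the column labels of FOOBAR are all constructed assumptions):

```python
"""Toy model of the per-column INSERT check and the row-level DELETE check.

Constructed policy: (subject domain, object type, object class) -> allowed
permissions. Every type name here is hypothetical, not from the RFC."""
POLICY = {
    ("user_t", "foo_table_t", "table"):     {"select", "insert", "update", "delete"},
    ("user_t", "foo_row_t", "row"):         {"select", "insert", "update", "delete"},
    ("user_t", "public_col_t", "column"):   {"select", "insert", "update"},
    ("user_t", "password_col_t", "column"): set(),   # client may not touch PASSWORD
}

# FOOBAR(ID, NAME, PASSWORD) from the post; the per-column labels are assumed.
FOOBAR = {"type": "foo_table_t",
          "columns": {"ID": "public_col_t", "NAME": "public_col_t",
                      "PASSWORD": "password_col_t"}}

def allowed(subject, obj_type, obj_class, perm):
    """Look up one access vector; deny by default, as SELinux does."""
    return perm in POLICY.get((subject, obj_type, obj_class), set())

def check_insert(subject, table, stmt_columns, row_type):
    """Return None if the INSERT may proceed, else the (class, name, perm) that denied it.

    Only columns enumerated in the statement are checked for column:insert; omitted
    columns get NULL or their default and are never overwritten by the client.
    An explicit NULL still names the column, so query (C) fails exactly like (A).
    row_type stands in for the label security_compute_create() gives the new row."""
    if not allowed(subject, table["type"], "table", "insert"):
        return ("table", table["type"], "insert")
    if not allowed(subject, row_type, "row", "insert"):
        return ("row", row_type, "insert")
    for name in stmt_columns:
        if not allowed(subject, table["columns"][name], "column", "insert"):
            return ("column", name, "insert")
    return None

def check_delete(subject, table, row_type):
    """DELETE removes whole rows, so only table:delete and row:delete are
    evaluated; there is no column:delete, matching the RFC's class definition."""
    for obj_class, obj_type in (("table", table["type"]), ("row", row_type)):
        if not allowed(subject, obj_type, obj_class, "delete"):
            return (obj_class, obj_type, "delete")
    return None

if __name__ == "__main__":
    for label, cols in (("A", ["ID", "NAME", "PASSWORD"]), ("B", ["ID", "NAME"]),
                        ("C", ["ID", "NAME", "PASSWORD"])):
        print(label, check_insert("user_t", FOOBAR, cols, "foo_row_t") or "allowed")
```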