From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: "Christopher J. PeBenito" <cpebenito@tresys.com>
Cc: Eamon Walsh <ewalsh@tycho.nsa.gov>,
Stephen Smalley <sds@tycho.nsa.gov>,
selinux@tycho.nsa.gov
Subject: Re: [PATCH] libselinux: add support for /contexts/postgresql_contexts
Date: Thu, 05 Jun 2008 10:18:04 +0900 [thread overview]
Message-ID: <48473ECC.6020501@ak.jp.nec.com> (raw)
In-Reply-To: <1212589930.4140.16.camel@gorn.columbia.tresys.com>
Christopher J. PeBenito wrote:
> On Wed, 2008-06-04 at 13:03 +0900, KaiGai Kohei wrote:
>> Christopher J. PeBenito wrote:
>>> On Tue, 2008-06-03 at 19:25 +0900, KaiGai Kohei wrote:
>>>> Christopher J. PeBenito wrote:
>>>>> I'm out of arguments; clearly I'm in the minority on this issue. I
>>>>> already said I wouldn't block the policy over this, so KaiGai, if you
>>>>> would send a last patch based on the revisions I made [1], let see if we
>>>>> can finally get this merged.
>>>>>
>>>>> [1] http://marc.info/?l=selinux&m=120999566809541&w=2
>>>> I'll submit a revised version later.
>>>> (Now we cannot update SVN repository, due to server maintenance.)
>>>>
>>>> Before this, I want to modify the following points:
>
>>>> - postgresql_unconfined() interface should also associate a domain
>>>> with sepgsql_client_type, not only sepgsql_unconfined_type.
>>>> dontaudit rules on row-level logs are not disabled for unconfined
>>>> clients. And, it's not useful to write additional policy module.
>>> I don't understand what you mean about the dontaudits. Otherwise, you
>>> should recheck the unconfined rules. I'm fairly sure I copied anything
>>> relevant from the client rules into unconfined so I didn't have to add
>>> both attributes in postgresql_unconfined().
>> A table can contain massive tuples in general. If 50% of 1,000,000 tuples
>> are labeled as "Classified" and hidden from clients (including the unconfined
>> domain), tuple-level access denied logs will make a flood of logs.
>> The dontaudit rule enables us to restrain the problem.
>>
>> I intended sepgsql_client_type means all domains connectable to SE-PostgreSQL.
>> If it doesn't contain unconfined domains, I think its name is a bit confusing
>> and something like "sepgsql_unpriv_type" is better for its name.
>
> The fact is that we need an interface for unconfined access. If the
> privileged client access is equivalent to unconfined access, then I feel
> that the unconfined interface is clearer.
OK, it is clear enough for me.
>> Then, the above dontaudit rule should be rewritten as follows:
>>
>> dontaudit { sepgsql_client_type sepgsql_unpriv_type postgresql_t } \
>> { sepgsql_table_type - sepgsql_sysobj_table_type } : db_tuple *;
>>
>> At first, I used a boolean (sepgsql_enable_audittuple) to turn on/off
>> tuple-level access logs, but you suggested it is unnecessary, so I removed it.
>
> I don't agree because of:
>
> +allow postgresql_t sepgsql_table_type:{ db_table db_column db_tuple } *;
> +allow sepgsql_unconfined_type sepgsql_table_type:{ db_table db_column db_tuple } *;
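Review bot: the wildcard `*` in these two rules grants every db_table, db_column and db_tuple permission to postgresql_t and sepgsql_unconfined_type, so a dontaudit for the same domains is indeed moot under type enforcement; but an allow rule only settles the TE check, and a denial coming from an MLS/MCS constraint on a higher-labelled tuple is still audited unless a dontaudit covers it, which is the case KaiGai raises for unconfined clients reading "Classified" rows. If that is the intent, the dontaudit should carry a comment saying it exists for MLS/MCS denials rather than TE ones, so it is not removed as redundant later.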
>
> so dontauditing for postgresql_t and sepgsql_unconfined_type doesn't do
> anything since the access is allowed.
It is correct in type enforcement.
But MCS/MLS can prevent access by unconfined domains, and make a flood of
access denied logs.
>> In addition, I found an unclear point which came from my original policy. :(
>>
>> allow sepgsql_unconfined_type postgresql_t:db_blob { import export };
>>
>> A blob import interface enables to read a file on a server host by the server
>> process (postgresql_t), and import it to the database as several frames of a largeobject.
>> An export interface works in the inverse direction.
>>
>> In the previous discussion, the meaning of these permissions is to indicate
>> the server process to start importing or exporting.
>> However, I'm now considering that the following rules are more sensible:
>>
>> 1. SE-PostgreSQL checks whether the client has db_blob:{import} for
>> the target large object.
>> 2. SE-PostgreSQL checks whether the client has file:{read} for
>> the target file.
>> 3. SELinux (kernel) checks whether postgresql_t has file:{read} for the
>> target file, because it uses read(2) system call.
>>
>> Could you tell me your opinion?
>
> I'll defer to Josh on this one since he knows much more about databases
> than I do.
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
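The two points argued in this message, that a wildcard allow rule does not silence MLS/MCS denials on "Classified" tuples (so the dontaudit still matters for unconfined clients) and the proposed three-step check for db_blob:import, can be made concrete with a small model. The following is an added example, not SELinux, SE-PostgreSQL or reference-policy code: the policy representation, the dominance rule and the AVC-style log line are constructed simplifications, and the type names come from the thread.

```python
"""Constructed model of SELinux access decisions for the SE-PostgreSQL
discussion above: type enforcement (allow rules), an MLS/MCS dominance
check, and audit suppression via dontaudit. Added example, not
SELinux code; the policy and log formats are simplified."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Level:
    """MLS/MCS level: sensitivity plus a category set (constructed)."""
    sens: int
    cats: frozenset = frozenset()

    def dominates(self, other: "Level") -> bool:
        # Reading an object requires the subject level to dominate it.
        return self.sens >= other.sens and other.cats <= self.cats


@dataclass
class Policy:
    # Rules are (source_type, target_type, class, perm); perm "*" = all perms.
    allow: set = field(default_factory=set)
    dontaudit: set = field(default_factory=set)

    @staticmethod
    def _matches(rules, src, tgt, cls, perm) -> bool:
        return (src, tgt, cls, perm) in rules or (src, tgt, cls, "*") in rules

    def allowed(self, src, tgt, cls, perm) -> bool:
        return self._matches(self.allow, src, tgt, cls, perm)

    def audited(self, src, tgt, cls, perm) -> bool:
        return not self._matches(self.dontaudit, src, tgt, cls, perm)


def access(policy, subj_type, subj_level, obj_type, obj_level, cls, perm, log):
    """Grant only if both TE and MLS pass; on denial, append an AVC-style
    line to `log` unless a dontaudit rule covers the request."""
    te_ok = policy.allowed(subj_type, obj_type, cls, perm)
    mls_ok = subj_level.dominates(obj_level)
    if te_ok and mls_ok:
        return True
    if policy.audited(subj_type, obj_type, cls, perm):
        cause = "te" if not te_ok else "mls"
        log.append(f"avc: denied {{ {perm} }} scontext={subj_type}:s{subj_level.sens} "
                   f"tcontext={obj_type}:s{obj_level.sens} tclass={cls} ({cause})")
    return False


def base_policy() -> Policy:
    """The two allow rules quoted in the thread, classes expanded."""
    p = Policy()
    for src in ("postgresql_t", "sepgsql_unconfined_type"):
        for cls in ("db_table", "db_column", "db_tuple"):
            p.allow.add((src, "sepgsql_table_type", cls, "*"))
    return p


def scan_table(policy, client_type, client_level, n_tuples=10, log=None):
    """A client reads n_tuples rows; every other row is labelled one
    sensitivity higher (constructed data). Returns (visible, denials_logged)."""
    log = [] if log is None else log
    visible = 0
    for i in range(n_tuples):
        row_level = Level(client_level.sens + (i % 2))
        if access(policy, client_type, client_level, "sepgsql_table_type",
                  row_level, "db_tuple", "select", log):
            visible += 1
    return visible, len(log)


def compare(n_tuples=10):
    """Same scan by an unconfined client, without and with the tuple dontaudit."""
    s0 = Level(0)
    without = scan_table(base_policy(), "sepgsql_unconfined_type", s0, n_tuples)
    p = base_policy()
    p.dontaudit.add(("sepgsql_unconfined_type", "sepgsql_table_type", "db_tuple", "*"))
    with_rule = scan_table(p, "sepgsql_unconfined_type", s0, n_tuples)
    return without, with_rule


def blob_import(policy, client_type, server_type, lobj_type, file_type, log):
    """The proposed three-step check: client needs db_blob:import on the
    large object, client needs file:read on the source file, and the server
    process needs file:read on it as well. Levels are fixed at s0 here."""
    s = Level(0)
    return (access(policy, client_type, s, lobj_type, s, "db_blob", "import", log)
            and access(policy, client_type, s, file_type, s, "file", "read", log)
            and access(policy, server_type, s, file_type, s, "file", "read", log))


if __name__ == "__main__":
    print(compare(100_000))  # the half-hidden table produces a flood only without dontaudit
```

Run with a large `n_tuples` to see the effect described in the thread: the allow rules pass type enforcement for every row, yet half the rows are still denied by the dominance check, and only the dontaudit keeps those denials out of the log. `blob_import` returns False, with a denial logged against the server type, whenever postgresql_t lacks file:read on the source file even though the client holds both of its permissions.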