From: andre@flonatel.org (Andreas Florath)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH 2/2] Also apply the new postgres labeling scheme on Debian
Date: Fri, 15 Aug 2014 23:42:06 +0200
Message-ID: <53EE7EAE.2000409@flonatel.org>

Hello!

I was able to reproduce the problem that postgresql helper programs
are not accessible from confined users (here: user_u).

You can find your 'Debianized' patch:
https://github.com/flonatel/refpolicy-experimental/blob/test/postgres-labeling-scheme-01/debian/patches/1002-postgres-client-labeling

After applying the patch, the user is now able to access the binary, but is not allowed to access the postgresql port.
(It looks like 'bin_t' is not allowed to connect to postgresql.)
I don't know if this is a problem of refpolicy or Debian's adaptations.

@Russell: Do you need the image of a VM or access to a VM?
If you just need the image, I can provide one. (Accessing a running VM is somewhat more complicated...)
Do you need special configurations?

Kind regards

Andre


=== Technical Details ===

Steps done:

 1) Create VM with minimal and up to date Jessie (using SELinux set to enforcing).
 2) Optional: Patched the selinux-policy-default package
    with the patch you sent.
 3) root@debselinux01:~# se_apt-get update
 4) root@debselinux01:~# se_apt-get install postgresql
    [...]
    Building PostgreSQL dictionaries from installed myspell/hunspell packages...
    Removing obsolete dictionary files:
    Setting up postgresql-9.4 (9.4~beta2-1) ...
    Creating new cluster 9.4/main ...
      config /etc/postgresql/9.4/main
      data   /var/lib/postgresql/9.4/main
      locale en_US.UTF-8
      port   5432
    update-alternatives: using /usr/share/postgresql/9.4/man/man1/postmaster.1.gz to provide /usr/share/man/man1/postmaster.1.gz (postmaster.1.gz) in auto mode
    Setting up postgresql (9.4+159) ...
 5) root@debselinux01:~# semanage login -a -s user_u dummy
 6) postgres@debselinux01:~$ createuser -d dummy
 7) dummy@debselinux01:~$ id -Z
    user_u:user_r:user_t:SystemLow
 8) dummy@debselinux01:~$ createdb tst01


Result when the patch was not installed (using the original Debian package selinux-policy-default):
  Error: You must install at least one postgresql-client-<version> package.
strace showed:
  stat("/usr/lib/postgresql/9.4/bin/psql", 0x1cc5280) = -1 EACCES (Permission denied)


After applying the patch:
dummy@debselinux01:~$ createdb tst01
createdb: could not connect to database template1: could not connect to server: Permission denied
	Is the server running locally and accepting
	connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?

Strace:
The stat works now:
stat("/usr/lib/postgresql/9.4/bin/psql", {st_mode=S_IFREG|0755, st_size=507128, ...}) = 0

But there is a 'Permission denied' in the connect:
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/postgresql/.s.PGSQL.5432"}, 110) = -1 EACCES (Permission denied)

And Postgres WAS listening:
root@debselinux01:~# netstat -nap  | grep 5432
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2531/postgres
tcp6       0      0 ::1:5432                :::*                    LISTEN      2531/postgres
unix  2      [ ACC ]     STREAM     LISTENING     13432    2531/postgres       /var/run/postgresql/.s.PGSQL.5432


Here is a listing of the appropriate dir when the patch is applied:

root@debselinux01:~# ls -lZ /usr/lib/postgresql/9.4/bin/
total 8088
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72224 Jul 24 13:57 clusterdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72288 Jul 24 13:57 createdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               63920 Jul 24 13:57 createlang
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72672 Jul 24 13:57 createuser
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               63936 Jul 24 13:57 dropdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               63920 Jul 24 13:57 droplang
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               63904 Jul 24 13:57 dropuser
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow              110296 Jul 24 13:57 initdb
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow   68416 Jul 24 13:57 pg_basebackup
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow   30720 Jul 24 13:57 pg_controldata
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow   43352 Jul 24 13:57 pg_ctl
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow              347808 Jul 24 13:57 pg_dump
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               89352 Jul 24 13:57 pg_dumpall
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               30992 Jul 24 13:57 pg_isready
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               47600 Jul 24 13:57 pg_receivexlog
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               51928 Jul 24 13:57 pg_recvlogical
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow   38920 Jul 24 13:57 pg_resetxlog
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow              150848 Jul 24 13:57 pg_restore
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow  109104 Jul 24 13:57 pg_upgrade
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow   51704 Jul 24 13:57 pg_xlogdump
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow 5953344 Jul 24 13:57 postgres
lrwxrwxrwx. 1 root root system_u:object_r:postgresql_exec_t:SystemLow       8 Jul 24 13:57 postmaster -> postgres
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow              507128 Jul 24 13:57 psql
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72256 Jul 24 13:57 reindexdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72384 Jul 24 13:57 vacuumdb
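As an added diagnostic helper (not from this mail and not part of refpolicy), the shell below reduces the two artefacts above to the actual policy question: which binaries in the listing carry bin_t, and which source domain, target type, object class and permission an AVC record for the socket denial names. The listing is abbreviated from the mail; the AVC line is constructed, since the mail only shows the strace EACCES, and the level string SystemLow is assumed to match the listing.

```shell
#!/bin/sh
# Added diagnostic helper, not from the mail or refpolicy.
# Constructed inputs: an abbreviated ls -lZ listing in the format shown in the
# mail, and one AVC record of the kind the socket EACCES would leave in
# /var/log/audit/audit.log (assumed; the mail only shows the strace line).
PG_BIN_LISTING='-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 72288 Jul 24 13:57 createdb
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow 43352 Jul 24 13:57 pg_ctl
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow 5953344 Jul 24 13:57 postgres
lrwxrwxrwx. 1 root root system_u:object_r:postgresql_exec_t:SystemLow 8 Jul 24 13:57 postmaster -> postgres
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 507128 Jul 24 13:57 psql'

AVC_SAMPLE='type=AVC msg=audit(1408138926.123:456): avc:  denied  { connectto } for  pid=2601 comm="createdb" path="/var/run/postgresql/.s.PGSQL.5432" scontext=user_u:user_r:user_t:SystemLow tcontext=system_u:system_r:postgresql_t:SystemLow tclass=unix_stream_socket'

# Reduce an ls -lZ listing on stdin to "<selinux type> <file name>" lines.
# Field 5 is the context user:role:type:level; field 10 is the name, which
# also covers symlink entries ("postmaster -> postgres").
labels_by_type() {
    awk '{ split($5, ctx, ":"); print ctx[3], $10 }'
}

# Binaries a confined user (user_t) may execute without a domain transition:
# those labelled bin_t. The postgresql_exec_t entries are the server-side tools.
client_tools() {
    printf '%s\n' "$PG_BIN_LISTING" | labels_by_type \
        | awk '$1 == "bin_t" { s = s (s ? " " : "") $2 } END { print s }'
}

# Reduce an AVC record on stdin to "source_domain target_type class permission".
# Note the source is the process domain (user_t), not the file type bin_t of
# the binary; the next check against the loaded policy is
#   sesearch -A -s <source_domain> -t <target_type> -c <class> -p <permission>
avc_summary() {
    sed -n 's/.*denied  *{ *\([^ }]*\) *}.*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([^ ]*\).*/\2 \3 \4 \1/p'
}

# Stand-alone run: summarise the constructed inputs.
echo "client tools labelled bin_t: $(client_tools)"
echo "socket denial: $(printf '%s\n' "$AVC_SAMPLE" | avc_summary)"
```

On a real host, feed `ls -lZ /usr/lib/postgresql/9.4/bin/` and `ausearch -m avc` output into the same two functions.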
