[refpolicy] [PATCH 2/2] Also apply the new postgres labeling scheme on Debian

[refpolicy] [PATCH 2/2] Also apply the new postgres labeling scheme on Debian

[Andreas Florath]

Hello!

I was able to reproduce the problem that postgresql helper programs
are not accessible from confined users (here: user_u).

You can find your 'Debianized' patch:
https://github.com/flonatel/refpolicy-experimental/blob/test/postgres-labeling-scheme-01/debian/patches/1002-postgres-client-labeling

After applying the patch, the user is now able to access the binary, but is not allowed to access the postgresql port.
(Looks that 'bin_t' is not allowed to connect to postgresql.)
I don't know if this is a problem of refpolicy or Debian's adaptations.

@Russel: Do you need the image of a VM or access to a VM?
If you just need the image, I can provide one. (Accessing a running VM is somewhat more complicated...)
Do you need special configurations?

Kind regards

Andre


=== Technical Details ===

Steps done:

 1) Create VM with minimal and up to date Jessie (using SELinux set to enforcing).
 2) Optional: Patched the selinux-policy-default package
    with the patch you sent.
 3) root at debselinux01:~# se_apt-get update
 4) root at debselinux01:~# se_apt-get install postgresql
    [...]
    Building PostgreSQL dictionaries from installed myspell/hunspell packages...
    Removing obsolete dictionary files:
    Setting up postgresql-9.4 (9.4~beta2-1) ...
    Creating new cluster 9.4/main ...
      config /etc/postgresql/9.4/main
      data   /var/lib/postgresql/9.4/main
      locale en_US.UTF-8
      port   5432
    update-alternatives: using /usr/share/postgresql/9.4/man/man1/postmaster.1.gz to provide /usr/share/man/man1/postmaster.1.gz (postmaster.1.gz) in auto mode
    Setting up postgresql (9.4+159) ...
 5) root at debselinux01:~# semanage login -a -s user_u dummy
 6) postgres at debselinux01:~$ createuser -d dummy
 7) dummy at debselinux01:~$ id -Z
    user_u:user_r:user_t:SystemLow
 8) dummy at debselinux01:~$ createdb tst01


Result when patch was not installed (using original Debian packet selinux-policy-default):
  Error: You must install at least one postgresql-client-<version> package.
strace showed:
  stat("/usr/lib/postgresql/9.4/bin/psql", 0x1cc5280) = -1 EACCES (Permission denied)


After applying the patch:
dummy at debselinux01:~$ createdb tst01
createdb: could not connect to database template1: could not connect to server: Permission denied
	Is the server running locally and accepting
	connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?

Strace:
The stat works now:
stat("/usr/lib/postgresql/9.4/bin/psql", {st_mode=S_IFREG|0755, st_size=507128, ...}) = 0

But there is a 'Permission denied' in the connect:
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/postgresql/.s.PGSQL.5432"}, 110) = -1 EACCES (Permission denied)

And Postgres WAS listening:
root at debselinux01:~# netstat -nap  | grep 5432
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2531/postgres
tcp6       0      0 ::1:5432                :::*                    LISTEN      2531/postgres
unix  2      [ ACC ]     STREAM     LISTENING     13432    2531/postgres       /var/run/postgresql/.s.PGSQL.5432


Here is a listing of the appropriate dir when the patch is applied:

root at debselinux01:~# ls -lZ /usr/lib/postgresql/9.4/bin/
total 8088
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72224 Jul 24 13:57 clusterdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72288 Jul 24 13:57 createdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               63920 Jul 24 13:57 createlang
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72672 Jul 24 13:57 createuser
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               63936 Jul 24 13:57 dropdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               63920 Jul 24 13:57 droplang
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               63904 Jul 24 13:57 dropuser
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow              110296 Jul 24 13:57 initdb
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow   68416 Jul 24 13:57 pg_basebackup
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow   30720 Jul 24 13:57 pg_controldata
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow   43352 Jul 24 13:57 pg_ctl
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow              347808 Jul 24 13:57 pg_dump
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               89352 Jul 24 13:57 pg_dumpall
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               30992 Jul 24 13:57 pg_isready
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               47600 Jul 24 13:57 pg_receivexlog
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               51928 Jul 24 13:57 pg_recvlogical
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow   38920 Jul 24 13:57 pg_resetxlog
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow              150848 Jul 24 13:57 pg_restore
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow  109104 Jul 24 13:57 pg_upgrade
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow   51704 Jul 24 13:57 pg_xlogdump
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow 5953344 Jul 24 13:57 postgres
lrwxrwxrwx. 1 root root system_u:object_r:postgresql_exec_t:SystemLow       8 Jul 24 13:57 postmaster -> postgres
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow              507128 Jul 24 13:57 psql
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72256 Jul 24 13:57 reindexdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72384 Jul 24 13:57 vacuumdb

[refpolicy] [PATCH 2/2] Also apply the new postgres labeling scheme on Debian

[Andreas Florath]

Hello!

Sorry - forgot the 'allow_user_postgresql_connect' bool.
When applying your patch and setting this bool to on, the user can connect (as expected):

-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72288 Jul 24 13:57 createdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow              507128 Jul 24 13:57 psql

root at debselinux01:~# setsebool -P allow_user_postgresql_connect on
root at debselinux01:~# getsebool allow_user_postgresql_connect
allow_user_postgresql_connect --> on
root at debselinux01:~# logout
Connection to 192.168.122.22 closed.
florath at pelias:~$ ssh -X dummy at 192.168.122.22
dummy at 192.168.122.22's password:
dummy at debselinux01:~$ id -Z
user_u:user_r:user_t:SystemLow
dummy at debselinux01:~$ createdb tst01
dummy at debselinux01:~$ psql tst01
psql (9.4beta2)
Type "help" for help.

tst01=>

Kind regards

Andre

[refpolicy] Postgresql labeling revisited

[Luis Ressel]

In the following mails, I'm resending two patches which I already submittted in
February. They were put on hold so that the developers of the postgresql policy
could comment on it, but there haven't been any answers since.

I'd really like to see these patches included, as it's impossible for normal
users to use the postgres client programs (e.g. psql) without them. Our
postgresql policy is supposed to protect postgresql servers running on the host,
not rendering the client programs inaccessible.


Regards,
Luis Ressel

[refpolicy] [PATCH 2/2] Also apply the new postgres labeling scheme on Debian

[Luis Ressel]

I'm sure this is the right thing to do; however, the Debian developers
might want to have a say in this, so I made a separate patch.
---
 policy/modules/services/postgresql.fc | 24 ++++++++++--------------
 1 file changed, 10 insertions(+), 14 deletions(-)

diff --git a/policy/modules/services/postgresql.fc b/policy/modules/services/postgresql.fc
index 78a7464..d3bc4bb 100644
--- a/policy/modules/services/postgresql.fc
+++ b/policy/modules/services/postgresql.fc
@@ -16,20 +16,16 @@
 /usr/lib/pgsql/test/regress(/.*)?	gen_context(system_u:object_r:postgresql_db_t,s0)
 /usr/lib/pgsql/test/regress/pg_regress -- gen_context(system_u:object_r:postgresql_exec_t,s0)
 
-/usr/lib/postgresql(-.*)?/bin/pg_archivecleanup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_basebackup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_controldata	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_ctl		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_resetxlog	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_standby	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_upgrade	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/pg_xlogdump	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-/usr/lib/postgresql(-.*)?/bin/postmaster	-l	gen_context(system_u:object_r:postgresql_exec_t,s0)
-
-ifdef(`distro_debian', `
-/usr/lib/postgresql/.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
-')
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_archivecleanup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_basebackup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_controldata	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_ctl		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_resetxlog	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_standby		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_upgrade		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_xlogdump		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/lib/postgresql(-.*)?/(.*/)?bin/postmaster		-l	gen_context(system_u:object_r:postgresql_exec_t,s0)
 
 ifdef(`distro_redhat', `
 /usr/share/jonas/pgsql(/.*)?		gen_context(system_u:object_r:postgresql_db_t,s0)
-- 
2.0.4

[refpolicy] [PATCH 2/2] Also apply the new postgres labeling scheme on Debian

[Russell Coker]

Looks good to me. I don't have a PostgreSQL test machine now so I can't verify it. But I think it's best to apply this and I'll fix Debian later if things break.

As an aside what's a good design for PostgreSQL testing? Is there anyone who would like to setup a Debian VM for me for the purpose of testing this? I'm going to run a set of Debian VMs to test the most common daemons to avoid regression. 

Thanks to the person who offered to setup Nagios for me some weeks ago, I'll take you up on that soon.

On 12 August 2014 10:35:58 PM AEST, Luis Ressel <aranea@aixah.de> wrote:
>I'm sure this is the right thing to do; however, the Debian developers
>might want to have a say in this, so I made a separate patch.
>---
> policy/modules/services/postgresql.fc | 24 ++++++++++--------------
> 1 file changed, 10 insertions(+), 14 deletions(-)
>
>diff --git a/policy/modules/services/postgresql.fc
>b/policy/modules/services/postgresql.fc
>index 78a7464..d3bc4bb 100644
>--- a/policy/modules/services/postgresql.fc
>+++ b/policy/modules/services/postgresql.fc
>@@ -16,20 +16,16 @@
>/usr/lib/pgsql/test/regress(/.*)?	gen_context(system_u:object_r:postgresql_db_t,s0)
>/usr/lib/pgsql/test/regress/pg_regress --
>gen_context(system_u:object_r:postgresql_exec_t,s0)
> 
>-/usr/lib/postgresql(-.*)?/bin/pg_archivecleanup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
>-/usr/lib/postgresql(-.*)?/bin/pg_basebackup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
>-/usr/lib/postgresql(-.*)?/bin/pg_controldata	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
>-/usr/lib/postgresql(-.*)?/bin/pg_ctl		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
>-/usr/lib/postgresql(-.*)?/bin/pg_resetxlog	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
>-/usr/lib/postgresql(-.*)?/bin/pg_standby	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
>-/usr/lib/postgresql(-.*)?/bin/pg_upgrade	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
>-/usr/lib/postgresql(-.*)?/bin/pg_xlogdump	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
>-/usr/lib/postgresql(-.*)?/bin/postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
>-/usr/lib/postgresql(-.*)?/bin/postmaster	-l	gen_context(system_u:object_r:postgresql_exec_t,s0)
>-
>-ifdef(`distro_debian', `
>-/usr/lib/postgresql/.*/bin/.*	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
>-')
>+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_archivecleanup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
>+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_basebackup	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
>+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_controldata	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
>+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_ctl		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
>+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_resetxlog	--	gen_context(system_u:object_r:postgresql_exec_t,s0)
>+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_standby		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
>+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_upgrade		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
>+/usr/lib/postgresql(-.*)?/(.*/)?bin/pg_xlogdump		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
>+/usr/lib/postgresql(-.*)?/(.*/)?bin/postgres		--	gen_context(system_u:object_r:postgresql_exec_t,s0)
>+/usr/lib/postgresql(-.*)?/(.*/)?bin/postmaster		-l	gen_context(system_u:object_r:postgresql_exec_t,s0)
> 
> ifdef(`distro_redhat', `
>/usr/share/jonas/pgsql(/.*)?		gen_context(system_u:object_r:postgresql_db_t,s0)

-- 
Sent from my Samsung Galaxy Note 2 with K-9 Mail.