2014-08-15 21:42:06

by andre

Subject: [refpolicy] [PATCH 2/2] Also apply the new postgres labeling scheme on Debian

Hello!

I was able to reproduce the problem that postgresql helper programs
are not accessible from confined users (here: user_u).

You can find your 'Debianized' patch:
https://github.com/flonatel/refpolicy-experimental/blob/test/postgres-labeling-scheme-01/debian/patches/1002-postgres-client-labeling

After applying the patch, the user is now able to access the binary, but is not allowed to access the postgresql port.
(It looks like 'bin_t' is not allowed to connect to postgresql.)
I don't know if this is a problem of refpolicy or Debian's adaptations.

@Russel: Do you need the image of a VM or access to a VM?
If you just need the image, I can provide one. (Accessing a running VM is somewhat more complicated...)
Do you need special configurations?

Kind regards

Andre


=== Technical Details ===

Steps done:

1) Create VM with minimal and up to date Jessie (using SELinux set to enforcing).
2) Optional: Patched the selinux-policy-default package
with the patch you sent.
3) root@debselinux01:~# se_apt-get update
4) root@debselinux01:~# se_apt-get install postgresql
[...]
Building PostgreSQL dictionaries from installed myspell/hunspell packages...
Removing obsolete dictionary files:
Setting up postgresql-9.4 (9.4~beta2-1) ...
Creating new cluster 9.4/main ...
config /etc/postgresql/9.4/main
data /var/lib/postgresql/9.4/main
locale en_US.UTF-8
port 5432
update-alternatives: using /usr/share/postgresql/9.4/man/man1/postmaster.1.gz to provide /usr/share/man/man1/postmaster.1.gz (postmaster.1.gz) in auto mode
Setting up postgresql (9.4+159) ...
5) root@debselinux01:~# semanage login -a -s user_u dummy
6) postgres@debselinux01:~$ createuser -d dummy
7) dummy@debselinux01:~$ id -Z
user_u:user_r:user_t:SystemLow
8) dummy@debselinux01:~$ createdb tst01


Result when patch was not installed (using original Debian package selinux-policy-default):
Error: You must install at least one postgresql-client-<version> package.
strace showed:
stat("/usr/lib/postgresql/9.4/bin/psql", 0x1cc5280) = -1 EACCES (Permission denied)


After applying the patch:
dummy@debselinux01:~$ createdb tst01
createdb: could not connect to database template1: could not connect to server: Permission denied
Is the server running locally and accepting
connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?

Strace:
The stat works now:
stat("/usr/lib/postgresql/9.4/bin/psql", {st_mode=S_IFREG|0755, st_size=507128, ...}) = 0

But there is a 'Permission denied' in the connect:
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/postgresql/.s.PGSQL.5432"}, 110) = -1 EACCES (Permission denied)

And Postgres WAS listening:
root@debselinux01:~# netstat -nap | grep 5432
tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 2531/postgres
tcp6 0 0 ::1:5432 :::* LISTEN 2531/postgres
unix 2 [ ACC ] STREAM LISTENING 13432 2531/postgres /var/run/postgresql/.s.PGSQL.5432


Here is a listing of the appropriate dir when the patch is applied:

root@debselinux01:~# ls -lZ /usr/lib/postgresql/9.4/bin/
total 8088
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 72224 Jul 24 13:57 clusterdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 72288 Jul 24 13:57 createdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 63920 Jul 24 13:57 createlang
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 72672 Jul 24 13:57 createuser
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 63936 Jul 24 13:57 dropdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 63920 Jul 24 13:57 droplang
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 63904 Jul 24 13:57 dropuser
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 110296 Jul 24 13:57 initdb
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow 68416 Jul 24 13:57 pg_basebackup
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow 30720 Jul 24 13:57 pg_controldata
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow 43352 Jul 24 13:57 pg_ctl
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 347808 Jul 24 13:57 pg_dump
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 89352 Jul 24 13:57 pg_dumpall
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 30992 Jul 24 13:57 pg_isready
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 47600 Jul 24 13:57 pg_receivexlog
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 51928 Jul 24 13:57 pg_recvlogical
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow 38920 Jul 24 13:57 pg_resetxlog
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 150848 Jul 24 13:57 pg_restore
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow 109104 Jul 24 13:57 pg_upgrade
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow 51704 Jul 24 13:57 pg_xlogdump
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow 5953344 Jul 24 13:57 postgres
lrwxrwxrwx. 1 root root system_u:object_r:postgresql_exec_t:SystemLow 8 Jul 24 13:57 postmaster -> postgres
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 507128 Jul 24 13:57 psql
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 72256 Jul 24 13:57 reindexdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 72384 Jul 24 13:57 vacuumdb


2014-08-16 18:25:15

by andre

Subject: [refpolicy] [PATCH 2/2] Also apply the new postgres labeling scheme on Debian

Hello!

Sorry - forgot the 'allow_user_postgresql_connect' bool.
When applying your patch and setting this bool to on, the user can connect (as expected):

-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 72288 Jul 24 13:57 createdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 507128 Jul 24 13:57 psql

root@debselinux01:~# setsebool -P allow_user_postgresql_connect on
root@debselinux01:~# getsebool allow_user_postgresql_connect
allow_user_postgresql_connect --> on
root@debselinux01:~# logout
Connection to 192.168.122.22 closed.
florath@pelias:~$ ssh -X dummy@192.168.122.22
dummy@192.168.122.22's password:
dummy@debselinux01:~$ id -Z
user_u:user_r:user_t:SystemLow
dummy@debselinux01:~$ createdb tst01
dummy@debselinux01:~$ psql tst01
psql (9.4beta2)
Type "help" for help.

tst01=>

Kind regards

Andre
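
The two denial stages reported in this thread (EACCES on stat of the client binary before the patch, EACCES on connect to the Unix socket until allow_user_postgresql_connect is on) can be told apart mechanically from strace output. The script below is an added example, not part of the original posts or of refpolicy; the function names pg_triage, next_check and files_with_type are hypothetical, matching access/execve in addition to stat is an assumption that goes beyond the single call shown above, and the sample lines are copied from the posts.

```shell
#!/bin/sh
# Added example: tell apart the two SELinux denial stages seen in this thread.

# Reads strace lines on stdin and prints one keyword:
#   label-denied   - stat/access/execve of a file under /usr/lib/postgresql/ hit EACCES
#   connect-denied - connect() to the .s.PGSQL.* Unix socket hit EACCES
#   ok             - neither pattern present
pg_triage() {
    awk '
        /EACCES/ && /^(stat|access|execve)\("\/usr\/lib\/postgresql\// { label = 1 }
        /EACCES/ && /^connect\(/ && /\.s\.PGSQL\./ { conn = 1 }
        END {
            if (label) print "label-denied"
            else if (conn) print "connect-denied"
            else print "ok"
        }'
}

# Maps a keyword to the command from the thread that inspects that stage.
next_check() {
    case "$1" in
        label-denied)   echo 'ls -lZ /usr/lib/postgresql/9.4/bin/' ;;
        connect-denied) echo 'getsebool allow_user_postgresql_connect' ;;
        *)              echo 'none' ;;
    esac
}

# Reads `ls -lZ` lines (context in field 5, name in field 10, as in the
# listing above) and prints the names whose SELinux type equals $1.
files_with_type() {
    awk -v want="$1" 'NF >= 10 { split($5, ctx, ":"); if (ctx[3] == want) print $10 }'
}

# Sample input copied from the posts above.
BEFORE='stat("/usr/lib/postgresql/9.4/bin/psql", 0x1cc5280) = -1 EACCES (Permission denied)'
AFTER='stat("/usr/lib/postgresql/9.4/bin/psql", {st_mode=S_IFREG|0755, st_size=507128, ...}) = 0
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/postgresql/.s.PGSQL.5432"}, 110) = -1 EACCES (Permission denied)'
LISTING='total 8088
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 72288 Jul 24 13:57 createdb
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow 43352 Jul 24 13:57 pg_ctl
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow 507128 Jul 24 13:57 psql'

for sample in "$BEFORE" "$AFTER"; do
    stage=$(printf '%s\n' "$sample" | pg_triage)
    echo "$stage -> $(next_check "$stage")"
done
printf '%s\n' "$LISTING" | files_with_type postgresql_exec_t
```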