This patch enables transmitting the security label of the client to the
foreign database servers on behalf of the primary server being
connected to by the client process.

FDW (foreign data wrapper) is a feature that allows defining virtual
tables connected to remote servers, and handling queries to the remote
servers via the virtual table as if they were local queries.
If and when the virtual relation (managed by a particular connector
module, like pgsql_fdw, oracle_fdw, ...) is referenced, pgsql gives
control to the connector module, which then opens the connection to the
remote server to run a query.

This patch (conditionally) allows the postgresql_t domain to set the sockcreate
attribute, which eventually enables transmitting the security label of the
original client process to the remote node.
It is a necessary feature to stack multiple sepgsql servers using FDW.
Thanks,
Signed-off-by: KaiGai Kohei <[email protected]>
--
policy/modules/services/postgresql.te | 10 ++++++++++
1 files changed, 10 insertions(+), 0 deletions(-)
diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 2457d10..add0cd6 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -32,6 +32,13 @@ gen_tunable(sepgsql_enable_users_ddl, true)
## </desc>
gen_tunable(sepgsql_unconfined_dbadm, true)
+## <desc>
+## <p>
+## Allow transmit client label to foreign database
+## </p>
+## </desc>
+gen_tunable(sepgsql_transmit_client_label, false)
+
type postgresql_t;
type postgresql_exec_t;
init_daemon_domain(postgresql_t, postgresql_exec_t)
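Review bot: the tunable description in the `## <p>` block, "Allow transmit client label to foreign database", is ungrammatical and does not say which process or which label is meant; since this text is what the policy tools show to administrators, suggest something like "Allow PostgreSQL to transmit the security label of the connecting client to foreign database servers (needed to stack sepgsql servers over FDW)". Defaulting `sepgsql_transmit_client_label` to false is the right choice for a permission that lets the daemon create sockets labelled with a context other than its own.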
@@ -231,6 +238,9 @@ allow postgresql_t self:udp_socket
create_stream_socket_perms;
allow postgresql_t self:unix_dgram_socket create_socket_perms;
allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
allow postgresql_t self:netlink_selinux_socket create_socket_perms;
+tunable_policy(`sepgsql_transmit_client_label',`
+ allow postgresql_t self:process { setsockcreate };
+')
allow postgresql_t sepgsql_database_type:db_database *;
type_transition postgresql_t postgresql_t:db_database
sepgsql_db_t; # deprecated
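Review bot: the tunable block grants only `allow postgresql_t self:process { setsockcreate };`, but once sockcreate is set the kernel checks the subsequent socket creation against the requested label rather than against postgresql_t, i.e. as `postgresql_t <client label>:tcp_socket { create ... }`. Nothing in this patch adds rules allowing postgresql_t to create or connect sockets of the client domains' types, so either those rules belong inside the same tunable_policy block, or the commit message should say where they come from. It is also worth stating what bounds the label postgresql_t may request: setsockcreate alone does not restrict it, so the expectation that the server only ever uses the connecting client's label rests on the server code and on the socket-create rules, not on this permission.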
--
KaiGai Kohei <[email protected]>
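The userspace side of what the setsockcreate permission enables, as an added example that is not part of the patch, of sepgsql or of libselinux: a hypothetical helper that writes the client's context to /proc/self/attr/sockcreate (the kernel interface that libselinux's setsockcreatecon() uses) before a connector module opens its connection, and restores the previous setting afterwards. The `attr_path` parameter is an assumption made only so the helper can be exercised against an ordinary file on a host without SELinux.

```python
import os
import re
from contextlib import contextmanager

# Hypothetical helper (not from the patch, sepgsql or libselinux): the
# userspace side of what the setsockcreate permission lets postgresql_t do.
SOCKCREATE_ATTR = "/proc/self/attr/sockcreate"
_CONTEXT_RE = re.compile(r"^[\w.-]+:[\w.-]+:[\w.-]+(:.+)?$")


def valid_context(label):
    """Sanity check: label looks like user:role:type[:range]."""
    return bool(_CONTEXT_RE.match(label))


def read_sockcreate(attr_path=SOCKCREATE_ATTR):
    """Current sockcreate label, or None when unset or unavailable."""
    try:
        fd = os.open(attr_path, os.O_RDONLY | os.O_CLOEXEC)
    except OSError:
        return None
    try:
        data = os.read(fd, 4096).split(b"\0", 1)[0]   # NUL-terminated
        return data.decode().strip() or None
    finally:
        os.close(fd)


def write_sockcreate(label, attr_path=SOCKCREATE_ATTR):
    """Set (or, with None, clear) the label used for sockets created next."""
    # No O_TRUNC: proc attr files refuse it, so open the way libselinux does.
    fd = os.open(attr_path, os.O_WRONLY | os.O_CLOEXEC)
    try:
        # A zero-length write clears the attribute (kernel semantics;
        # against a plain file used for testing it is simply a no-op).
        os.write(fd, label.encode() + b"\0" if label is not None else b"")
    finally:
        os.close(fd)


@contextmanager
def socket_label(client_label, attr_path=SOCKCREATE_ATTR):
    """Sockets created inside the block carry client_label; the previous
    setting is restored on exit. Fails closed: a malformed label raises
    ValueError, and a write the policy denies (tunable off) raises OSError
    instead of silently connecting under the server's own label."""
    if not valid_context(client_label):
        raise ValueError("refusing malformed label: %r" % client_label)
    previous = read_sockcreate(attr_path)
    write_sockcreate(client_label, attr_path)
    try:
        yield client_label
    finally:
        write_sockcreate(previous, attr_path)
```

Inside the `with` block the connector would call connect(); if the policy lacks the rule from this patch the write to the attribute fails with EACCES, which is the signal an administrator should expect when the tunable is left at its default of false.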