From: kaigai@kaigai.gr.jp (Kohei KaiGai) Date: Fri, 4 May 2012 15:23:43 +0200 Subject: [refpolicy] [1/4] sepgsql - add connection pooling server support In-Reply-To: References: Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com I noticed an omission in the postgresql_unpriv_client() interface. Please check the newer one. Thanks, 2012/3/25 Kohei KaiGai : > This patch provides a new trusted procedure type that allows > switching the security label of the database client, in cooperation with the new > sepgsql_setcon() function being added in the upcoming v9.2 release. > > The original idea was given by Joshua Brindle. The sepgsql_setcon() > provides an analogy of dynamic domain transition on the operating system. > Although we don't give confined > domains the privilege to switch their security label, they can switch via a trusted procedure. > > The new sepgsql_ranged_proc_exec_t is an entrypoint of > sepgsql_ranged_proc_t that has mcssetcats and mlsprocsetsl. > > We assume its typical usage is sepgsql_setcon() being invoked > via a trusted procedure that references secret credential tables at the > beginning of the database session by a connection pooling server. > > Usage example) > > (*) The credential table is labeled as "sepgsql_secret_table_t", > ? ? that holds a pair of username, credential and security context. > > postgres=# CREATE OR REPLACE FUNCTION client_switch(text) > ? ?RETURNS bool LANGUAGE sql > ? ?AS 'SELECT sepgsql_setcon(ucontext) FROM credential > ? ? ? ? ? ? ?WHERE uname = current_user AND ucred = $1'; > CREATE FUNCTION > postgres=# SECURITY LABEL ON FUNCTION client_switch(text) IS > 'system_u:object_r:sepgsql_ranged_proc_exec_t:s0'; > SECURITY LABEL > postgres=# CREATE OR REPLACE FUNCTION client_reset() > ? 
?RETURNS bool LANGUAGE sql AS 'SELECT sepgsql_setcon(NULL)'; > CREATE FUNCTION > postgres=# SECURITY LABEL ON FUNCTION client_reset() IS > 'system_u:object_r:sepgsql_ranged_proc_exec_t:s0'; > SECURITY LABEL > > Then, it shows a scenario to switch the client label via trusted procedure. > > [alice at iwashi ~]$ psql postgres -q > postgres=# SELECT sepgsql_getcon(); > ? ? ? sepgsql_getcon > ---------------------------- > ?staff_u:staff_r:staff_t:s0 > (1 row) > > postgres=# SELECT * FROM info_c0; > ERROR: ?SELinux: security policy violation > postgres=# SELECT * FROM info_c1; > ERROR: ?SELinux: security policy violation > -- client have no permission neither info_c0 nor info_c1 > > postgres=# SELECT client_switch('6384e2b2184bcbf58eccf10ca7a6563c'); > ?client_switch > --------------- > ?t > (1 row) > > postgres=# SELECT sepgsql_getcon(); > ? ? ? ?sepgsql_getcon > ------------------------------- > ?staff_u:staff_r:staff_t:s0:c1 > (1 row) > > postgres=# SELECT * FROM info_c0; > ERROR: ?SELinux: security policy violation > postgres=# SELECT * FROM info_c1; > ?a | ?b > ---+----- > ?3 | xxx > ?4 | yyy > (2 rows) > > -- needless to say, credential table is not visible > postgres=# SELECT * FROM credential ; > ERROR: ?SELinux: security policy violation > > Also see, > http://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=523176cbf14a3414170a83dd43686c0eccdc61c6 > > ?Signed-off-by: KaiGai Kohei > -- > ?policy/modules/services/postgresql.if | ? 32 +++++++++++++++++++++++++++++++- > ?policy/modules/services/postgresql.te | ? 32 ++++++++++++++++++++++++++++---- > ?2 files changed, 59 insertions(+), 5 deletions(-) > > diff --git a/policy/modules/services/postgresql.if > b/policy/modules/services/postgresql.if > index 09aeffa..24e9958 100644 > --- a/policy/modules/services/postgresql.if > +++ b/policy/modules/services/postgresql.if 
> @@ -32,6 +32,7 @@ interface(`postgresql_role',` > ? ? ? ? ? ? ? ?attribute sepgsql_schema_type, sepgsql_sysobj_table_type; > > ? ? ? ? ? ? ? ?type sepgsql_trusted_proc_exec_t, sepgsql_trusted_proc_t; > + ? ? ? ? ? ? ? type sepgsql_ranged_proc_exec_t, sepgsql_ranged_proc_t; > ? ? ? ? ? ? ? ?type user_sepgsql_blob_t, user_sepgsql_proc_exec_t; > ? ? ? ? ? ? ? ?type user_sepgsql_schema_t, user_sepgsql_seq_t; > ? ? ? ? ? ? ? ?type user_sepgsql_sysobj_t, user_sepgsql_table_t; > @@ -45,6 +46,7 @@ interface(`postgresql_role',` > > ? ? ? ?typeattribute $2 sepgsql_client_type; > ? ? ? ?role $1 types sepgsql_trusted_proc_t; > + ? ? ? role $1 types sepgsql_ranged_proc_t; > > ? ? ? ?############################## > ? ? ? ?# > @@ -88,6 +90,10 @@ interface(`postgresql_role',` > > ? ? ? ?allow $2 sepgsql_trusted_proc_t:process transition; > ? ? ? ?type_transition $2 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; > + > + ? ? ? allow $2 sepgsql_ranged_proc_t:process transition; > + ? ? ? type_transition $2 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t; > + ? ? ? allow sepgsql_ranged_proc_t $2:process dyntransition; > ?') > > ?######################################## > @@ -223,7 +229,7 @@ interface(`postgresql_view_object',` > ?## > ?## > ?## ? ? > -## ? ? Type marked as a database object type. > +## ? ? Type marked as a procedure object type. > ?## ? ? > ?## > ?# 
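Review bot: In the `@@ -88,6 +90,10 @@` hunk, `allow sepgsql_ranged_proc_t $2:process dyntransition;` is emitted once for every client type passed to postgresql_role, but sepgsql_ranged_proc_t is a single type, so the ranged procedure domain ends up allowed to dyntransition into every client type the interface has been instantiated for, not only the type that entered it; the `$1` rule added in the postgresql_unpriv_client hunk has the same shape. If the base policy's constraints on process dyntransition keep the user and role components fixed, the remaining exposure is a switch between client types that share a user and role, which may be acceptable, but that assumption is not stated anywhere. A comment above the rule would make it reviewable: `# the ranged proc may return to any client type, not only the caller's; user/role are pinned only by the global constraints`. The enclosing postgresql_role interface begins before the hunk.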
> @@ -237,6 +243,26 @@ interface(`postgresql_procedure_object',` > > ?######################################## > ?## > +## ? ? Marks as a SE-PostgreSQL trusted procedure object type > +## > +## > +## ? ? > +## ? ? Type marked as a trusted procedure object type. > +## ? ? > +## > +# > +interface(`postgresql_trusted_procedure_object',` > + ? ? ? gen_require(` > + ? ? ? ? ? ? ? attribute sepgsql_procedure_type; > + ? ? ? ? ? ? ? attribute sepgsql_trusted_procedure_type; > + ? ? ? ') > + > + ? ? ? typeattribute $1 sepgsql_procedure_type; > + ? ? ? typeattribute $1 sepgsql_trusted_procedure_type; > +') > + > +######################################## > +## > ?## ? ? Marks as a SE-PostgreSQL procedural language object type > ?## > ?## > @@ -459,6 +485,10 @@ interface(`postgresql_unpriv_client',` > ? ? ? ?type_transition $1 sepgsql_trusted_proc_exec_t:process sepgsql_trusted_proc_t; > ? ? ? ?allow $1 sepgsql_trusted_proc_t:process transition; > > + ? ? ? type_transition $1 sepgsql_ranged_proc_exec_t:process sepgsql_ranged_proc_t; > + ? ? ? allow $1 sepgsql_ranged_proc_t:process transition; > + ? ? ? allow sepgsql_ranged_proc_t $1:process dyntransition; > + > ? ? ? ?tunable_policy(`sepgsql_enable_users_ddl',` > ? ? ? ? ? ? ? ?allow $1 unpriv_sepgsql_schema_t:db_schema { create drop setattr }; > ? ? ? ? ? ? ? ?allow $1 unpriv_sepgsql_table_t:db_table { create drop setattr }; > diff --git a/policy/modules/services/postgresql.te > b/policy/modules/services/postgresql.te > index 4d71f89..2457d10 100644 > --- a/policy/modules/services/postgresql.te > +++ b/policy/modules/services/postgresql.te > @@ -70,6 +70,7 @@ attribute sepgsql_sysobj_table_type; > ?attribute sepgsql_sequence_type; > ?attribute sepgsql_view_type; > ?attribute sepgsql_procedure_type; > +attribute sepgsql_trusted_procedure_type; > ?attribute sepgsql_language_type; > ?attribute sepgsql_blob_type; > ?attribute sepgsql_module_type; 
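Review bot: The new postgresql_trusted_procedure_object interface only attaches sepgsql_procedure_type and sepgsql_trusted_procedure_type to the type, and its summary does not say what that implies: from the postgresql.te hunks in this series, every type carrying sepgsql_trusted_procedure_type becomes an entrypoint into an unconfined trusted-procedure domain and is executable by all sepgsql_client_type domains. Suggest extending the interface description with a sentence such as `## Functions labeled with this type are entrypoints into trusted procedure domains (sepgsql_trusted_proc_t, sepgsql_ranged_proc_t); relabeling a function to such a type should remain restricted to administrative or unconfined domains.` The gen_require block in this hunk is self-contained, so nothing else is needed.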
> @@ -122,7 +123,10 @@ type sepgsql_table_t; > ?postgresql_table_object(sepgsql_table_t) > > ?type sepgsql_trusted_proc_exec_t; > -postgresql_procedure_object(sepgsql_trusted_proc_exec_t) > +postgresql_trusted_procedure_object(sepgsql_trusted_proc_exec_t) > + > +type sepgsql_ranged_proc_exec_t; > +postgresql_trusted_procedure_object(sepgsql_ranged_proc_exec_t) > > ?type sepgsql_view_t; > ?postgresql_view_object(sepgsql_view_t) > @@ -133,6 +137,26 @@ domain_type(sepgsql_trusted_proc_t) > ?postgresql_unconfined(sepgsql_trusted_proc_t) > ?role system_r types sepgsql_trusted_proc_t; > > +# Ranged Trusted Procedure Domain > +# > +# XXX - the purpose of this domain is to switch security context of > +# the database client using dynamic domain transition; typically, > +# used for connection pooling software that shall assign a security > +# context at beginning of the user session based on the credentials > +# being invisible from unprivileged domains. > +# > +type sepgsql_ranged_proc_t; > +domain_type(sepgsql_ranged_proc_t) > +postgresql_unconfined(sepgsql_ranged_proc_t) > +allow sepgsql_ranged_proc_t self:process { setcurrent }; > +role system_r types sepgsql_ranged_proc_t; > +optional_policy(` > + ? ? ? mcs_process_set_categories(sepgsql_ranged_proc_t) > +') > +optional_policy(` > + ? ? ? mls_process_set_level(sepgsql_ranged_proc_t) > +') > + > ?# Types for unprivileged client > ?type unpriv_sepgsql_blob_t; > ?postgresql_blob_object(unpriv_sepgsql_blob_t) 
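Review bot: The `@@ -133,6 +137,26 @@` hunk gives sepgsql_ranged_proc_t `postgresql_unconfined`, `self:process setcurrent` and, via the optional blocks, `mcs_process_set_categories` / `mls_process_set_level`, so any function body labeled sepgsql_ranged_proc_exec_t runs with unconfined access to database objects and can choose its own categories or level; the XXX comment describes the intended use but not this trust assumption. Suggest replacing the XXX comment with a statement that the domain is unconfined over database objects and may set its own MCS/MLS range, that the set of functions labeled sepgsql_ranged_proc_exec_t therefore defines the trust boundary, and that such labels should only be assigned by administrative or unconfined domains. Whether sepgsql_setcon() itself bounds the new range by the session's original range is enforced on the PostgreSQL side rather than by this policy and should be confirmed before relying on it.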
> @@ -404,7 +428,7 @@ allow sepgsql_client_type > sepgsql_seq_t:db_sequence { getattr get_value next_val > ?allow sepgsql_client_type sepgsql_view_t:db_view { getattr expand }; > > ?allow sepgsql_client_type sepgsql_proc_exec_t:db_procedure { getattr > execute install }; > -allow sepgsql_client_type sepgsql_trusted_proc_exec_t:db_procedure { > getattr execute entrypoint }; > +allow sepgsql_client_type sepgsql_trusted_procedure_type:db_procedure > { getattr execute entrypoint }; > > ?allow sepgsql_client_type sepgsql_lang_t:db_language { getattr }; > ?allow sepgsql_client_type sepgsql_safe_lang_t:db_language { getattr execute }; > @@ -493,7 +517,7 @@ tunable_policy(`sepgsql_unconfined_dbadm',` > ? ? ? ?allow sepgsql_admin_type sepgsql_view_type:db_view *; > > ? ? ? ?allow sepgsql_admin_type sepgsql_proc_exec_t:db_procedure *; > - ? ? ? allow sepgsql_admin_type sepgsql_trusted_proc_exec_t:db_procedure ~install; > + ? ? ? allow sepgsql_admin_type sepgsql_trusted_procedure_type:db_procedure ~install; > ? ? ? ?allow sepgsql_admin_type sepgsql_procedure_type:db_procedure ~{ > execute install }; > > ? ? ? ?allow sepgsql_admin_type sepgsql_language_type:db_language ~implement; 
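Review bot: Switching the client rule to `allow sepgsql_client_type sepgsql_trusted_procedure_type:db_procedure { getattr execute entrypoint };` lets every client domain enter sepgsql_ranged_proc_t through any function labeled sepgsql_ranged_proc_exec_t, whereas the description positions the feature for a connection pooling server; nothing in the policy pins entry to that server, so the credential check inside each such function is the only thing deciding who may switch labels. If that is intended, a comment on this line saying so would help, e.g. `# any client may enter trusted/ranged proc domains; who may actually switch is decided by the procedure body`; otherwise a separate entrypoint grant for a pooling-server domain would narrow it. The admin hunk at `@@ -493,7 +517,7 @@` and the unconfined hunk below make the same attribute substitution, which looks consistent.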
> @@ -528,7 +552,7 @@ allow sepgsql_unconfined_type sepgsql_view_type:db_view *; > ?# unconfined domain is not allowed to invoke user defined procedure directly. > ?# They have to confirm and relabel it at first. > ?allow sepgsql_unconfined_type sepgsql_proc_exec_t:db_procedure *; > -allow sepgsql_unconfined_type > sepgsql_trusted_proc_exec_t:db_procedure ~install; > +allow sepgsql_unconfined_type > sepgsql_trusted_procedure_type:db_procedure ~install; > ?allow sepgsql_unconfined_type sepgsql_procedure_type:db_procedure ~{ > execute install }; > > ?allow sepgsql_unconfined_type sepgsql_language_type:db_language ~implement; > > -- > KaiGai Kohei -- KaiGai Kohei -------------- next part -------------- A non-text attachment was scrubbed... Name: refpolicy-sepgsql-1of4-connection-pooling-support.20120502.patch Type: application/octet-stream Size: 7313 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20120504/a60ec9cb/attachment-0001.obj