From: andre@flonatel.org (Andreas Florath)
Date: Fri, 15 Aug 2014 23:42:06 +0200
Subject: [refpolicy] [PATCH 2/2] Also apply the new postgres labeling scheme on Debian
Message-ID: <53EE7EAE.2000409@flonatel.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello!

I was able to reproduce the problem that postgresql helper programs are not accessible from confined users (here: user_u).

You can find your 'Debianized' patch here:
https://github.com/flonatel/refpolicy-experimental/blob/test/postgres-labeling-scheme-01/debian/patches/1002-postgres-client-labeling

After applying the patch, the user is now able to access the binary, but is not allowed to access the postgresql port. (Looks like 'bin_t' is not allowed to connect to postgresql.) I don't know if this is a problem of refpolicy or of Debian's adaptations.

@Russel: Do you need the image of a VM or access to a VM? If you just need the image, I can provide one. (Accessing a running VM is somewhat more complicated...) Do you need special configurations?

Kind regards
Andre

=== Technical Details ===

Steps done:

1) Create VM with minimal and up to date Jessie (using SELinux set to enforcing).
2) Optional: Patched the selinux-policy-default package with the patch you sent.
3) root@debselinux01:~# se_apt-get update
4) root@debselinux01:~# se_apt-get install postgresql
   [...]
   Building PostgreSQL dictionaries from installed myspell/hunspell packages...
   Removing obsolete dictionary files:
   Setting up postgresql-9.4 (9.4~beta2-1) ...
   Creating new cluster 9.4/main ...
     config /etc/postgresql/9.4/main
     data   /var/lib/postgresql/9.4/main
     locale en_US.UTF-8
     port   5432
   update-alternatives: using /usr/share/postgresql/9.4/man/man1/postmaster.1.gz to provide /usr/share/man/man1/postmaster.1.gz (postmaster.1.gz) in auto mode
   Setting up postgresql (9.4+159) ...
5) root@debselinux01:~# semanage login -a -s user_u dummy
6) postgres@debselinux01:~$ createuser -d dummy
7) dummy@debselinux01:~$ id -Z
   user_u:user_r:user_t:SystemLow
8) dummy@debselinux01:~$ createdb tst01

Result when the patch was not installed (using the original Debian package selinux-policy-default):

  Error: You must install at least one postgresql-client- package.

strace showed:

  stat("/usr/lib/postgresql/9.4/bin/psql", 0x1cc5280) = -1 EACCES (Permission denied)

After applying the patch:

  dummy@debselinux01:~$ createdb tst01
  createdb: could not connect to database template1: could not connect to server: Permission denied
          Is the server running locally and accepting
          connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?

Strace: the stat works now:

  stat("/usr/lib/postgresql/9.4/bin/psql", {st_mode=S_IFREG|0755, st_size=507128, ...}) = 0

But there is a 'Permission denied' in the connect:

  connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/postgresql/.s.PGSQL.5432"}, 110) = -1 EACCES (Permission denied)

And Postgres WAS listening:

  root@debselinux01:~# netstat -nap | grep 5432
  tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2531/postgres
  tcp6       0      0 ::1:5432                :::*                    LISTEN      2531/postgres
  unix  2      [ ACC ]     STREAM     LISTENING     13432    2531/postgres        /var/run/postgresql/.s.PGSQL.5432

Here is a listing of the appropriate dir when the patch is applied:

  root@debselinux01:~# ls -lZ /usr/lib/postgresql/9.4/bin/
  total 8088
  -rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72224 Jul 24 13:57 clusterdb
  -rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72288 Jul 24 13:57 createdb
  -rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               63920 Jul 24 13:57 createlang
  -rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72672 Jul 24 13:57 createuser
  -rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               63936 Jul 24 13:57 dropdb
  -rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               63920 Jul 24 13:57 droplang
  -rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               63904 Jul 24 13:57 dropuser
  -rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow              110296 Jul 24 13:57 initdb
  -rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow   68416 Jul 24 13:57 pg_basebackup
  -rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow   30720 Jul 24 13:57 pg_controldata
  -rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow   43352 Jul 24 13:57 pg_ctl
  -rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow              347808 Jul 24 13:57 pg_dump
  -rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               89352 Jul 24 13:57 pg_dumpall
  -rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               30992 Jul 24 13:57 pg_isready
  -rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               47600 Jul 24 13:57 pg_receivexlog
  -rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               51928 Jul 24 13:57 pg_recvlogical
  -rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow   38920 Jul 24 13:57 pg_resetxlog
  -rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow              150848 Jul 24 13:57 pg_restore
  -rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow  109104 Jul 24 13:57 pg_upgrade
  -rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow   51704 Jul 24 13:57 pg_xlogdump
  -rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow 5953344 Jul 24 13:57 postgres
  lrwxrwxrwx. 1 root root system_u:object_r:postgresql_exec_t:SystemLow       8 Jul 24 13:57 postmaster -> postgres
  -rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow              507128 Jul 24 13:57 psql
  -rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72256 Jul 24 13:57 reindexdb
  -rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72384 Jul 24 13:57 vacuumdb
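An added example (my own, not from Andreas' mail or from refpolicy) for triaging the two failures above from the SELinux audit log: it parses two constructed AVC denial lines modelled on the pre-patch stat() failure and the post-patch connect() failure, extracts the process domain, target type, object class and permission, and prints the sesearch query that shows whether the loaded policy has an allow rule for that access. The sample lines and the postgresql_stream_connect hint are assumptions, not taken from the mail.

```shell
#!/bin/sh
# Added example, not part of the original mail. The two audit.log lines below
# are CONSTRUCTED to mirror the reported failures (stat() on psql before the
# patch, connect() to the postgres socket after it), not copied from the mail.
AVC_SAMPLE='type=AVC msg=audit(1408138926.101:311): avc:  denied  { getattr } for  pid=2587 comm="pg_wrapper" path="/usr/lib/postgresql/9.4/bin/psql" dev="vda1" ino=40227 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:postgresql_exec_t:s0 tclass=file
type=AVC msg=audit(1408138990.204:319): avc:  denied  { connectto } for  pid=2601 comm="createdb" path="/var/run/postgresql/.s.PGSQL.5432" scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket'

# avc_field KEY LINE: value of "KEY=..." from an AVC line, quotes stripped.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# avc_perm LINE: the permission named inside "denied { ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^ }]*\).*/\1/p'
}

# avc_summary LINE: "<source type> <target type> <class> <permission>".
# The source is the process domain (user_t here), not the label of the binary
# on disk: a bin_t executable keeps running in the caller's domain.
avc_summary() {
    printf '%s %s %s %s\n' \
        "$(avc_field scontext "$1" | cut -d: -f3)" \
        "$(avc_field tcontext "$1" | cut -d: -f3)" \
        "$(avc_field tclass "$1")" \
        "$(avc_perm "$1")"
}

# avc_sesearch LINE: the setools query that lists an allow rule for exactly
# this access in the loaded policy (empty output means no rule exists).
avc_sesearch() {
    set -- $(avc_summary "$1")
    printf 'sesearch -A -s %s -t %s -c %s -p %s\n' "$1" "$2" "$3" "$4"
}

# avc_triage TEXT: one report line per denial plus the policy check to run.
avc_triage() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case $line in *"avc:"*"denied"*) ;; *) continue ;; esac
        echo "comm=$(avc_field comm "$line"): $(avc_summary "$line")"
        echo "  check: $(avc_sesearch "$line")"
        case "$(avc_summary "$line")" in
            *" postgresql_t unix_stream_socket connectto")
                # Assumed: the refpolicy postgresql.if interface for this access.
                echo "  hint: refpolicy grants this via postgresql_stream_connect(<domain>)" ;;
        esac
    done
}
avc_triage "$AVC_SAMPLE"
```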