[0/4] Proposal of SE-PostgreSQL patches


[0/4] Proposal of SE-PostgreSQL patches

Kouhei Kaigai
This series of patches is the proposal of Security-Enhanced PostgreSQL
(SE-PostgreSQL) for the upstream PostgreSQL 8.4 development cycle.

 [1/4] sepostgresql-pgace-8.4devel-3.patch
         provides PGACE (PostgreSQL Access Control Extension) framework
 [2/4] sepostgresql-sepgsql-8.4devel-3.patch
         provides SE-PostgreSQL feature, based on PGACE framework.
 [3/4] sepostgresql-pg_dump-8.4devel-3.patch
         enables pg_dump to dump database with security attribute.
 [4/4] sepostgresql-policy-8.4devel-3.patch
         provides the default security policy for SE-PostgreSQL.

We can provide a quick overview of SE-PostgreSQL at:
    http://code.google.com/p/sepgsql/wiki/WhatIsSEPostgreSQL

Any comments and suggestions are welcome.
Thanks,


ENVIRONMENT
-----------
Please confirm your environment.
The following are the requirements of SE-PostgreSQL.
 * Fedora 8 or later system
 * SELinux is enabled and working
 * kernel-2.6.24 or later
 * selinux-policy and selinux-policy-devel v3.0.8 or later
 * libselinux, policycoreutils

INSTALLATION
------------
$ tar jxvf postgresql-snapshot.tar.bz2
$ cd postgresql-snapshot
$ patch -p1 < ../sepostgresql-pgace-8.4devel-3.patch
$ patch -p1 < ../sepostgresql-sepgsql-8.4devel-3.patch
$ patch -p1 < ../sepostgresql-pg_dump-8.4devel-3.patch
$ patch -p1 < ../sepostgresql-policy-8.4devel-3.patch

$ ./configure --enable-selinux
$ make
$ make -C contrib/sepgsql-policy
$ su
# make install

# /usr/sbin/semodule -i contrib/sepgsql-policy/sepostgresql.pp
  (NOTE: semodule is a utility to load/unload security policy modules.)

# /sbin/restorecon -R /usr/local/pgsql
  (NOTE: restorecon is a utility to initialize the security contexts of files.)

SETUP
-----
# mkdir -p /opt/sepgsql
# chown foo_user:var_group /opt/sepgsql
# chcon -t postgresql_db_t /opt/sepgsql
  (NOTE: chcon is a utility to set the security context of files.)
# exit

$ /usr/sbin/run_init /usr/local/pgsql/bin/initdb -D /opt/sepgsql
  (NOTE: run_init is a utility to start a program as if it were launched from an init script.)
$ /usr/local/pgsql/bin/pg_ctl -D /opt/sepgsql start

--
OSS Platform Development Division, NEC
KaiGai Kohei <[hidden email]>

--
Sent via pgsql-hackers mailing list ([hidden email])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
[3/4] Proposal of SE-PostgreSQL patches

Kouhei Kaigai
[3/4] - sepostgresql-pg_dump-8.4devel-3.patch

This patch gives us a feature to dump a database with its security attributes.
It is turned on with the '--enable-selinux' option of pg_dump/pg_dumpall
when the server runs as the SE- version.
Needless to say, users need to have enough capabilities to dump the whole
database. The same applies when they try to restore the database.

--
OSS Platform Development Division, NEC
KaiGai Kohei <[hidden email]>

diff -rpNU3 pgace/src/bin/pg_dump/pg_dump.c sepgsql/src/bin/pg_dump/pg_dump.c
--- pgace/src/bin/pg_dump/pg_dump.c 2008-02-03 01:18:48.000000000 +0900
+++ sepgsql/src/bin/pg_dump/pg_dump.c 2008-02-03 01:26:35.000000000 +0900
@@ -118,6 +118,9 @@ static int g_numNamespaces;
 /* flag to turn on/off dollar quoting */
 static int disable_dollar_quoting = 0;
 
+/* flag to tuen on/off SE-PostgreSQL support */
+#define SELINUX_SYSATTR_NAME "security_context"
+static int enable_selinux = 0;
 
 static void help(const char *progname);
 static void expand_schema_name_patterns(SimpleStringList *patterns,
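Review bot: the comment above the new flag reads "tuen" for "turn", and the `#define SELINUX_SYSATTR_NAME` sits under a comment that describes `enable_selinux`, not the column name; give the macro its own one-line comment or move the flag first. The same `#define` is repeated verbatim in pg_dumpall.c in this patch; one definition in a header both programs already include (dumputils.h) keeps them from drifting apart.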
@@ -267,6 +270,7 @@ main(int argc, char **argv)
  {"disable-dollar-quoting", no_argument, &disable_dollar_quoting, 1},
  {"disable-triggers", no_argument, &disable_triggers, 1},
  {"use-set-session-authorization", no_argument, &use_setsessauth, 1},
+ {"enable-selinux", no_argument, &enable_selinux, 1},
 
  {NULL, 0, NULL, 0}
  };
@@ -419,6 +423,8 @@ main(int argc, char **argv)
  disable_triggers = 1;
  else if (strcmp(optarg, "use-set-session-authorization") == 0)
  use_setsessauth = 1;
+ else if (strcmp(optarg, "enable-selinux") == 0)
+ enable_selinux = 1;
  else
  {
  fprintf(stderr,
@@ -549,6 +555,24 @@ main(int argc, char **argv)
  std_strings = PQparameterStatus(g_conn, "standard_conforming_strings");
  g_fout->std_strings = (std_strings && strcmp(std_strings, "on") == 0);
 
+ if (enable_selinux) {
+ /* confirm whther server support SELinux features */
+ const char *tmp = PQparameterStatus(g_conn, "security_sysattr_name");
+
+ if (!tmp) {
+ write_msg(NULL, "could not get security_sysattr_name from libpq\n");
+ exit(1);
+ }
+ if (!!strcmp(SELINUX_SYSATTR_NAME, tmp) != 0) {
+ write_msg(NULL, "server does not have SELinux feature\n");
+ exit(1);
+ }
+ if (g_fout->remoteVersion < 80204) {
+ write_msg(NULL, "server version is too old (%u)\n", g_fout->remoteVersion);
+ exit(1);
+ }
+ }
+
  /* Set the datestyle to ISO to ensure the dump's portability */
  do_sql_command(g_conn, "SET DATESTYLE = ISO");
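Review bot: `if (!!strcmp(SELINUX_SYSATTR_NAME, tmp) != 0)` is a double negation that reads like a mistake; `if (strcmp(tmp, SELINUX_SYSATTR_NAME) != 0)` says the same thing. Two more points in this block: the `remoteVersion < 80204` floor does not match a series described as 8.4devel patches, so if the `security_sysattr_name` parameter only exists in the patched tree the constant should say so (80400); and the message "could not get security_sysattr_name from libpq" points the user at the wrong side, since the value is a ParameterStatus the server reports, so "server did not report security_sysattr_name" is more accurate. Also "whther" in the comment.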
 
@@ -771,6 +795,7 @@ help(const char *progname)
  printf(_("  --use-set-session-authorization\n"
  "                              use SESSION AUTHORIZATION commands instead of\n"
  "                              ALTER OWNER commands to set ownership\n"));
+ printf(_("  --enable-selinux            enable to dump security context in SE-PostgreSQL\n"));
 
  printf(_("\nConnection options:\n"));
  printf(_("  -h, --host=HOSTNAME      database server host or socket directory\n"));
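Review bot: the help text "enable to dump security context in SE-PostgreSQL" is ungrammatical; "dump security contexts (SE-PostgreSQL servers only)" fits the style of the neighbouring options. pg_dumpall's help for the same switch, later in this patch, says "security attribute" instead of "security context"; use one term in both places.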
@@ -1160,7 +1185,8 @@ dumpTableData_insert(Archive *fout, void
  if (fout->remoteVersion >= 70100)
  {
  appendPQExpBuffer(q, "DECLARE _pg_dump_cursor CURSOR FOR "
-  "SELECT * FROM ONLY %s",
+  "SELECT * %s FROM ONLY %s",
+  (!enable_selinux ? "" : "," SELINUX_SYSATTR_NAME),
   fmtQualifiedId(tbinfo->dobj.namespace->dobj.name,
  classname));
  }
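Review bot: the cursor now returns one extra `security_context` column, but nothing in this hunk changes how dumpTableData_insert turns each row into an INSERT statement; with `-d` (positional VALUES, no column list) the restore side receives one more value than the table has ordinary columns. Either force the column-name form whenever enable_selinux is set, or confirm that the patched server accepts `security_context` as a positional INSERT value, and say which in a comment here.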
@@ -1774,11 +1800,32 @@ dumpBlobComments(Archive *AH, void *arg)
  Oid blobOid;
  char   *comment;
 
+ blobOid = atooid(PQgetvalue(res, i, 0));
+
+ /* dump security context of binary large object */
+ if (enable_selinux) {
+ PGresult *__res;
+ char query[512];
+
+ snprintf(query, sizeof(query),
+ "SELECT lo_get_security(%u)", blobOid);
+ __res = PQexec(g_conn, query);
+ check_sql_result(__res, g_conn, query, PGRES_TUPLES_OK);
+
+ if (PQntuples(__res) != 1) {
+ write_msg(NULL, "lo_get_security(%u) returns %d tuples\n",
+  blobOid, PQntuples(__res));
+ exit_nicely();
+ }
+ archprintf(AH, "SELECT lo_set_security(%u, '%s');\n",
+   blobOid, PQgetvalue(__res, 0, 0));
+ PQclear(__res);
+ }
+
  /* ignore blobs without comments */
  if (PQgetisnull(res, i, 1))
  continue;
 
- blobOid = atooid(PQgetvalue(res, i, 0));
  comment = PQgetvalue(res, i, 1);
 
  printfPQExpBuffer(commentcmd, "COMMENT ON LARGE OBJECT %u IS ",
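Review bot: the value returned by `lo_get_security()` is written straight into `SELECT lo_set_security(%u, '%s');` without any quoting, so a context containing a single quote or backslash yields a statement that will not restore, and the dump's correctness should not rest on which strings the server accepts as labels; build the literal with appendStringLiteralAH as the rest of pg_dump does. Two style points: `__res` is a reserved identifier in C (leading double underscore), and a fixed `char query[512]` is used where a PQExpBuffer is the local convention.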
@@ -2886,6 +2933,7 @@ getTables(int *numTables)
  int i_owning_col;
  int i_reltablespace;
  int i_reloptions;
+ int i_selinux;
 
  /* Make sure we are in proper schema */
  selectSourceSchema("pg_catalog");
@@ -2926,6 +2974,7 @@ getTables(int *numTables)
   "d.refobjsubid as owning_col, "
   "(SELECT spcname FROM pg_tablespace t WHERE t.oid = c.reltablespace) AS reltablespace, "
   "array_to_string(c.reloptions, ', ') as reloptions "
+  "%s "
   "from pg_class c "
   "left join pg_depend d on "
   "(c.relkind = '%c' and "
@@ -2935,6 +2984,7 @@ getTables(int *numTables)
   "where relkind in ('%c', '%c', '%c', '%c') "
   "order by c.oid",
   username_subquery,
+  (!enable_selinux ? "" : ",c." SELINUX_SYSATTR_NAME),
   RELKIND_SEQUENCE,
   RELKIND_RELATION, RELKIND_SEQUENCE,
   RELKIND_VIEW, RELKIND_COMPOSITE_TYPE);
@@ -3101,6 +3151,7 @@ getTables(int *numTables)
  i_owning_col = PQfnumber(res, "owning_col");
  i_reltablespace = PQfnumber(res, "reltablespace");
  i_reloptions = PQfnumber(res, "reloptions");
+ i_selinux = PQfnumber(res, SELINUX_SYSATTR_NAME);
 
  for (i = 0; i < ntups; i++)
  {
@@ -3131,6 +3182,9 @@ getTables(int *numTables)
  }
  tblinfo[i].reltablespace = strdup(PQgetvalue(res, i, i_reltablespace));
  tblinfo[i].reloptions = strdup(PQgetvalue(res, i, i_reloptions));
+ tblinfo[i].relsecurity = NULL;
+ if (i_selinux >= 0)
+ tblinfo[i].relsecurity = strdup(PQgetvalue(res, i, i_selinux));
 
  /* other fields were zeroed above */
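Review bot: `tblinfo[i].relsecurity = strdup(PQgetvalue(res, i, i_selinux))` has no PQgetisnull check, unlike the column case in getTableAttrs later in this patch; PQgetvalue returns "" for a NULL, so relsecurity becomes an empty string that still passes the `if (tbinfo->relsecurity)` test in dumpTableSchema and is emitted as `CONTEXT = ''`. Guard it with `!PQgetisnull(res, i, i_selinux)` as getTableAttrs does.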
 
@@ -4319,6 +4373,7 @@ getTableAttrs(TableInfo *tblinfo, int nu
  int i_atthasdef;
  int i_attisdropped;
  int i_attislocal;
+ int i_attselinux;
  PGresult   *res;
  int ntups;
  bool hasdefaults;
@@ -4362,11 +4417,13 @@ getTableAttrs(TableInfo *tblinfo, int nu
  appendPQExpBuffer(q, "SELECT a.attnum, a.attname, a.atttypmod, a.attstattarget, a.attstorage, t.typstorage, "
   "a.attnotnull, a.atthasdef, a.attisdropped, a.attislocal, "
    "pg_catalog.format_type(t.oid,a.atttypmod) as atttypname "
+  "%s " /* security context, if required */
  "from pg_catalog.pg_attribute a left join pg_catalog.pg_type t "
   "on a.atttypid = t.oid "
   "where a.attrelid = '%u'::pg_catalog.oid "
   "and a.attnum > 0::pg_catalog.int2 "
   "order by a.attrelid, a.attnum",
+  (!enable_selinux ? "" : ",a." SELINUX_SYSATTR_NAME),
   tbinfo->dobj.catId.oid);
  }
  else if (g_fout->remoteVersion >= 70100)
@@ -4415,6 +4472,7 @@ getTableAttrs(TableInfo *tblinfo, int nu
  i_atthasdef = PQfnumber(res, "atthasdef");
  i_attisdropped = PQfnumber(res, "attisdropped");
  i_attislocal = PQfnumber(res, "attislocal");
+ i_attselinux = PQfnumber(res, SELINUX_SYSATTR_NAME);
 
  tbinfo->numatts = ntups;
  tbinfo->attnames = (char **) malloc(ntups * sizeof(char *));
@@ -4425,6 +4483,7 @@ getTableAttrs(TableInfo *tblinfo, int nu
  tbinfo->typstorage = (char *) malloc(ntups * sizeof(char));
  tbinfo->attisdropped = (bool *) malloc(ntups * sizeof(bool));
  tbinfo->attislocal = (bool *) malloc(ntups * sizeof(bool));
+ tbinfo->attsecurity = (char **) malloc(ntups * sizeof(char *));
  tbinfo->notnull = (bool *) malloc(ntups * sizeof(bool));
  tbinfo->attrdefs = (AttrDefInfo **) malloc(ntups * sizeof(AttrDefInfo *));
  tbinfo->inhAttrs = (bool *) malloc(ntups * sizeof(bool));
@@ -4456,6 +4515,11 @@ getTableAttrs(TableInfo *tblinfo, int nu
  tbinfo->inhAttrs[j] = false;
  tbinfo->inhAttrDef[j] = false;
  tbinfo->inhNotNull[j] = false;
+
+ /* security attribute, if defined */
+ tbinfo->attsecurity[j] = NULL;
+ if (i_attselinux >= 0 && !PQgetisnull(res, j, i_attselinux))
+ tbinfo->attsecurity[j] = strdup(PQgetvalue(res, j, i_attselinux));
  }
 
  PQclear(res);
@@ -6428,6 +6492,7 @@ dumpFunc(Archive *fout, FuncInfo *finfo)
  char   *proconfig;
  char   *procost;
  char   *prorows;
+ char   *proselinux = NULL;
  char   *lanname;
  char   *rettypename;
  int nallargs;
@@ -6459,8 +6524,10 @@ dumpFunc(Archive *fout, FuncInfo *finfo)
   "provolatile, proisstrict, prosecdef, "
   "proconfig, procost, prorows, "
   "(SELECT lanname FROM pg_catalog.pg_language WHERE oid = prolang) as lanname "
+  "%s " /* security context, if required */
   "FROM pg_catalog.pg_proc "
   "WHERE oid = '%u'::pg_catalog.oid",
+  (!enable_selinux ? "" : "," SELINUX_SYSATTR_NAME),
   finfo->dobj.catId.oid);
  }
  else if (g_fout->remoteVersion >= 80100)
@@ -6562,6 +6629,13 @@ dumpFunc(Archive *fout, FuncInfo *finfo)
  prorows = PQgetvalue(res, 0, PQfnumber(res, "prorows"));
  lanname = PQgetvalue(res, 0, PQfnumber(res, "lanname"));
 
+ if (enable_selinux) {
+ int i_selinux = PQfnumber(res, "security_context");
+
+ if (i_selinux >= 0 && !PQgetisnull(res, 0, i_selinux))
+ proselinux = PQgetvalue(res, 0, i_selinux);
+ }
+
  /*
  * See backend/commands/define.c for details of how the 'AS' clause is
  * used.
@@ -6698,6 +6772,9 @@ dumpFunc(Archive *fout, FuncInfo *finfo)
  if (prosecdef[0] == 't')
  appendPQExpBuffer(q, " SECURITY DEFINER");
 
+ if (proselinux)
+ appendPQExpBuffer(q, " CONTEXT = '%s'", proselinux);
+
  /*
  * COST and ROWS are emitted only if present and not default, so as not to
  * break backwards-compatibility of the dump without need. Keep this code
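Review bot: `appendPQExpBuffer(q, " CONTEXT = '%s'", proselinux)` interpolates the context into the CREATE FUNCTION text with no quoting, while every other string in dumpFunc goes through appendStringLiteralAH(q, ..., fout); use the same call here so single quotes and, with standard_conforming_strings off, backslashes are handled consistently with the rest of the dump.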
@@ -8779,6 +8856,9 @@ dumpTableSchema(Archive *fout, TableInfo
  if (tbinfo->notnull[j] && !tbinfo->inhNotNull[j])
  appendPQExpBuffer(q, " NOT NULL");
 
+ if (enable_selinux && tbinfo->attsecurity[j])
+ appendPQExpBuffer(q, " CONTEXT = '%s'", tbinfo->attsecurity[j]);
+
  actual_atts++;
  }
  }
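Review bot: the per-column `CONTEXT = '%s'` has the same unquoted interpolation as the function case; pass tbinfo->attsecurity[j] through appendStringLiteralAH. The `enable_selinux &&` test is redundant here, since attsecurity[j] is only ever set when the column was requested, but it does no harm.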
@@ -8826,6 +8906,9 @@ dumpTableSchema(Archive *fout, TableInfo
  if (tbinfo->reloptions && strlen(tbinfo->reloptions) > 0)
  appendPQExpBuffer(q, "\nWITH (%s)", tbinfo->reloptions);
 
+ if (enable_selinux && tbinfo->relsecurity)
+ appendPQExpBuffer(q, " CONTEXT = '%s'", tbinfo->relsecurity);
+
  appendPQExpBuffer(q, ";\n");
 
  /* Loop dumping statistics and storage statements */
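Review bot: `if (enable_selinux && tbinfo->relsecurity)` does not catch the empty string that getTables stores for a NULL context (strdup of PQgetvalue's ""), so such a table is emitted with `CONTEXT = ''`; test for `relsecurity[0] != '\0'` or fix the NULL handling in getTables. The literal also needs appendStringLiteralAH rather than a bare `'%s'`.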
@@ -10243,6 +10326,12 @@ fmtCopyColumnList(const TableInfo *ti)
 
  appendPQExpBuffer(q, "(");
  needComma = false;
+
+ if (enable_selinux) {
+ appendPQExpBuffer(q, SELINUX_SYSATTR_NAME);
+ needComma = true;
+ }
+
  for (i = 0; i < numatts; i++)
  {
  if (attisdropped[i])
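Review bot: presetting `needComma = true` before the loop changes behaviour for a table whose columns are all dropped: if, as in stock pg_dump, fmtCopyColumnList uses needComma after the loop to decide whether to return an empty list, that table now gets `(security_context)` and a COPY with a column list. Separately, this only edits the column list of the emitted `COPY ... FROM stdin`; the matching change that selects security_context into the COPY data in dumpTableData_copy is not in the patch as posted, so please confirm the column counts agree on restore.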
diff -rpNU3 pgace/src/bin/pg_dump/pg_dump.h sepgsql/src/bin/pg_dump/pg_dump.h
--- pgace/src/bin/pg_dump/pg_dump.h 2008-01-08 01:39:49.000000000 +0900
+++ sepgsql/src/bin/pg_dump/pg_dump.h 2008-01-10 18:25:12.000000000 +0900
@@ -238,6 +238,7 @@ typedef struct _tableInfo
  char relkind;
  char   *reltablespace; /* relation tablespace */
  char   *reloptions; /* options specified by WITH (...) */
+ char   *relsecurity; /* security attribute of the relation */
  bool hasindex; /* does it have any indexes? */
  bool hasrules; /* does it have any rules? */
  bool hasoids; /* does it have OIDs? */
@@ -262,6 +263,7 @@ typedef struct _tableInfo
  char   *typstorage; /* type storage scheme */
  bool   *attisdropped; /* true if attr is dropped; don't dump it */
  bool   *attislocal; /* true if attr has local definition */
+ char  **attsecurity; /* security attribute of attribute (column) */
 
  /*
  * Note: we need to store per-attribute notnull, default, and constraint
diff -rpNU3 pgace/src/bin/pg_dump/pg_dumpall.c sepgsql/src/bin/pg_dump/pg_dumpall.c
--- pgace/src/bin/pg_dump/pg_dumpall.c 2008-01-08 01:39:49.000000000 +0900
+++ sepgsql/src/bin/pg_dump/pg_dumpall.c 2008-01-10 18:25:12.000000000 +0900
@@ -67,6 +67,10 @@ static int disable_triggers = 0;
 static int use_setsessauth = 0;
 static int server_version;
 
+/* flag to tuen on/off SE-PostgreSQL support */
+#define SELINUX_SYSATTR_NAME "security_context"
+static int  enable_selinux = 0;
+
 static FILE *OPF;
 static char *filename = NULL;
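Review bot: "tuen" again in the comment, and `#define SELINUX_SYSATTR_NAME "security_context"` is a verbatim copy of the one in pg_dump.c; define it once in a shared header so the two programs cannot disagree about the column name.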
 
@@ -119,6 +123,7 @@ main(int argc, char *argv[])
  {"disable-dollar-quoting", no_argument, &disable_dollar_quoting, 1},
  {"disable-triggers", no_argument, &disable_triggers, 1},
  {"use-set-session-authorization", no_argument, &use_setsessauth, 1},
+ {"enable-selinux", no_argument, NULL, 1001},
 
  {NULL, 0, NULL, 0}
  };
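Review bot: `{"enable-selinux", no_argument, NULL, 1001}` introduces a new option code while the neighbouring options use the `&flag, 1` form and pg_dumpall appends the corresponding `--disable-...` switch to pgdumpopts after the getopt loop. Following that existing pattern (set `enable_selinux` here, append ` --enable-selinux` once afterwards) removes both the `case 1001` arm and the duplicated append in the `-X` compatibility branch that the next hunks add.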
@@ -290,6 +295,10 @@ main(int argc, char *argv[])
  appendPQExpBuffer(pgdumpopts, " --disable-triggers");
  else if (strcmp(optarg, "use-set-session-authorization") == 0)
  /* no-op, still allowed for compatibility */ ;
+ else if (strcmp(optarg, "enable-selinux") == 0) {
+ appendPQExpBuffer(pgdumpopts, " --enable-selinux");
+ enable_selinux = 1;
+ }
  else
  {
  fprintf(stderr,
@@ -300,6 +309,11 @@ main(int argc, char *argv[])
  }
  break;
 
+ case 1001:
+ appendPQExpBuffer(pgdumpopts, " --enable-selinux");
+ enable_selinux = 1;
+ break;
+
  case 0:
  break;
 
@@ -391,6 +405,24 @@ main(int argc, char *argv[])
  }
  }
 
+ if (enable_selinux) {
+        /* confirm whther server support SELinux features */
+        const char *tmp = PQparameterStatus(conn, "security_sysattr_name");
+
+        if (!tmp) {
+ fprintf(stderr, "could not get security_sysattr_name from libpq\n");
+            exit(1);
+        }
+        if (!!strcmp(SELINUX_SYSATTR_NAME, tmp) != 0) {
+ fprintf(stderr, "server does not have SELinux feature\n");
+            exit(1);
+        }
+        if (server_version < 80204) {
+ fprintf(stderr, "server version is too old (%u)\n", server_version);
+            exit(1);
+        }
+ }
+
  /*
  * Open the output file if required, otherwise use stdout
  */
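Review bot: indentation in this block mixes 8-space runs with the file's tabs (visible on the `exit(1);` lines); reindent with tabs. It also repeats the `!!strcmp(...) != 0` idiom and the "whther" typo from pg_dump.c, and prints `server_version`, an int, with `%u`.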
@@ -505,6 +537,7 @@ help(void)
  printf(_("  --use-set-session-authorization\n"
  "                           use SESSION AUTHORIZATION commands instead of\n"
  "                           OWNER TO commands\n"));
+ printf(_("  --enable-selinux         enable to dump security attribute\n"));
 
  printf(_("\nConnection options:\n"));
  printf(_("  -h, --host=HOSTNAME      database server host or socket directory\n"));
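Review bot: "enable to dump security attribute" is ungrammatical; "dump security attributes (SE-PostgreSQL servers only)" reads naturally, and the term should match pg_dump's help line for the same switch, which says "security context".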
@@ -915,16 +948,18 @@ dumpCreateDB(PGconn *conn)
  fprintf(OPF, "--\n-- Database creation\n--\n\n");
 
  if (server_version >= 80100)
- res = executeQuery(conn,
+ appendPQExpBuffer(buf,
    "SELECT datname, "
    "coalesce(rolname, (select rolname from pg_authid where oid=(select datdba from pg_database where datname='template0'))), "
    "pg_encoding_to_char(d.encoding), "
    "datistemplate, datacl, datconnlimit, "
    "(SELECT spcname FROM pg_tablespace t WHERE t.oid = d.dattablespace) AS dattablespace "
+   "%s "
   "FROM pg_database d LEFT JOIN pg_authid u ON (datdba = u.oid) "
-   "WHERE datallowconn ORDER BY 1");
+   "WHERE datallowconn ORDER BY 1",
+   (!enable_selinux ? "" : "d." SELINUX_SYSATTR_NAME));
  else if (server_version >= 80000)
- res = executeQuery(conn,
+ appendPQExpBuffer(buf,
    "SELECT datname, "
    "coalesce(usename, (select usename from pg_shadow where usesysid=(select datdba from pg_database where datname='template0'))), "
    "pg_encoding_to_char(d.encoding), "
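Review bot: the format argument for the 8.1+ query is missing its leading comma: `(!enable_selinux ? "" : "d." SELINUX_SYSATTR_NAME)` is substituted directly after `AS dattablespace`, producing `... AS dattablespace d.security_context FROM pg_database d ...`, a syntax error, so `--enable-selinux` cannot work in pg_dumpall at all. Compare the `",c." SELINUX_SYSATTR_NAME` form used in pg_dump.c. Only this branch requests the column, which agrees with the 80204 floor in main, but a comment saying so would help.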
@@ -933,7 +968,7 @@ dumpCreateDB(PGconn *conn)
    "FROM pg_database d LEFT JOIN pg_shadow u ON (datdba = usesysid) "
    "WHERE datallowconn ORDER BY 1");
  else if (server_version >= 70300)
- res = executeQuery(conn,
+ appendPQExpBuffer(buf,
    "SELECT datname, "
    "coalesce(usename, (select usename from pg_shadow where usesysid=(select datdba from pg_database where datname='template0'))), "
    "pg_encoding_to_char(d.encoding), "
@@ -942,7 +977,7 @@ dumpCreateDB(PGconn *conn)
    "FROM pg_database d LEFT JOIN pg_shadow u ON (datdba = usesysid) "
    "WHERE datallowconn ORDER BY 1");
  else if (server_version >= 70100)
- res = executeQuery(conn,
+ appendPQExpBuffer(buf,
    "SELECT datname, "
    "coalesce("
  "(select usename from pg_shadow where usesysid=datdba), "
@@ -958,7 +993,7 @@ dumpCreateDB(PGconn *conn)
  * Note: 7.0 fails to cope with sub-select in COALESCE, so just deal
  * with getting a NULL by not printing any OWNER clause.
  */
- res = executeQuery(conn,
+ appendPQExpBuffer(buf,
    "SELECT datname, "
  "(select usename from pg_shadow where usesysid=datdba), "
    "pg_encoding_to_char(d.encoding), "
@@ -968,6 +1003,7 @@ dumpCreateDB(PGconn *conn)
    "FROM pg_database d "
    "ORDER BY 1");
  }
+ res = executeQuery(conn, buf->data);
 
  for (i = 0; i < PQntuples(res); i++)
  {
@@ -978,6 +1014,7 @@ dumpCreateDB(PGconn *conn)
  char   *dbacl = PQgetvalue(res, i, 4);
  char   *dbconnlimit = PQgetvalue(res, i, 5);
  char   *dbtablespace = PQgetvalue(res, i, 6);
+ char   *dbsecurity = PQgetvalue(res, i, 7);
  char   *fdbname;
 
  fdbname = strdup(fmtId(dbname));
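Review bot: `PQgetvalue(res, i, 7)` is evaluated unconditionally, but column 7 exists only when enable_selinux is set and the 8.1+ query ran; otherwise libpq returns NULL and prints "column number 7 is out of range 0..6" on stderr for every database. Fetch it only under `if (enable_selinux)`, or locate it with `PQfnumber(res, SELINUX_SYSATTR_NAME)` and a `>= 0` check, and initialise dbsecurity to NULL.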
@@ -1021,6 +1058,9 @@ dumpCreateDB(PGconn *conn)
  appendPQExpBuffer(buf, " CONNECTION LIMIT = %s",
   dbconnlimit);
 
+ if (enable_selinux && dbsecurity)
+ appendPQExpBuffer(buf, " CONTEXT = '%s'", dbsecurity);
+
  appendPQExpBuffer(buf, ";\n");
 
  if (strcmp(dbistemplate, "t") == 0)
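Review bot: `CONTEXT = '%s'` again writes the context into the CREATE DATABASE statement without quoting; pg_dumpall already uses appendStringLiteralConn(buf, ..., conn) for its other literals, so use it here too.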


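The patch above writes each security context into the dump with a bare `'%s'`, both in the `CONTEXT = '%s'` clauses and in `lo_set_security(%u, '%s')`. The C below is an added example for this review, not code from the SE-PostgreSQL patches or from pg_dump; it shows the two checks a dump writer would apply before emitting such a label: a syntax check that the string really is a `user:role:type[:range]` context, and SQL literal quoting that follows the rule pg_dump's appendStringLiteral applies (single quotes doubled, backslashes doubled as well when standard_conforming_strings is off). The function names, the context grammar and the sample inputs, including the deliberately malformed one, are this example's own assumptions.

```c
/* Added example (not part of the SE-PostgreSQL patches or of pg_dump): check
 * an SELinux context and quote it as a SQL literal before it is written into
 * a dump as CONTEXT = '...' or lo_set_security(oid, '...').
 * Assumed context grammar: user:role:type[:range]. */
#include <stdio.h>
#include <string.h>

/* Returns 1 if ctx is user:role:type or user:role:type:range, else 0. */
int sepgsql_context_is_valid(const char *ctx)
{
    static const char field_ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.-";
    static const char range_ok[] =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_.,:-";
    const char *p = ctx;
    int field;

    if (ctx == NULL)
        return 0;
    for (field = 0; field < 3; field++)     /* user, role, type */
    {
        size_t n = strspn(p, field_ok);

        if (n == 0 || (field < 2 && p[n] != ':'))
            return 0;                       /* empty or missing field */
        p += n + (field < 2 ? 1 : 0);       /* skip the separating ':' */
    }
    if (*p == '\0')                         /* no MLS/MCS range: valid */
        return 1;
    if (*p != ':' || p[1] == '\0')          /* junk after type, or empty range */
        return 0;
    p++;
    return p[strspn(p, range_ok)] == '\0';  /* e.g. s0 or s0-s0:c0.c1023 */
}

/* Quote s as a SQL string literal into out: single quotes are doubled, and
 * backslashes are doubled too when standard_conforming_strings is off, the
 * same rule pg_dump's appendStringLiteral() applies. Returns the length
 * written (without the NUL), or -1 if out cannot hold the result. */
int sql_quote_literal(const char *s, int std_strings, char *out, size_t outlen)
{
    size_t need = 3;                        /* two quotes and the NUL */
    const char *p;
    char *d = out;

    for (p = s; *p != '\0'; p++)
        need += (*p == '\'' || (!std_strings && *p == '\\')) ? 2 : 1;
    if (need > outlen)
        return -1;
    *d++ = '\'';
    for (p = s; *p != '\0'; p++)
    {
        if (*p == '\'' || (!std_strings && *p == '\\'))
            *d++ = *p;                      /* emit the character twice */
        *d++ = *p;
    }
    *d++ = '\'';
    *d = '\0';
    return (int) (d - out);
}

/* Build the " CONTEXT = '...'" clause the patch appends to CREATE statements.
 * Returns its length, or -1 if ctx is malformed or out is too small; a dump
 * writer that gets -1 should abort rather than emit the label. */
int sepgsql_context_clause(const char *ctx, int std_strings, char *out, size_t outlen)
{
    static const char prefix[] = " CONTEXT = ";
    size_t plen = sizeof(prefix) - 1;
    int n;

    if (!sepgsql_context_is_valid(ctx) || outlen <= plen)
        return -1;
    memcpy(out, prefix, plen);
    n = sql_quote_literal(ctx, std_strings, out + plen, outlen - plen);
    return n < 0 ? -1 : (int) plen + n;
}

int main(void)
{
    /* Constructed inputs: two labels as SE-PostgreSQL reports them and one
     * deliberately malformed string that must be rejected, not emitted. */
    const char *samples[] = {
        "system_u:object_r:sepgsql_table_t:s0",
        "system_u:object_r:sepgsql_secret_table_t",
        "system_u:object_r:x'); DROP TABLE t; --",
    };
    char clause[128];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
    {
        if (sepgsql_context_clause(samples[i], 1, clause, sizeof(clause)) < 0)
            printf("rejected: %s\n", samples[i]);
        else
            printf("emit:%s\n", clause);
    }
    return 0;
}
```

Rejecting a malformed context is the right failure mode for a dump writer: a label that fails the syntax check could not be restored anyway, and emitting it verbatim would let whoever can attach such a label to a table or blob place arbitrary text in the restore script.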
[4/4] Proposal of SE-PostgreSQL patches

Kouhei Kaigai
[4/4] - sepostgresql-policy-8.4devel-3.patch

This patch gives us the default security policy for SE-PostgreSQL.
You can build it as a security policy module; it can be linked with
the existing distributor's policy and reloaded.

--
OSS Platform Development Division, NEC
KaiGai Kohei <[hidden email]>

diff -rpNU3 pgace/contrib/sepgsql-policy/Makefile sepgsql/contrib/sepgsql-policy/Makefile
--- pgace/contrib/sepgsql-policy/Makefile 1970-01-01 09:00:00.000000000 +0900
+++ sepgsql/contrib/sepgsql-policy/Makefile 2008-03-12 20:00:04.000000000 +0900
@@ -0,0 +1,20 @@
+# SE-PostgreSQL Security Policy
+#------------------------------
+
+SHAREDIR := /usr/share/selinux
+
+AWK ?= gawk
+NAME ?= $(strip $(shell $(AWK) -F= '/^SELINUXTYPE/{ print $$2 }' /etc/selinux/config))
+
+SELINUX_POLICY := /usr/share/selinux
+
+all: sepostgresql.pp
+
+install: all
+ install -m 0644 sepostgresql.pp $(SELINUX_POLICY)/$(NAME)
+
+sepostgresql.pp: sepostgresql.te sepostgresql.if sepostgresql.fc
+ make -f $(SELINUX_POLICY)/devel/Makefile NAME=$(NAME)
+
+clean:
+ make -f $(SELINUX_POLICY)/devel/Makefile NAME=$(NAME) clean
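Review bot: SHAREDIR is defined and never used, and SELINUX_POLICY repeats the same path; keep one. The recursive invocations should be `$(MAKE) -f ...` rather than `make -f ...` so that flags and parallelism propagate. NAME is scraped from /etc/selinux/config; when that file is missing or has no SELINUXTYPE line, NAME is empty and `install` writes sepostgresql.pp into /usr/share/selinux/ itself, so fail early with a clear error when NAME is empty.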
diff -rpNU3 pgace/contrib/sepgsql-policy/sepostgresql.fc sepgsql/contrib/sepgsql-policy/sepostgresql.fc
--- pgace/contrib/sepgsql-policy/sepostgresql.fc 1970-01-01 09:00:00.000000000 +0900
+++ sepgsql/contrib/sepgsql-policy/sepostgresql.fc 2008-03-13 10:21:48.000000000 +0900
@@ -0,0 +1,17 @@
+#
+# SE-PostgreSQL install path
+#
+/usr/bin/sepostgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/initdb.sepgsql -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
+
+/var/lib/sepgsql(/.*)? gen_context(system_u:object_r:postgresql_db_t,s0)
+/var/lib/sepgsql/pgstartup\.log gen_context(system_u:object_r:postgresql_log_t,s0)
+/var/log/sepostgresql\.log.* -- gen_context(system_u:object_r:postgresql_log_t,s0)
+
+#
+# For source installation
+#
+/usr/local/pgsql/bin/postgres -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/local/pgsql/bin/initdb -- gen_context(system_u:object_r:postgresql_exec_t,s0)
+/usr/local/pgsql/bin/pg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
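Review bot: pg_ctl is labelled initrc_exec_t, so the SETUP step `pg_ctl -D /opt/sepgsql start` only lands the server in postgresql_t if the invoking domain is allowed to transition through initrc_exec_t; that holds for an unconfined shell but not for confined user domains, and the README uses run_init for initdb while relying on this implicit transition for pg_ctl. Document which invocation is supported, or use run_init for both. The file also hard-codes /usr/local/pgsql, so a build with any other `--prefix` gets no labels and the `restorecon -R` step in the README silently does nothing.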
diff -rpNU3 pgace/contrib/sepgsql-policy/sepostgresql.if sepgsql/contrib/sepgsql-policy/sepostgresql.if
--- pgace/contrib/sepgsql-policy/sepostgresql.if 1970-01-01 09:00:00.000000000 +0900
+++ sepgsql/contrib/sepgsql-policy/sepostgresql.if 2008-03-12 20:00:04.000000000 +0900
@@ -0,0 +1,88 @@
+########################################
+## <summary>
+##      Marks the specified domain as SE-PostgreSQL server process.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to be marked
+##      </summary>
+## </param>
+#
+interface(`sepgsql_server_domain',`
+ gen_require(`
+ attribute sepgsql_server_type;
+ ')
+ typeattribute $1 sepgsql_server_type;
+')
+
+########################################
+## <summary>
+##      Allow the specified domain unconfined accesses to any database objects
+##  managed by SE-PostgreSQL,
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`sepgsql_unconfined_domain',`
+ gen_require(`
+ attribute sepgsql_unconfined_type;
+ attribute sepgsql_client_type;
+ ')
+ typeattribute $1 sepgsql_unconfined_type;
+ typeattribute $1 sepgsql_client_type;
+')
+
+########################################
+## <summary>
+##      Allow the specified domain unprivileged accesses to any database objects
+##  managed by SE-PostgreSQL,
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`sepgsql_client_domain',`
+ gen_require(`
+ attribute sepgsql_client_type;
+ ')
+ typeattribute $1 sepgsql_client_type;
+')
+
+########################################
+## <summary>
+##      Allow the specified role to invoke trusted procedures
+## </summary>
+## <param name="role">
+##  <summary>
+##  The role associated with the domain.
+##  </summary>
+## </param>
+#
+interface(`sepgsql_trusted_procedure_role',`
+ gen_require(`
+ type sepgsql_trusted_domain_t;
+ ')
+ role $1 types sepgsql_trusted_domain_t;
+')
+
+########################################
+## <summary>
+##     Marks as a SE-PostgreSQL loadable shared library module
+## </summary>
+## <param name="type">
+##     <summary>
+##     Type marked as a database object type.
+##     </summary>
+## </param>
+#
+interface(`sepgsql_loadable_module',`
+ gen_require(`
+ attribute sepgsql_module_type;
+ ')
+ typeattribute $1 sepgsql_module_type;
+')
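Review bot: the parameter summary of sepgsql_loadable_module says "Type marked as a database object type", but the interface marks a loadable module type; fix the description. Two summaries end in a stray comma ("managed by SE-PostgreSQL,"). sepgsql_trusted_procedure_role only pairs the role with sepgsql_trusted_domain_t; the `process transition` allow and the type_transition on sepgsql_trusted_proc_t are granted to sepgsql_client_type in the .te, so the doc should say the caller's domain must also be a sepgsql_client_domain for the interface to be useful.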
diff -rpNU3 pgace/contrib/sepgsql-policy/sepostgresql.te sepgsql/contrib/sepgsql-policy/sepostgresql.te
--- pgace/contrib/sepgsql-policy/sepostgresql.te 1970-01-01 09:00:00.000000000 +0900
+++ sepgsql/contrib/sepgsql-policy/sepostgresql.te 2008-03-12 20:00:04.000000000 +0900
@@ -0,0 +1,353 @@
+policy_module(sepostgresql, 3.01)
+
+gen_require(`
+        class db_database all_db_database_perms;
+        class db_table all_db_table_perms;
+        class db_procedure all_db_procedure_perms;
+        class db_column all_db_column_perms;
+        class db_tuple all_db_tuple_perms;
+        class db_blob all_db_blob_perms;
+
+ type postgresql_t, unlabeled_t;
+ attribute domain, file_type;
+
+ role system_r;
+')
+
+#################################
+#
+# SE-PostgreSQL Boolean declarations
+#
+
+## <desc>
+## <p>
+## Allow to enable unconfined domains
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_unconfined, true)
+
+## <desc>
+## <p>
+## Allow to generate auditallow logs
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_auditallow, false)
+
+## <desc>
+## <p>
+## Allow to generate auditdeny logs
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_auditdeny,  true)
+
+## <desc>
+## <p>
+## Allow to generate audit(allow|deny) logs for tuples
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_audittuple, false)
+
+## <desc>
+## <p>
+## Allow unprivileged users to execute DDL statement
+## </p>
+## </desc>
+gen_tunable(sepgsql_enable_users_ddl,  true)
+
+#################################
+#
+# SE-PostgreSQL Type/Attribute declarations
+#
+
+# database subjects
+attribute sepgsql_server_type;
+attribute sepgsql_client_type;
+attribute sepgsql_unconfined_type;
+
+# database objects attribute
+attribute sepgsql_database_type;
+attribute sepgsql_table_type;
+attribute sepgsql_procedure_type;
+attribute sepgsql_blob_type;
+attribute sepgsql_module_type;
+
+# database trusted domain
+type sepgsql_trusted_domain_t;
+
+# database object types
+type sepgsql_db_t, sepgsql_database_type;
+
+type sepgsql_table_t, sepgsql_table_type;
+type sepgsql_sysobj_t, sepgsql_table_type;
+type sepgsql_secret_table_t, sepgsql_table_type;
+type sepgsql_ro_table_t, sepgsql_table_type;
+type sepgsql_fixed_table_t, sepgsql_table_type;
+
+type sepgsql_proc_t, sepgsql_procedure_type;
+type sepgsql_user_proc_t, sepgsql_procedure_type;
+type sepgsql_trusted_proc_t, sepgsql_procedure_type;
+
+type sepgsql_blob_t, sepgsql_blob_type;
+type sepgsql_ro_blob_t, sepgsql_blob_type;
+type sepgsql_secret_blob_t, sepgsql_blob_type;
+
+typeattribute unlabeled_t sepgsql_database_type;
+typeattribute unlabeled_t sepgsql_table_type;
+typeattribute unlabeled_t sepgsql_procedure_type;
+typeattribute unlabeled_t sepgsql_blob_type;
+
+########################################
+#
+# SE-PostgreSQL Server Local policy
+#                    (sepgsql_server_type)
+allow sepgsql_server_type self : netlink_selinux_socket create_socket_perms;
+selinux_get_fs_mount(sepgsql_server_type)
+selinux_get_enforce_mode(sepgsql_server_type)
+selinux_validate_context(sepgsql_server_type)
+selinux_compute_access_vector(sepgsql_server_type)
+selinux_compute_create_context(sepgsql_server_type)
+selinux_compute_relabel_context(sepgsql_server_type)
+
+allow sepgsql_server_type sepgsql_database_type : db_database *;
+allow sepgsql_server_type sepgsql_module_type : db_database { install_module };
+allow sepgsql_server_type sepgsql_table_type : { db_table db_column db_tuple } *;
+allow sepgsql_server_type sepgsql_procedure_type : db_procedure *;
+allow sepgsql_server_type sepgsql_blob_type : db_blob *;
+
+# server specific type transitions
+type_transition sepgsql_server_type sepgsql_database_type : db_table sepgsql_sysobj_t;
+type_transition sepgsql_server_type sepgsql_database_type : db_procedure sepgsql_proc_t;
+
+########################################
+#
+# SE-PostgreSQL Administrative domain local policy
+#                    (sepgsql_unconfined_type)
+
+tunable_policy(`sepgsql_enable_unconfined',`
+ allow sepgsql_unconfined_type sepgsql_database_type : db_database *;
+ allow sepgsql_unconfined_type sepgsql_module_type : db_database { install_module };
+ allow sepgsql_unconfined_type sepgsql_table_type : { db_table db_column db_tuple } *;
+ allow sepgsql_unconfined_type { sepgsql_procedure_type - sepgsql_user_proc_t } : db_procedure *;
+ allow sepgsql_unconfined_type sepgsql_user_proc_t : db_procedure { create drop getattr setattr relabelfrom relabelto };
+ allow sepgsql_unconfined_type sepgsql_blob_type : db_blob *;
+ allow sepgsql_unconfined_type postgresql_t : db_blob { import export };
+
+ type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure sepgsql_proc_t;
+',`
+ type_transition { sepgsql_unconfined_type - sepgsql_server_type } sepgsql_database_type : db_procedure sepgsql_user_proc_t;
+')
+
+########################################
+#
+# SE-PostgreSQL Users domain local policy
+#                     (sepgsql_client_type)
+
+allow sepgsql_client_type sepgsql_db_t : db_database { getattr access get_param set_param};
+
+allow sepgsql_client_type sepgsql_table_t : db_table { getattr use select update insert delete };
+allow sepgsql_client_type sepgsql_table_t : db_column { getattr use select update insert };
+allow sepgsql_client_type sepgsql_table_t : db_tuple { use select update insert delete };
+
+allow sepgsql_client_type sepgsql_sysobj_t : db_table { getattr use select };
+allow sepgsql_client_type sepgsql_sysobj_t : db_column { getattr use select };
+allow sepgsql_client_type sepgsql_sysobj_t : db_tuple { use select };
+tunable_policy(`sepgsql_enable_users_ddl',`
+ allow sepgsql_client_type sepgsql_table_t : db_table { create drop setattr };
+ allow sepgsql_client_type sepgsql_table_t : db_column { create drop setattr };
+ allow sepgsql_client_type sepgsql_sysobj_t : db_tuple { update insert delete };
+')
+
+allow sepgsql_client_type sepgsql_secret_table_t : db_table { getattr };
+allow sepgsql_client_type sepgsql_secret_table_t : db_column { getattr };
+
+allow sepgsql_client_type sepgsql_ro_table_t : db_table { getattr use select };
+allow sepgsql_client_type sepgsql_ro_table_t : db_column { getattr use select };
+allow sepgsql_client_type sepgsql_ro_table_t : db_tuple { use select };
+
+allow sepgsql_client_type sepgsql_fixed_table_t : db_table { getattr use select insert };
+allow sepgsql_client_type sepgsql_fixed_table_t : db_column { getattr use select insert };
+allow sepgsql_client_type sepgsql_fixed_table_t : db_tuple { use select insert };
+
+allow sepgsql_client_type sepgsql_proc_t : db_procedure { getattr execute };
+allow { sepgsql_client_type - sepgsql_unconfined_type } sepgsql_user_proc_t : db_procedure { create drop getattr setattr execute };
+allow sepgsql_client_type sepgsql_trusted_proc_t : db_procedure { getattr execute entrypoint };
+
+allow sepgsql_client_type sepgsql_blob_t : db_blob { create drop getattr setattr read write };
+allow sepgsql_client_type sepgsql_ro_blob_t : db_blob { getattr read };
+allow sepgsql_client_type sepgsql_secret_blob_t : db_blob { getattr };
+
+# call trusted procedure
+type_transition sepgsql_client_type sepgsql_trusted_proc_t : process sepgsql_trusted_domain_t;
+allow sepgsql_client_type sepgsql_trusted_domain_t : process { transition };
+
+# type transitions for rest of domains
+type_transition domain domain : db_database sepgsql_db_t;
+type_transition { domain - sepgsql_server_type } sepgsql_database_type : db_table sepgsql_table_t;
+type_transition { domain - sepgsql_server_type - sepgsql_unconfined_type } sepgsql_database_type : db_procedure sepgsql_user_proc_t;
+type_transition domain sepgsql_database_type : db_blob sepgsql_blob_t;
+
+########################################
+#
+# SE-PostgreSQL Misc policies
+#
+
+# Trusted Procedure Domain
+domain_type(sepgsql_trusted_domain_t)
+role system_r types sepgsql_trusted_domain_t;
+sepgsql_unconfined_domain(sepgsql_trusted_domain_t)
+
+# The following permissions are allowed, even if sepgsql_enable_unconfined is disabled.
+allow sepgsql_trusted_domain_t sepgsql_database_type : db_database { getattr setattr access get_param set_param};
+allow sepgsql_trusted_domain_t sepgsql_table_type : db_table { getattr use select update insert delete lock };
+allow sepgsql_trusted_domain_t sepgsql_table_type : db_column { getattr use select update insert };
+allow sepgsql_trusted_domain_t sepgsql_table_type : db_tuple { use select update insert delete };
+
+allow sepgsql_trusted_domain_t { sepgsql_procedure_type - sepgsql_user_proc_t } : db_procedure { getattr execute };
+allow sepgsql_trusted_domain_t sepgsql_user_proc_t : db_procedure { getattr };
+allow sepgsql_trusted_domain_t sepgsql_blob_type : db_blob { getattr setattr read write };
+
+# Database/Loadable module
+allow sepgsql_database_type sepgsql_module_type : db_database { load_module };
+
+########################################
+#
+# SE-PostgreSQL audit switch
+#
+tunable_policy(`sepgsql_enable_auditallow',`
+ auditallow domain sepgsql_database_type  : db_database all_db_database_perms;
+ auditallow domain sepgsql_table_type     : db_table all_db_table_perms;
+ auditallow domain sepgsql_table_type     : db_column all_db_column_perms;
+ auditallow domain sepgsql_procedure_type : db_procedure all_db_procedure_perms;
+ auditallow domain sepgsql_blob_type      : db_blob all_db_blob_perms;
+ auditallow domain sepgsql_server_type    : db_blob { import export };
+ auditallow domain sepgsql_module_type    : db_database { install_module };
+')
+tunable_policy(`sepgsql_enable_audittuple && sepgsql_enable_auditallow',`
+ auditallow domain sepgsql_table_type     : db_tuple all_db_tuple_perms;
+')
+tunable_policy(`! sepgsql_enable_auditdeny',`
+ dontaudit domain sepgsql_database_type   : db_database all_db_database_perms;
+ dontaudit domain sepgsql_table_type      : db_table all_db_table_perms;
+ dontaudit domain sepgsql_table_type      : db_column all_db_column_perms;
+ dontaudit domain sepgsql_procedure_type  : db_procedure all_db_procedure_perms;
+ dontaudit domain sepgsql_blob_type       : db_blob all_db_blob_perms;
+ dontaudit domain sepgsql_server_type     : db_blob { import export };
+ dontaudit domain sepgsql_module_type     : db_database { install_module };
+')
+tunable_policy(`! sepgsql_enable_audittuple || ! sepgsql_enable_auditdeny',`
+ dontaudit domain sepgsql_table_type      : db_tuple all_db_tuple_perms;
+')
+########################################
+#
+# Allow permission to external domains
+#
+
+# server domains
+optional_policy(`
+ gen_require(`
+ type postgresql_t;
+ ')
+ sepgsql_server_domain(postgresql_t)
+')
+
+# unconfined client domain
+optional_policy(`
+ gen_require(`
+ type unconfined_t;
+ ')
+ sepgsql_unconfined_domain(unconfined_t)
+')
+
+optional_policy(`
+ gen_require(`
+ type sysadm_t;
+ ')
+ sepgsql_unconfined_domain(sysadm_t)
+')
+
+# generic client domain
+optional_policy(`
+ gen_require(`
+ type user_t;
+ role user_r;
+ ')
+ sepgsql_client_domain(user_t)
+ sepgsql_trusted_procedure_role(user_r)
+')
+
+optional_policy(`
+ gen_require(`
+ type staff_t;
+ role staff_r;
+ ')
+ sepgsql_client_domain(staff_t)
+ sepgsql_trusted_procedure_role(staff_r)
+')
+
+optional_policy(`
+ gen_require(`
+ type user_t;
+ role user_r;
+ ')
+ sepgsql_client_domain(user_t)
+ sepgsql_trusted_procedure_role(user_r)
+')
+
+optional_policy(`
+ gen_require(`
+ type guest_t;
+ role guest_r;
+ ')
+ sepgsql_client_domain(guest_t)
+ sepgsql_trusted_procedure_role(guest_r)
+')
+
+optional_policy(`
+ gen_require(`
+ type xguest_t;
+ role xguest_r;
+ ')
+ sepgsql_client_domain(xguest_t)
+ sepgsql_trusted_procedure_role(xguest_r)
+')
+
+optional_policy(`
+ gen_require(`
+ type httpd_sys_script_t;
+ ')
+ sepgsql_client_domain(httpd_sys_script_t)
+')
+
+# RBAC
+optional_policy(`
+ gen_require(`
+ role unconfined_r;
+ ')
+ sepgsql_trusted_procedure_role(unconfined_r)
+')
+
+# loadable module types
+optional_policy(`
+ gen_require(`
+ type lib_t;
+ ')
+ sepgsql_loadable_module(lib_t)
+')
+
+optional_policy(`
+ gen_require(`
+ type textrel_shlib_t;
+ ')
+ sepgsql_loadable_module(textrel_shlib_t)
+')
+
+########################################
+#
+# Hotfixes for labeled networking
+#
+# NOTE: These changes are to be merged in the later releases.
+corenet_tcp_recvfrom_labeled(sepgsql_server_type, sepgsql_client_type)
+optional_policy(`
+ ipsec_match_default_spd(sepgsql_server_type)
+ ipsec_match_default_spd(sepgsql_client_type)
+')
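Review bot: the optional_policy block that requires user_t/user_r and calls sepgsql_client_domain(user_t) and sepgsql_trusted_procedure_role(user_r) appears twice, once under "# generic client domain" and again right after the staff_t block; the second copy is redundant and should be dropped so that a later edit to one copy cannot silently diverge from the other. The "Hotfixes for labeled networking" section would also benefit from a comment naming the later release expected to absorb corenet_tcp_recvfrom_labeled() and the ipsec_match_default_spd() calls, so the hotfix can be removed at that point.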


--
Sent via pgsql-hackers mailing list ([hidden email])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [0/4] Proposal of SE-PostgreSQL patches

Kouhei Kaigai
In reply to this post by Kouhei Kaigai
It seems to me that some of the SE-PostgreSQL patches have not been delivered yet,
although [3/4] and [4/4] already have been.

Did the anti-spam system catch my previous three messages?
If necessary, I will send them again.

Thanks,

Kohei KaiGai wrote:

> The series of patches are the proposal of Security-Enhanced PostgreSQL
> (SE-PostgreSQL) for the upstreamed PostgreSQL 8.4 development cycle.
>
>  [1/4] sepostgresql-pgace-8.4devel-3.patch
>          provides PGACE (PostgreSQL Access Control Extension) framework
>  [2/4] sepostgresql-sepgsql-8.4devel-3.patch
>          provides SE-PostgreSQL feature, based on PGACE framework.
>  [3/4] sepostgresql-pg_dump-8.4devel-3.patch
>          enables pg_dump to dump database with security attribute.
>  [4/4] sepostgresql-policy-8.4devel-3.patch
>          provides the default security policy for SE-PostgreSQL.
 - snip -

--
OSS Platform Development Division, NEC
KaiGai Kohei <[hidden email]>


Re: [0/4] Proposal of SE-PostgreSQL patches

Zdenek Kotala
Kohei KaiGai napsal(a):
> It seems to me that some of the SE-PostgreSQL patches have not been delivered yet,
> although [3/4] and [4/4] already have been.
>
> Did the anti-spam system catch my previous three messages?
> If necessary, I will send them again.

There is a file size limitation. If your patch is too big (I guess over
40kB), please gzip it or send only a URL for download.

                Zdenek


Re: [0/4] Proposal of SE-PostgreSQL patches

Kouhei Kaigai
Zdenek Kotala wrote:

> Kohei KaiGai napsal(a):
>> It seems to me that some of the SE-PostgreSQL patches have not been delivered yet,
>> although [3/4] and [4/4] already have been.
>>
>> Did the anti-spam system catch my previous three messages?
>> If necessary, I will send them again.
>
> There is a file size limitation. If your patch is too big (I guess over
> 40kB), please gzip it or send only a URL for download.
>
> Zdenek

Thanks for your information,

Your estimate is correct. Two of them are over the limitation.
So, I'll send them again as gzip'ed attachments.

[kaigai@saba a]$ ls -lh *-8.4devel-*.patch
-rw-r--r-- 1 kaigai users  17K 2008-03-17 13:01 sepostgresql-pg_dump-8.4devel-3.patch
-rw-r--r-- 1 kaigai users 134K 2008-03-17 13:01 sepostgresql-pgace-8.4devel-3.patch
-rw-r--r-- 1 kaigai users  17K 2008-03-17 13:01 sepostgresql-policy-8.4devel-3.patch
-rw-r--r-- 1 kaigai users 138K 2008-03-17 13:01 sepostgresql-sepgsql-8.4devel-3.patch

--
OSS Platform Development Division, NEC
KaiGai Kohei <[hidden email]>


[2/4] Proposal of SE-PostgreSQL patches

Kouhei Kaigai
In reply to this post by Kouhei Kaigai
[2/4] - sepostgresql-sepgsql-8.4devel-3.patch.gz

This patch provides SE-PostgreSQL facilities based on PGACE.

Security-Enhanced PostgreSQL (SE-PostgreSQL) is a security extension
built into PostgreSQL, to provide system-wide consistency in access
controls. It makes it possible to apply a single unified SELinux security
policy to both the operating system and the database management system.
In addition, it also provides fine-grained mandatory access control,
including column-/row-level access control that cannot be bypassed even
by privileged database users.

  Quick overview at:
    http://code.google.com/p/sepgsql/wiki/WhatIsSEPostgreSQL

(This patch is gzip'ed, because it exceeded the file size limit.)

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <[hidden email]>



Attachment: sepostgresql-sepgsql-8.4devel-3.patch.gz (39K)

Re: [0/4] Proposal of SE-PostgreSQL patches

Alvaro Herrera-7
In reply to this post by Kouhei Kaigai
Kohei KaiGai wrote:
> The series of patches are the proposal of Security-Enhanced PostgreSQL
> (SE-PostgreSQL) for the upstreamed PostgreSQL 8.4 development cycle.

Before we go any further, is this work derived from SELinux?  If so, is
it covered under the GPL?  If so, can it be licensed under BSD terms?

Obviously, if it's not BSD, we cannot include it in Postgres.

--
Alvaro Herrera                                http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support


Re: [0/4] Proposal of SE-PostgreSQL patches

Kohei KaiGai-3
Alvaro Herrera wrote:
> Kohei KaiGai wrote:
>> The series of patches are the proposal of Security-Enhanced PostgreSQL
>> (SE-PostgreSQL) for the upstreamed PostgreSQL 8.4 development cycle.
>
> Before we go any further, is this work derived from SELinux?  If so, is
> it covered under the GPL?  If so, can it be licensed under BSD terms?
>
> Obviously, if it's not BSD, we cannot include it in Postgres.

All of the SE-PostgreSQL work is licensed under BSD terms.
We have intended from the beginning to push SE-PostgreSQL into upstream
PostgreSQL, and we understand that choosing the GPL would make that impossible.

Thanks,
--
KaiGai Kohei <[hidden email]>


Re: [0/4] Proposal of SE-PostgreSQL patches

Kohei KaiGai-3
In reply to this post by Kouhei Kaigai
I'll submit the proposal of SE-PostgreSQL patches again, because some of my previous
messages were filtered due to their attachments and I cannot provide the whole set of patches yet.
Please refer to the URLs given below.

------
The series of patches are the proposal of Security-Enhanced PostgreSQL (SE-PostgreSQL)
for the upstreamed PostgreSQL 8.4 development cycle.

 [1/4] sepostgresql-pgace-8.4devel-3.patch
         provides PGACE (PostgreSQL Access Control Extension) framework
    http://sepgsql.googlecode.com/files/sepostgresql-pgace-8.4devel-3-r704.patch

 [2/4] sepostgresql-sepgsql-8.4devel-3.patch
         provides SE-PostgreSQL feature, based on PGACE framework.
    http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r704.patch

 [3/4] sepostgresql-pg_dump-8.4devel-3.patch
         enables pg_dump to dump database with security attribute.
    http://sepgsql.googlecode.com/files/sepostgresql-pg_dump-8.4devel-3-r704.patch

 [4/4] sepostgresql-policy-8.4devel-3.patch
         provides the default security policy for SE-PostgreSQL.
    http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r704.patch

We can provide a quick overview for SE-PostgreSQL at:
    http://code.google.com/p/sepgsql/wiki/WhatIsSEPostgreSQL

ENVIRONMENT
-----------
Please confirm your environment.
The following are the requirements of SE-PostgreSQL.
 * Fedora 8 or later system
 * SELinux is enabled and working
 * kernel-2.6.24 or later
 * selinux-policy and selinux-policy-devel v3.0.8 or later
 * libselinux, policycoreutils

INSTALLATION
------------
$ tar jxvf postgresql-snapshot.tar.bz2
$ cd postgresql-snapshot
$ patch -p1 < ../sepostgresql-pgace-8.4devel-3.patch
$ patch -p1 < ../sepostgresql-sepgsql-8.4devel-3.patch
$ patch -p1 < ../sepostgresql-pg_dump-8.4devel-3.patch
$ patch -p1 < ../sepostgresql-policy-8.4devel-3.patch

$ ./configure --enable-selinux
$ make
$ make -C contrib/sepgsql-policy
$ su
# make install

# /usr/sbin/semodule -i contrib/sepgsql-policy/sepostgresql.pp
  (NOTE: semodule is a utility to load/unload security policy modules.)

# /sbin/restorecon -R /usr/local/pgsql
  (NOTE: restorecon is a utility to initialize the security context of files.)

SETUP
-----
# mkdir -p /opt/sepgsql
# chown foo_user:var_group /opt/sepgsql
# chcon -t postgresql_db_t /opt/sepgsql
  (NOTE: chcon is a utility to set up security context of files.)
# exit

$ /usr/sbin/run_init /usr/local/pgsql/bin/initdb -D /opt/sepgsql
  (NOTE: run_init is a utility to start a program as if it had been started from an init script.)
$ /usr/local/pgsql/bin/pg_ctl -D /opt/sepgsql start


SUMMARIES FOR EACH PATCH
------------------------
[1/4] - sepostgresql-pgace-8.4devel-3.patch

This patch provides the PGACE (PostgreSQL Access Control Extension) framework.

It has a similar idea to LSM (Linux Security Module).
It provides a guest module with several hooks at strategic points.
The guest module can make its decision whether the requested actions should be
allowed, or not.
In addition, PGACE also provides facilities to manage the security attributes
of database objects. Any tuple can have its own security attribute, and the
guest module can refer to it to control accesses.

  A more comprehensive memo at:
    http://code.google.com/p/sepgsql/wiki/WhatIsPGACE

[2/4] - sepostgresql-sepgsql-8.4devel-3.patch

This patch provides SE-PostgreSQL facilities based on PGACE.

Security-Enhanced PostgreSQL (SE-PostgreSQL) is a security extension
built into PostgreSQL, to provide system-wide consistency in access
controls. It makes it possible to apply a single unified SELinux security
policy to both the operating system and the database management system.
In addition, it also provides fine-grained mandatory access control,
including column-/row-level access control that cannot be bypassed even
by privileged database users.

  Quick overview at:
    http://code.google.com/p/sepgsql/wiki/WhatIsSEPostgreSQL

[3/4] - sepostgresql-pg_dump-8.4devel-3.patch

This patch gives us a feature to dump a database with its security attributes.
It is turned on with the '--enable-selinux' option of pg_dump/pg_dumpall,
when the server runs as the SE- version.
Needless to say, users need to have enough capabilities to dump the whole
database. The same holds when they try to restore the database.

[4/4] - sepostgresql-policy-8.4devel-3.patch

This patch gives us the default security policy for SE-PostgreSQL.
You can build it as a security policy module. It can be linked with
the existing distributor's policy, and reloaded.

--
KaiGai Kohei <[hidden email]>
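A pre-flight and post-install check for the ENVIRONMENT, INSTALLATION and SETUP steps above, written here as an added example (it is not part of the patch set or of the original post). It assumes the Fedora tools named in ENVIRONMENT plus GNU stat, and the /opt/sepgsql data directory from SETUP; the parsing helpers take command output as text, so they can be tried offline on sample strings.

```shell
#!/bin/sh
# Added example, not part of the SE-PostgreSQL patches or the original post.
# Checks the host against the ENVIRONMENT requirements and the state the
# INSTALLATION/SETUP steps should leave behind. Assumes uname, getenforce,
# semodule and GNU stat; the data directory defaults to /opt/sepgsql.
# Every check is a function returning 0 (ok) or 1 (fail).

# Compare two dotted version strings; return 0 when $1 >= $2.
# A release suffix such as "-9.fc8" on a kernel version is ignored.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/-.*/, "", a); sub(/-.*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# $1 is the text printed by `semodule -l` (one "name<TAB>version" per line).
# Return 0 when the sepostgresql module built in contrib/sepgsql-policy is listed.
module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "sepostgresql" { found = 1 } END { exit !found }'
}

# $1 is a file security context such as system_u:object_r:postgresql_db_t:s0
# (what `stat -c %C` or `ls -dZ` prints). Return 0 when the type is the
# postgresql_db_t that the SETUP section assigns with chcon.
datadir_labeled() {
    case "$1" in
        *:object_r:postgresql_db_t:*) return 0 ;;
        *) return 1 ;;
    esac
}

# $1 is the output of `getenforce`. Return 0 unless SELinux is disabled;
# a loaded policy module enforces nothing on a host that reports Disabled.
selinux_active() {
    case "$1" in
        Enforcing|Permissive) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all checks against the live host (as root, since semodule -l needs it).
# Prints one line per check and returns 1 if any check failed.
check_host() {
    datadir="${1:-/opt/sepgsql}"
    rc=0

    kver=$(uname -r)
    if version_ge "$kver" 2.6.24; then
        echo "ok   kernel $kver (>= 2.6.24)"
    else
        echo "FAIL kernel $kver is older than 2.6.24"; rc=1
    fi

    if command -v getenforce >/dev/null 2>&1 && selinux_active "$(getenforce)"; then
        echo "ok   SELinux is $(getenforce)"
    else
        echo "FAIL SELinux is disabled or getenforce is missing"; rc=1
    fi

    if command -v semodule >/dev/null 2>&1 && module_loaded "$(semodule -l 2>/dev/null)"; then
        echo "ok   sepostgresql policy module is loaded"
    else
        echo "FAIL sepostgresql module not loaded (semodule -i contrib/sepgsql-policy/sepostgresql.pp)"; rc=1
    fi

    if [ -d "$datadir" ] && datadir_labeled "$(stat -c %C "$datadir" 2>/dev/null)"; then
        echo "ok   $datadir is labeled postgresql_db_t"
    else
        echo "FAIL $datadir is missing or not labeled postgresql_db_t (chcon -t postgresql_db_t $datadir)"; rc=1
    fi

    return $rc
}

# Only touch the live host when invoked as: sh sepgsql-check.sh --check [datadir]
if [ "${1:-}" = "--check" ]; then
    check_host "$2"
fi
```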


Re: [0/4] Proposal of SE-PostgreSQL patches

Alvaro Herrera-7
In reply to this post by Kohei KaiGai-3
KaiGai Kohei wrote:
> Alvaro Herrera wrote:

>> Before we go any further, is this work derived from SELinux?  If so, is
>> it covered under the GPL?  If so, can it be licensed under BSD terms?
>
> All of the SE-PostgreSQL work is licensed under BSD terms.
> We have intended from the beginning to push SE-PostgreSQL into upstream
> PostgreSQL, and we understand that choosing the GPL would make that impossible.

Right.  The question is: since this is derived from SE-Linux, is it
affected by SE-Linux license?

--
Alvaro Herrera                                http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.


Re: [0/4] Proposal of SE-PostgreSQL patches

Kohei KaiGai-3
Alvaro Herrera wrote:

> KaiGai Kohei wrote:
>> Alvaro Herrera wrote:
>
>>> Before we go any further, is this work derived from SELinux?  If so, is
>>> it covered under the GPL?  If so, can it be licensed under BSD terms?
>> All of the SE-PostgreSQL work is licensed under BSD terms.
>> We have intended from the beginning to push SE-PostgreSQL into upstream
>> PostgreSQL, and we understand that choosing the GPL would make that impossible.
>
> Right.  The question is: since this is derived from SE-Linux, is it
> affected by SE-Linux license?

No, SE-PostgreSQL is not derived from SELinux.

I guess you worry that SE-PostgreSQL contains a part of SELinux licensed
under the GPL, but that is incorrect.
SE-PostgreSQL communicates with SELinux to make its access control decisions,
via an official interface provided by libselinux, because it does not have the
information to make those decisions itself.
libselinux is linked with SE-PostgreSQL, but it is licensed as public
domain software by the NSA.

Therefore, we have no issues related to incompatible licenses.

Thanks,
--
KaiGai Kohei <[hidden email]>


Re: [PATCHES] [0/4] Proposal of SE-PostgreSQL patches

Greg Smith-12
In reply to this post by Kohei KaiGai-3
On Mon, 17 Mar 2008, KaiGai Kohei wrote:

> I'll submit the proposal of SE-PostgreSQL patches again, because some of previous
> messages are filtered due to attachment and I cannot provide whole of patches yet.

This is actually what you should have done from the beginning.  And it
only should have gone to the pgsql-hackers list, which is the only one I'm
replying to.  Your patches are at this point a proposal, as you say in the
subject, and those go to the pgsql-hackers list with the minimum of files
necessary to support them.  pgsql-patches is generally aimed at patches
that have already been discussed on the hackers list, ones that are
basically ready to apply to the source code.

> The libselinux is linked with SE-PostgreSQL, but it is licensed as
> public domain software by NSA.

As for the licensing issues here, what everyone is looking for is a clear
statement of the SELinux license from the source of that code.  The
official NSA statement at http://www.nsa.gov/selinux/info/license.cfm says:

"All source code found on this site is released under the same terms and
conditions as the original sources. For example, the patches to the Linux
kernel, patches to many existing utilities, and some of the new programs
available here are released under the terms and conditions of the GNU
General Public License (GPL). Please refer to the source code for specific
license information."

GPL is a perfectly good license, but it's far from clear whether code
derived from it can be incorporated into PostgreSQL even if you wrote all
of it yourself.  I just checked libselinux, and as you say it includes a
LICENSE file that states "This library (libselinux) is public domain
software, i.e. not copyrighted.".  That's good, but a similar independent
review will need to happen for every component you interact with here, on
top of a technical review.  Luckily this is something a lot of people
would like and that should all get taken care of.

--
* Greg Smith [hidden email] http://www.gregsmith.com Baltimore, MD


Re: [0/4] Proposal of SE-PostgreSQL patches

Josh berkus
In reply to this post by Kouhei Kaigai
KaiGai,

> The series of patches are the proposal of Security-Enhanced PostgreSQL
> (SE-PostgreSQL) for the upstreamed PostgreSQL 8.4 development cycle.

Since I'm (Finally!) expecting the TrustedSolaris folks to put some work into
PostgreSQL as well this year, I'm going to ask them to look over PGACE to see
if this implementation is (still) generic enough to support TS as well.  If
it is, then it's probably generic enough to be a general building block.

--
Josh Berkus
PostgreSQL @ Sun
San Francisco


Re: [PATCHES] [0/4] Proposal of SE-PostgreSQL patches

Gregory Stark-2
In reply to this post by Greg Smith-12
"Greg Smith" <[hidden email]> writes:

> On Mon, 17 Mar 2008, KaiGai Kohei wrote:
>
>> I'll submit the proposal of SE-PostgreSQL patches again, because some of previous
>> messages are filtered due to attachment and I cannot provide whole of patches yet.
>
> This is actually what you should have done from the beginning.  And it only
> should have gone to the pgsql-hackers list, which is the only one I'm replying
> to.  Your patches are at this point a proposal, as you say in the subject, and
> those go to the pgsql-hackers list with the minimum of files necessary to
> support them.  pgsql-patches is generally aimed at patches that have already
> been discussed on the hackers list, ones that are basically ready to apply to
> the source code.

Some people shout any time you send patches to -hackers. The -patches list is
there mainly to catch large attachments regardless of their maturity.

But it's true that it's best to post a plan and have discussion prior to
developing big patches.

--
  Gregory Stark
  EnterpriseDB          http://www.enterprisedb.com
  Ask me about EnterpriseDB's PostGIS support!


Re: [PATCHES] [0/4] Proposal of SE-PostgreSQL patches

Greg Smith-12
On Mon, 17 Mar 2008, Gregory Stark wrote:

> Some people shout any time you send patches to -hackers.

Right, but if you note the improved version I give the thumbs-up to didn't
include any patches--just links to where you could get them.  There's
little reason to include any code as an attachment for a proposal if you
can direct people to the web for them.  That's why I suggested sending
"the minimum of files necessary", which in this case was zero.

--
* Greg Smith [hidden email] http://www.gregsmith.com Baltimore, MD


Re: [0/4] Proposal of SE-PostgreSQL patches

Kouhei Kaigai
In reply to this post by Josh berkus
Josh Berkus wrote:
> KaiGai,
>
>> The series of patches are the proposal of Security-Enhanced PostgreSQL
>> (SE-PostgreSQL) for the upstreamed PostgreSQL 8.4 development cycle.
>
> Since I'm (Finally!) expecting the TrustedSolaris folks to put some work into
> PostgreSQL as well this year, I'm going to ask them to look over PGACE to see
> if this implementation is (still) generic enough to support TS as well.  If
> it is, then it's probably generic enough to be a general building block.

We can extend the PGACE framework to support TrustedSolaris features.
If they need new hooks which are not used in SE-PostgreSQL, those hooks can
keep the default behavior.
The default PGACE behavior has no effect on access controls.

A flexible framework is worthwhile for both operating systems.
Please confirm this with the TS folks.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <[hidden email]>


Re: [PATCHES] [0/4] Proposal of SE-PostgreSQL patches

Kouhei Kaigai
In reply to this post by Greg Smith-12
Greg Smith wrote:

> On Mon, 17 Mar 2008, KaiGai Kohei wrote:
>
>> I'll submit the proposal of SE-PostgreSQL patches again, because some
>> of previous
>> messages are filtered due to attachment and I cannot provide whole of
>> patches yet.
>
> This is actually what you should have done from the beginning.  And it
> only should have gone to the pgsql-hackers list, which is the only one
> I'm replying to.  Your patches are at this point a proposal, as you say
> in the subject, and those go to the pgsql-hackers list with the minimum
> of files necessary to support them.  pgsql-patches is generally aimed at
> patches that have already been discussed on the hackers list, ones that
> are basically ready to apply to the source code.

OK, I can understand the purpose of pgsql-hackers and pgsql-patches list.
At first, I'll have a discussion here.

>> The libselinux is linked with SE-PostgreSQL, but it is licensed as
>> public domain software by NSA.
>
> As for the licensing issues here, what everyone is looking for is a
> clear statement of the SELinux license from the source of that code.  
> The official NSA statement at http://www.nsa.gov/selinux/info/license.cfm
> says:
>
> "All source code found on this site is released under the same terms and
> conditions as the original sources. For example, the patches to the
> Linux kernel, patches to many existing utilities, and some of the new
> programs available here are released under the terms and conditions of
> the GNU General Public License (GPL). Please refer to the source code
> for specific license information."
>
> GPL is a perfectly good license, but it's far from clear whether code
> derived from it can be incorporated into PostgreSQL even if you wrote
> all of it yourself.  I just checked libselinux, and as you say it
> includes a LICENSE file that states "This library (libselinux) is public
> domain software, i.e. not copyrighted.".  That's good, but a similar
> independent review will need to happen for every component you interact
> with here, on top of a technical review.  Luckily this is something a
> lot of people would like and that should all get taken care of.

SE-PostgreSQL internally uses libselinux, glibc and PostgreSQL internal
APIs like SearchSysCache().
I'm not a lawyer, but I believe they cannot force us to apply a specific
license. So, I clearly say the SE-PostgreSQL feature is licensed under the
same one as PostgreSQL.
Needless to say, more comprehensive checks and reviews are welcome.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <[hidden email]>


Re: [PATCHES] [0/4] Proposal of SE-PostgreSQL patches

Joshua D. Drake

On Tue, 18 Mar 2008 10:41:42 +0900
KaiGai Kohei <[hidden email]> wrote:

> > GPL is a perfectly good license, but it's far from clear whether
> > code derived from it can be incorporated into PostgreSQL even if
> > you wrote all of it yourself.  I just checked libselinux, and as
> > you say it includes a LICENSE file that states "This library
> > (libselinux) is public domain software, i.e. not copyrighted.".
> > That's good, but a similar independent review will need to happen
> > for every component you interact with here, on top of a technical
> > review.  Luckily this is something a lot of people would like and
> > that should all get taken care of.
>
> SE-PostgreSQL internally uses libselinux, glibc and PostgreSQL
> internal APIs like SearchSysCache().
> I'm not a lawyer, but I believe they cannot force us to apply a
> specific license. So, I clearly say the SE-PostgreSQL feature is licensed
> under the same one as PostgreSQL.
> Needless to say, more comprehensive checks and reviews are welcome.

Hmmm,

Everything that I read says that libselinux is GPL. That could present
a problem for anyone that wants to use the BSD features of
PostgreSQL :).

I can check with SFLC if people are really curious.

Sincerely,

Joshua D. Drake


--
The PostgreSQL Company since 1997: http://www.commandprompt.com/ 
PostgreSQL Community Conference: http://www.postgresqlconference.org/
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
      PostgreSQL political pundit | Mocker of Dolphins



Re: [PATCHES] [0/4] Proposal of SE-PostgreSQL patches

Kouhei Kaigai
Joshua D. Drake wrote:

> On Tue, 18 Mar 2008 10:41:42 +0900
> KaiGai Kohei <[hidden email]> wrote:
>
>>> GPL is a perfectly good license, but it's far from clear whether
>>> code derived from it can be incorporated into PostgreSQL even if
>>> you wrote all of it yourself.  I just checked libselinux, and as
>>> you say it includes a LICENSE file that states "This library
>>> (libselinux) is public domain software, i.e. not copyrighted.".
>>> That's good, but a similar independent review will need to happen
>>> for every component you interact with here, on top of a technical
>>> review.  Luckily this is something a lot of people would like and
>>> that should all get taken care of.
>> SE-PostgreSQL internally uses libselinux, glibc and PostgreSQL
>> internal APIs like SearchSysCache().
>> I'm not a lawyer, but I believe they cannot force us to apply a
>> specific license. So, I clearly say the SE-PostgreSQL feature is licensed
>> under the same one as PostgreSQL.
>> Needless to say, more comprehensive checks and reviews are welcome.
>
> Hmmm,
>
> Everything that I read says that libselinux is GPL. That could present
> a problem for anyone that wants to use the BSD features of
> PostgreSQL :).

That is incorrect.
SELinux is indeed GPL because it is part of the kernel.
But libselinux is public domain software, as follows:
   https://selinux.svn.sourceforge.net/svnroot/selinux/trunk/libselinux/LICENSE

SE-PostgreSQL is linked with *ONLY* libselinux. It communicates with SELinux
via system calls. As you know, the GPL does not consider the invocation of system
calls as "linking". Thus, we can release SE-PostgreSQL as BSD licensed software.

Thanks,

> I can check with SFLC if people are really curious.
>
> Sincerely,
>
> Joshua D. Drake
--
OSS Platform Development Division, NEC
KaiGai Kohei <[hidden email]>
