add a MAC check for TRUNCATE


Re: add a MAC check for TRUNCATE

Tom Lane
Joe Conway <[hidden email]> writes:
> On 9/6/19 2:18 PM, Tom Lane wrote:
>> sepgsql hasn't worked on RHEL6 in a long time, if ever; it requires
>> a newer version of libselinux than what ships in RHEL6.  So I'm not
>> concerned about that.  We do need to worry about RHEL7, and whatever
>> is the oldest version of Fedora that is running the sepgsql tests
>> in the buildfarm.

> I could be wrong, but as far as I know rhinoceros is the only buildfarm
> animal running sepgsql tests.

It seems reasonable to define RHEL7 as the oldest SELinux version we
still care about.  But it'd be a good idea for somebody to be running
a fairly bleeding-edge Fedora animal with sepgsql enabled, so we get
coverage of the other end of the scale.

                        regards, tom lane



Re: add a MAC check for TRUNCATE

Joe Conway
On 9/6/19 8:07 PM, Tom Lane wrote:

> Joe Conway <[hidden email]> writes:
>> On 9/6/19 2:18 PM, Tom Lane wrote:
>>> sepgsql hasn't worked on RHEL6 in a long time, if ever; it requires
>>> a newer version of libselinux than what ships in RHEL6.  So I'm not
>>> concerned about that.  We do need to worry about RHEL7, and whatever
>>> is the oldest version of Fedora that is running the sepgsql tests
>>> in the buildfarm.
>
>> I could be wrong, but as far as I know rhinoceros is the only buildfarm
>> animal running sepgsql tests.
>
> It seems reasonable to define RHEL7 as the oldest SELinux version we
> still care about.  But it'd be a good idea for somebody to be running
> a fairly bleeding-edge Fedora animal with sepgsql enabled, so we get
> coverage of the other end of the scale.


Yeah -- I was planning to eventually register a RHEL8 animal, but I
should probably do one for Fedora as well. I'll bump the priority for
that on my personal TODO.

Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development



Re: add a MAC check for TRUNCATE

Yuli Khodorkovskiy
On Fri, Sep 6, 2019 at 9:09 PM Joe Conway <[hidden email]> wrote:

>
> On 9/6/19 8:07 PM, Tom Lane wrote:
> > Joe Conway <[hidden email]> writes:
> >> On 9/6/19 2:18 PM, Tom Lane wrote:
> >>> sepgsql hasn't worked on RHEL6 in a long time, if ever; it requires
> >>> a newer version of libselinux than what ships in RHEL6.  So I'm not
> >>> concerned about that.  We do need to worry about RHEL7, and whatever
> >>> is the oldest version of Fedora that is running the sepgsql tests
> >>> in the buildfarm.
> >
> >> I could be wrong, but as far as I know rhinoceros is the only buildfarm
> >> animal running sepgsql tests.
> >
> > It seems reasonable to define RHEL7 as the oldest SELinux version we
> > still care about.  But it'd be a good idea for somebody to be running
> > a fairly bleeding-edge Fedora animal with sepgsql enabled, so we get
> > coverage of the other end of the scale.
>
>
> Yeah -- I was planning to eventually register a RHEL8 animal, but I
> should probably do one for Fedora as well. I'll bump the priority for
> that on my personal TODO.
>
> Joe
> --
> Crunchy Data - http://crunchydata.com
> PostgreSQL Support for Secure Enterprises
> Consulting, Training, & Open Source Development

Hello,

I have included an updated version of the sepgsql patch. The
Truncate-Hook patch is unchanged from the last version.

The sepgsql changes now check if the db_table:{ truncate } permission
exists in the loaded SELinux policy before running the truncate
regression test. If the permission does not exist, then the new
regression test will not run.

Testing the TRUNCATE regression test can be done by manually adding
the permission with CIL:

```
sudo semodule -cE base
sudo sed -i -E 's/(class db_table.*?) \)/\1 truncate\)/' base.cil
sudo semodule -i base.cil
```

Thanks,

Yuli

Attachments: Truncate-Hook.patch (4K), v2-Sepgsql-Truncate.patch (11K)
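The run-or-skip decision the post describes, as an added example that is not code from the patch or the thread: a POSIX shell function asks the running kernel whether the loaded policy defines db_table:{ truncate } by looking it up in selinuxfs (assumed mounted at /sys/fs/selinux; the root is a parameter so the check can be exercised against a constructed directory tree on a machine without SELinux), and a second function turns that into the decision for the TRUNCATE regression test. The db_table permission list in the constructed tree is an assumption for the dry run.

```shell
#!/bin/sh
# Added example, not code from the patch or the thread.  selinuxfs exposes
# every class and permission of the *loaded* policy as
#     <selinuxfs>/class/<class>/perms/<perm>
# so "does the loaded policy know db_table:{ truncate }" is a plain
# file-existence test, with no policy tooling involved.  The selinuxfs
# root is a parameter so the functions can be run against a constructed
# directory tree on a box without SELinux.

# selinux_has_perm CLASS PERM [SELINUXFS_ROOT]
# Exit status 0 if the loaded policy defines PERM on CLASS, 1 otherwise.
# SELINUXFS_ROOT defaults to /sys/fs/selinux (assumed mount point).
selinux_has_perm() {
    _root=${3:-/sys/fs/selinux}
    [ -f "$_root/class/$1/perms/$2" ]
}

# truncate_test_decision [SELINUXFS_ROOT]
# The post's rule: run the TRUNCATE regression test only when the
# permission exists in the loaded policy.  Prints "run" or "skip";
# exit status 0 means "run".
truncate_test_decision() {
    if selinux_has_perm db_table truncate "$1"; then
        echo run
        return 0
    fi
    echo skip
    return 1
}

# make_fake_selinuxfs DIR with-truncate|without
# Constructed selinuxfs-like tree for a dry run.  The permission list is
# the assumed db_table class of a policy that predates the patch; the
# second argument adds truncate on top, as the CIL step in the post does.
make_fake_selinuxfs() {
    _perms="create drop getattr setattr relabelfrom relabelto"
    _perms="$_perms select update insert delete lock"
    mkdir -p "$1/class/db_table/perms"
    for _p in $_perms; do
        : > "$1/class/db_table/perms/$_p"
    done
    if [ "$2" = with-truncate ]; then
        : > "$1/class/db_table/perms/truncate"
    fi
}
```

On a real host call `truncate_test_decision` with no argument to consult /sys/fs/selinux directly.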

Re: add a MAC check for TRUNCATE

Álvaro Herrera
In reply to this post by Yuli Khodorkovskiy
Hello,

I moved this patch from "Bug Fixes" to Security.

Thanks,

--
Álvaro Herrera                https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



Re: add a MAC check for TRUNCATE

Alvaro Herrera
In reply to this post by Yuli Khodorkovskiy
Hello

On 2019-Sep-09, Yuli Khodorkovskiy wrote:

> I have included an updated version of the sepgsql patch. The
> Truncate-Hook patch is unchanged from the last version.

This patch no longer applies.  Can you please rebase?

Joe, do you plan on being committer for this patch?  There seems to be
substantial agreement on it.

Thanks

--
Álvaro Herrera                https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



Re: add a MAC check for TRUNCATE

Joe Conway
On 9/25/19 3:56 PM, Alvaro Herrera wrote:

> Hello
>
> On 2019-Sep-09, Yuli Khodorkovskiy wrote:
>
>> I have included an updated version of the sepgsql patch. The
>> Truncate-Hook patch is unchanged from the last version.
>
> This patch no longer applies.  Can you please rebase?
>
> Joe, do you plan on being committer for this patch?  There seems to be
> substantial agreement on it.


I should be able to do that.

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development



Re: add a MAC check for TRUNCATE

Yuli Khodorkovskiy
In reply to this post by Alvaro Herrera-9
On Wed, Sep 25, 2019 at 3:57 PM Alvaro Herrera <[hidden email]> wrote:
>
> Hello
>
> On 2019-Sep-09, Yuli Khodorkovskiy wrote:
>
> > I have included an updated version of the sepgsql patch. The
> > Truncate-Hook patch is unchanged from the last version.
>
> This patch no longer applies.  Can you please rebase?

Hi Alvaro,

I have attached the updated patches which should rebase.

Since all existing DAC checks should have MAC, should these patches be
considered a bug fix and therefore back patched?

Thank you

Attachments: Truncate-Hook.patch (4K), v3-Sepgsql-Truncate.patch (11K)

Re: add a MAC check for TRUNCATE

Alvaro Herrera
On 2019-Sep-25, Yuli Khodorkovskiy wrote:

> Hi Alvaro,
>
> I have attached the updated patches which should rebase.

Great, thanks.

> Since all existing DAC checks should have MAC, should these patches be
> considered a bug fix and therefore back patched?

I don't know the answer to that.  My impression from earlier discussion
is that this was seen as a non-backpatchable change, but I defer to Joe
on that as committer.  If it were up to me, the ultimate question would
be: would such a change adversely affect existing running systems?

Thanks,

--
Álvaro Herrera                https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



Re: add a MAC check for TRUNCATE

Tom Lane
Alvaro Herrera <[hidden email]> writes:
> On 2019-Sep-25, Yuli Khodorkovskiy wrote:
>> Since all existing DAC checks should have MAC, should these patches be
>> considered a bug fix and therefore back patched?

> I don't know the answer to that.  My impression from earlier discussion
> is that this was seen as a non-backpatchable change, but I defer to Joe
> on that as committer.  If it were up to me, the ultimate question would
> be: would such a change adversely affect existing running systems?

I don't see how the addition of a new permissions check could sanely
be back-patched unless it were to default to "allow", which seems like
an odd choice.

                        regards, tom lane



Re: add a MAC check for TRUNCATE

Yuli Khodorkovskiy
On Wed, Sep 25, 2019 at 5:57 PM Tom Lane <[hidden email]> wrote:
<snip>

> I don't see how the addition of a new permissions check could sanely
> be back-patched unless it were to default to "allow", which seems like
> an odd choice.
>
>                         regards, tom lane

That makes sense. Alternatively, we could back patch just the hook to
at least allow the option for an integrator to implement MAC using an
extension. Then the sepgsql changes could be back patched once the
SELinux policy has been merged into Fedora.

Thank you



Re: add a MAC check for TRUNCATE

Joe Conway
In reply to this post by Joe Conway
On 9/25/19 4:47 PM, Joe Conway wrote:

> On 9/25/19 3:56 PM, Alvaro Herrera wrote:
>> Hello
>>
>> On 2019-Sep-09, Yuli Khodorkovskiy wrote:
>>
>>> I have included an updated version of the sepgsql patch. The
>>> Truncate-Hook patch is unchanged from the last version.
>>
>> This patch no longer applies.  Can you please rebase?
>>
>> Joe, do you plan on being committer for this patch?  There seems to be
>> substantial agreement on it.
>
>
> I should be able to do that.


I am not sure I will get to this today. I assume it is ok for me to move
it forward e.g. next weekend, or is that not in line with commitfest rules?

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development



Re: add a MAC check for TRUNCATE

Alvaro Herrera
On 2019-Sep-30, Joe Conway wrote:

> I am not sure I will get to this today. I assume it is ok for me to move
> it forward e.g. next weekend, or is that not in line with commitfest rules?

You can commit whatever patch whenever you feel like it.  I will
probably move this patch to the next commitfest before that, but you can
mark it committed there as soon as you commit it.

--
Álvaro Herrera                https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



Re: add a MAC check for TRUNCATE

Michael Paquier
On Mon, Sep 30, 2019 at 11:38:05AM -0300, Alvaro Herrera wrote:
> On 2019-Sep-30, Joe Conway wrote:
>
> > I am not sure I will get to this today. I assume it is ok for me to move
> > it forward e.g. next weekend, or is that not in line with commitfest rules?
>
> You can commit whatever patch whenever you feel like it.  I will
> probably move this patch to the next commitfest before that, but you can
> mark it committed there as soon as you commit it.

One month later, nothing has happened here.  Joe, are you planning to
look at this patch?

The last patch I found does not apply properly, so please provide a
rebase.  I am switching the patch as waiting on author.
--
Michael


Re: add a MAC check for TRUNCATE

Yuli Khodorkovskiy
On Thu, Nov 7, 2019 at 7:46 PM Michael Paquier <[hidden email]> wrote:

>
> On Mon, Sep 30, 2019 at 11:38:05AM -0300, Alvaro Herrera wrote:
> > On 2019-Sep-30, Joe Conway wrote:
> >
> > > I am not sure I will get to this today. I assume it is ok for me to move
> > > it forward e.g. next weekend, or is that not in line with commitfest rules?
> >
> > You can commit whatever patch whenever you feel like it.  I will
> > probably move this patch to the next commitfest before that, but you can
> > mark it committed there as soon as you commit it.
>
> One month later, nothing has happened here.  Joe, are you planning to
> look at this patch?
>
> The last patch I found does not apply properly, so please provide a
> rebase.  I am switching the patch as waiting on author.

Michael,

I was able to apply the latest patches in the thread (9/25/19) on top
of master. I have attached them for convenience.

⇒  git rev-parse HEAD
879c1176157175e0a83742b810f137aebccef4a4
⇒  md5sum Truncate-Hook.patch v3-Sepgsql-Truncate.patch
3b8c2b03e30f519f32ebb9fcbc943c70  Truncate-Hook.patch
728e90596b99cfb8eef74dc1effce46d  v3-Sepgsql-Truncate.patch
⇒  git am Truncate-Hook.patch
Applying: Add a hook to allow MAC check for TRUNCATE
⇒  git am v3-Sepgsql-Truncate.patch
Applying: Update sepgsql to add MAC for TRUNCATE

Thank you,

Yuli

Attachments: v3-Sepgsql-Truncate.patch (11K), Truncate-Hook.patch (4K)

Re: add a MAC check for TRUNCATE

Joe Conway
On 11/8/19 9:02 AM, Yuli Khodorkovskiy wrote:

> On Thu, Nov 7, 2019 at 7:46 PM Michael Paquier <[hidden email]> wrote:
>>
>> On Mon, Sep 30, 2019 at 11:38:05AM -0300, Alvaro Herrera wrote:
>> > On 2019-Sep-30, Joe Conway wrote:
>> >
>> > > I am not sure I will get to this today. I assume it is ok for me to move
>> > > it forward e.g. next weekend, or is that not in line with commitfest rules?
>> >
>> > You can commit whatever patch whenever you feel like it.  I will
>> > probably move this patch to the next commitfest before that, but you can
>> > mark it committed there as soon as you commit it.
>>
>> One month later, nothing has happened here.  Joe, are you planning to
>> look at this patch?
>>
>> The last patch I found does not apply properly, so please provide a
>> rebase.  I am switching the patch as waiting on author.
>
> Michael,
>
> I was able to apply the latest patches in the thread (9/25/19) on top
> of master. I have attached them for convenience.


Yes, I will look when I am able. Hopefully this weekend, almost
certainly before the end of this commitfest.

Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development



Re: add a MAC check for TRUNCATE

Joe Conway
On 11/8/19 9:16 AM, Joe Conway wrote:

> On 11/8/19 9:02 AM, Yuli Khodorkovskiy wrote:
>> On Thu, Nov 7, 2019 at 7:46 PM Michael Paquier <[hidden email]> wrote:
>>>
>>> On Mon, Sep 30, 2019 at 11:38:05AM -0300, Alvaro Herrera wrote:
>>> > On 2019-Sep-30, Joe Conway wrote:
>>> >
>>> > > I am not sure I will get to this today. I assume it is ok for me to move
>>> > > it forward e.g. next weekend, or is that not in line with commitfest rules?
>>> >
>>> > You can commit whatever patch whenever you feel like it.  I will
>>> > probably move this patch to the next commitfest before that, but you can
>>> > mark it committed there as soon as you commit it.
>>>
>>> One month later, nothing has happened here.  Joe, are you planning to
>>> look at this patch?
>>>
>>> The last patch I found does not apply properly, so please provide a
>>> rebase.  I am switching the patch as waiting on author.
>>
>> Michael,
>>
>> I was able to apply the latest patches in the thread (9/25/19) on top
>> of master. I have attached them for convenience.
>
> Yes, I will look when I am able. Hopefully this weekend, almost
> certainly before the end of this commitfest.

I tested this successfully on Rhinoceros, both with and without
"db_table: { truncate }" loaded in the policy. Updated patches attached
here with some editorialization. If there are no objections I will
commit/push both in about a day or two.

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development

Attachments: Truncate-Hook-jc00.patch (3K), Truncate-Sepgsql-v3-jc00.patch (5K)

Re: add a MAC check for TRUNCATE

Joe Conway
On 11/20/19 2:30 PM, Joe Conway wrote:

> On 11/8/19 9:16 AM, Joe Conway wrote:
>> On 11/8/19 9:02 AM, Yuli Khodorkovskiy wrote:
>>> On Thu, Nov 7, 2019 at 7:46 PM Michael Paquier <[hidden email]> wrote:
>>>>
>>>> On Mon, Sep 30, 2019 at 11:38:05AM -0300, Alvaro Herrera wrote:
>>>> > On 2019-Sep-30, Joe Conway wrote:
>>>> >
>>>> > > I am not sure I will get to this today. I assume it is ok for me to move
>>>> > > it forward e.g. next weekend, or is that not in line with commitfest rules?
>>>> >
>>>> > You can commit whatever patch whenever you feel like it.  I will
>>>> > probably move this patch to the next commitfest before that, but you can
>>>> > mark it committed there as soon as you commit it.
>>>>
>>>> One month later, nothing has happened here.  Joe, are you planning to
>>>> look at this patch?
>>>>
>>>> The last patch I found does not apply properly, so please provide a
>>>> rebase.  I am switching the patch as waiting on author.
>>>
>>> Michael,
>>>
>>> I was able to apply the latest patches in the thread (9/25/19) on top
>>> of master. I have attached them for convenience.
>>
>> Yes, I will look when I am able. Hopefully this weekend, almost
>> certainly before the end of this commitfest.
>
> I tested this successfully on Rhinoceros, both with and without
> "db_table: { truncate }" loaded in the policy. Updated patches attached
> here with some editorialization. If there are no objections I will
> commit/push both in about a day or two.

...and I managed to drop the new files from the sepgsql patch. Complete
version attached.

Joe

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development

Attachments: Truncate-Hook-jc00.patch (3K), Truncate-Sepgsql-v3-jc01.patch (8K)

Re: add a MAC check for TRUNCATE

Michael Paquier
In reply to this post by Joe Conway
On Wed, Nov 20, 2019 at 02:30:12PM -0500, Joe Conway wrote:
> I tested this successfully on Rhinoceros, both with and without
> "db_table: { truncate }" loaded in the policy. Updated patches attached
> here with some editorialization. If there are no objections I will
> commit/push both in about a day or two.

Thanks for the update, Joe.  I have switched the patch as ready for
committer, with your name as committer of the entry to reflect this
status.
--
Michael


Re: add a MAC check for TRUNCATE

Joe Conway
On 11/22/19 3:07 AM, Michael Paquier wrote:
> On Wed, Nov 20, 2019 at 02:30:12PM -0500, Joe Conway wrote:
>> I tested this successfully on Rhinoceros, both with and without
>> "db_table: { truncate }" loaded in the policy. Updated patches attached
>> here with some editorialization. If there are no objections I will
>> commit/push both in about a day or two.
>
> Thanks for the update, Joe.  I have switched the patch as ready for
> committer, with your name as committer of the entry to reflect this
> status.

Pushed.

Thanks,

Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development

