NB SQL 9.0 - Revision history
http://www.selinuxproject.org/w/?title=NB_SQL_9.0&limit=50&action=history&feed=atom
Revision history for this page on the wiki (MediaWiki 1.23.13); feed generated 2024-03-28T22:28:15Z.


Revision 1073 by RichardHaines, 2011-06-27T14:41:07Z, edit summary: /* SE-PostgreSQL Walk-through */
http://www.selinuxproject.org/w/?title=NB_SQL_9.0&diff=1073&oldid=prev
← Older revision | Revision as of 14:41, 27 June 2011

Line 519:
  
  <pre>
- testdb=# ALTER TABLE info ALTER COLUMN user_name SECURITY LABEL
- TO 'unconfined_u:object_r:sepgsql_table_t:s0:c20';
+ testdb=# ALTER TABLE info ALTER COLUMN email_addr SECURITY LABEL
+ TO 'unconfined_u:object_r:sepgsql_table_t:s0:c30';
  ALTER TABLE
  </pre>


Revision 1072 by RichardHaines, 2011-06-27T14:39:37Z, edit summary: /* Internal Tables */
http://www.selinuxproject.org/w/?title=NB_SQL_9.0&diff=1072&oldid=prev
← Older revision | Revision as of 14:39, 27 June 2011

Line 247:
  
  <pre>
- SELECT datname, secid, relid, secattr FROM pg_seclabel, pg_stat_database WHERE pg_seclabel.datid = pg_stat_database.datid AND
+ SELECT datname, secid, relid, label FROM pg_seclabel, pg_stat_database WHERE pg_seclabel.datid = pg_stat_database.datid AND
    datname='testdb';
  </pre>

Line 336:
  secid | datid | relid | label
  ------+-------+-------+--------------------------------------------
- 16386 | 16384 | 1249  | unconfined_u:object_r:sepgsql_table_t:s0
+ 16386 | 16384 | 1249  | unconfined_u:object_r:sepgsql_table_t:s0:c20
  </pre>
  


Revision 1068 by RichardHaines, edit summary: New page
http://www.selinuxproject.org/w/?title=NB_SQL_9.0&diff=1068&oldid=prev
2011-01-15T16:33:37Z
New page

= SELinux PostgreSQL Support (9.0) =
This section gives an overview of the SE-PostgreSQL version 9.0.1 extensions to support SELinux in F-14 and how the database context information is managed. It assumes some basic knowledge of PostgreSQL that can be found at the following web site:

: [http://wiki.postgresql.org/wiki/Main_Page http://wiki.postgresql.org/wiki/Main_Page]

For a more in-depth overview of SE-PostgreSQL the "[http://wiki.postgresql.org/wiki/SEPostgreSQL_Development Security-Enhanced PostgreSQL Security Wiki]" is recommended, however some areas require updating to reflect SE-PostgreSQL version 9.0.

== SE-PostgreSQL Overview ==
SE-PostgreSQL adds SELinux mandatory access controls (MAC) to database objects such as databases, tables, columns, rows (tuples), procedures and blobs (binary large objects). Figure 1 shows a simple database with one table, two columns and three rows, each with their object class and associated security context.
The database object classes and permissions are described in the [[ObjectClassesPerms | Object Classes and Permissions]] section.

{| border="1"
! Object !! Object class !! security_label
|-
| database || db_database || unconfined_u:object_r:sepgsql_db_t:s0:c999
|-
| table || db_table || unconfined_u:object_r:sepgsql_table_t:s0:c10
|-
| column 1 || db_column || unconfined_u:object_r:sepgsql_table_t:s0:c20
|-
| column 2 || db_column || unconfined_u:object_r:sepgsql_table_t:s0:c30
|-
| row 1 (cells: 1:1 Information, 1:2 Information) || db_tuple || unconfined_u:object_r:sepgsql_table_t:s0:c100
|-
| row 2 (cells: 2:1 Information, 2:2 Information) || db_tuple || unconfined_u:object_r:sepgsql_table_t:s0:c200
|-
| row 3 (cells: 3:1 Information, 3:2 Information) || db_tuple || unconfined_u:object_r:sepgsql_table_t:s0:c300
|}
''Figure 1: Database Security Context Information - Showing the security contexts that can be associated to a database, table, columns and rows. It is also possible to associate security contexts to procedures and blobs.''

[[#SE-PostgreSQL Database Example | SE-PostgreSQL Database Example]] has a walk-through on how to install SE-PostgreSQL on F-14 with setting up a database, adding tables etc. to show how the security context is used to enforce access control.

To use SE-PostgreSQL each GNU / Linux user must have a valid PostgreSQL database role (not to be confused with an SELinux role). The default installation shown in the [[#SE-PostgreSQL_Database_Example| SE-PostgreSQL Database Example]] section automatically adds a user called <tt>sepgsql</tt> with a suitable database role.

If a client is connecting remotely and labeled networking is required, then it is possible to use IPSec or NetLabel as discussed in the [[NB_Networking | SELinux Networking Support]] section (the "[http://wiki.postgresql.org/wiki/SEPostgreSQL_Development Security-Enhanced PostgreSQL Security Wiki]" also covers these methods of connectivity with examples).

Using the [http://taiga.selinuxproject.org/~rhaines/diagrams/28-sepostgresql.png SE-PostgreSQL Services] diagram, the database client application (that could be provided by an API for Perl/PHP or some other programming language) connects to a database and executes SQL commands. As the SQL commands are processed by PostgreSQL, each operation performed on an object managed by the object manager (OM) is checked to see if this is allowed by the security policy or not.
If the internal AVC does not hold the cached decision then the SELinux kernel Security Server is asked to resolve the query, with the result being cached internally by the OM.

Because PostgreSQL (and therefore SE-PostgreSQL) handles processes, files and directories as part of database operations, the OM also handles permissions for these objects where needed (see the <tt>sepostgresql-9.0.1-20101007.fc14.src</tt> rpm - <tt>selinux.c</tt> source code) by re-mapping these permissions internally.

SE-PostgreSQL supports SELinux services via the <tt>libselinux</tt> library, however it does not use the <tt>libselinux</tt> AVC API functions as it provides its own services. The AVC audits are logged into the <tt>sepostgresql.log</tt> file as described in the [[#Logging Security Events|Logging Security Events]] section.

The SE-PostgreSQL extensions to support MAC access control are described in the SE-PostgreSQL Extensions section below.

== SE-PostgreSQL Extensions ==
SE-PostgreSQL is implemented as a patch to the standard PostgreSQL service and, in order to keep the intrusion to a minimum, the 9.0.1 version has some minor features removed that were in the 8.4 version. It is expected that the 9.1 version will resolve these. The changes from 8.4 to 9.0 are:

* The <tt>CREATE</tt> SQL command (e.g. <tt>CREATE TABLE ...</tt>) does not support adding a new security context. The <tt>ALTER</tt> command should be used instead (examples given below).
* The <tt>SECURITY_CONTEXT</tt> keyword has now been replaced by <tt>SECURITY LABEL</tt>. See the <tt>ALTER</tt> command example given below.
* The column name that references the security context (<tt>security_context</tt>) is now called <tt>security_label</tt>.
* The internal table that contains security context strings and pointers (<tt>pg_security</tt>) is now called <tt>pg_seclabel</tt>.
* A number of functions have been removed to keep the patch at a reasonable level.

The following sections describe the areas that have been extended to manage the security context information and enforce access control. There are a number of examples shown in the [[#SE-PostgreSQL_Database_Example | SE-PostgreSQL Database Example]] section, which contains a walk-through of the installation, set-up and use of SE-PostgreSQL to build a simple database with a single table and two columns, and then add a number of rows.

The main areas expanded are:

* Adding an object manager that utilises SELinux support for policy enforcement via <tt>libselinux</tt> as shown in the [http://taiga.selinuxproject.org/~rhaines/diagrams/28-sepostgresql.png SE-PostgreSQL Services] diagram. This runs as the <tt>sepostgresql</tt> server (replacing the <tt>postgresql</tt> server).
: The PostgreSQL internal tables (the system catalog) have also been enhanced to support security context information and are described in the [[#Internal_Tables | Internal Tables]] section.
* Extending SQL statements to support a security context field.
* Adding additional SQL functions to support viewing and updating security context information.
* Modifying utilities to support security context information.

The sections that follow give a brief overview of the extensions added to support SE-PostgreSQL.

=== Extended SQL Statements ===
The following SQL statements have been extended to add a <tt>SECURITY LABEL TO 'security_context'</tt> field to support SE-PostgreSQL:

{| border="1"
| ALTER DATABASE
|-
| ALTER TABLE
|-
| ALTER FUNCTION
|}

For example, to create a table with a specific security context, execute:
<pre>
testdb=# CREATE TABLE info ();
CREATE TABLE
</pre>
The table will be created with the default context, therefore the <tt>ALTER</tt> command is used to set the required context as follows:
<pre>
testdb=# ALTER TABLE info SECURITY LABEL TO 'unconfined_u:object_r:sepgsql_table_t:s0:c10';
ALTER TABLE
</pre>

=== Additional SQL Functions ===
The following function has been added (with an example shown in the [[#SE-PostgreSQL_Database_Example | SE-PostgreSQL Database Example]] section):

{| border="1"
| sepgsql_getcon
| Returns the client security context.
|}

=== Additional Utilities ===
The <tt>pg_dump</tt> and <tt>pg_dumpall</tt> backup and restore utilities have been made SELinux-aware so that the security context is maintained.

An additional utility called <tt>sepg_ctl</tt> is also supplied that can be used to start, stop, restart, reload configuration files and report the status of a <tt>postgresql</tt> or <tt>sepostgresql</tt> server. <tt>sepg_ctl --help</tt> will list all the options.

=== Additional postgresql.conf Entries ===
The <tt>postgresql.conf</tt> file has the following additional entry added to manage the <tt>sepostgresql</tt> process<ref name="ftn33">For the default installation described in the [[#SE-PostgreSQL_Database_Example | SE-PostgreSQL Database Example]] section, the configuration file is located at <tt>/var/lib/sepgsql/data/postgresql.conf</tt>.</ref>:

<pre>
sepostgresql = [option]
</pre>

{| border="1"
| <tt>sepostgresql</tt>
| The entry specifying the SE-PostgreSQL run time configuration.
|-
| <tt>option</tt>
| SE-PostgreSQL activation option that can be set to one of the following:
* <tt>default</tt> - Follow the SELinux enforcement mode setting.
* <tt>enforcing</tt> - SE-PostgreSQL is always in enforcing mode.
* <tt>permissive</tt> - SE-PostgreSQL is always in permissive mode.
* <tt>disabled</tt> - SE-PostgreSQL is disabled.
The default setting is '<tt>default</tt>'.
|}

=== Internal Tables ===
To support the overall database operation PostgreSQL has internal tables in the system catalog that hold information relating to user databases, tables etc.
This section will only highlight the internal tables and their columns used by SE-PostgreSQL to support the object classes and security context entries using examples taken from the [[#SE-PostgreSQL_Database_Example | SE-PostgreSQL Database Example]] section.<br /> <br /> Table 1 describes each of the tables used by SE-PostgreSQL to support security context relationships with example &lt;tt&gt;SELECT&lt;/tt&gt; statements to retrieve the relevant information. The only internal table to actually hold security context strings is the &lt;tt&gt;pg_seclabel&lt;/tt&gt; table as all others reference these strings using identifiers as described in Table 2. <br /> <br /> {| border=&quot;1&quot;<br /> | '''Internal Table Name'''<br /> | '''Object'''<br /> | '''Object Class'''<br /> | '''Comments'''<br /> <br /> |-<br /> | pg_database<br /> | Database<br /> | db_database<br /> | The &lt;tt&gt;datname&lt;/tt&gt; column holds the database name.<br /> <br /> &lt;pre&gt;<br /> SELECT datname, security_label FROM pg_database WHERE datname = 'testdb';<br /> <br /> datname | security_label<br /> ---------+-------------------------------------<br /> testdb | unconfined_u:object_r:sepgsql_db_t:s0<br /> &lt;/pre&gt;<br /> <br /> |-<br /> | pg_class<br /> | Table<br /> | db_table<br /> | The &lt;tt&gt;relname&lt;/tt&gt; column holds the table name.<br /> <br /> The &lt;tt&gt;relnatts&lt;/tt&gt; column holds the number of columns in this table.<br /> <br /> The &lt;tt&gt;relfilenode&lt;/tt&gt; column value is that contained in the &lt;tt&gt;pg_security.relid&lt;/tt&gt; entry for each row of the table (as they are related). 
<br /> <br /> &lt;pre&gt;<br /> SELECT relname, security_label, relnatts, relfilenode FROM pg_class WHERE relname = 'info';<br /> <br /> relname | security_label | relnatts | relfilenode<br /> ---------+-----------------------------------------------+------------+-------------<br /> info | unconfined_u:object_r:sepgsql_table_t:s0:c10 | 2 | 16389<br /> &lt;/pre&gt;<br /> <br /> |-<br /> | pg_attribute<br /> | Column<br /> | db_column<br /> | The &lt;tt&gt;attname&lt;/tt&gt; column holds the column name.<br /> <br /> The &lt;tt&gt;attnum&lt;/tt&gt; column holds the column number.<br /> <br /> The &lt;tt&gt;attrelid&lt;/tt&gt; column value is that contained in the &lt;tt&gt;pg_security.relid&lt;/tt&gt; entry for each row of the table (as they are related). <br /> <br /> &lt;pre&gt;<br /> SELECT attname, security_label, attnum, attrelid FROM pg_attribute WHERE attrelid = 'info'::regclass AND attnum &gt; 0;<br /> <br /> attname | security_label | attnum | attrelid<br /> -------------+-----------------------------------------------+--------+-----------<br /> user_name | unconfined_u:object_r:sepgsql_table_t:s0:c20 | 1 | 16389<br /> email_addr | unconfined_u:object_r:sepgsql_table_t:s0:c30 | 2 | 16389<br /> &lt;/pre&gt;<br /> <br /> |-<br /> | pg_seclabel<br /> | Row<br /> | db_tuple<br /> | The &lt;tt&gt;pg_seclabel&lt;/tt&gt; table holds the security context strings and pointers for all objects including the rows (or tuples) as described in Table 2.<br /> <br /> |}<br /> ''Table 1: PostgreSQL Internal Tables - Note that each table has other columns containing information, however only that relevant to the overview are described.''<br /> <br /> <br /> Table 2 describes each of the columns defined in the &lt;tt&gt;pg_seclabel&lt;/tt&gt; table with example entries after the table.<br /> <br /> {| border=&quot;1&quot;<br /> ! &lt;center&gt;pg_seclabel Column&lt;/center&gt;<br /> ! Comment<br /> <br /> |-<br /> | secid<br /> | The unique identifier for this security context. 
The context is unique for this database (the &lt;tt&gt;datid&lt;/tt&gt; column) and related OID (the &lt;tt&gt;relid&lt;/tt&gt; column for the table, procedure, row etc.).<br /> <br /> |-<br /> | datid<br /> | The OID of the database to which this entry refers. This can be obtained from the &lt;tt&gt;pg_stat_database&lt;/tt&gt; table as shown in the following example (that will list all contexts used by this instance of the database):<br /> <br /> &lt;pre&gt;<br /> SELECT datname, secid, relid, secattr FROM pg_seclabel, pg_stat_database WHERE pg_seclabel.datid = pg_stat_database.datid AND<br /> datname='testdb';<br /> &lt;/pre&gt;<br /> <br /> |-<br /> | relid<br /> | The OID of an object (table, column etc.) or the related ID of a row. <br /> <br /> This section will only describe the table, column and row entries for &lt;tt&gt;relid&lt;/tt&gt;. There are many others that relate to internal OIDs used by PostgreSQL that are beyond the scope of this Notebook&lt;ref name=&quot;ftn34&quot;&gt;Note that the database context (OID = &lt;tt&gt;1262&lt;/tt&gt; in the &lt;tt&gt;relid&lt;/tt&gt; column) is listed as being under the &lt;tt&gt;datid&lt;/tt&gt; of database '0'. The best way to retrieve the actual database context is by: &lt;tt&gt;SELECT security_label FROM pg_database WHERE datname = '...'&lt;/tt&gt;;&lt;/ref&gt;.<br /> <br /> For tables an OID of '&lt;tt&gt;1259&lt;/tt&gt;' is assigned. These relate to table names in the &lt;tt&gt;pg_class&lt;/tt&gt; internal table. <br /> <br /> For columns an OID of '&lt;tt&gt;1249&lt;/tt&gt;' is assigned. These relate to column names in the &lt;tt&gt;pg_attribute&lt;/tt&gt; internal table. 
<br /> <br /> For rows inserted into a table this is the related &lt;tt&gt;pg_class.relfilenode&lt;/tt&gt; and &lt;tt&gt;pg_attribute.attrelid&lt;/tt&gt; entry for that table / column.<br /> <br /> |-<br /> | label<br /> | Text string of the security context for the object (database, table etc.).<br /> <br /> |}<br /> ''Table 2: &lt;tt&gt;pg_seclabel&lt;/tt&gt; Table Columns''<br /> <br /> <br /> <br /> The following are example entries with comments taken from the &lt;tt&gt;pg_seclabel table&lt;/tt&gt; columns that were displayed using &lt;tt&gt;SELECT * FROM pg_seclabel;&lt;/tt&gt;:<br /> &lt;pre&gt;<br /> # datid '1' is for an internal PostgreSQL database.<br /> # relid '3764' is the pg_ts_template OID<br /> # Therefore this context is assigned to a system template object.<br /> <br /> secid | datid | relid | label <br /> ------+-------+-------+--------------------------------------------<br /> 3380 | 1 | 3764 | unconfined_u:object_r:sepgsql_sysobj_t:s0<br /> &lt;/pre&gt;<br /> <br /> &lt;pre&gt;<br /> # datid '1' is for an internal PostgreSQL database.<br /> # relid '1255' is the pg_proc (procedure) OID<br /> # Therefore this context is assigned to a system procedure object.<br /> <br /> secid | datid | relid | label <br /> ------+-------+-------+--------------------------------------------<br /> 3397 | 1 | 1255 | unconfined_u:object_r:sepgsql_db_t:s0<br /> &lt;/pre&gt;<br /> <br /> &lt;pre&gt;<br /> # datid '0' is assigned to an internal database.<br /> # relid '1262' is the pg_database (database) OID<br /> # Therefore this context entry is assigned to database objects. 
<br /> #<br /> # Note that datid = 0 and relid = 1262 entries define contexts assigned to <br /> # database instances including 'testdb' (but see next example).<br /> <br /> secid | datid | relid | label <br /> ------+-------+-------+--------------------------------------------<br /> 3399 | 0 | 1262 | unconfined_u:object_r:sepgsql_db_t:s0<br /> &lt;/pre&gt;<br /> <br /> &lt;pre&gt;<br /> # This example is for the 'testdb' database after altering its context from the<br /> # above default to 'unconfined_u:object_r:sepgsql_db_t:s0:c888' using:<br /> <br /> ALTER DATABASE testdb SECURITY LABEL TO 'unconfined_u:object_r:sepgsql_db_t:s0:c888';<br /> <br /> # This will insert an additional entry into the pg_seclabel table as follows:<br /> <br /> secid | datid | relid | label <br /> ------+-------+-------+--------------------------------------------<br /> 3400 | 0 | 1262 | unconfined_u:object_r:sepgsql_db_t:s0:c888<br /> &lt;/pre&gt;<br /> <br /> &lt;pre&gt;<br /> # datid '16384' is assigned by the system as the identifier of the testdb database.<br /> # relid '1259' is the pg_class (table) OID.<br /> # Therefore this entry is for a table in the testdb database.<br /> <br /> secid | datid | relid | label <br /> ------+-------+-------+--------------------------------------------<br /> 16385 | 16384 | 1259 | unconfined_u:object_r:sepgsql_table_t:s0:c10<br /> &lt;/pre&gt;<br /> <br /> &lt;pre&gt;<br /> # datid '16384' is assigned by the system as the identifier of the testdb database.<br /> # relid '1249' is the pg_attribute (column) OID.<br /> # Therefore this entry is for a column in a table in the testdb database.<br /> <br /> secid | datid | relid | label <br /> ------+-------+-------+--------------------------------------------<br /> 16386 | 16384 | 1249 | unconfined_u:object_r:sepgsql_table_t:s0<br /> &lt;/pre&gt;<br /> <br /> &lt;pre&gt;<br /> # datid '16384' is assigned by the system as the identifier of the testdb database.<br /> # relid '16389' is not a catalog OID but points back to the table in testdb that<br /> # owns the row (the table's OID in pg_class, which for a table that has never<br /> # been rewritten is also its relfilenode, and which a column's<br /> # pg_attribute.attrelid holds).<br /> # Therefore this entry represents the context for a row (tuple) of data in a<br /> # table of the testdb database.<br /> <br /> secid | datid | relid | label <br /> ------+-------+-------+--------------------------------------------<br /> 16393 | 16384 | 16389 | unconfined_u:object_r:sepgsql_table_t:s0:c110<br /> &lt;/pre&gt;<br /> <br /> === Logging Security Events ===<br /> SE-PostgreSQL manages its own AVC audit entries in the &lt;tt&gt;/var/log/sepostgresql.log&lt;/tt&gt; file, and by default only errors are logged (i.e. it does not add AVC entries to the standard &lt;tt&gt;audit.log&lt;/tt&gt;). <br /> <br /> <br /> = SE-PostgreSQL Database Example =<br /> == Introduction ==<br /> This section gives a run-through of installing and running a very simple database to show some of the SE-PostgreSQL features.<br /> <br /> The areas covered are:<br /> * Install &lt;tt&gt;sepostgresql&lt;/tt&gt; using &lt;tt&gt;yum&lt;/tt&gt;. It assumes that neither &lt;tt&gt;postgresql&lt;/tt&gt; nor &lt;tt&gt;sepostgresql&lt;/tt&gt; is installed.<br /> * Initialise a database cluster so that &lt;tt&gt;sepostgresql&lt;/tt&gt; can be started.<br /> * Create a database called &lt;tt&gt;testdb&lt;/tt&gt;.<br /> * Using the PostgreSQL terminal client &lt;tt&gt;psql&lt;/tt&gt;, create a simple table with two columns and insert 4 rows (or tuples) of data, demonstrating how to add and show the security context information associated with these objects. 
So that the security contexts of the various objects can be told apart, the following will be used:<br /> <br /> {| border=&quot;1&quot;<br /> | '''Name'''<br /> | '''Object'''<br /> | '''Context used'''<br /> <br /> |-<br /> | Database (&lt;tt&gt;testdb&lt;/tt&gt;)<br /> | db_database<br /> | unconfined_u:object_r:sepgsql_db_t:s0<br /> <br /> |-<br /> | Table (&lt;tt&gt;info&lt;/tt&gt;)<br /> | db_table<br /> | unconfined_u:object_r:sepgsql_table_t:s0:c10<br /> <br /> |-<br /> | Column 1 (&lt;tt&gt;user_name&lt;/tt&gt;)<br /> | db_column<br /> | unconfined_u:object_r:sepgsql_table_t:s0:c20<br /> <br /> |-<br /> | Column 2 (&lt;tt&gt;email_addr&lt;/tt&gt;)<br /> | db_column<br /> | unconfined_u:object_r:sepgsql_table_t:s0:c30<br /> <br /> |-<br /> | Row 1<br /> | db_tuple<br /> | unconfined_u:object_r:sepgsql_table_t:s0:c100<br /> <br /> |-<br /> | Row 2<br /> | db_tuple<br /> | unconfined_u:object_r:sepgsql_table_t:s0:c110<br /> <br /> |-<br /> | Row 3<br /> | db_tuple<br /> | unconfined_u:object_r:sepgsql_table_t:s0:c120<br /> <br /> |-<br /> | Row 4 (deliberately invalid type, used to show a rejected insert)<br /> | db_tuple<br /> | unconfined_u:object_r:unconfined_t:s0:c130<br /> <br /> |}<br /> <br /> * Finally run some &lt;tt&gt;sepostgresql&lt;/tt&gt; specific functions and explain their results.<br /> <br /> <br /> The following assumptions have been made:<br /> # The user has a basic knowledge of databases and the SQL language.<br /> # Neither SE-PostgreSQL nor PostgreSQL is installed.<br /> # The system used is Fedora 14 with the targeted policy (&lt;tt&gt;selinux-policy-targeted-3.9.7-16.fc14.noarch&lt;/tt&gt;). 
This would have installed the postgresql policy modules by default.<br /> # Generally, when adding entries to a database SE-PostgreSQL will use a default security context; however, in this walk-through all entries will have a specific security context defined for them (except the database (&lt;tt&gt;testdb&lt;/tt&gt;), which will use the SE-PostgreSQL default).<br /> <br /> == SE-PostgreSQL Walk-through ==<br /> Install &lt;tt&gt;sepostgresql&lt;/tt&gt; using &lt;tt&gt;yum&lt;/tt&gt;. This will install all the required components including &lt;tt&gt;postgresql&lt;/tt&gt;:<br /> &lt;pre&gt;<br /> yum install postgresql<br /> yum install sepostgresql<br /> &lt;/pre&gt;<br /> <br /> On the author's machine, the following were installed:<br /> &lt;pre&gt;<br /> rpm -qa | grep postgresql<br /> <br /> sepostgresql-9.0.1-2010007.fc14.i686<br /> postgresql-8.4.6-1.fc14.i686<br /> postgresql-libs-8.4.6-1.fc14.i686<br /> &lt;/pre&gt;<br /> <br /> Ensure SELinux is in enforcing mode (&lt;tt&gt;getenforce&lt;/tt&gt; reports the current mode):<br /> &lt;pre&gt;<br /> setenforce 1<br /> &lt;/pre&gt;<br /> <br /> Once &lt;tt&gt;sepostgresql&lt;/tt&gt; is installed a database cluster needs to be initialised. As part of the &lt;tt&gt;sepostgresql&lt;/tt&gt; installation an init script (&lt;tt&gt;/etc/init.d/sepostgresql&lt;/tt&gt;) was added that will manage this process:<br /> &lt;pre&gt;<br /> service sepostgresql initdb<br /> Initializing database:<br /> &lt;/pre&gt;<br /> <br /> For information, the database cluster will be built by the above process in &lt;tt&gt;/var/lib/sepgsql/data&lt;/tt&gt;. Note that an &lt;tt&gt;sepgsql&lt;/tt&gt; user and group were also added as a part of the installation process:<br /> &lt;pre&gt;<br /> ls -lZ /var/lib/sepgsql<br /> drwx------. sepgsql sepgsql system_u:object_r:postgresql_db_t:s0 backups<br /> drwx------. 
sepgsql sepgsql unconfined_u:object_r:postgresql_db_t:s0 data<br /> &lt;/pre&gt;<br /> <br /> Once the database cluster has been initialised it can be started by:<br /> &lt;pre&gt;<br /> service sepostgresql start<br /> Starting sepostgresql service: [ OK ]<br /> &lt;/pre&gt;<br /> <br /> This demo will create the test database, tables etc. as the &lt;tt&gt;sepgsql&lt;/tt&gt; user:<br /> &lt;pre&gt;<br /> su - sepgsql<br /> &lt;/pre&gt;<br /> <br /> Optionally, once logged on as the &lt;tt&gt;sepgsql&lt;/tt&gt; user, the PostgreSQL &lt;tt&gt;createuser&lt;/tt&gt; command can be used to allow other GNU / Linux users to access PostgreSQL:<br /> &lt;pre&gt;<br /> createuser [login_name]<br /> <br /> # for example:<br /> createuser root<br /> Shall the new role be a superuser? (y/n) y<br /> # This would allow root to use the PostgreSQL commands to manage<br /> # the database as a superuser.<br /> &lt;/pre&gt;<br /> Note that PostgreSQL superuser status bypasses only the ordinary SQL privilege checks; the SELinux checks made by SE-PostgreSQL are applied to every client according to its security context, whatever its PostgreSQL privileges.<br /> <br /> Now the &lt;tt&gt;testdb&lt;/tt&gt; database itself needs to be created by the PostgreSQL &lt;tt&gt;createdb&lt;/tt&gt; command:<br /> &lt;pre&gt;<br /> createdb testdb<br /> &lt;/pre&gt;<br /> <br /> Once created, the PostgreSQL interactive terminal (&lt;tt&gt;psql&lt;/tt&gt;) needs to be loaded so that SQL statements can be run against the database:<br /> &lt;pre&gt;<br /> # This command will load psql and connect it to the testdb database:<br /> psql testdb<br /> &lt;/pre&gt;<br /> <br /> Now that &lt;tt&gt;psql&lt;/tt&gt; is active and connected to the &lt;tt&gt;testdb&lt;/tt&gt; database, SQL statements can be run. The first one displays the security context of the database, which requires some knowledge of how SE-PostgreSQL holds its internal parameters. 
As explained in the [[NB_SQL | SELinux PostgreSQL Support]] section the main internal tables of interest are &lt;tt&gt;pg_database&lt;/tt&gt;, &lt;tt&gt;pg_class&lt;/tt&gt;, &lt;tt&gt;pg_attribute&lt;/tt&gt; and &lt;tt&gt;pg_seclabel&lt;/tt&gt;, with &lt;tt&gt;pg_database&lt;/tt&gt; holding the database name. Therefore if the following SQL statement is executed, the security context of the &lt;tt&gt;testdb&lt;/tt&gt; database will be returned:<br /> &lt;pre&gt;<br /> testdb=# SELECT datname, security_label FROM pg_database <br /> WHERE datname = 'testdb';<br /> <br /> datname | security_label <br /> ---------+---------------------------------------<br /> testdb | unconfined_u:object_r:sepgsql_db_t:s0<br /> (1 row)<br /> &lt;/pre&gt;<br /> <br /> Now a table (&lt;tt&gt;info&lt;/tt&gt;) will be created that will have two columns (&lt;tt&gt;user_name&lt;/tt&gt; and &lt;tt&gt;email_addr&lt;/tt&gt;). A unique security context will be given to each object created, as follows:<br /> <br /> &lt;pre&gt;<br /> testdb=# CREATE TABLE info (user_name CHAR(10), email_addr CHAR(20));<br /> CREATE TABLE<br /> &lt;/pre&gt;<br /> <br /> The above command will have created the table and its columns with the default context, therefore the &lt;tt&gt;ALTER&lt;/tt&gt; SQL command will be used to set the contexts to those specified above:<br /> &lt;pre&gt;<br /> testdb=# ALTER TABLE info SECURITY LABEL TO 'unconfined_u:object_r:sepgsql_table_t:s0:c10';<br /> ALTER TABLE<br /> &lt;/pre&gt;<br /> <br /> &lt;pre&gt;<br /> testdb=# ALTER TABLE info ALTER COLUMN user_name SECURITY LABEL<br /> TO 'unconfined_u:object_r:sepgsql_table_t:s0:c20';<br /> ALTER TABLE<br /> &lt;/pre&gt;<br /> <br /> &lt;pre&gt;<br /> testdb=# ALTER TABLE info ALTER COLUMN email_addr SECURITY LABEL<br /> TO 'unconfined_u:object_r:sepgsql_table_t:s0:c30';<br /> ALTER TABLE<br /> &lt;/pre&gt;<br /> <br /> Now that the table has been created, the security context of each object can be displayed by querying the SE-PostgreSQL 
internal tables.<br /> <br /> The SQL statement to retrieve the table object &lt;tt&gt;info&lt;/tt&gt; security context is as follows; note that the &lt;tt&gt;pg_class&lt;/tt&gt; internal table holds the table name:<br /> &lt;pre&gt;<br /> testdb=# SELECT relname, security_label FROM pg_class WHERE relname = 'info'; <br /> <br /> relname | security_label <br /> ---------+----------------------------------------------<br /> info | unconfined_u:object_r:sepgsql_table_t:s0:c10<br /> (1 row)<br /> &lt;/pre&gt;<br /> <br /> The SQL statement to retrieve the column object &lt;tt&gt;user_name&lt;/tt&gt; is as follows; note that the &lt;tt&gt;pg_attribute&lt;/tt&gt; internal table holds the column name (in a database with more than one table, add &lt;tt&gt;AND attrelid = 'info'::regclass&lt;/tt&gt; so that a same-named column of another table is not matched):<br /> &lt;pre&gt;<br /> testdb=# SELECT attname, security_label FROM pg_attribute WHERE attname = 'user_name';<br /> <br /> attname | security_label <br /> -----------+----------------------------------------------<br /> user_name | unconfined_u:object_r:sepgsql_table_t:s0:c20<br /> (1 row)<br /> &lt;/pre&gt;<br /> <br /> And the SQL statement to retrieve the column object &lt;tt&gt;email_addr&lt;/tt&gt; is as follows:<br /> &lt;pre&gt;<br /> testdb=# SELECT attname, security_label FROM pg_attribute WHERE attname = 'email_addr';<br /> <br /> attname | security_label <br /> ------------+----------------------------------------------<br /> email_addr | unconfined_u:object_r:sepgsql_table_t:s0:c30<br /> (1 row)<br /> &lt;/pre&gt;<br /> <br /> Now that the table and its columns have been created, it is possible to insert information into the database. Each row (or tuple) will be added with its own unique security context.<br /> <br /> Insert Row 1:<br /> &lt;pre&gt;<br /> testdb=# INSERT INTO info (security_label, user_name, email_addr) <br /> VALUES ('unconfined_u:object_r:sepgsql_table_t:s0:c100', 'fred', 'fred@yahoo.com');<br /> INSERT 0 1<br /> &lt;/pre&gt;<br /> <br /> Show the Row 1 security context; note that only the table name &lt;tt&gt;info&lt;/tt&gt; is specified (i.e. 
no internal table name required):<br /> &lt;pre&gt;<br /> testdb=# SELECT user_name, email_addr, security_label FROM info;<br /> <br /> user_name | email_addr | security_label <br /> -----------+-----------------+-------------------------------------------<br /> fred | fred@yahoo.com | unconfined_u:object_r:sepgsql_table_t:s0:c100<br /> (1 row)<br /> &lt;/pre&gt;<br /> <br /> Insert Rows 2 and 3 each with a unique security context:<br /> &lt;pre&gt;<br /> testdb=# INSERT INTO info (security_label, user_name, email_addr) VALUES <br /> ('unconfined_u:object_r:sepgsql_table_t:s0:c110', 'derf', 'derf@hotmail.com');<br /> INSERT 0 1<br /> <br /> testdb=# INSERT INTO info (security_label, user_name, email_addr) VALUES<br /> ('unconfined_u:object_r:sepgsql_table_t:s0:c120', 'george', 'george@hotmail.com');<br /> INSERT 0 1<br /> &lt;/pre&gt;<br /> <br /> Show Rows 1, 2 and 3 security context:<br /> &lt;pre&gt;<br /> testdb=# SELECT user_name, email_addr, security_label FROM info;<br /> <br /> user_name | email_addr | security_label <br /> ----------+--------------------+--------------------------------------------<br /> fred | fred@yahoo.com | unconfined_u:object_r:sepgsql_table_t:s0:c100<br /> derf | derf@hotmail.com | unconfined_u:object_r:sepgsql_table_t:s0:c110<br /> george | george@hotmail.com | unconfined_u:object_r:sepgsql_table_t:s0:c120<br /> (3 rows)<br /> &lt;/pre&gt;<br /> <br /> To demonstrate that SE-PostgreSQL will not allow entries to be entered unless the security context is valid, an entry will be made with a type of &lt;tt&gt;unconfined_t&lt;/tt&gt; as this is not valid for the standard targeted policy. 
It is assumed that SELinux is in enforcing mode:<br /> &lt;pre&gt;<br /> testdb=# INSERT INTO info (security_label, user_name, email_addr) VALUES ('unconfined_u:object_r:unconfined_t:s0:c130', 'hidden', 'hidden@hotmail.com');<br /> ERROR: SELinux: security policy violation<br /> &lt;/pre&gt;<br /> <br /> Now, to demonstrate that SE-PostgreSQL will not display information that is not allowed by the policy, set SELinux to permissive mode:<br /> &lt;pre&gt;<br /> setenforce 0<br /> &lt;/pre&gt;<br /> <br /> Now insert the row again:<br /> &lt;pre&gt;<br /> testdb=# INSERT INTO info (security_label, user_name, email_addr)<br /> VALUES ('unconfined_u:object_r:unconfined_t:s0:c130', 'hidden', 'hidden@hotmail.com');<br /> INSERT 0 1<br /> &lt;/pre&gt;<br /> <br /> And then display the information:<br /> &lt;pre&gt;<br /> testdb=# SELECT user_name, email_addr, security_label FROM info;<br /> <br /> user_name | email_addr | security_label <br /> ----------+--------------------+-----------------------------------------<br /> fred | fred@yahoo.com | unconfined_u:object_r:sepgsql_table_t:s0:c100<br /> derf | derf@hotmail.com | unconfined_u:object_r:sepgsql_table_t:s0:c110<br /> george | george@hotmail.com | unconfined_u:object_r:sepgsql_table_t:s0:c120<br /> hidden | hidden@hotmail.com | unconfined_u:object_r:unconfined_t:s0:c130<br /> (4 rows)<br /> &lt;/pre&gt;<br /> <br /> Now set SELinux back to enforcing mode:<br /> &lt;pre&gt;<br /> setenforce 1<br /> &lt;/pre&gt;<br /> <br /> And then display the information again. Note that the 4&lt;sup&gt;th&lt;/sup&gt; row is still stored in the table but is not displayed: its type &lt;tt&gt;unconfined_t&lt;/tt&gt; is not a valid database object type in the targeted policy, so the select on that tuple is denied and the row is filtered out rather than the whole query failing:<br /> &lt;pre&gt;<br /> testdb=# SELECT user_name, email_addr, security_label FROM info;<br /> <br /> user_name | email_addr | security_label <br /> ----------+--------------------+-------------------------------------------<br /> fred | fred@yahoo.com | unconfined_u:object_r:sepgsql_table_t:s0:c100<br /> derf | derf@hotmail.com | unconfined_u:object_r:sepgsql_table_t:s0:c110<br /> george | george@hotmail.com | 
unconfined_u:object_r:sepgsql_table_t:s0:c120<br /> (3 rows)<br /> &lt;/pre&gt;<br /> <br /> <br /> === SE-PostgreSQL Functions ===<br /> Because the SE-PostgreSQL services for version 9.0.1 are implemented via a patch, the number of functions is limited; the only function currently supported is &lt;tt&gt;sepgsql_getcon&lt;/tt&gt;, which retrieves the client (subject) context that the policy decisions above are made against:<br /> <br /> &lt;pre&gt;<br /> testdb=# SELECT sepgsql_getcon();<br /> <br /> sepgsql_getcon <br /> -------------------------------------------------------<br /> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023<br /> (1 row)<br /> &lt;/pre&gt;<br /> Note that the client's MCS range &lt;tt&gt;s0-s0:c0.c1023&lt;/tt&gt; covers every category used for the rows above (c100, c110, c120 and c130), so the three visible rows are not being filtered on categories, and Row 4 is hidden by its type alone.<br /> <br /> <br /> ----<br /> &lt;references/&gt;<br /> <br /> [[Category:Notebook]]</div> RichardHaines
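The walk-through above condensed into one psql script, followed by catalog queries that decode the pg_seclabel entries described in the earlier notes and check the enforcing/permissive row visibility. This is an added example, not code from the original wiki page or from the SE-PostgreSQL project. It assumes the patched SE-PostgreSQL 9.0.1 syntax the page uses (SECURITY LABEL TO, the security_label pseudo-column on catalogs and tables, the pg_seclabel columns secid/datid/relid/label and sepgsql_getcon()), that pg_seclabel.relid for a tuple holds the owning table's pg_class OID, and a psql session already connected to testdb as the sepgsql user.

```sql
-- Added example; not part of the original wiki page or of the SE-PostgreSQL
-- project. Assumes the patched SE-PostgreSQL 9.0.1 syntax used on the page:
-- "SECURITY LABEL TO", the security_label pseudo-column on catalogs and
-- tables, pg_seclabel(secid, datid, relid, label) and sepgsql_getcon().
-- Run inside psql while connected to testdb as the sepgsql user.

-- 1. Create the objects with the contexts listed in the Introduction.
CREATE TABLE info (user_name CHAR(10), email_addr CHAR(20));
ALTER TABLE info SECURITY LABEL TO 'unconfined_u:object_r:sepgsql_table_t:s0:c10';
ALTER TABLE info ALTER COLUMN user_name SECURITY LABEL
  TO 'unconfined_u:object_r:sepgsql_table_t:s0:c20';
ALTER TABLE info ALTER COLUMN email_addr SECURITY LABEL
  TO 'unconfined_u:object_r:sepgsql_table_t:s0:c30';

INSERT INTO info (security_label, user_name, email_addr)
  VALUES ('unconfined_u:object_r:sepgsql_table_t:s0:c100', 'fred', 'fred@yahoo.com');
INSERT INTO info (security_label, user_name, email_addr)
  VALUES ('unconfined_u:object_r:sepgsql_table_t:s0:c110', 'derf', 'derf@hotmail.com');
INSERT INTO info (security_label, user_name, email_addr)
  VALUES ('unconfined_u:object_r:sepgsql_table_t:s0:c120', 'george', 'george@hotmail.com');

-- 2. One query instead of four: every labelled object of this database.
--    Columns are restricted to the info table via attrelid, so a column of
--    the same name in another table cannot be picked up by mistake.
SELECT 'database' AS kind, datname::text AS name, security_label
  FROM pg_database
 WHERE datname = current_database()
UNION ALL
SELECT 'table', relname::text, security_label
  FROM pg_class
 WHERE oid = 'info'::regclass
UNION ALL
SELECT 'column', c.relname::text || '.' || a.attname::text, a.security_label
  FROM pg_attribute a
  JOIN pg_class c ON c.oid = a.attrelid
 WHERE a.attrelid = 'info'::regclass
   AND a.attnum > 0 AND NOT a.attisdropped
UNION ALL
SELECT 'row', user_name::text, security_label
  FROM info;

-- 3. Decode pg_seclabel the way the notes on that table do:
--    datid 0 with relid 1262 (pg_database) is a database label; within this
--    database relid 1259 (pg_class) is a table label, relid 1249
--    (pg_attribute) a column label, and any other relid is the OID of the
--    table whose rows carry the label (assumption: relid holds pg_class.oid,
--    which equals relfilenode for a table that has never been rewritten).
SELECT s.secid, s.datid, s.relid,
       CASE s.relid
         WHEN 1262 THEN 'database'
         WHEN 1259 THEN 'table'
         WHEN 1249 THEN 'column'
         ELSE 'row of ' || COALESCE(c.relname::text, '(unknown table)')
       END AS object_kind,
       s.label
  FROM pg_seclabel s
  LEFT JOIN pg_class c ON c.oid = s.relid
 WHERE s.datid = 0
    OR s.datid = (SELECT oid FROM pg_database WHERE datname = current_database())
 ORDER BY s.secid;

-- 4. Visibility check for the permissive/enforcing demonstration: run this
--    once before "setenforce 0", once after the unconfined_t row has been
--    inserted in permissive mode, and once more after "setenforce 1".
--    The client context is the subject every db_tuple { select } decision is
--    made against; on the page's system the counts are 3, 4 and 3, and only
--    the enforcing-mode result is what an application would ever see.
SELECT sepgsql_getcon() AS client_context, count(*) AS visible_rows
  FROM info;
```

Query 2 deliberately uses `'info'::regclass` rather than a bare `relname`/`attname` match: the page's own catalog queries are fine on a one-table database, but on a real system a `WHERE attname = 'user_name'` predicate returns one row per table that has such a column, and it is easy to read the wrong label.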