Re: [v9.2] Add GUC sepgsql.client_label
| From | Yeb Havinga |
|---|---|
| Subject | Re: [v9.2] Add GUC sepgsql.client_label |
| Date | |
| Msg-id | 4F478779.70003@gmail.com |
| In reply to | Re: [v9.2] Add GUC sepgsql.client_label (Kohei KaiGai <kaigai@kaigai.gr.jp>) |
| Replies | Re: [v9.2] Add GUC sepgsql.client_label |
| List | pgsql-hackers |
On 2012-02-23 12:17, Kohei KaiGai wrote:
> 2012/2/20 Yeb Havinga <yebhavinga@gmail.com>:
>> So maybe this is because my start domain is not s0-s0:c0.c1023
>>
>> However, when trying to run bash or psql in domain
>> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 I get permission
>> denied.
>>
>> Distribution is FC15, sestatus
>> SELinux status: enabled
>> SELinuxfs mount: /selinux
>> Current mode: enforcing
>> Mode from config file: enforcing
>> Policy version: 24
>> Policy from config file: targeted
>>
> The "default" security policy does not permit dynamic domain transition
> even for the unconfined domain, in contradiction to its name.
> (IMO, it is a fair enough design to avoid a single point of failure like the root user.)
>
> The security policy of the regression test contains a set of rules to reduce
> the categories assigned to the unconfined domain.
> So, could you try the following steps?
> 1. Build the latest policy
> % make -f /usr/share/selinux/devel/Makefile -C contrib/sepgsql
> 2. Install the policy module
> % sudo semodule -i contrib/sepgsql/sepgsql-regtest.pp
> 3. Turn on the sepgsql_regression_test_mode
> % sudo setsebool -P sepgsql_regression_test_mode=1
>
> I believe it allows switching the security label of the client, as long as we try to
> reduce categories.

I remember these commands from the sepgsql contrib module documentation (though the semodule invocation in the documentation is with -u and the setsebool does not have the -P flag). semodule -l showed I had already installed version 1.04.

I just repeated all steps with the new patch, and get the same result:

LOG: SELinux: denied { dyntransition } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 tclass=process
STATEMENT: SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0:c0.c15');

[mgrid@mgfedora sepgsql]$ getsebool sepgsql_regression_test_mode
sepgsql_regression_test_mode --> on
[root@mgfedora sepgsql]# semodule -l | egrep 'pgsql|postgres'
postgresql 1.12.1
sepgsql-regtest 1.04

Do I need Fedora 16 to run it?

--
Yeb Havinga
http://www.mgrid.net/
Mastering Medical Data
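As an added example (not part of this thread and not sepgsql project code), a small Python helper that parses a PostgreSQL-logged SELinux denial like the one quoted above and checks the condition KaiGai describes for the regression-test policy: the requested label may only drop MCS categories relative to the client's current clearance. The sample log line is constructed from the denial in the mail; the `analyze_denial`, `parse_context` and `parse_categories` names are my own.

```python
import re

# Constructed sample log line, assembled from the denial quoted in the mail.
SAMPLE_LOG = (
    "LOG:  SELinux: denied { dyntransition } "
    "scontext=unconfined_u:unconfined_r:unconfined_t:s0 "
    "tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 tclass=process"
)

DENIAL_RE = re.compile(
    r"denied \{ (?P<perm>[^}]+?) \} scontext=(?P<scontext>\S+) "
    r"tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def parse_categories(cat_str):
    """Expand an MCS category list such as 'c0.c15,c20' into a set of ints."""
    cats = set()
    for part in filter(None, cat_str.split(",")):
        if "." in part:
            lo, hi = part.split(".")
            cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
        else:
            cats.add(int(part[1:]))
    return cats


def parse_context(ctx):
    """Split user:role:type:range; return (type, sensitivity, clearance categories)."""
    _user, _role, type_, mls = ctx.split(":", 3)
    # Range is low[-high]; the high level is the clearance bounding usable categories.
    sens, _, cats = mls.split("-")[-1].partition(":")
    return type_, sens, parse_categories(cats)


def analyze_denial(line):
    """Describe a logged SELinux denial; return None if the line is not one."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    s_type, _s_sens, s_cats = parse_context(m["scontext"])
    t_type, _t_sens, t_cats = parse_context(m["tcontext"])
    return {
        "perm": m["perm"],
        "same_type": s_type == t_type,
        # Direction the thread says the regtest policy permits: only dropping categories.
        "categories_reduced": t_cats <= s_cats,
        "added_categories": sorted(t_cats - s_cats),
    }
```

Run against the quoted line, the helper reports that the requested label adds categories c0..c15 to a clearance that has none, which is the opposite of a reduction; with a client starting at s0-s0:c0.c1023 the same target label is a reduction.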