Chris,

>>> * Tunables to turn on/off audit remain now, because database
>>> folks told me fine-grained logs are a worthwhile feature.
>> I'm still not very compelled by this, as I doubt people who do want more
>> auditing will want to enable it so coarsely.
>
> Hmm...
> OK, I'll remove these tunables, and add documentation on how to collect
> fine-grained database access logs.

When we apply tuple-level access control, access denied logs of filtered tuples are noisy, and they have an adverse effect on performance. For example, if a table contains 1,000,000 tuples and half of them are labeled as ":s0:c0", unclassified users will see a flood of logs on every access.

At least, is it necessary to be controllable on tuples?

--------
[kaigai@saba ~]$ psql postgres -q
postgres=# SELECT * FROM drink;
 id | name  | price | alcohol
----+-------+-------+---------
  1 | water |   100 | f
  2 | coke  |   120 | f
  3 | juice |   130 | f
  4 | cofee |   180 | f
  5 | beer  |   240 | t
  6 | sake  |   320 | t
(6 rows)

postgres=#
[kaigai@saba ~]$ runcon -l s0 psql postgres -q
postgres=# SELECT * FROM drink;
NOTICE: SELinux: denied { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0:c0 tclass=db_tuple name=relid:16482,oid:16490
NOTICE: SELinux: denied { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0:c0 tclass=db_tuple name=relid:16482,oid:16491
NOTICE: SELinux: denied { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0:c0 tclass=db_tuple name=relid:16482,oid:16492
 id | name  | price | alcohol
----+-------+-------+---------
  1 | water |   100 | f
  2 | coke  |   120 | f
  3 | juice |   130 | f
(3 rows)

postgres=#
--------

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>

--
This message was distributed to subscribers of the selinux mailing list.
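The following is an added model of the filtering shown in the session above; it is my own illustration, not sepgsql code. It applies the MLS read-down rule (the subject's sensitivity must dominate the tuple's and its category set must be a superset) to a constructed copy of the `drink` table, and, as the hypothetical alternative to one NOTICE per filtered tuple, summarises the denials into one line per distinct (scontext, tcontext, tclass, relid). It assumes single-level contexts as in the session; the `count=` field and the row OIDs for the visible tuples are assumptions.

```python
from collections import Counter

def parse_mls(level: str):
    """'s0:c0,c2.c4' -> (0, {0, 2, 3, 4}); 's0' -> (0, set())."""
    sens, _, cats = level.partition(":")
    catset = set()
    for part in filter(None, cats.split(",")):   # 'c0' or 'c2.c4' (a range)
        lo, _, hi = part.partition(".")
        lo_n, hi_n = int(lo[1:]), int((hi or lo)[1:])
        catset.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), catset

def dominates(subject_level: str, object_level: str) -> bool:
    """MLS dominance for a read: higher-or-equal sensitivity and superset of categories."""
    s_sens, s_cats = parse_mls(subject_level)
    o_sens, o_cats = parse_mls(object_level)
    return s_sens >= o_sens and s_cats >= o_cats

def mls_of(context: str) -> str:
    """MLS field of 'user:role:type:level'; the level itself may contain ':' (s0:c0)."""
    return context.split(":", 3)[3]

# Constructed from the mail's drink table: (oid, tuple context, row). The three
# alcohol/cofee rows carry the s0:c0 label that the s0 session cannot read.
T_S0, T_S0C0 = "system_u:object_r:sepgsql_table_t:s0", "system_u:object_r:sepgsql_table_t:s0:c0"
RELID = 16482
ROWS = [(16487, T_S0, (1, "water", 100, False)), (16488, T_S0, (2, "coke", 120, False)),
        (16489, T_S0, (3, "juice", 130, False)), (16490, T_S0C0, (4, "cofee", 180, False)),
        (16491, T_S0C0, (5, "beer", 240, True)), (16492, T_S0C0, (6, "sake", 320, True))]
USER_S0 = "unconfined_u:unconfined_r:unconfined_t:s0"

def filter_rows(scontext, rows, relid):
    """Return the visible rows and a per-label denial count instead of per-tuple log lines."""
    visible, denied = [], Counter()
    for _oid, tcontext, data in rows:
        if dominates(mls_of(scontext), mls_of(tcontext)):
            visible.append(data)
        else:
            denied[(scontext, tcontext, "db_tuple", relid)] += 1
    return visible, denied

def summarise(denied):
    """One audit line per distinct (scontext, tcontext, tclass, relid); 'count=' is hypothetical."""
    return [f"SELinux: denied {{ select }} scontext={s} tcontext={t} tclass={c} "
            f"name=relid:{r} count={n}" for (s, t, c, r), n in sorted(denied.items())]

if __name__ == "__main__":
    rows, denied = filter_rows(USER_S0, ROWS, RELID)
    print("\n".join(summarise(denied)))
    print(rows)
```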