Re: (forw) [bruce@xxxxxxxxxx: [ANNOUNCE] Need help on possible PG 8.4 security features]

James Morris wrote:
> On Tue, 27 Jan 2009, KaiGai Kohei wrote:
>
>> It seems to me some of pgsql-hackers are concerned that security experts
>> don't join its review process (except for me :), so it is unclear
>> whether the SE-PostgreSQL feature is really desired, or not, and
>> whether its security design is really appropriate, or not.
>
> It's a pity you couldn't make it to LCA, as I had a question which I suspect only you could answer.
>
> One thing I noticed was the use of MCS for labels relating to external subjects, and the type field being used apparently for internal purposes.
>
> Is this correct?
>
> (From memory, the type field of some rows was along the lines of
> fixed_table_t, presumably for internal db use).

There is no specific discrimination like internal/external.
SE-PostgreSQL simply assigns a default security context based
on type_transition rules, or inherits the upper class object's.

In the LCA example, I assigned sepgsql_fixed_table_t on the
"drink" table, so newly inserted tuples also inherit it.

> Can the entire security context be specified and utilized for the data itself? e.g. Can data be inserted into the db with the label "system_u:object_r:shadow_t", corresponding exactly to the filesystem label of the file it came from?

Please consider the following case.
 1. App-X reads /etc/shadow (system_u:object_r:shadow_t)
 2. App-X creates a file /tmp/aaa
 3. App-X writes the buffered data into /tmp/aaa
In this case, /tmp/aaa will be labeled as "tmp_t".

 1'. App-X reads /etc/shadow (system_u:object_r:shadow_t)
 2'. App-X inserts a row with the buffered data.
In this case, I don't think it should be labeled as "shadow_t".
The newly inserted row is labeled based on TYPE_TRANSITION, or
inherits its table's context.
(Maybe "sepgsql_table_t" by default)

Thanks,
--
KaiGai Kohei <kaigai@xxxxxxxxxxxx>
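The labeling behaviour KaiGai describes above (a new row takes its type from a matching type_transition rule, otherwise it inherits its table's context, and the label of data the application read earlier plays no part) can be replayed in a small model. The following is an added illustration written for this archive page; it is not SE-PostgreSQL or libselinux code. Every type name, transition rule and allow rule in it is constructed, including the hypothetical app_x_t subject type and app_x_tuple_t transition target; the only contexts taken from the thread are shadow_t, tmp_t, sepgsql_table_t and sepgsql_fixed_table_t.

```python
"""Simplified model of how a new SELinux-labelled object (a file, or an
SE-PostgreSQL table row) gets its security context.

Written as an illustration for this thread; not SE-PostgreSQL or libselinux
code. All rule names, subject types and contexts below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    """A security context user:role:type:range (range = MLS/MCS level)."""
    user: str
    role: str
    type: str
    range: str = "s0"

    def __str__(self) -> str:
        return f"{self.user}:{self.role}:{self.type}:{self.range}"


def parse_context(text: str) -> Context:
    """Parse 'user:role:type[:range]' into a Context."""
    parts = text.split(":")
    if len(parts) == 3:
        return Context(parts[0], parts[1], parts[2])
    if len(parts) == 4:
        return Context(parts[0], parts[1], parts[2], parts[3])
    raise ValueError(f"malformed security context: {text!r}")


# Constructed type_transition rules (hypothetical types):
#   (subject type, parent object type, object class) -> type of the new object
TYPE_TRANSITIONS = {
    ("app_x_t", "sepgsql_table_t", "db_tuple"): "app_x_tuple_t",
}


def label_new_object(subject: Context, parent: Context, obj_class: str) -> Context:
    """Compute the context of a newly created object.

    The type comes from a matching type_transition rule when one exists and
    otherwise is inherited from the parent (the directory for a file, the
    table for a row). The label of whatever data the subject read earlier is
    never consulted: that is the point made for the /etc/shadow example.
    """
    key = (subject.type, parent.type, obj_class)
    new_type = TYPE_TRANSITIONS.get(key, parent.type)
    return Context(parent.user, "object_r", new_type, parent.range)


# Constructed allow rules: (subject type, object type, class, permission).
# Under SELinux the flow of shadow_t data into other objects is governed by
# access checks on the subject like these, not by propagating the data's label.
ALLOW = {
    ("app_x_t", "tmp_t", "file", "write"),
    ("app_x_t", "sepgsql_fixed_table_t", "db_tuple", "insert"),
}


def is_allowed(subject: Context, obj: Context, obj_class: str, perm: str) -> bool:
    """Return True if the constructed policy grants perm on obj to subject."""
    return (subject.type, obj.type, obj_class, perm) in ALLOW


def thread_scenarios() -> dict:
    """Replay the cases from the thread and return the resulting types."""
    app_x = parse_context("system_u:system_r:app_x_t:s0")      # hypothetical
    shadow = parse_context("system_u:object_r:shadow_t:s0")

    # Steps 2-3: App-X creates /tmp/aaa; /tmp is tmp_t, no rule matches -> tmp_t
    tmp_dir = parse_context("system_u:object_r:tmp_t:s0")
    tmp_file = label_new_object(app_x, tmp_dir, "file")

    # Step 2': App-X inserts a row into the "drink" table, which carries
    # sepgsql_fixed_table_t in the LCA example -> the row inherits that type
    drink_table = parse_context("system_u:object_r:sepgsql_fixed_table_t:s0")
    drink_row = label_new_object(app_x, drink_table, "db_tuple")

    # A table covered by a type_transition rule yields the rule's type instead
    generic_table = parse_context("system_u:object_r:sepgsql_table_t:s0")
    generic_row = label_new_object(app_x, generic_table, "db_tuple")

    return {
        "tmp_file": tmp_file.type,
        "drink_row": drink_row.type,
        "generic_row": generic_row.type,
        "app_x_may_read_shadow": is_allowed(app_x, shadow, "file", "read"),
        "shadow_label_propagated": shadow.type in {tmp_file.type, drink_row.type},
    }


if __name__ == "__main__":
    for name, value in thread_scenarios().items():
        print(f"{name}: {value}")
```

The model makes the design consequence explicit: because the row's label is derived from the table (or a transition rule) rather than from the source of its bytes, protecting shadow_t data is a matter of what the policy lets app_x_t read and where it lets it write, which is exactly what the is_allowed check stands in for.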
