Re: postgresql policy

Ted,

Any chance that module will be released under the PostgreSQL license
(BSD-like)?  We'd certainly like to see what those are doing and I do
wonder if we could use the hooks instead, if the SELinux community feels
that's a worthwhile approach.

Thanks!

* Ted Toth (txtoth@xxxxxxxxx) wrote:
> Sorry these are in a module I've developed.
> 
> Ted
> 
> On Thu, May 28, 2015 at 2:28 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> > On 05/28/2015 03:10 PM, Ted Toth wrote:
> >> Unfortunately it is the latter. Here's an example of what you can do:
> >>
> >> CREATE TABLE reports (
> >>     id integer NOT NULL,
> >>     report json,
> >>     message_id integer NOT NULL,
> >>     location geometry(Point),
> >>     security_label text DEFAULT sepostgres_getpeercon()
> >> );
> >>
> >> CREATE POLICY
> >>   check_report_insert_selinux ON reports FOR INSERT
> >>   WITH CHECK (sepostgres_check_row_perm(reports.security_label,
> >> sepostgres_getpeercon(), 'insert'));
> >>
> >> CREATE POLICY
> >>   check_report_delete_selinux ON reports FOR DELETE
> >>   USING (sepostgres_check_row_perm(reports.security_label,
> >> sepostgres_getpeercon(), 'delete'));
> >>
> >> CREATE POLICY
> >>   check_report_update_selinux ON reports FOR UPDATE
> >>   USING (sepostgres_check_row_perm(reports.security_label,
> >> sepostgres_getpeercon(), 'update'))
> >>   WITH CHECK (sepostgres_check_row_perm(reports.security_label,
> >> sepostgres_getpeercon(), 'update'));
> >>
> >> CREATE POLICY
> >>   check_report_select_selinux ON reports FOR SELECT
> >>   USING (sepostgres_check_row_perm(sepostgres_getpeercon(),
> >> reports.security_label, 'select'));
> >>
> >> I'm hoping that between DAC, postgresql DAC, selinux policy and RLS
> >> policy we can get something that's secure enough for our purposes.
> >
> > Pardon my ignorance, but are the sepostgres_*() functions something you
> > have implemented or something in the existing sepgsl or postgres code?
> _______________________________________________
> Selinux mailing list
> Selinux@xxxxxxxxxxxxx
> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
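A self-contained sketch of the row-labelling pattern in the quoted thread, added here as an example rather than code from the thread or from Ted's module. The two sepostgres_* functions below are plpgsql/SQL stand-ins so the script runs on plain PostgreSQL 9.5+ without SELinux: the "peer context" is derived from the session role, and the permission rule is a constructed one (a subject may act on rows carrying its own label; the 'role:auditor' subject may additionally select any row). One fixed (subject, object, perm) argument order is assumed throughout, since the quoted SELECT policy reverses the first two arguments relative to the other three. The ENABLE/FORCE statements are the part the quoted snippet omits: policies have no effect until RLS is enabled on the table, and the table owner is exempt unless it is forced.

```sql
-- Stand-in for sepostgres_getpeercon(): on a real system this returns the SELinux
-- context of the connected peer; here (constructed) it derives a label from the
-- session role so the script runs without SELinux.
CREATE FUNCTION sepostgres_getpeercon() RETURNS text
LANGUAGE sql STABLE AS $$ SELECT 'role:' || current_user $$;

-- Stand-in for sepostgres_check_row_perm(subject, object, perm), one fixed argument
-- order. Constructed rule: full access to rows carrying the subject's own label,
-- plus read-only access to every row for the 'role:auditor' subject.
CREATE FUNCTION sepostgres_check_row_perm(scon text, tcon text, perm text)
RETURNS boolean LANGUAGE sql STABLE AS $$
    SELECT scon = tcon OR (scon = 'role:auditor' AND perm = 'select')
$$;

-- Each row is stamped with the inserter's label unless one is given explicitly.
CREATE TABLE reports (
    id             serial  PRIMARY KEY,
    report         json,
    message_id     integer NOT NULL,
    security_label text    NOT NULL DEFAULT sepostgres_getpeercon()
);

-- USING filters rows a statement may see/touch; WITH CHECK vets rows it produces.
CREATE POLICY check_report_select_selinux ON reports FOR SELECT
    USING (sepostgres_check_row_perm(sepostgres_getpeercon(), security_label, 'select'));

CREATE POLICY check_report_insert_selinux ON reports FOR INSERT
    WITH CHECK (sepostgres_check_row_perm(sepostgres_getpeercon(), security_label, 'insert'));

CREATE POLICY check_report_update_selinux ON reports FOR UPDATE
    USING (sepostgres_check_row_perm(sepostgres_getpeercon(), security_label, 'update'))
    WITH CHECK (sepostgres_check_row_perm(sepostgres_getpeercon(), security_label, 'update'));

CREATE POLICY check_report_delete_selinux ON reports FOR DELETE
    USING (sepostgres_check_row_perm(sepostgres_getpeercon(), security_label, 'delete'));

-- Policies are inert until RLS is enabled. FORCE also applies them to the table
-- owner; superusers and roles with BYPASSRLS still bypass them regardless.
ALTER TABLE reports ENABLE ROW LEVEL SECURITY;
ALTER TABLE reports FORCE ROW LEVEL SECURITY;

-- Confirm what the catalog actually enforces.
SELECT policyname, cmd, qual, with_check
  FROM pg_policies
 WHERE tablename = 'reports';
```

With the constructed rule, an INSERT that omits security_label passes the WITH CHECK because the default stamps the row with the inserter's own label, while an INSERT that supplies some other role's label is rejected, so the WITH CHECK is what stops a session from writing rows under a label it does not hold. To exercise it, connect as two different roles (one of them named auditor), insert a row from each, and compare what `SELECT * FROM reports` returns under each role.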

