Re: postgresql policy

Absolutely, I'll share it when I'm happy with it.

Ted

On Thu, May 28, 2015 at 2:41 PM, Stephen Frost <sfrost@xxxxxxxxxxx> wrote:
> Ted,
>
> Any chance that module will be released under the PostgreSQL license
> (BSD-like)?  We'd certainly like to see what those are doing and I do
> wonder if we could use the hooks instead, if the SELinux community feels
> that's a worthwhile approach.
>
> Thanks!
>
> * Ted Toth (txtoth@xxxxxxxxx) wrote:
>> Sorry these are in a module I've developed.
>>
>> Ted
>>
>> On Thu, May 28, 2015 at 2:28 PM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
>> > On 05/28/2015 03:10 PM, Ted Toth wrote:
>> >> Unfortunately it is the latter. Here's an example of what you can do:
>> >>
>> >> CREATE TABLE reports (
>> >>     id integer NOT NULL,
>> >>     report json,
>> >>     message_id integer NOT NULL,
>> >>     location geometry(Point),
>> >>     security_label text DEFAULT sepostgres_getpeercon()
>> >> );
>> >>
>> >> CREATE POLICY
>> >>   check_report_insert_selinux ON reports FOR INSERT
>> >>   WITH CHECK (sepostgres_check_row_perm(reports.security_label,
>> >> sepostgres_getpeercon(), 'insert'));
>> >>
>> >> CREATE POLICY
>> >>   check_report_delete_selinux ON reports FOR DELETE
>> >>   USING (sepostgres_check_row_perm(reports.security_label,
>> >> sepostgres_getpeercon(), 'delete'));
>> >>
>> >> CREATE POLICY
>> >>   check_report_update_selinux ON reports FOR UPDATE
>> >>   USING (sepostgres_check_row_perm(reports.security_label,
>> >> sepostgres_getpeercon(), 'update'))
>> >>   WITH CHECK (sepostgres_check_row_perm(reports.security_label,
>> >> sepostgres_getpeercon(), 'update'));
>> >>
>> >> CREATE POLICY
>> >>   check_report_select_selinux ON reports FOR SELECT
>> >>   USING (sepostgres_check_row_perm(sepostgres_getpeercon(),
>> >> reports.security_label, 'select'));
>> >>
>> >> I'm hoping that between DAC, postgresql DAC, selinux policy and RLS
>> >> policy we can get something that's secure enough for our purposes.
>> >
>> > Pardon my ignorance, but are the sepostgres_*() functions something you
>> > have implemented or something in the existing sepgsql or postgres code?
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
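
As an added, self-contained example (not code from this thread or from Ted's module), here are the same four policies wired up on a table so that they can be tried on a stock PostgreSQL 9.6 or later without SELinux. The sepostgres_* functions do not appear on the page, so demo_getpeercon() and demo_check_row_perm() are stand-ins: the first reads the peer context from a session setting, the second compares only the sensitivity field (s0, s1, ...) of two contexts, which is a toy rule and not SELinux's access-vector semantics. In a real deployment the label has to come from the connection (the bundled sepgsql contrib module exposes it as sepgsql_getcon()); a label the client can set itself protects nothing. The example also adds the two ALTER TABLE statements without which CREATE POLICY has no effect, and uses one argument order (row label, peer label, permission) in all four policies, whereas the SELECT policy quoted above passes the first two the other way round; whether that matters depends on the module's signature. The location column is text here because geometry(Point) needs PostGIS.

```sql
-- Stand-in for the module's peer-context lookup. It reads a session setting so
-- the demo runs anywhere; that also means the client chooses its own label,
-- which is exactly what a real deployment must not allow.
CREATE FUNCTION demo_getpeercon() RETURNS text
LANGUAGE sql STABLE AS $$
  SELECT coalesce(nullif(current_setting('demo.peercon', true), ''),
                  'unconfined_u:unconfined_r:unconfined_t:s0')
$$;

-- Toy permission check (assumption, not SELinux semantics): compare the
-- sensitivity field of the two contexts. Reads are allowed downward, writes
-- only at the peer's own level. Argument order: row label, peer label, perm.
CREATE FUNCTION demo_check_row_perm(row_label text, peer_label text, perm text)
RETURNS boolean LANGUAGE plpgsql STABLE AS $$
DECLARE
  row_lvl  int := substr(split_part(row_label,  ':', 4), 2)::int;
  peer_lvl int := substr(split_part(peer_label, ':', 4), 2)::int;
BEGIN
  IF perm = 'select' THEN
    RETURN peer_lvl >= row_lvl;
  ELSIF perm IN ('insert', 'update', 'delete') THEN
    RETURN peer_lvl = row_lvl;
  END IF;
  RETURN false;
END
$$;

CREATE TABLE reports (
    id             serial PRIMARY KEY,
    report         json,
    message_id     integer NOT NULL,
    location       text,                       -- geometry(Point) in the original
    security_label text NOT NULL DEFAULT demo_getpeercon()
);

CREATE POLICY check_report_insert_selinux ON reports FOR INSERT
  WITH CHECK (demo_check_row_perm(security_label, demo_getpeercon(), 'insert'));

CREATE POLICY check_report_delete_selinux ON reports FOR DELETE
  USING (demo_check_row_perm(security_label, demo_getpeercon(), 'delete'));

CREATE POLICY check_report_update_selinux ON reports FOR UPDATE
  USING (demo_check_row_perm(security_label, demo_getpeercon(), 'update'))
  WITH CHECK (demo_check_row_perm(security_label, demo_getpeercon(), 'update'));

CREATE POLICY check_report_select_selinux ON reports FOR SELECT
  USING (demo_check_row_perm(security_label, demo_getpeercon(), 'select'));

-- Without these the policies above are inert: RLS is off per table by default,
-- and the table owner bypasses it unless FORCEd. Superusers and roles with
-- BYPASSRLS always bypass it, so run the rest as an ordinary role.
ALTER TABLE reports ENABLE ROW LEVEL SECURITY;
ALTER TABLE reports FORCE ROW LEVEL SECURITY;

-- Constructed walk-through (labels are made up for the demo).
SET demo.peercon = 'system_u:system_r:sensor_t:s1';
INSERT INTO reports (report, message_id) VALUES ('{"k":1}', 1);  -- labelled s1 by DEFAULT

SET demo.peercon = 'system_u:system_r:sensor_t:s0';
INSERT INTO reports (report, message_id) VALUES ('{"k":2}', 2);  -- labelled s0

-- The DEFAULT is only a convenience; a client may supply any label it likes.
-- The INSERT policy's WITH CHECK is what refuses a label the peer may not write:
--   INSERT INTO reports (report, message_id, security_label)
--     VALUES ('{"k":3}', 3, 'system_u:system_r:sensor_t:s1');
--   ERROR:  new row violates row-level security policy for table "reports"

SELECT id, message_id, security_label FROM reports;  -- s0 peer: only the s0 row
UPDATE reports SET message_id = 99 WHERE id = 1;     -- s1 row fails USING: UPDATE 0

SET demo.peercon = 'system_u:system_r:sensor_t:s1';
SELECT id, message_id, security_label FROM reports;  -- s1 peer reads down: both rows
DELETE FROM reports WHERE id = 2;                    -- visible, but not writable at s1: DELETE 0
```

The two behaviours worth checking in any RLS setup of this kind are the ones at the end: a row that is visible through the SELECT policy can still be untouchable through the UPDATE or DELETE policy, and an explicit security_label in an INSERT is accepted only if the WITH CHECK expression says so, never because of the column default.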
