Baoding-FenShuaJiang
/
Green_GoodERP18_FSJ_Standard
Seguir 1
Destacar 0
Wiki 捐赠
gooderp18绿色标准版
No puede seleccionar más de 25 temas Los temas deben comenzar con una letra o número, pueden incluir guiones ('-') y pueden tener hasta 35 caracteres de largo.
Árbol: 0f75e31513
Ramas Etiquetas
${ item.name }
Crear rama ${ searchTerm }
desde '0f75e31513'
${ noResults }
Green_GoodERP18_FSJ_Standard/PostgreSQL/doc/postgresql/html/sepgsql.html

490 líneas
34KB
Original Blame Histórico 

  1. <?xml version="1.0" encoding="UTF-8" standalone="no"?>

  2. <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>F.35. sepgsql</title><link rel="stylesheet" type="text/css" href="stylesheet.css" /><link rev="made" href="pgsql-docs@lists.postgresql.org" /><meta name="generator" content="DocBook XSL Stylesheets V1.79.1" /><link rel="prev" href="seg.html" title="F.34. seg" /><link rel="next" href="contrib-spi.html" title="F.36. spi" /></head><body><div xmlns="http://www.w3.org/TR/xhtml1/transitional" class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="5" align="center">F.35. sepgsql</th></tr><tr><td width="10%" align="left"><a accesskey="p" href="seg.html" title="F.34. seg">Prev</a> </td><td width="10%" align="left"><a accesskey="u" href="contrib.html" title="Appendix F. Additional Supplied Modules">Up</a></td><th width="60%" align="center">Appendix F. Additional Supplied Modules</th><td width="10%" align="right"><a accesskey="h" href="index.html" title="PostgreSQL 12.4 Documentation">Home</a></td><td width="10%" align="right"> <a accesskey="n" href="contrib-spi.html" title="F.36. spi">Next</a></td></tr></table><hr></hr></div><div class="sect1" id="SEPGSQL"><div class="titlepage"><div><div><h2 class="title" style="clear: both">F.35. sepgsql</h2></div></div></div><div class="toc"><dl class="toc"><dt><span class="sect2"><a href="sepgsql.html#SEPGSQL-OVERVIEW">F.35.1. Overview</a></span></dt><dt><span class="sect2"><a href="sepgsql.html#SEPGSQL-INSTALLATION">F.35.2. Installation</a></span></dt><dt><span class="sect2"><a href="sepgsql.html#SEPGSQL-REGRESSION">F.35.3. Regression Tests</a></span></dt><dt><span class="sect2"><a href="sepgsql.html#SEPGSQL-PARAMETERS">F.35.4. GUC Parameters</a></span></dt><dt><span class="sect2"><a href="sepgsql.html#SEPGSQL-FEATURES">F.35.5. Features</a></span></dt><dt><span class="sect2"><a href="sepgsql.html#SEPGSQL-FUNCTIONS">F.35.6. Sepgsql Functions</a></span></dt><dt><span class="sect2"><a href="sepgsql.html#SEPGSQL-LIMITATIONS">F.35.7. Limitations</a></span></dt><dt><span class="sect2"><a href="sepgsql.html#SEPGSQL-RESOURCES">F.35.8. External Resources</a></span></dt><dt><span class="sect2"><a href="sepgsql.html#SEPGSQL-AUTHOR">F.35.9. Author</a></span></dt></dl></div><a id="id-1.11.7.44.2" class="indexterm"></a><p>

  3.   <code class="filename">sepgsql</code> is a loadable module that supports label-based

  4.   mandatory access control (MAC) based on <span class="productname">SELinux</span> security

  5.   policy.

  6.  </p><div class="warning"><h3 class="title">Warning</h3><p>

  7.      The current implementation has significant limitations, and does not

  8.      enforce mandatory access control for all actions.  See

  9.      <a class="xref" href="sepgsql.html#SEPGSQL-LIMITATIONS" title="F.35.7. Limitations">Section F.35.7</a>.

  10.    </p></div><div class="sect2" id="SEPGSQL-OVERVIEW"><div class="titlepage"><div><div><h3 class="title">F.35.1. Overview</h3></div></div></div><p>

  11.    This module integrates with <span class="productname">SELinux</span> to provide an

  12.    additional layer of security checking above and beyond what is normally

  13.    provided by <span class="productname">PostgreSQL</span>.  From the perspective of

  14.    <span class="productname">SELinux</span>, this module allows

  15.    <span class="productname">PostgreSQL</span> to function as a user-space object

  16.    manager.  Each table or function access initiated by a DML query will be

  17.    checked against the system security policy.  This check is in addition to

  18.    the usual SQL permissions checking performed by

  19.    <span class="productname">PostgreSQL</span>.

  20.   </p><p>

  21.    <span class="productname">SELinux</span> access control decisions are made using

  22.    security labels, which are represented by strings such as

  23.    <code class="literal">system_u:object_r:sepgsql_table_t:s0</code>.  Each access control

  24.    decision involves two labels: the label of the subject attempting to

  25.    perform the action, and the label of the object on which the operation is

  26.    to be performed.  Since these labels can be applied to any sort of object,

  27.    access control decisions for objects stored within the database can be

  28.    (and, with this module, are) subjected to the same general criteria used

  29.    for objects of any other type, such as files.  This design is intended to

  30.    allow a centralized security policy to protect information assets

  31.    independent of the particulars of how those assets are stored.

  32.   </p><p>

  33.    The <a class="xref" href="sql-security-label.html" title="SECURITY LABEL"><span class="refentrytitle">SECURITY LABEL</span></a> statement allows assignment of

  34.    a security label to a database object.

  35.   </p></div><div class="sect2" id="SEPGSQL-INSTALLATION"><div class="titlepage"><div><div><h3 class="title">F.35.2. Installation</h3></div></div></div><p>

  36.     <code class="filename">sepgsql</code> can only be used on <span class="productname">Linux</span>

  37.     2.6.28 or higher with <span class="productname">SELinux</span> enabled.

  38.     It is not available on any other platform.  You will also need

  39.     <span class="productname">libselinux</span> 2.1.10 or higher and

  40.     <span class="productname">selinux-policy</span> 3.9.13 or higher (although some

  41.     distributions may backport the necessary rules into older policy

  42.     versions).

  43.   </p><p>

  44.    The <code class="command">sestatus</code> command allows you to check the status of

  45.    <span class="productname">SELinux</span>.  A typical display is:

  46. </p><pre class="screen">

  47. $ sestatus

  48. SELinux status:                 enabled

  49. SELinuxfs mount:                /selinux

  50. Current mode:                   enforcing

  51. Mode from config file:          enforcing

  52. Policy version:                 24

  53. Policy from config file:        targeted

  54. </pre><p>

  55.    If <span class="productname">SELinux</span> is disabled or not installed, you must set

  56.    that product up first before installing this module.

  57.   </p><p>

  58.    To build this module, include the option <code class="literal">--with-selinux</code> in

  59.    your PostgreSQL <code class="literal">configure</code> command.  Be sure that the

  60.    <code class="filename">libselinux-devel</code> RPM is installed at build time.

  61.   </p><p>

  62.    To use this module, you must include <code class="literal">sepgsql</code>

  63.    in the <a class="xref" href="runtime-config-client.html#GUC-SHARED-PRELOAD-LIBRARIES">shared_preload_libraries</a> parameter in

  64.    <code class="filename">postgresql.conf</code>.  The module will not function correctly

  65.    if loaded in any other manner.  Once the module is loaded, you

  66.    should execute <code class="filename">sepgsql.sql</code> in each database.

  67.    This will install functions needed for security label management, and

  68.    assign initial security labels.

  69.   </p><p>

  70.    Here is an example showing how to initialize a fresh database cluster

  71.    with <code class="filename">sepgsql</code> functions and security labels installed.

  72.    Adjust the paths shown as appropriate for your installation:

  73.   </p><pre class="screen">

  74. $ export PGDATA=/path/to/data/directory

  75. $ initdb

  76. $ vi $PGDATA/postgresql.conf

  77.   change

  78.     #shared_preload_libraries = ''                # (change requires restart)

  79.   to

  80.     shared_preload_libraries = 'sepgsql'          # (change requires restart)

  81. $ for DBNAME in template0 template1 postgres; do

  82.     postgres --single -F -c exit_on_error=true $DBNAME \

  83.       &lt;/usr/local/pgsql/share/contrib/sepgsql.sql &gt;/dev/null

  84.   done

  85. </pre><p>

  86.    Please note that you may see some or all of the following notifications

  87.    depending on the particular versions you have of

  88.    <span class="productname">libselinux</span> and <span class="productname">selinux-policy</span>:

  89. </p><pre class="screen">

  90. /etc/selinux/targeted/contexts/sepgsql_contexts:  line 33 has invalid object type db_blobs

  91. /etc/selinux/targeted/contexts/sepgsql_contexts:  line 36 has invalid object type db_language

  92. /etc/selinux/targeted/contexts/sepgsql_contexts:  line 37 has invalid object type db_language

  93. /etc/selinux/targeted/contexts/sepgsql_contexts:  line 38 has invalid object type db_language

  94. /etc/selinux/targeted/contexts/sepgsql_contexts:  line 39 has invalid object type db_language

  95. /etc/selinux/targeted/contexts/sepgsql_contexts:  line 40 has invalid object type db_language

  96. </pre><p>

  97.    These messages are harmless and should be ignored.

  98.   </p><p>

  99.    If the installation process completes without error, you can now start the

  100.    server normally.

  101.   </p></div><div class="sect2" id="SEPGSQL-REGRESSION"><div class="titlepage"><div><div><h3 class="title">F.35.3. Regression Tests</h3></div></div></div><p>

  102.    Due to the nature of <span class="productname">SELinux</span>, running the

  103.    regression tests for <code class="filename">sepgsql</code> requires several extra

  104.    configuration steps, some of which must be done as root.

  105.    The regression tests will not be run by an ordinary

  106.    <code class="literal">make check</code> or <code class="literal">make installcheck</code> command; you must

  107.    set up the configuration and then invoke the test script manually.

  108.    The tests must be run in the <code class="filename">contrib/sepgsql</code> directory

  109.    of a configured PostgreSQL build tree.  Although they require a build tree,

  110.    the tests are designed to be executed against an installed server,

  111.    that is they are comparable to <code class="literal">make installcheck</code> not

  112.    <code class="literal">make check</code>.

  113.   </p><p>

  114.    First, set up <code class="filename">sepgsql</code> in a working database

  115.    according to the instructions in <a class="xref" href="sepgsql.html#SEPGSQL-INSTALLATION" title="F.35.2. Installation">Section F.35.2</a>.

  116.    Note that the current operating system user must be able to connect to the

  117.    database as superuser without password authentication.

  118.   </p><p>

  119.    Second, build and install the policy package for the regression test.

  120.    The <code class="filename">sepgsql-regtest</code> policy is a special purpose policy package

  121.    which provides a set of rules to be allowed during the regression tests.

  122.    It should be built from the policy source file

  123.    <code class="filename">sepgsql-regtest.te</code>, which is done using

  124.    <code class="command">make</code> with a Makefile supplied by SELinux.

  125.    You will need to locate the appropriate

  126.    Makefile on your system; the path shown below is only an example.

  127.    Once built, install this policy package using the

  128.    <code class="command">semodule</code> command, which loads supplied policy packages

  129.    into the kernel.  If the package is correctly installed,

  130.    <code class="literal"><code class="command">semodule</code> -l</code> should list <code class="literal">sepgsql-regtest</code> as an

  131.    available policy package:

  132.   </p><pre class="screen">

  133. $ cd .../contrib/sepgsql

  134. $ make -f /usr/share/selinux/devel/Makefile

  135. $ sudo semodule -u sepgsql-regtest.pp

  136. $ sudo semodule -l | grep sepgsql

  137. sepgsql-regtest 1.07

  138. </pre><p>

  139.    Third, turn on <code class="literal">sepgsql_regression_test_mode</code>.

  140.    For security reasons, the rules in <code class="filename">sepgsql-regtest</code>

  141.    are not enabled by default;

  142.    the <code class="literal">sepgsql_regression_test_mode</code> parameter enables

  143.    the rules needed to launch the regression tests.

  144.    It can be turned on using the <code class="command">setsebool</code> command:

  145.   </p><pre class="screen">

  146. $ sudo setsebool sepgsql_regression_test_mode on

  147. $ getsebool sepgsql_regression_test_mode

  148. sepgsql_regression_test_mode --&gt; on

  149. </pre><p>

  150.    Fourth, verify your shell is operating in the <code class="literal">unconfined_t</code>

  151.    domain:

  152.   </p><pre class="screen">

  153. $ id -Z

  154. unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

  155. </pre><p>

  156.    See <a class="xref" href="sepgsql.html#SEPGSQL-RESOURCES" title="F.35.8. External Resources">Section F.35.8</a> for details on adjusting your

  157.    working domain, if necessary.

  158.   </p><p>

  159.    Finally, run the regression test script:

  160.   </p><pre class="screen">

  161. $ ./test_sepgsql

  162. </pre><p>

  163.    This script will attempt to verify that you have done all the configuration

  164.    steps correctly, and then it will run the regression tests for the

  165.    <code class="filename">sepgsql</code> module.

  166.   </p><p>

  167.    After completing the tests, it's recommended you disable

  168.    the <code class="literal">sepgsql_regression_test_mode</code> parameter:

  169.   </p><pre class="screen">

  170. $ sudo setsebool sepgsql_regression_test_mode off

  171. </pre><p>

  172.    You might prefer to remove the <code class="filename">sepgsql-regtest</code> policy

  173.    entirely:

  174.   </p><pre class="screen">

  175. $ sudo semodule -r sepgsql-regtest

  176. </pre></div><div class="sect2" id="SEPGSQL-PARAMETERS"><div class="titlepage"><div><div><h3 class="title">F.35.4. GUC Parameters</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt id="GUC-SEPGSQL-PERMISSIVE"><span class="term">

  177.      <code class="varname">sepgsql.permissive</code> (<code class="type">boolean</code>)

  178.      <a id="id-1.11.7.44.8.2.1.1.3" class="indexterm"></a>

  179.     </span></dt><dd><p>

  180.       This parameter enables <code class="filename">sepgsql</code> to function

  181.       in permissive mode, regardless of the system setting.

  182.       The default is off.

  183.       This parameter can only be set in the <code class="filename">postgresql.conf</code>

  184.       file or on the server command line.

  185.      </p><p>

  186.       When this parameter is on, <code class="filename">sepgsql</code> functions

  187.       in permissive mode, even if SELinux in general is working in enforcing

  188.       mode.  This parameter is primarily useful for testing purposes.

  189.      </p></dd><dt id="GUC-SEPGSQL-DEBUG-AUDIT"><span class="term">

  190.      <code class="varname">sepgsql.debug_audit</code> (<code class="type">boolean</code>)

  191.      <a id="id-1.11.7.44.8.2.2.1.3" class="indexterm"></a>

  192.     </span></dt><dd><p>

  193.       This parameter enables the printing of audit messages regardless of

  194.       the system policy settings.

  195.       The default is off, which means that messages will be printed according

  196.       to the system settings.

  197.      </p><p>

  198.       The security policy of <span class="productname">SELinux</span> also has rules to

  199.       control whether or not particular accesses are logged.

  200.       By default, access violations are logged, but allowed

  201.       accesses are not.

  202.      </p><p>

  203.       This parameter forces all possible logging to be turned on, regardless

  204.       of the system policy.

  205.      </p></dd></dl></div></div><div class="sect2" id="SEPGSQL-FEATURES"><div class="titlepage"><div><div><h3 class="title">F.35.5. Features</h3></div></div></div><div class="sect3" id="id-1.11.7.44.9.2"><div class="titlepage"><div><div><h4 class="title">F.35.5.1. Controlled Object Classes</h4></div></div></div><p>

  206.     The security model of <span class="productname">SELinux</span> describes all the access

  207.     control rules as relationships between a subject entity (typically,

  208.     a client of the database) and an object entity (such as a database

  209.     object), each of which is

  210.     identified by a security label.  If access to an unlabeled object is

  211.     attempted, the object is treated as if it were assigned the label

  212.     <code class="literal">unlabeled_t</code>.

  213.    </p><p>

  214.     Currently, <code class="filename">sepgsql</code> allows security labels to be

  215.     assigned to schemas, tables, columns, sequences, views, and functions.

  216.     When <code class="filename">sepgsql</code> is in use, security labels are

  217.     automatically assigned to supported database objects at creation time.

  218.     This label is called a default security label, and is decided according

  219.     to the system security policy, which takes as input the creator's label,

  220.     the label assigned to the new object's parent object and optionally name

  221.     of the constructed object.

  222.    </p><p>

  223.     A new database object basically inherits the security label of the parent

  224.     object, except when the security policy has special rules known as

  225.     type-transition rules, in which case a different label may be applied.

  226.     For schemas, the parent object is the current database; for tables,

  227.     sequences, views, and functions, it is the containing schema; for columns,

  228.     it is the containing table.

  229.    </p></div><div class="sect3" id="id-1.11.7.44.9.3"><div class="titlepage"><div><div><h4 class="title">F.35.5.2. DML Permissions</h4></div></div></div><p>

  230.     For tables, <code class="literal">db_table:select</code>, <code class="literal">db_table:insert</code>,

  231.     <code class="literal">db_table:update</code> or <code class="literal">db_table:delete</code> are

  232.     checked for all the referenced target tables depending on the kind of

  233.     statement; in addition, <code class="literal">db_table:select</code> is also checked for

  234.     all the tables that contain columns referenced in the

  235.     <code class="literal">WHERE</code> or <code class="literal">RETURNING</code> clause, as a data source

  236.     for <code class="literal">UPDATE</code>, and so on.

  237.    </p><p>

  238.     Column-level permissions will also be checked for each referenced column.

  239.     <code class="literal">db_column:select</code> is checked on not only the columns being

  240.     read using <code class="literal">SELECT</code>, but those being referenced in other DML

  241.     statements; <code class="literal">db_column:update</code> or <code class="literal">db_column:insert</code>

  242.     will also be checked for columns being modified by <code class="literal">UPDATE</code> or

  243.     <code class="literal">INSERT</code>.

  244.    </p><p>

  245.    For example, consider:

  246. </p><pre class="synopsis">

  247. UPDATE t1 SET x = 2, y = func1(y) WHERE z = 100;

  248. </pre><p>

  249. 

  250.     Here, <code class="literal">db_column:update</code> will be checked for

  251.     <code class="literal">t1.x</code>, since it is being updated,

  252.     <code class="literal">db_column:{select update}</code> will be checked for

  253.     <code class="literal">t1.y</code>, since it is both updated and referenced, and

  254.     <code class="literal">db_column:select</code> will be checked for <code class="literal">t1.z</code>, since

  255.     it is only referenced.

  256.     <code class="literal">db_table:{select update}</code> will also be checked

  257.     at the table level.

  258.    </p><p>

  259.     For sequences, <code class="literal">db_sequence:get_value</code> is checked when we

  260.     reference a sequence object using <code class="literal">SELECT</code>; however, note that we

  261.     do not currently check permissions on execution of corresponding functions

  262.     such as <code class="literal">lastval()</code>.

  263.    </p><p>

  264.     For views, <code class="literal">db_view:expand</code> will be checked, then any other

  265.     required permissions will be checked on the objects being

  266.     expanded from the view, individually.

  267.    </p><p>

  268.     For functions, <code class="literal">db_procedure:{execute}</code> will be checked when

  269.     user tries to execute a function as a part of query, or using fast-path

  270.     invocation. If this function is a trusted procedure, it also checks

  271.     <code class="literal">db_procedure:{entrypoint}</code> permission to check whether it

  272.     can perform as entry point of trusted procedure.

  273.    </p><p>

  274.     In order to access any schema object, <code class="literal">db_schema:search</code>

  275.     permission is required on the containing schema.  When an object is

  276.     referenced without schema qualification, schemas on which this

  277.     permission is not present will not be searched (just as if the user did

  278.     not have <code class="literal">USAGE</code> privilege on the schema).  If an explicit schema

  279.     qualification is present, an error will occur if the user does not have

  280.     the requisite permission on the named schema.

  281.    </p><p>

  282.     The client must be allowed to access all referenced tables and

  283.     columns, even if they originated from views which were then expanded,

  284.     so that we apply consistent access control rules independent of the manner

  285.     in which the table contents are referenced.

  286.    </p><p>

  287.     The default database privilege system allows database superusers to

  288.     modify system catalogs using DML commands, and reference or modify

  289.     toast tables.  These operations are prohibited when

  290.     <code class="filename">sepgsql</code> is enabled.

  291.    </p></div><div class="sect3" id="id-1.11.7.44.9.4"><div class="titlepage"><div><div><h4 class="title">F.35.5.3. DDL Permissions</h4></div></div></div><p>

  292.     <span class="productname">SELinux</span> defines several permissions to control common

  293.     operations for each object type; such as creation, alter, drop and

  294.     relabel of security label. In addition, several object types have

  295.     special permissions to control their characteristic operations; such as

  296.     addition or deletion of name entries within a particular schema.

  297.    </p><p>

  298.     Creating a new database object requires <code class="literal">create</code> permission.

  299.     <span class="productname">SELinux</span> will grant or deny this permission based on the

  300.     client's security label and the proposed security label for the new

  301.     object.  In some cases, additional privileges are required:

  302.    </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>

  303.       <a class="xref" href="sql-createdatabase.html" title="CREATE DATABASE"><span class="refentrytitle">CREATE DATABASE</span></a> additionally requires

  304.       <code class="literal">getattr</code> permission for the source or template database.

  305.      </p></li><li class="listitem"><p>

  306.       Creating a schema object additionally requires <code class="literal">add_name</code>

  307.       permission on the parent schema.

  308.      </p></li><li class="listitem"><p>

  309.       Creating a table additionally requires permission to create each

  310.       individual table column, just as if each table column were a

  311.       separate top-level object.

  312.      </p></li><li class="listitem"><p>

  313.       Creating a function marked as <code class="literal">LEAKPROOF</code> additionally

  314.       requires <code class="literal">install</code> permission.  (This permission is also

  315.       checked when <code class="literal">LEAKPROOF</code> is set for an existing function.)

  316.      </p></li></ul></div><p>

  317.     When <code class="literal">DROP</code> command is executed, <code class="literal">drop</code> will be

  318.     checked on the object being removed.  Permissions will be also checked for

  319.     objects dropped indirectly via <code class="literal">CASCADE</code>.  Deletion of objects

  320.     contained within a particular schema (tables, views, sequences and

  321.     procedures) additionally requires <code class="literal">remove_name</code> on the schema.

  322.    </p><p>

  323.     When <code class="literal">ALTER</code> command is executed, <code class="literal">setattr</code> will be

  324.     checked on the object being modified for each object types, except for

  325.     subsidiary objects such as the indexes or triggers of a table, where

  326.     permissions are instead checked on the parent object.  In some cases,

  327.     additional permissions are required:

  328.    </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>

  329.       Moving an object to a new schema additionally requires

  330.       <code class="literal">remove_name</code> permission on the old schema and

  331.       <code class="literal">add_name</code> permission on the new one.

  332.      </p></li><li class="listitem"><p>

  333.       Setting the <code class="literal">LEAKPROOF</code> attribute on a function requires

  334.       <code class="literal">install</code> permission.

  335.      </p></li><li class="listitem"><p>

  336.       Using <a class="xref" href="sql-security-label.html" title="SECURITY LABEL"><span class="refentrytitle">SECURITY LABEL</span></a> on an object additionally

  337.       requires <code class="literal">relabelfrom</code> permission for the object in

  338.       conjunction with its old security label and <code class="literal">relabelto</code>

  339.       permission for the object in conjunction with its new security label.

  340.       (In cases where multiple label providers are installed and the user

  341.       tries to set a security label, but it is not managed by

  342.       <span class="productname">SELinux</span>, only <code class="literal">setattr</code> should be checked here.

  343.       This is currently not done due to implementation restrictions.)

  344.      </p></li></ul></div></div><div class="sect3" id="id-1.11.7.44.9.5"><div class="titlepage"><div><div><h4 class="title">F.35.5.4. Trusted Procedures</h4></div></div></div><p>

  345.     Trusted procedures are similar to security definer functions or setuid

  346.     commands. <span class="productname">SELinux</span> provides a feature to allow trusted

  347.     code to run using a security label different from that of the client,

  348.     generally for the purpose of providing highly controlled access to

  349.     sensitive data (e.g. rows might be omitted, or the precision of stored

  350.     values might be reduced).  Whether or not a function acts as a trusted

  351.     procedure is controlled by its security label and the operating system

  352.     security policy.  For example:

  353.    </p><pre class="screen">

  354. postgres=# CREATE TABLE customer (

  355.                cid     int primary key,

  356.                cname   text,

  357.                credit  text

  358.            );

  359. CREATE TABLE

  360. postgres=# SECURITY LABEL ON COLUMN customer.credit

  361.                IS 'system_u:object_r:sepgsql_secret_table_t:s0';

  362. SECURITY LABEL

  363. postgres=# CREATE FUNCTION show_credit(int) RETURNS text

  364.              AS 'SELECT regexp_replace(credit, ''-[0-9]+$'', ''-xxxx'', ''g'')

  365.                         FROM customer WHERE cid = $1'

  366.            LANGUAGE sql;

  367. CREATE FUNCTION

  368. postgres=# SECURITY LABEL ON FUNCTION show_credit(int)

  369.                IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';

  370. SECURITY LABEL

  371. </pre><p>

  372.     The above operations should be performed by an administrative user.

  373.    </p><pre class="screen">

  374. postgres=# SELECT * FROM customer;

  375. ERROR:  SELinux: security policy violation

  376. postgres=# SELECT cid, cname, show_credit(cid) FROM customer;

  377.  cid | cname  |     show_credit

  378. -----+--------+---------------------

  379.    1 | taro   | 1111-2222-3333-xxxx

  380.    2 | hanako | 5555-6666-7777-xxxx

  381. (2 rows)

  382. </pre><p>

  383.     In this case, a regular user cannot reference <code class="literal">customer.credit</code>

  384.     directly, but a trusted procedure <code class="literal">show_credit</code> allows the user

  385.     to print the credit card numbers of customers with some of the digits

  386.     masked out.

  387.    </p></div><div class="sect3" id="id-1.11.7.44.9.6"><div class="titlepage"><div><div><h4 class="title">F.35.5.5. Dynamic Domain Transitions</h4></div></div></div><p>

  388.     It is possible to use SELinux's dynamic domain transition feature

  389.     to switch the security label of the client process, the client domain,

  390.     to a new context, if that is allowed by the security policy.

  391.     The client domain needs the <code class="literal">setcurrent</code> permission and also

  392.     <code class="literal">dyntransition</code> from the old to the new domain.

  393.    </p><p>

  394.     Dynamic domain transitions should be considered carefully, because they

  395.     allow users to switch their label, and therefore their privileges,

  396.     at their option, rather than (as in the case of a trusted procedure)

  397.     as mandated by the system.

  398.     Thus, the <code class="literal">dyntransition</code> permission is only considered

  399.     safe when used to switch to a domain with a smaller set of privileges than

  400.     the original one. For example:

  401.    </p><pre class="screen">

  402. regression=# select sepgsql_getcon();

  403.                     sepgsql_getcon

  404. -------------------------------------------------------

  405.  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

  406. (1 row)

  407. 

  408. regression=# SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0-s0:c1.c4');

  409.  sepgsql_setcon 

  410. ----------------

  411.  t

  412. (1 row)

  413. 

  414. regression=# SELECT sepgsql_setcon('unconfined_u:unconfined_r:unconfined_t:s0-s0:c1.c1023');

  415. ERROR:  SELinux: security policy violation

  416. </pre><p>

  417.     In this example above we were allowed to switch from the larger MCS

  418.     range <code class="literal">c1.c1023</code> to the smaller range <code class="literal">c1.c4</code>, but

  419.     switching back was denied.

  420.    </p><p>

  421.     A combination of dynamic domain transition and trusted procedure

  422.     enables an interesting use case that fits the typical process life-cycle

  423.     of connection pooling software.

  424.     Even if your connection pooling software is not allowed to run most

  425.     of SQL commands, you can allow it to switch the security label

  426.     of the client using the <code class="literal">sepgsql_setcon()</code> function

  427.     from within a trusted procedure; that should take some

  428.     credential to authorize the request to switch the client label.

  429.     After that, this session will have the privileges of the target user,

  430.     rather than the connection pooler.

  431.     The connection pooler can later revert the security label change by

  432.     again using <code class="literal">sepgsql_setcon()</code> with

  433.     <code class="literal">NULL</code> argument, again invoked from within a trusted

  434.     procedure with appropriate permissions checks.

  435.     The point here is that only the trusted procedure actually has permission

  436.     to change the effective security label, and only does so when given proper

  437.     credentials.  Of course, for secure operation, the credential store

  438.     (table, procedure definition, or whatever) must be protected from

  439.     unauthorized access.

  440.    </p></div><div class="sect3" id="id-1.11.7.44.9.7"><div class="titlepage"><div><div><h4 class="title">F.35.5.6. Miscellaneous</h4></div></div></div><p>

  441.     We reject the <a class="xref" href="sql-load.html" title="LOAD"><span class="refentrytitle">LOAD</span></a> command across the board, because

  442.     any module loaded could easily circumvent security policy enforcement.

  443.    </p></div></div><div class="sect2" id="SEPGSQL-FUNCTIONS"><div class="titlepage"><div><div><h3 class="title">F.35.6. Sepgsql Functions</h3></div></div></div><p>

  444.    <a class="xref" href="sepgsql.html#SEPGSQL-FUNCTIONS-TABLE" title="Table F.29. Sepgsql Functions">Table F.29</a> shows the available functions.

  445.   </p><div class="table" id="SEPGSQL-FUNCTIONS-TABLE"><p class="title"><strong>Table F.29. Sepgsql Functions</strong></p><div class="table-contents"><table class="table" summary="Sepgsql Functions" border="1"><colgroup><col /><col /></colgroup><tbody><tr><td><code class="literal">sepgsql_getcon() returns text</code></td><td>

  446.        Returns the client domain, the current security label of the client.

  447.       </td></tr><tr><td><code class="literal">sepgsql_setcon(text) returns bool</code></td><td>

  448.        Switches the client domain of the current session to the new domain,

  449.        if allowed by the security policy.

  450.        It also accepts <code class="literal">NULL</code> input as a request to transition

  451.        to the client's original domain.

  452.       </td></tr><tr><td><code class="literal">sepgsql_mcstrans_in(text) returns text</code></td><td>Translates the given qualified MLS/MCS range into raw format if

  453.       the mcstrans daemon is running.

  454.       </td></tr><tr><td><code class="literal">sepgsql_mcstrans_out(text) returns text</code></td><td>Translates the given raw MLS/MCS range into qualified format if

  455.       the mcstrans daemon is running.

  456.       </td></tr><tr><td><code class="literal">sepgsql_restorecon(text) returns bool</code></td><td>

  457.        Sets up initial security labels for all objects within the

  458.        current database. The argument may be NULL, or the name of a specfile

  459.        to be used as alternative of the system default.

  460.       </td></tr></tbody></table></div></div><br class="table-break" /></div><div class="sect2" id="SEPGSQL-LIMITATIONS"><div class="titlepage"><div><div><h3 class="title">F.35.7. Limitations</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term">Data Definition Language (DDL) Permissions</span></dt><dd><p>

  461.       Due to implementation restrictions, some DDL operations do not

  462.       check permissions.

  463.      </p></dd><dt><span class="term">Data Control Language (DCL) Permissions</span></dt><dd><p>

  464.       Due to implementation restrictions, DCL operations do not check

  465.       permissions.

  466.      </p></dd><dt><span class="term">Row-level access control</span></dt><dd><p>

  467.       <span class="productname">PostgreSQL</span> supports row-level access, but

  468.       <code class="filename">sepgsql</code> does not.

  469.      </p></dd><dt><span class="term">Covert channels</span></dt><dd><p>

  470.       <code class="filename">sepgsql</code> does not try to hide the existence of

  471.       a certain object, even if the user is not allowed to reference it.

  472.       For example, we can infer the existence of an invisible object as

  473.       a result of primary key conflicts, foreign key violations, and so on,

  474.       even if we cannot obtain the contents of the object.  The existence

  475.       of a top secret table cannot be hidden; we only hope to conceal its

  476.       contents.

  477.      </p></dd></dl></div></div><div class="sect2" id="SEPGSQL-RESOURCES"><div class="titlepage"><div><div><h3 class="title">F.35.8. External Resources</h3></div></div></div><div class="variablelist"><dl class="variablelist"><dt><span class="term"><a class="ulink" href="https://wiki.postgresql.org/wiki/SEPostgreSQL" target="_top">SE-PostgreSQL Introduction</a></span></dt><dd><p>

  478.       This wiki page provides a brief overview, security design, architecture,

  479.       administration and upcoming features.

  480.      </p></dd><dt><span class="term"><a class="ulink" href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/SELinux_Users_and_Administrators_Guide/" target="_top">SELinux User's and Administrator's Guide</a></span></dt><dd><p>

  481.       This document provides a wide spectrum of knowledge to administer

  482.       <span class="productname">SELinux</span> on your systems.

  483.       It focuses primarily on Red Hat operating systems, but is not limited to them.

  484.      </p></dd><dt><span class="term"><a class="ulink" href="https://fedoraproject.org/wiki/SELinux_FAQ" target="_top">Fedora SELinux FAQ</a></span></dt><dd><p>

  485.       This document answers frequently asked questions about

  486.       <span class="productname">SELinux</span>.

  487.       It focuses primarily on Fedora, but is not limited to Fedora.

  488.      </p></dd></dl></div></div><div class="sect2" id="SEPGSQL-AUTHOR"><div class="titlepage"><div><div><h3 class="title">F.35.9. Author</h3></div></div></div><p>

  489.    KaiGai Kohei <code class="email">&lt;<a class="email" href="mailto:kaigai@ak.jp.nec.com">kaigai@ak.jp.nec.com</a>&gt;</code>

  490.   </p></div></div><div class="navfooter"><hr /><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="seg.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="contrib.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="contrib-spi.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">F.34. seg </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> F.36. spi</td></tr></table></div></body></html>
上海开阖软件有限公司 沪ICP备12045867号-1