From: Russell Coker <russell@coker.com.au>
To: KaiGai Kohei <kaigai@kaigai.gr.jp>
Cc: selinux@tycho.nsa.gov
Subject: Re: [RFC] Security design of SE-PostgreSQL (2/3)
Date: Mon, 19 Feb 2007 17:50:29 +1100 [thread overview]
Message-ID: <200702191750.31301.russell@coker.com.au> (raw)
In-Reply-To: <45D87B8D.5030307@kaigai.gr.jp>
On Monday 19 February 2007 03:15, KaiGai Kohei <kaigai@kaigai.gr.jp> wrote:
> >> I have an idea to add the following access vector for the purpose.
> >> 1. allow (context of client) (context of database)
> >> database:load_module;
> >> 2. allow (context of database) (context of shlib
> >> file) database:associate;
> >
> > Who will be loading such modules? Only the DBA or regular users too?
>
> A regular user also can load shared library modules, but it is limited
> to be placed under '$libdir/plugins/' directory.
> The DBA can do any files, if PostgreSQL can access.
What Unix access controls are applied? I guess that as PostgreSQL users don't
have a direct relationship with Unix users it can't check the UID so it's
just a matter of what files the database server has read and execute to which
are in that directory.
Does it just check to make sure that the file isn't a sym-link and isn't
world-writable.
> > In the above access control design you control which databases a user may
> > load modules for and which modules may be associated with a given
> > database. But you don't control which modules a user may load. Is it
> > possible that modules A and B may be loaded into a database but only user
> > C will be permitted to load module A?
>
> Your indication is correct. The above design can describe the relationship
> between the client and the database, or between the database and the shared
> library file.
> It doesn't describe who can load which modules.
>
> We have to describe the relationship between the client, the database
> and shared library files to block a malicious modules.
>
> How do you think the following design to allow to load a module, for
> example?
> allow db_client_t sepgsql_db_t : database { load_module };
> allow sepgsql_db_t shlib_file_t : database { associate };
> allow db_client_t shlib_file_t : database { load_module };
That would work.
We already have triples in the policy language for type_transition, I wonder
whether we could do something similar for this. Having three rules when one
might do is not easy to understand.
Other programs might need such triples in the policy, I wonder if it would be
possible to make this a generic language feature. Some sort of policy class
which instead of actions takes another type as the third parameter.
--
russell@coker.com.au
http://etbe.blogspot.com/ My Blog
http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2007-02-19 9:21 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-02-16 5:35 [RFC] Security design of SE-PostgreSQL (2/3) KaiGai Kohei
2007-02-18 11:04 ` Russell Coker
2007-02-18 16:15 ` KaiGai Kohei
2007-02-19 6:50 ` Russell Coker [this message]
2007-02-20 2:08 ` KaiGai Kohei
2007-02-20 9:45 ` Russell Coker
2007-02-20 12:38 ` KaiGai Kohei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200702191750.31301.russell@coker.com.au \
--to=russell@coker.com.au \
--cc=kaigai@kaigai.gr.jp \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.