Bad context in PostgreSQL page on SELinux Project wiki?

Bad context in PostgreSQL page on SELinux Project wiki?

[Peter Whittaker]

Folks, with whom I can verify whether there are errors on the SELinux
Project Wiki?

Details: It looks like MCS information is missing from a few security
contexts on https://selinuxproject.org/page/NB_SQL_9.3

The schema row has

   security_label = 'unconfined_u:object_r:sepgsql_schema_t:s10'

which should likely be

   security_label = 'unconfined_u:object_r:sepgsql_schema_t:s0:c10'

Likewise, the database row has

    context = 'unconfined_u:object_r:postgresql_db_t:s0'

but I'm unsure whether this should be as is or whether it should also
have MCS info.

With whom can I verify this? (Not using PostgreSQL, just noticing
errors as I crawl through my hardcopy of the handbook.)

Thanks!

P

Peter Whittaker
EdgeKeep Inc.
www.edgekeep.com
+1 613 864 5337
+1 613 864 KEEP

Re: Bad context in PostgreSQL page on SELinux Project wiki?

[Stephen Smalley]

On Fri, May 15, 2020 at 4:02 PM Peter Whittaker <pww@edgekeep.com> wrote:
>
> Folks, with whom I can verify whether there are errors on the SELinux
> Project Wiki?

As noted on the front page, selinuxproject.org isn't being updated and
is just historical at this point.  Anything new should go into the
GitHub SELinuxProject wiki(s) instead.

> Details: It looks like MCS information is missing from a few security
> contexts on https://selinuxproject.org/page/NB_SQL_9.3

I think that particular page was derived from the SELinux Notebook,
which was written by Richard Haines.
Not sure if he is still updating it but he frequents the list.

> The schema row has
>
>    security_label = 'unconfined_u:object_r:sepgsql_schema_t:s10'
>
> which should likely be
>
>    security_label = 'unconfined_u:object_r:sepgsql_schema_t:s0:c10'

Those are two different contexts, both valid (if using MLS policy).
Under MLS policy, there are multiple sensitivity levels (s0, s1, ...).
The category set is optional and can be omitted if empty.

> Likewise, the database row has
>
>     context = 'unconfined_u:object_r:postgresql_db_t:s0'
>
> but I'm unsure whether this should be as is or whether it should also
> have MCS info.

That's also a valid context.

> With whom can I verify this? (Not using PostgreSQL, just noticing
> errors as I crawl through my hardcopy of the handbook.)

Re: Bad context in PostgreSQL page on SELinux Project wiki?

[Peter Whittaker]

Thanks, Stephen, if Richard haunts here, I'll let him comment. (Then I
can send him my other errata! :->)

Just a couple of comments:

1. I know the contexts are valid, but they are inconsistent with other
contexts on that page (especially s10), and with other, related pages
applicable to different versions. Given their context, they seem out
of place.
2. There is a lot of historical and out of date SELinux information
out there, I have no illusions about trying to correct it all, and I
know this particular wiki isn't updated anymore, but it is there and
present and if incorrect then misleading - that's why I reached out to
the list - the information in github is organized quite differently
and doesn't intersect completely with this particular wiki.

Thanks,

P

Peter Whittaker
EdgeKeep Inc.
www.edgekeep.com
+1 613 864 5337
+1 613 864 KEEP


Peter Whittaker
EdgeKeep Inc.
www.edgekeep.com
+1 613 864 5337
+1 613 864 KEEP



On Fri, May 15, 2020 at 4:20 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Fri, May 15, 2020 at 4:02 PM Peter Whittaker <pww@edgekeep.com> wrote:
> >
> > Folks, with whom I can verify whether there are errors on the SELinux
> > Project Wiki?
>
> As noted on the front page, selinuxproject.org isn't being updated and
> is just historical at this point.  Anything new should go into the
> GitHub SELinuxProject wiki(s) instead.
>
> > Details: It looks like MCS information is missing from a few security
> > contexts on https://selinuxproject.org/page/NB_SQL_9.3
>
> I think that particular page was derived from the SELinux Notebook,
> which was written by Richard Haines.
> Not sure if he is still updating it but he frequents the list.
>
> > The schema row has
> >
> >    security_label = 'unconfined_u:object_r:sepgsql_schema_t:s10'
> >
> > which should likely be
> >
> >    security_label = 'unconfined_u:object_r:sepgsql_schema_t:s0:c10'
>
> Those are two different contexts, both valid (if using MLS policy).
> Under MLS policy, there are multiple sensitivity levels (s0, s1, ...).
> The category set is optional and can be omitted if empty.
>
> > Likewise, the database row has
> >
> >     context = 'unconfined_u:object_r:postgresql_db_t:s0'
> >
> > but I'm unsure whether this should be as is or whether it should also
> > have MCS info.
>
> That's also a valid context.
>
> > With whom can I verify this? (Not using PostgreSQL, just noticing
> > errors as I crawl through my hardcopy of the handbook.)

Re: Bad context in PostgreSQL page on SELinux Project wiki?

[Richard Haines]

On Fri, 2020-05-15 at 16:03 -0400, Peter Whittaker wrote:
> Folks, with whom I can verify whether there are errors on the SELinux
> Project Wiki?
You can contact me about any errors in the notebook or on wiki. I've
updated the wiki page and happy to correct any minor errors you find.
I've no plans to do major updates to the wiki as it is now history.

I update the notebook occasionally to keep track of changes for my own
reference, but currently have no plans to publish a new one. If you do
have comments I'm happy to take them onboard, however no guarantees to
publish.
 
> 
> Details: It looks like MCS information is missing from a few security
> contexts on https://selinuxproject.org/page/NB_SQL_9.3
> 
> The schema row has
> 
>    security_label = 'unconfined_u:object_r:sepgsql_schema_t:s10'
> 
> which should likely be
> 
>    security_label = 'unconfined_u:object_r:sepgsql_schema_t:s0:c10'
> 
> Likewise, the database row has
> 
>     context = 'unconfined_u:object_r:postgresql_db_t:s0'
> 
> but I'm unsure whether this should be as is or whether it should also
> have MCS info.
I think Stephen's reply covered the MCS query.

BTW the contexts match those in the tarball example, the testdb-
example.sql is correct, however the instructions in the README will not
work on version 11. If your interested I can send you an updated
README, however no plans to update online.

> 
> With whom can I verify this? (Not using PostgreSQL, just noticing
> errors as I crawl through my hardcopy of the handbook.)

> 
> Thanks!
> 
> P
> 
> Peter Whittaker
> EdgeKeep Inc.
> www.edgekeep.com
> +1 613 864 5337
> +1 613 864 KEEP

Re: Bad context in PostgreSQL page on SELinux Project wiki?

[Paul Moore]

On Sun, May 17, 2020 at 7:17 AM Richard Haines
<richard_c_haines@btinternet.com> wrote:
> I update the notebook occasionally to keep track of changes for my own
> reference, but currently have no plans to publish a new one. If you do
> have comments I'm happy to take them onboard, however no guarantees to
> publish.

I just wanted to say thank you once again for all your work on the
notebook, it's a great resource!

I understand not wanting to go through the process of generating new
editions of the notebook, but is the source material posted somewhere
online so that people who wanted an updated copy could access it?

-- 
paul moore
www.paul-moore.com

Re: Bad context in PostgreSQL page on SELinux Project wiki?

[Richard Haines]

On Sun, 2020-05-17 at 17:59 -0400, Paul Moore wrote:
> On Sun, May 17, 2020 at 7:17 AM Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> > I update the notebook occasionally to keep track of changes for my
> > own
> > reference, but currently have no plans to publish a new one. If you
> > do
> > have comments I'm happy to take them onboard, however no guarantees
> > to
> > publish.
> 
> I just wanted to say thank you once again for all your work on the
> notebook, it's a great resource!
Glad it's useful

> 
> I understand not wanting to go through the process of generating new
> editions of the notebook, but is the source material posted somewhere
> online so that people who wanted an updated copy could access it?
The source is not available anywhere that I know of (I did send it to a
few people who wanted to translate it but never heard from them again
!!!). I edit it with LibreOffice Writer as an odt document. It converts
to pdf okay, but epub looks real crap.

I guess I could post it somewhere, would you like to host it on your
site ??.

It needs cleaning up as I've scribbled all over it so will take a few
weeks.
> 

Re: Bad context in PostgreSQL page on SELinux Project wiki?

[Paul Moore]

On Tue, May 19, 2020 at 9:50 AM Richard Haines
<richard_c_haines@btinternet.com> wrote:
> On Sun, 2020-05-17 at 17:59 -0400, Paul Moore wrote:
> > On Sun, May 17, 2020 at 7:17 AM Richard Haines
> > <richard_c_haines@btinternet.com> wrote:
> > > I update the notebook occasionally to keep track of changes for my
> > > own
> > > reference, but currently have no plans to publish a new one. If you
> > > do
> > > have comments I'm happy to take them onboard, however no guarantees
> > > to
> > > publish.
> >
> > I just wanted to say thank you once again for all your work on the
> > notebook, it's a great resource!
> Glad it's useful
>
> >
> > I understand not wanting to go through the process of generating new
> > editions of the notebook, but is the source material posted somewhere
> > online so that people who wanted an updated copy could access it?
> The source is not available anywhere that I know of (I did send it to a
> few people who wanted to translate it but never heard from them again
> !!!). I edit it with LibreOffice Writer as an odt document. It converts
> to pdf okay, but epub looks real crap.
>
> I guess I could post it somewhere, would you like to host it on your
> site ??.
>
> It needs cleaning up as I've scribbled all over it so will take a few
> weeks.

While I'm happy to host it, I think it might be better if we hosted it
in the community GitHub repo - what would you think about creating a
new repo under https://github.com/SELinuxProject?  Perhaps
https://github.com/SELinuxProject/notebook?  While it might seem a bit
odd to host an ODT file in a git repo, it is a good way to keep track
of historical changes and there are other tools such as the issue
tracker and "release" hosting which might be helpful.

However, the last thing I would want to do is put a hurdle between you
and the doc.

Let me know what you think, I'm happy to create a new repo for you on
the SELinuxProject GH org and set you up with the necessary
permissions - assuming the others don't mind, and I can't imagine they
would.

-- 
paul moore
www.paul-moore.com

Re: Bad context in PostgreSQL page on SELinux Project wiki?

[Richard Haines]

On Tue, 2020-05-19 at 17:40 -0400, Paul Moore wrote:
> On Tue, May 19, 2020 at 9:50 AM Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> > On Sun, 2020-05-17 at 17:59 -0400, Paul Moore wrote:
> > > On Sun, May 17, 2020 at 7:17 AM Richard Haines
> > > <richard_c_haines@btinternet.com> wrote:
> > > > I update the notebook occasionally to keep track of changes for
> > > > my
> > > > own
> > > > reference, but currently have no plans to publish a new one. If
> > > > you
> > > > do
> > > > have comments I'm happy to take them onboard, however no
> > > > guarantees
> > > > to
> > > > publish.
> > > 
> > > I just wanted to say thank you once again for all your work on
> > > the
> > > notebook, it's a great resource!
> > Glad it's useful
> > 
> > > I understand not wanting to go through the process of generating
> > > new
> > > editions of the notebook, but is the source material posted
> > > somewhere
> > > online so that people who wanted an updated copy could access it?
> > The source is not available anywhere that I know of (I did send it
> > to a
> > few people who wanted to translate it but never heard from them
> > again
> > !!!). I edit it with LibreOffice Writer as an odt document. It
> > converts
> > to pdf okay, but epub looks real crap.
> > 
> > I guess I could post it somewhere, would you like to host it on
> > your
> > site ??.
> > 
> > It needs cleaning up as I've scribbled all over it so will take a
> > few
> > weeks.
> 
> While I'm happy to host it, I think it might be better if we hosted
> it
> in the community GitHub repo - what would you think about creating a
> new repo under https://github.com/SELinuxProject?  Perhaps
> https://github.com/SELinuxProject/notebook?  While it might seem a
> bit
> odd to host an ODT file in a git repo, it is a good way to keep track
> of historical changes and there are other tools such as the issue
> tracker and "release" hosting which might be helpful.

githubs sounds good, however as the document is quite large I'm
splitting into sections like on the wiki as it will make easier editing
(should anyone feel the need).

I've converted with pandoc using 'markdown_strict', where it converts
text to md but most tables into html (as their own md table format will
not render in some viewers). With firefox and the Markdown Viewer
Webext, the samples I've done look ok.

As with all these conversion apps, pandoc leaves a lot of cleaning up
to do, so I'll be some time. I'll send you the files once I'm done.
Thanks for your support.

> 
> However, the last thing I would want to do is put a hurdle between
> you
> and the doc.
> 
> Let me know what you think, I'm happy to create a new repo for you on
> the SELinuxProject GH org and set you up with the necessary
> permissions - assuming the others don't mind, and I can't imagine
> they
> would.
> 

Re: Bad context in PostgreSQL page on SELinux Project wiki?

[Paul Moore]

On Thu, May 21, 2020 at 4:57 AM Richard Haines
<richard_c_haines@btinternet.com> wrote:
> On Tue, 2020-05-19 at 17:40 -0400, Paul Moore wrote:
> > While I'm happy to host it, I think it might be better if we hosted
> > it
> > in the community GitHub repo - what would you think about creating a
> > new repo under https://github.com/SELinuxProject?  Perhaps
> > https://github.com/SELinuxProject/notebook?  While it might seem a
> > bit
> > odd to host an ODT file in a git repo, it is a good way to keep track
> > of historical changes and there are other tools such as the issue
> > tracker and "release" hosting which might be helpful.
>
> githubs sounds good, however as the document is quite large I'm
> splitting into sections like on the wiki as it will make easier editing
> (should anyone feel the need).

That sounds like a good idea.  I imagine it would also help for people
using it as a reference - something I personally find very helpful.

> I've converted with pandoc using 'markdown_strict', where it converts
> text to md but most tables into html (as their own md table format will
> not render in some viewers). With firefox and the Markdown Viewer
> Webext, the samples I've done look ok.
>
> As with all these conversion apps, pandoc leaves a lot of cleaning up
> to do, so I'll be some time. I'll send you the files once I'm done.
> Thanks for your support.

Wow, that would be great!  I was thinking just posting the ODT would
be a nice win, having it in something like Markdown so that GH can
render it from the web UI would be a *really* nice thing to have!

Once again, thanks for your help on this - documentation, especially
good and comprehensive documentation - is so hard to find.

-- 
paul moore
www.paul-moore.com

Re: Bad context in PostgreSQL page on SELinux Project wiki?

[Paul Moore]

On Fri, May 22, 2020 at 12:10 PM Paul Moore <paul@paul-moore.com> wrote:
> On Thu, May 21, 2020 at 4:57 AM Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> > On Tue, 2020-05-19 at 17:40 -0400, Paul Moore wrote:
> > > While I'm happy to host it, I think it might be better if we hosted
> > > it
> > > in the community GitHub repo - what would you think about creating a
> > > new repo under https://github.com/SELinuxProject?  Perhaps
> > > https://github.com/SELinuxProject/notebook?  While it might seem a
> > > bit
> > > odd to host an ODT file in a git repo, it is a good way to keep track
> > > of historical changes and there are other tools such as the issue
> > > tracker and "release" hosting which might be helpful.
> >
> > githubs sounds good, however as the document is quite large I'm
> > splitting into sections like on the wiki as it will make easier editing
> > (should anyone feel the need).
>
> That sounds like a good idea.  I imagine it would also help for people
> using it as a reference - something I personally find very helpful.
>
> > I've converted with pandoc using 'markdown_strict', where it converts
> > text to md but most tables into html (as their own md table format will
> > not render in some viewers). With firefox and the Markdown Viewer
> > Webext, the samples I've done look ok.
> >
> > As with all these conversion apps, pandoc leaves a lot of cleaning up
> > to do, so I'll be some time. I'll send you the files once I'm done.
> > Thanks for your support.
>
> Wow, that would be great!  I was thinking just posting the ODT would
> be a nice win, having it in something like Markdown so that GH can
> render it from the web UI would be a *really* nice thing to have!
>
> Once again, thanks for your help on this - documentation, especially
> good and comprehensive documentation - is so hard to find.

I forgot to add: once you have a GH account setup, ping me off-list
and I'll get you setup with write access to a notebook repo in the
SELinuxProject org.

-- 
paul moore
www.paul-moore.com