From cc4ff8742b99d3b20a52f529d03bbe802f4b0053 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Tue, 27 Sep 2011 20:07:15 -0400 Subject: Take sepgsql regression tests out of the regular regression test mechanism. Because these tests require root privileges, not to mention invasive changes to the security configuration of the host system, it's not reasonable for them to be invoked by a regular "make check" or "make installcheck". Instead, dike out the Makefile's knowledge of the tests, and change chkselinuxenv (now renamed "test_sepgsql") into a script that verifies the environment is workable and then runs the tests. It's expected that test_sepgsql will only be run manually. While at it, do some cleanup in the error checking in the script, and do some wordsmithing in the documentation. --- doc/src/sgml/sepgsql.sgml | 277 +++++++++++++++++++++++++--------------------- 1 file changed, 152 insertions(+), 125 deletions(-) (limited to 'doc/src') diff --git a/doc/src/sgml/sepgsql.sgml b/doc/src/sgml/sepgsql.sgml index 24224fb879a..f2c92667092 100644 --- a/doc/src/sgml/sepgsql.sgml +++ b/doc/src/sgml/sepgsql.sgml @@ -8,15 +8,15 @@ - sepgsql is a loadable module which supports label-based + sepgsql is a loadable module that supports label-based mandatory access control (MAC) based on SELinux security policy. - This implementation has signification limitations, and does not enforce - mandatory access control for all actions. See + The current implementation has significant limitations, and does not + enforce mandatory access control for all actions. See . @@ -31,8 +31,8 @@ SELinux, this module allows PostgreSQL to function as a user-space object manager. Each table or function access initiated by a DML query will be - checked against the system security policy. This check is an additional to - the usual permissions checking performed by + checked against the system security policy. This check is in addition to + the usual SQL permissions checking performed by PostgreSQL. @@ -45,7 +45,7 @@ to be performed. Since these labels can be applied to any sort of object, access control decisions for objects stored within the database can be (and, with this module, are) subjected to the same general criteria used - for objects of any other type (e.g. files). This design is intended to + for objects of any other type, such as files. This design is intended to allow a centralized security policy to protect information assets independent of the particulars of how those assets are stored. @@ -60,18 +60,18 @@ Installation - This module can only be used on Linux 2.6.28 - or higher with SELinux enabled. It is not - available on any other platform, and must be explicitly enabled using - --with-selinux. You will also need libselinux - 2.0.99 or higher and selinux-policy 3.9.13 or higher - (some distributions may backport the necessary rules into older policy + sepgsql can only be used on Linux + 2.6.28 or higher with SELinux enabled. + It is not available on any other platform. You will also need + libselinux 2.0.99 or higher and + selinux-policy 3.9.13 or higher (although some + distributions may backport the necessary rules into older policy versions). The sestatus command allows you to check the status of - SELinux. + SELinux. A typical display is: $ sestatus SELinux status: enabled @@ -86,40 +86,45 @@ Policy from config file: targeted - To use this module, you must add include sepgsql - in . The module will not - function if loaded in any other manner. Once the module is loaded, you + To build this module, include the option --with-selinux in + your PostgreSQL configure command. Be sure that the + libselinux-devel RPM is installed at build time. + + + + To use this module, you must include sepgsql + in the parameter in + postgresql.conf. The module will not function correctly + if loaded in any other manner. Once the module is loaded, you should execute sepgsql.sql in each database. This will install functions needed for security label management, and assign initial security labels. - The following instructions that assume your installation is under the - /usr/local/pgsql directory and the database cluster is - under the /path/to/database directory. Adjust the paths - shown below as appropriate for your installation. + Here is an example showing how to initialize a fresh database cluster + with sepgsql functions and security labels installed. + Adjust the paths shown as appropriate for your installation: -$ export PGDATA=/path/to/database +$ export PGDATA=/path/to/data/directory $ initdb $ vi $PGDATA/postgresql.conf + change + #shared_preload_libraries = '' # (change requires restart) + to + shared_preload_libraries = 'sepgsql' # (change requires restart) $ for DBNAME in template0 template1 postgres; do - postgres --single -F -O -c exit_on_error=true $DBNAME \ - < /usr/local/pgsql/share/contrib/sepgsql.sql > /dev/null + postgres --single -F -c exit_on_error=true $DBNAME \ + </usr/local/pgsql/share/contrib/sepgsql.sql >/dev/null done - - If the installation process completes without error, you can now start the - server normally. - - Please note that you may see some or all of the following notifications - depending on the combination of a particular version of - libselinux and selinux-policy. + depending on the particular versions you have of + libselinux and selinux-policy: /etc/selinux/targeted/contexts/sepgsql_contexts: line 33 has invalid object type db_blobs /etc/selinux/targeted/contexts/sepgsql_contexts: line 36 has invalid object type db_language @@ -128,75 +133,81 @@ $ for DBNAME in template0 template1 postgres; do /etc/selinux/targeted/contexts/sepgsql_contexts: line 39 has invalid object type db_language /etc/selinux/targeted/contexts/sepgsql_contexts: line 40 has invalid object type db_language - These messages are harmless and may be safely ignored. + These messages are harmless and should be ignored. + + + + If the installation process completes without error, you can now start the + server normally. Regression Tests + Due to the nature of SELinux, running the - regression tests for this module requires several additional configuration - steps. + regression tests for sepgsql requires several extra + configuration steps, some of which must be done as root. + The regression tests will not be run by an ordinary + make check or make installcheck command; you must + set up the configuration and then invoke the test script manually. + The tests must be run in the contrib/sepgsql directory + of a configured PostgreSQL build tree. Although they require a build tree, + the tests are designed to be executed against an installed server, + that is they are comparable to make installcheck not + make check. - First, set up sepgsql according to - the . The regression test is - intended to be run on a system with a working SE-Linux implementation. - The current operating system user must be able to connect to the database - as superuser without authentication. + First, set up sepgsql in a working database + according to the instructions in . + Note that the current operating system user must be able to connect to the + database as superuser without password authentication. Second, build and install the policy package for the regression test. - The sepgsql-regtest.pp is a special purpose policy package + The sepgsql-regtest policy is a special purpose policy package which provides a set of rules to be allowed during the regression tests. It should be built from the policy source file - (sepgsql-regtest.te), which is normally done using - make. You will need to locate the appropriate + sepgsql-regtest.te, which is done using + make with a Makefile supplied by SELinux. + You will need to locate the appropriate Makefile on your system; the path shown below is only an example. - Once built, you can install this policy package using the - semodule command, which links supplied policy packages and - loads them into the kernel space. If this package is correctly installed, + Once built, install this policy package using the + semodule command, which loads supplied policy packages + into the kernel. If the package is correctly installed, semodule -l should list sepgsql-regtest as an - available policy package. + available policy package: -$ make -C ./contrib/sepgsql -f /usr/share/selinux/devel/Makefile -$ su -# semodule -u ./contrib/sepgsql/sepgsql-regtest.pp -# semodule -l - : +$ cd .../contrib/sepgsql +$ make -f /usr/share/selinux/devel/Makefile +$ sudo semodule -u sepgsql-regtest.pp +$ sudo semodule -l | grep sepgsql sepgsql-regtest 1.03 - : Third, turn on sepgsql_regression_test_mode. - We don't enable all the rules in the sepgsql-regtest.pp + We don't enable all the rules in sepgsql-regtest by default, for your system's safety. - The sepgsql_regression_test_mode parameter is associated - with rules to launch regression test. - It can be turned on using setsebool command. + The sepgsql_regression_test_mode parameter enables + the rules needed to launch the regression tests. + It can be turned on using the setsebool command: -$ su -# setsebool sepgsql_regression_test_mode on -# getsebool sepgsql_regression_test_mode +$ sudo setsebool sepgsql_regression_test_mode on +$ getsebool sepgsql_regression_test_mode sepgsql_regression_test_mode --> on - Last, kick the regression test from the unconfined_t domain. - - - - The id command tells us the current working domain. - Confirm your shell is now performing with the unconfined_t - domain as follows. + Fourth, verify your shell is operating in the unconfined_t + domain: $ id -Z @@ -209,15 +220,34 @@ unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 - If pg_regress fails to launch the psql command, - you may need to ensure that the psql command is labeled - as bin_t. If it is not, the restorecon command can - often be used to fix up security labels within the - PostgreSQL installation directory. + Finally, run the regression test script: + + +$ ./test_sepgsql + + + + This script will attempt to verify that you have done all the configuration + steps correctly, and then it will run the regression tests for the + sepgsql module. + + + + After completing the tests, it's recommended you disable + the sepgsql_regression_test_mode parameter: -$ restorecon -R /usr/local/pgsql/ +$ sudo setsebool sepgsql_regression_test_mode off + + + + You might prefer to remove the sepgsql-regtest policy + entirely: + + + +$ sudo semodule -r sepgsql-regtest @@ -232,7 +262,7 @@ $ restorecon -R /usr/local/pgsql/ - This parameter enables SE-PostgreSQL to function + This parameter enables sepgsql to function in permissive mode, regardless of the system setting. The default is off. This parameter can only be set in the postgresql.conf @@ -240,8 +270,8 @@ $ restorecon -R /usr/local/pgsql/ - When this parameter is on, SE-PostgreSQL functions - in permissive mode, even if the platform system is working in enforcing + When this parameter is on, sepgsql functions + in permissive mode, even if SELinux in general is working in enforcing mode. This parameter is primarily useful for testing purposes. @@ -254,9 +284,10 @@ $ restorecon -R /usr/local/pgsql/ - This parameter enables the printing of audit messages independent from - the policy setting. - The default is off (according to the security policy setting). + This parameter enables the printing of audit messages regardless of + the system policy settings. + The default is off, which means that messages will be printed according + to the system settings. @@ -281,19 +312,20 @@ $ restorecon -R /usr/local/pgsql/ Controlled Object Classes The security model of SELinux describes all the access - control rules as a relationship between a subject entity (typically, - it is a client of database) and an object entity, each of which is + control rules as relationships between a subject entity (typically, + a client of the database) and an object entity (such as a database + object), each of which is identified by a security label. If access to an unlabelled object is attempted, the object is treated as if it were assigned the label unlabeled_t. - Currently, sepgsql allows security labels to be + Currently, sepgsql allows security labels to be assigned to schemas, tables, columns, sequences, views, and functions. - When sepgsql is in use, security labels are + When sepgsql is in use, security labels are automatically assigned to supported database objects at creation time. - This label is called as a default security label, being decided according + This label is called a default security label, and is decided according to the system security policy, which takes as input the creator's label and the label assigned to the new object's parent object. @@ -302,9 +334,9 @@ $ restorecon -R /usr/local/pgsql/ A new database object basically inherits the security label of the parent object, except when the security policy has special rules known as type-transition rules, in which case a different label may be applied. - For schemas, the parent object is the current database; for columns, it - is the corresponding table; for tables, sequences, views, and functions, - it is the containing schema. + For schemas, the parent object is the current database; for tables, + sequences, views, and functions, it is the containing schema; for columns, + it is the containing table. @@ -314,41 +346,29 @@ $ restorecon -R /usr/local/pgsql/ For tables, db_table:select, db_table:insert, db_table:update or db_table:delete is - checked for all the referenced target tables depending on the sort of + checked for all the referenced target tables depending on the kind of statement; in addition, db_table:select is also checked for all the tables that contain the columns referenced in the WHERE or RETURNING clause, as a data source - of UPDATE, and so on. - + of UPDATE, and so on. For example, consider: - UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100; - In this case, we must have db_table:select in addition to + In this case we must have db_table:select in addition to db_table:update, because t1.a is referenced within the WHERE clause. Column-level permissions will also be checked for each referenced column. - - The client must be allowed to access all referenced tables and - columns, even if they originated from views which were then expanded, - so that we apply consistent access control rules independent of the manner - in which the table contents are referenced. - - For columns, db_column:select is checked on - not only the columns being read using SELECT, but being + not only the columns being read using SELECT, but those being referenced in other DML statements. - - - Of course, it also checks db_column:update or - db_column:insert on the column being modified by + db_column:insert on columns being modified by UPDATE or INSERT. @@ -356,11 +376,11 @@ UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100; UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100; - In this case, it checks db_column:update on - the t1.x being updated, db_column:{select update} - on the t1.y being updated and referenced, - and db_column:select on the t1.z being only - referenced in the WHERE clause. + In this case, it checks db_column:update on the column + t1.x being updated, db_column:{select update} + on the column t1.y being updated and referenced, and + db_column:select on the column t1.z, since that is + only referenced in the WHERE clause. db_table:{select update} will also be checked at the table level. @@ -373,43 +393,50 @@ UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100; - For views, db_view:expand shall be checked, then any other - corresponding permissions shall be also checked on the objects being + For views, db_view:expand will be checked, then any other + required permissions will be checked on the objects being expanded from the view, individually. - For functions, db_procedure:{execute} is defined, but not + For functions, db_procedure:{execute} is defined, but is not checked in this version. + + The client must be allowed to access all referenced tables and + columns, even if they originated from views which were then expanded, + so that we apply consistent access control rules independent of the manner + in which the table contents are referenced. + + The default database privilege system allows database superusers to modify system catalogs using DML commands, and reference or modify toast tables. These operations are prohibited when - sepgsql is enabled. + sepgsql is enabled. DDL Permissions - On command, setattr and - relabelfrom shall be checked on the object being relabeled - with an old security label, then relabelto on the supplied + When is executed, setattr + and relabelfrom will be checked on the object being relabeled + with its old security label, then relabelto with the supplied new security label. In the case where multiple label providers are installed and the user tries - to set a security label, but is not managed by SELinux, + to set a security label, but it is not managed by SELinux, only setattr should be checked here. - This is currently not checked due to implementation restrictions. + This is currently not done due to implementation restrictions. - Trusted Procedure + Trusted Procedures Trusted procedures are similar to security definer functions or set-uid commands. SELinux provides a feature to allow trusted @@ -458,9 +485,9 @@ postgres=# SELECT cid, cname, show_credit(cid) FROM customer; In this case, a regular user cannot reference customer.credit - directly, but a trusted procedure show_credit enables us - to print the credit card number of customers with some of the digits masked - out. + directly, but a trusted procedure show_credit allows him + to print the credit card numbers of customers with some of the digits + masked out. @@ -501,7 +528,7 @@ postgres=# SELECT cid, cname, show_credit(cid) FROM customer; PostgreSQL does not support row-level access; therefore, - sepgsql does not support it either. + sepgsql does not support it either. @@ -510,11 +537,11 @@ postgres=# SELECT cid, cname, show_credit(cid) FROM customer; Covert channels - sepgsql never tries to hide existence of - a certain object, even if the user is not allowed to the reference. + sepgsql does not try to hide the existence of + a certain object, even if the user is not allowed to reference it. For example, we can infer the existence of an invisible object as a result of primary key conflicts, foreign key violations, and so on, - even if we cannot reference contents of these objects. The existence + even if we cannot obtain the contents of the object. The existence of a top secret table cannot be hidden; we only hope to conceal its contents. @@ -530,7 +557,7 @@ postgres=# SELECT cid, cname, show_credit(cid) FROM customer; SE-PostgreSQL Introduction - This wiki page provides a brief-overview, security design, architecture, + This wiki page provides a brief overview, security design, architecture, administration and upcoming features. -- cgit v1.2.3