[RFC] sepgsql: prohibit users to relabel objects

Started by Denis Kirjanovover 10 years ago5 messages

kda@linux-powerpc.org

over 10 years ago

Enforce access control on security labels defined by admin
and prohibit users to relabel the objects

Signed-off-by: Denis Kirjanov <kda@itsirius.su>
---
contrib/sepgsql/label.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/contrib/sepgsql/label.c b/contrib/sepgsql/label.c
index ef7661c..470b90e 100644
--- a/contrib/sepgsql/label.c
+++ b/contrib/sepgsql/label.c
@@ -504,6 +504,11 @@ sepgsql_object_relabel(const ObjectAddress *object, const char *seclabel)
 				(errcode(ERRCODE_INVALID_NAME),
 			   errmsg("SELinux: invalid security label: \"%s\"", seclabel)));

+	if (!superuser())
+		ereport(ERROR,
+				(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+		  errmsg("SELinux: must be superuser to relabel objects")));
+
 	/*
 	 * Do actual permission checks for each object classes
 	 */
-- 
1.7.10.4

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Robert Haas

robertmhaas@gmail.com

over 10 years ago

In reply to: Denis Kirjanov (#1)

Re: [RFC] sepgsql: prohibit users to relabel objects

On Wed, Apr 29, 2015 at 9:15 AM, Denis Kirjanov <kda@linux-powerpc.org> wrote:

Enforce access control on security labels defined by admin
and prohibit users to relabel the objects

Really? Why? I would think it's the policy's job to restrict relabel
operations.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Adam Brightwell

adam.brightwell@crunchydatasolutions.com

over 10 years ago

In reply to: Robert Haas (#2)

Re: [RFC] sepgsql: prohibit users to relabel objects

Really? Why? I would think it's the policy's job to restrict relabel
operations.

I agree. This seems like an unnecessary change.

-Adam

--
Adam Brightwell - adam.brightwell@crunchydatasolutions.com
Database Engineer - www.crunchydatasolutions.com

Denis Kirjanov

kda@itsirius.su

over 10 years ago

In reply to: Denis Kirjanov (#1)

Re: [RFC] sepgsql: prohibit users to relabel objects

Oh, I wasn't aware of that.
Any hints where to look at?

Thanks!

PS: sorry for top posting.

----- Original Message -----
From: "Robert Haas" <robertmhaas@gmail.com>
To: "Denis Kirjanov" <kda@linux-powerpc.org>
Cc: pgsql-hackers@postgresql.org, "Alexey Zhuchkov" <alexey@itsirius.su>, "Denis Kirjanov" <kda@itsirius.su>
Sent: Wednesday, April 29, 2015 9:01:36 PM
Subject: Re: [HACKERS] [RFC] sepgsql: prohibit users to relabel objects

On Wed, Apr 29, 2015 at 9:15 AM, Denis Kirjanov <kda@linux-powerpc.org> wrote:

Enforce access control on security labels defined by admin
and prohibit users to relabel the objects

Really? Why? I would think it's the policy's job to restrict relabel
operations.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Import Notes

Reply to msg id not found: 1152912253.307147.1430381478243.JavaMail.zimbra@itsirius.su

Robert Haas

robertmhaas@gmail.com

over 10 years ago

In reply to: Denis Kirjanov (#4)

Re: [RFC] sepgsql: prohibit users to relabel objects

On Thu, Apr 30, 2015 at 4:13 AM, Denis Kirjanov <kda@itsirius.su> wrote:

Oh, I wasn't aware of that.
Any hints where to look at?

Unfortunately, I don't really understand in detail how to write
selinux policies, so no.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers