Re: Updates of SE-PostgreSQL 8.4devel patches (r1704) - Mailing list pgsql-hackers

From KaiGai Kohei
Subject Re: Updates of SE-PostgreSQL 8.4devel patches (r1704)
Date
Msg-id 49B5E235.5000203@ak.jp.nec.com
In response to Re: Updates of SE-PostgreSQL 8.4devel patches (r1704)  (Jaime Casanova <jcasanov@systemguards.com.ec>)
List pgsql-hackers
Jaime Casanova wrote:
> On Mon, Mar 9, 2009 at 1:52 AM, KaiGai Kohei <kaigai@ak.jp.nec.com> wrote:
>> As I promised last week, SE-PostgreSQL patches are revised here:
>>
>> [1/5] http://sepgsql.googlecode.com/files/sepgsql-core-8.4devel-r1704.patch
>> [2/5] http://sepgsql.googlecode.com/files/sepgsql-utils-8.4devel-r1704.patch
>> [3/5] http://sepgsql.googlecode.com/files/sepgsql-policy-8.4devel-r1704.patch
>> [4/5] http://sepgsql.googlecode.com/files/sepgsql-docs-8.4devel-r1704.patch
>> [5/5] http://sepgsql.googlecode.com/files/sepgsql-tests-8.4devel-r1704.patch
>>
> 
> Has anyone noted that the links are malformed? In my browser they
> include the "[x/5]" part of the next line.

The above URLs might be a bit long.
I'll omit the "[x/5]" part in the next submission.

> I want to try to isolate where the difference is... can someone
> explain to me how I can trace that? (Sorry for my ignorance, but if I
> don't ask, that ignorance will stay.)

The "sepgsql_enable_auditallow" system boolean will help you
understand which permissions are checked for a given query.

-------------------------
% make -C src/backend/security/sepgsql/policy
# su
# semodule -i src/backend/security/sepgsql/policy/sepostgresql-devel.pp  (installation of the development-purpose policy)
# setsebool sepgsql_enable_auditallow 1
% psql postgres
NOTICE:  SELinux: granted { access } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_db_t:s0 tclass=db_database name=postgres
psql (8.4devel)
Type "help" for help.

postgres=# SELECT * FROM t1;
NOTICE:  SELinux: granted { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name=t1
NOTICE:  SELinux: granted { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.a
NOTICE:  SELinux: granted { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.b
NOTICE:  SELinux: granted { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.c
 a | b | c
---+---+---
(0 rows)

postgres=# INSERT INTO t1 (a,c) VALUES (1,2);
NOTICE:  SELinux: granted { insert } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name=t1
NOTICE:  SELinux: granted { insert } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.a
NOTICE:  SELinux: granted { insert } scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c63 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name=t1.c
INSERT 0 1
postgres=#
-------------------------

The meaning of each field:
- The "scontext" is the client's privileges.
- The "tcontext" is the security context of tables, columns and so on.
- The "tclass" shows the kind of target object.
- The "name" is the name of the object.

I recommend turning it off in the normal case, because it is noisy and
consumes disk space with logs.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

