Re: [PATCH] SE-PgSQL/tiny rev.2193 - Mailing list pgsql-hackers

From KaiGai Kohei
Subject Re: [PATCH] SE-PgSQL/tiny rev.2193
Date
Msg-id 4A5EA8C1.1090809@ak.jp.nec.com
In response to [PATCH] SE-PgSQL/tiny rev.2193  (KaiGai Kohei <kaigai@ak.jp.nec.com>)
Responses Re: [PATCH] SE-PgSQL/tiny rev.2193
List pgsql-hackers
Updated SE-PgSQL patch is here:
 http://sepgsql.googlecode.com/files/sepgsql-01-tiny-8.5devel-r2196.patch.gz

Unused definitions of SELinux permissions were ripped out of
the permission table.

KaiGai Kohei wrote:
> The following patch is the tiny version of SE-PostgreSQL:
> 
>   http://sepgsql.googlecode.com/files/sepgsql-01-tiny-8.5devel-r2193.patch.gz
> 
> In this version, all the security hooks (to make a decision) invoked from
> outside of pg_xxx_aclcheck() and superuser_arg() were separated.
> So, SE-PgSQL/tiny only checks the following four permissions:
>  - db_database:{connect}   ... equivalent to ACL_CONNECT on the database
>  - db_database:{superuser} ... equivalent to the superuser privilege
>  - db_schema:{usage}       ... equivalent to ACL_USAGE on the namespace
>  - db_procedure:{execute}  ... equivalent to ACL_EXECUTE on the procedure
> 
> The database objects to be labeled are databases, namespaces and
> procedures, so I modified the system column definitions.
>  - db_database.datseclabel (text)
>  - db_namespace.nspseclabel (text)
>  - db_procedure.proseclabel (text)
> When we create a new one, a default security label shall be assigned
> as long as we don't give any explicit security label.
> (In the current version, it only performs a sanity check of the security
> label, with no permission checks.)
> 
> The following features were separated.
>  - Facility to cache access control decisions
>  - Table/column level access controls
>  - Trusted procedures
> 
> FYI, this is the scale of the patch.
> 
> It may seem to you that the "tiny" is larger than the "lite".
> But 50% of the changeset is in include/catalog/pg_proc.h, because we separated
> the pg_security facility, so it was necessary to add a new regular attribute
> to the pg_proc system catalog. pg_proc.h has 2000 definitions of built-in
> functions, using the DATA(...) macro. I updated them by sed script.
> That is the reason for the big changeset.
> 
> This patch also contains 570 lines of documentation changes, and 442 lines of test cases.
> So the actual code changeset is about 2700 lines.
> 
> [kaigai@saba]$ diffstat /home/kaigai/RPMS/SOURCES/sepgsql-01-tiny-8.5devel-r2193.patch.gz
>  configure                                                          |  112
>  configure.in                                                       |   13
>  doc/src/sgml/catalogs.sgml                                         |   21
>  doc/src/sgml/config.sgml                                           |   42
>  doc/src/sgml/errcodes.sgml                                         |   21
>  doc/src/sgml/filelist.sgml                                         |    1
>  doc/src/sgml/postgres.sgml                                         |    1
>  doc/src/sgml/ref/alter_database.sgml                               |   12
>  doc/src/sgml/ref/alter_function.sgml                               |   13
>  doc/src/sgml/ref/alter_schema.sgml                                 |   11
>  doc/src/sgml/ref/create_database.sgml                              |   14
>  doc/src/sgml/ref/create_function.sgml                              |   12
>  doc/src/sgml/ref/create_schema.sgml                                |   16
>  doc/src/sgml/ref/initdb.sgml                                       |   11
>  doc/src/sgml/sepgsql.sgml                                          |  395
>  src/Makefile.global.in                                             |    1
>  src/backend/Makefile                                               |    7
>  src/backend/bootstrap/bootstrap.c                                  |    4
>  src/backend/catalog/aclchk.c                                       |   22
>  src/backend/catalog/namespace.c                                    |   17
>  src/backend/catalog/pg_aggregate.c                                 |    3
>  src/backend/catalog/pg_namespace.c                                 |    6
>  src/backend/catalog/pg_proc.c                                      |   29
>  src/backend/commands/alter.c                                       |   31
>  src/backend/commands/dbcommands.c                                  |   86
>  src/backend/commands/functioncmds.c                                |   82
>  src/backend/commands/proclang.c                                    |    6
>  src/backend/commands/schemacmds.c                                  |   69
>  src/backend/nodes/copyfuncs.c                                      |   19
>  src/backend/nodes/equalfuncs.c                                     |   17
>  src/backend/parser/gram.y                                          |   68
>  src/backend/security/Makefile                                      |   11
>  src/backend/security/sepgsql/Makefile                              |   16
>  src/backend/security/sepgsql/avc.c                                 |  331
>  src/backend/security/sepgsql/dummy.c                               |   31
>  src/backend/security/sepgsql/hooks.c                               |  167
>  src/backend/security/sepgsql/label.c                               |  523 +
>  src/backend/security/sepgsql/misc.c                                |  152
>  src/backend/security/sepgsql/perms.c                               |  353
>  src/backend/security/sepgsql/policy/Makefile                       |   28
>  src/backend/security/sepgsql/policy/sepostgresql-devel.fc.template |   12
>  src/backend/security/sepgsql/policy/sepostgresql-devel.te          |  119
>  src/backend/tcop/utility.c                                         |   27
>  src/backend/utils/init/postinit.c                                  |   11
>  src/backend/utils/misc/guc.c                                       |   19
>  src/backend/utils/misc/postgresql.conf.sample                      |    4
>  src/backend/utils/misc/superuser.c                                 |   16
>  src/bin/initdb/initdb.c                                            |   13
>  src/include/catalog/pg_attribute.h                                 |    4
>  src/include/catalog/pg_class.h                                     |    2
>  src/include/catalog/pg_database.h                                  |    6
>  src/include/catalog/pg_namespace.h                                 |   12
>  src/include/catalog/pg_proc.h                                      | 4242 !!!!!!!!!!
>  src/include/catalog/pg_proc_fn.h                                   |    3
>  src/include/commands/alter.h                                       |    1
>  src/include/commands/dbcommands.h                                  |    1
>  src/include/commands/defrem.h                                      |    1
>  src/include/commands/schemacmds.h                                  |    1
>  src/include/nodes/nodes.h                                          |    1
>  src/include/nodes/parsenodes.h                                     |   15
>  src/include/parser/kwlist.h                                        |    1
>  src/include/pg_config.h.in                                         |    3
>  src/include/security/sepgsql.h                                     |  295
>  src/include/utils/errcodes.h                                       |    5
>  src/test/sepgsql/Makefile                                          |   74
>  src/test/sepgsql/expected/functions.out                            |   54
>  src/test/sepgsql/expected/seclabel.out                             |  129
>  src/test/sepgsql/launch_psql.c                                     |   86
>  src/test/sepgsql/sql/functions.sql                                 |   27
>  src/test/sepgsql/sql/seclabel.sql                                  |   72
>  70 files changed, 3695 insertions(+), 4335 modifications(!)
> 


-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
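As an added illustration of the decision path the mail describes, and not code from the patch or from the SE-PgSQL project, the Python model below runs each of the four checks twice: first the ordinary ACL bit or superuser test (DAC), then the SELinux permission between the client's context and the object's security label (MAC). Both must allow. It also shows the default label assigned when no label is given and a label sanity check that does no permission checking. The type names, policy rules and default labels are invented; the user:role:type[:range] context format is standard SELinux, and the exact sanity check SE-PgSQL performs is assumed, not taken from the patch.

```python
"""Toy model of SE-PgSQL/tiny access decisions: DAC (PostgreSQL ACLs) and
MAC (SELinux permissions on security labels) must both allow a request.
Constructed example; policy, type names and labels are invented."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

ACL_CONNECT, ACL_USAGE, ACL_EXECUTE, SUPERUSER = "CONNECT", "USAGE", "EXECUTE", "SUPERUSER"

# The four SELinux permissions SE-PgSQL/tiny checks, keyed by the object class
# and the PostgreSQL privilege check they accompany (from the mail above).
MAC_PERMISSION = {
    ("db_database", ACL_CONNECT): "connect",
    ("db_database", SUPERUSER): "superuser",
    ("db_schema", ACL_USAGE): "usage",
    ("db_procedure", ACL_EXECUTE): "execute",
}

# Labels assigned when CREATE gives none (assumed values, not the patch's).
DEFAULT_LABEL = {
    "db_database": "system_u:object_r:sepgsql_db_t:s0",
    "db_schema": "system_u:object_r:sepgsql_schema_t:s0",
    "db_procedure": "system_u:object_r:sepgsql_proc_t:s0",
}


def validate_label(label: str) -> bool:
    """Sanity check only, no permission check: an SELinux context is
    user:role:type with an optional MLS range (which may itself contain ':')."""
    parts = label.split(":", 3)
    return len(parts) >= 3 and all(parts)


def type_of(context: str) -> str:
    """Third field of a context is the type the policy rules are written against."""
    return context.split(":", 3)[2]


@dataclass
class DBObject:
    oclass: str                      # "db_database", "db_schema" or "db_procedure"
    name: str
    seclabel: Optional[str] = None   # datseclabel / nspseclabel / proseclabel
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # role -> privileges

    def __post_init__(self) -> None:
        if self.seclabel is None:            # no explicit label: default applies
            self.seclabel = DEFAULT_LABEL[self.oclass]
        if not validate_label(self.seclabel):
            raise ValueError(f"invalid security label: {self.seclabel!r}")


@dataclass
class Role:
    name: str
    context: str          # client's SELinux context (e.g. obtained via getpeercon)
    is_superuser: bool = False


class Policy:
    """Minimal allow-rule set: (subject type, object type, class, permission)."""
    def __init__(self) -> None:
        self.rules: Set[Tuple[str, str, str, str]] = set()

    def allow(self, stype: str, ttype: str, oclass: str, *perms: str) -> None:
        for perm in perms:
            self.rules.add((stype, ttype, oclass, perm))

    def permits(self, subj: Role, obj: DBObject, perm: str) -> bool:
        return (type_of(subj.context), type_of(obj.seclabel), obj.oclass, perm) in self.rules


def superuser_arg(policy: Policy, role: Role, database: DBObject) -> bool:
    """The superuser bit alone is not enough: db_database:{superuser} must also be allowed."""
    return role.is_superuser and policy.permits(role, database, "superuser")


def aclcheck(policy: Policy, role: Role, obj: DBObject, priv: str,
             database: DBObject) -> Tuple[bool, str]:
    """DAC first, then MAC; the request passes only if both allow."""
    if priv not in obj.acl.get(role.name, set()) and not superuser_arg(policy, role, database):
        return False, f"DAC: {role.name} lacks {priv} on {obj.oclass} {obj.name}"
    perm = MAC_PERMISSION[(obj.oclass, priv)]
    if not policy.permits(role, obj, perm):
        return False, (f"MAC: {obj.oclass}:{{{perm}}} denied for "
                       f"{type_of(role.context)} -> {type_of(obj.seclabel)}")
    return True, "allowed"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Constructed scenario: ACLs that pass but labels that fail, and vice versa."""
    policy = Policy()
    policy.allow("user_t", "sepgsql_db_t", "db_database", "connect")
    policy.allow("admin_t", "sepgsql_db_t", "db_database", "connect", "superuser")
    policy.allow("user_t", "sepgsql_schema_t", "db_schema", "usage")

    db = DBObject("db_database", "postgres")                    # gets the default label
    schema = DBObject("db_schema", "secret", "system_u:object_r:secret_schema_t:s0")
    db.acl = {"alice": {ACL_CONNECT}, "bob": {ACL_CONNECT}}
    schema.acl = {"alice": {ACL_USAGE}}

    alice = Role("alice", "user_u:user_r:user_t:s0")
    bob = Role("bob", "guest_u:guest_r:guest_t:s0")
    root = Role("root", "staff_u:staff_r:admin_t:s0", is_superuser=True)
    ops = Role("ops", "guest_u:guest_r:guest_t:s0", is_superuser=True)
    return {
        "alice connect": aclcheck(policy, alice, db, ACL_CONNECT, db),        # both pass
        "bob connect": aclcheck(policy, bob, db, ACL_CONNECT, db),            # ACL ok, MAC denies
        "alice usage secret": aclcheck(policy, alice, schema, ACL_USAGE, db),  # label not in policy
        "root connect": aclcheck(policy, root, db, ACL_CONNECT, db),          # no ACL, superuser + MAC
        "ops connect": aclcheck(policy, ops, db, ACL_CONNECT, db),            # superuser bit, MAC denies it
    }


if __name__ == "__main__":
    for case, (ok, why) in demo().items():
        print(f"{case:20s} {'ALLOW' if ok else 'DENY '} {why}")
```

The "ops" case is the point worth noticing: with db_database:{superuser} gated by policy, a role that has the superuser bit in pg_authid but whose SELinux context is not granted that permission no longer bypasses the ACL check, so the mandatory policy constrains even database superusers.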

