Thread: sepgsql where are the security labels
I'm running the selinux mls policy; I've got labeled ipsec working and my postgresql configured to load sepgsql. I've created a db, run the sepgsql.sql script on it, created tables and inserted data. How do I query the security labels on the data? As best I can tell there is no security_context column on either of the tables I've created that I see. How does the system column security_context get added to tables? I've read everything I can find on the web but a lot of it is dated. Here's how I'm creating my db and tables:

CREATE DATABASE contacts
    WITH OWNER = jcdx
         ENCODING = 'UTF8'
         TABLESPACE = pg_default
         LC_COLLATE = 'en_US.UTF-8'
         LC_CTYPE = 'en_US.UTF-8'
         CONNECTION LIMIT = -1;

SECURITY LABEL FOR selinux ON DATABASE contacts IS 'user_u:object_r:sepgsql_db_t:s0';

--
-- PostgreSQL database dump
--

SET statement_timeout = 0;
SET lock_timeout = 0;
SET client_encoding = 'UTF8';
SET standard_conforming_strings = on;
SET check_function_bodies = false;
SET client_min_messages = warning;

--
-- Name: plpgsql; Type: EXTENSION; Schema: -; Owner:
--

CREATE EXTENSION IF NOT EXISTS plpgsql WITH SCHEMA pg_catalog;

--
-- Name: EXTENSION plpgsql; Type: COMMENT; Schema: -; Owner:
--

COMMENT ON EXTENSION plpgsql IS 'PL/pgSQL procedural language';

--
-- Name: postgis; Type: EXTENSION; Schema: -; Owner:
--

CREATE EXTENSION IF NOT EXISTS postgis WITH SCHEMA public;

--
-- Name: EXTENSION postgis; Type: COMMENT; Schema: -; Owner:
--

COMMENT ON EXTENSION postgis IS 'PostGIS geometry, geography, and raster spatial types and functions';

--
-- Name: pgrouting; Type: EXTENSION; Schema: -; Owner:
--

CREATE EXTENSION IF NOT EXISTS pgrouting WITH SCHEMA public;

--
-- Name: EXTENSION pgrouting; Type: COMMENT; Schema: -; Owner:
--

COMMENT ON EXTENSION pgrouting IS 'pgRouting Extension';

SET search_path = public, pg_catalog;
SET default_tablespace = '';
SET default_with_oids = false;

--
-- Name: messages; Type: TABLE; Schema: public; Owner: jcdx; Tablespace:
--

CREATE TABLE messages (
    id integer NOT NULL,
    message json
);

SECURITY LABEL FOR selinux ON TABLE messages IS 'user_u:object_r:sepgsql_table_t:s0';

ALTER TABLE public.messages OWNER TO jcdx;

--
-- Name: messages_id_seq; Type: SEQUENCE; Schema: public; Owner: jcdx
--

CREATE SEQUENCE messages_id_seq
    START WITH 1
    INCREMENT BY 1
    NO MINVALUE
    NO MAXVALUE
    CACHE 1;

SECURITY LABEL FOR selinux ON SEQUENCE messages_id_seq IS 'user_u:object_r:sepgsql_seq_t:s0';

ALTER TABLE public.messages_id_seq OWNER TO jcdx;

--
-- Name: messages_id_seq; Type: SEQUENCE OWNED BY; Schema: public; Owner: jcdx
--

ALTER SEQUENCE messages_id_seq OWNED BY messages.id;

--
-- Name: reports; Type: TABLE; Schema: public; Owner: jcdx; Tablespace:
--

CREATE TABLE reports (
    id integer NOT NULL,
    report json,
    message_id integer NOT NULL,
    location geometry(Point)
);

SECURITY LABEL FOR selinux ON TABLE reports IS 'user_u:object_r:sepgsql_table_t:s0';

ALTER TABLE public.reports OWNER TO jcdx;

--
-- Name: reports_id_seq; Type: SEQUENCE; Schema: public; Owner: jcdx
--

CREATE SEQUENCE reports_id_seq
    START WITH 1
    INCREMENT BY 1
    NO MINVALUE
    NO MAXVALUE
    CACHE 1;

SECURITY LABEL FOR selinux ON SEQUENCE reports_id_seq IS 'user_u:object_r:sepgsql_seq_t:s0';

ALTER TABLE public.reports_id_seq OWNER TO jcdx;

--
-- Name: reports_id_seq; Type: SEQUENCE OWNED BY; Schema: public; Owner: jcdx
--

ALTER SEQUENCE reports_id_seq OWNED BY reports.id;

--
-- Name: id; Type: DEFAULT; Schema: public; Owner: jcdx
--

ALTER TABLE ONLY messages ALTER COLUMN id SET DEFAULT nextval('messages_id_seq'::regclass);

--
-- Name: id; Type: DEFAULT; Schema: public; Owner: jcdx
--

ALTER TABLE ONLY reports ALTER COLUMN id SET DEFAULT nextval('reports_id_seq'::regclass);
On 11/12/2014 02:45 PM, Ted Toth wrote:
> I'm running the selinux mls policy; I've got labeled ipsec working and my
> postgresql configured to load sepgsql. I've created a db, run the
> sepgsql.sql script on it, created tables and inserted data. How do I
> query the security labels on the data?

I do not use SECURITY LABELS, but it seems they can be queried here:

http://www.postgresql.org/docs/9.3/interactive/view-pg-seclabels.html

> As best I can tell there is no security_context column on either of the
> tables I've created that I see. How does the system column
> security_context get added to tables? I've read everything I can find
> on the web but a lot of it is dated. Here's how I'm creating my db and
> tables:

--
Adrian Klaver
adrian.klaver@aklaver.com
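An added example, not part of the thread, of what the pg_seclabels view referenced above does and does not show for the schema posted in the question. It assumes PostgreSQL 9.3 with sepgsql in shared_preload_libraries and the contacts database from the original post; the object names are the ones from that dump. The query shows that labels are attached to catalog objects (database, table, sequence, column), which is why no per-row column appears on the tables.

```sql
-- Added example (not code from the thread). Assumes PostgreSQL 9.3 with
-- sepgsql loaded and the "contacts" database, tables and sequences from the
-- original post.

-- 1. Confirm sepgsql is actually loaded and in which mode. Both GUCs only
--    exist when the module is loaded, so an error here means it is not.
SHOW sepgsql.permissive;    -- off = enforcing
SHOW sepgsql.debug_audit;   -- on  = log every permission check sepgsql makes

-- 2. The SELinux context of the connected client, i.e. the subject that
--    sepgsql checks against the object labels below.
SELECT sepgsql_getcon();

-- 3. Labels set with SECURITY LABEL FOR selinux ... live in pg_seclabel
--    (per-database objects) and pg_shseclabel (shared objects such as the
--    database itself); pg_seclabels unions both and resolves names.
SELECT objtype, objname, provider, label
  FROM pg_seclabels
 WHERE provider = 'selinux'
   AND objname IN ('contacts', 'public',
                   'messages', 'reports',
                   'messages_id_seq', 'reports_id_seq')
 ORDER BY objtype, objname;

-- 4. Column-level labels (objsubid is the attribute number). If no
--    SECURITY LABEL was issued for a column there may be no row here even
--    though sepgsql still enforces a default label on it.
SELECT objname, objsubid, label
  FROM pg_seclabels
 WHERE objtype = 'column'
   AND objnamespace = (SELECT oid FROM pg_namespace WHERE nspname = 'public')
 ORDER BY objname, objsubid;

-- 5. Objects that carry no explicit label: useful to spot tables created
--    after the labelling script ran.
SELECT c.relname, c.relkind
  FROM pg_class c
  JOIN pg_namespace n ON n.oid = c.relnamespace
  LEFT JOIN pg_seclabel s ON s.objoid = c.oid
                         AND s.classoid = 'pg_class'::regclass
                         AND s.objsubid = 0
                         AND s.provider = 'selinux'
 WHERE n.nspname = 'public'
   AND c.relkind IN ('r', 'S')
   AND s.label IS NULL;
```

Every row returned by steps 3 and 4 describes a catalog object, never a tuple in messages or reports; there is no objtype for a row, which is the gap the rest of the thread is about.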
This table maintains information about the context of postgresql objects, not the data in tables.

On Wed, Nov 12, 2014 at 5:56 PM, Adrian Klaver <adrian.klaver@aklaver.com> wrote:
> On 11/12/2014 02:45 PM, Ted Toth wrote:
>> I'm running the selinux mls policy; I've got labeled ipsec working and my
>> postgresql configured to load sepgsql. I've created a db, run the
>> sepgsql.sql script on it, created tables and inserted data. How do I
>> query the security labels on the data?
>
> I do not use SECURITY LABELS, but it seems they can be queried here:
>
> http://www.postgresql.org/docs/9.3/interactive/view-pg-seclabels.html
>
>> As best I can tell there is no security_context column on either of the
>> tables I've created that I see. How does the system column
>> security_context get added to tables? I've read everything I can find
>> on the web but a lot of it is dated. Here's how I'm creating my db and
>> tables:
>
> --
> Adrian Klaver
> adrian.klaver@aklaver.com
On 11/13/2014 05:58 AM, Ted Toth wrote:
> This table maintains information about the context of postgresql
> objects, not the data in tables.

http://www.slideshare.net/kaigai/label-based-mandatory-access-control-on-postgresql

Slide 23

> On Wed, Nov 12, 2014 at 5:56 PM, Adrian Klaver
> <adrian.klaver@aklaver.com> wrote:
>> On 11/12/2014 02:45 PM, Ted Toth wrote:
>>> I'm running the selinux mls policy; I've got labeled ipsec working and my
>>> postgresql configured to load sepgsql. I've created a db, run the
>>> sepgsql.sql script on it, created tables and inserted data. How do I
>>> query the security labels on the data?
>>
>> I do not use SECURITY LABELS, but it seems they can be queried here:
>>
>> http://www.postgresql.org/docs/9.3/interactive/view-pg-seclabels.html
>>
>>> As best I can tell there is no security_context column on either of the
>>> tables I've created that I see. How does the system column
>>> security_context get added to tables? I've read everything I can find
>>> on the web but a lot of it is dated. Here's how I'm creating my db and
>>> tables:
>>
>> --
>> Adrian Klaver
>> adrian.klaver@aklaver.com

--
Adrian Klaver
adrian.klaver@aklaver.com
On 11/13/2014 05:58 AM, Ted Toth wrote:
> This table maintains information about the context of postgresql
> objects, not the data in tables.

To follow up, an expanded explanation of the security_label column:

https://wiki.postgresql.org/wiki/SEPostgreSQL_Architecture#The_security_label_system_column

--
Adrian Klaver
adrian.klaver@aklaver.com
Exactly what I was talking about ... but unfortunately that appears to have been based on KaiGai's branch and is not in 9.3. The current discussion/work is around row-level security with patches to 9.5, which is not much help to me now :(

On Thu, Nov 13, 2014 at 9:26 AM, Adrian Klaver <adrian.klaver@aklaver.com> wrote:
> On 11/13/2014 05:58 AM, Ted Toth wrote:
>> This table maintains information about the context of postgresql
>> objects, not the data in tables.
>
> http://www.slideshare.net/kaigai/label-based-mandatory-access-control-on-postgresql
>
> Slide 23
>
>> On Wed, Nov 12, 2014 at 5:56 PM, Adrian Klaver
>> <adrian.klaver@aklaver.com> wrote:
>>> On 11/12/2014 02:45 PM, Ted Toth wrote:
>>>> I'm running the selinux mls policy; I've got labeled ipsec working and my
>>>> postgresql configured to load sepgsql. I've created a db, run the
>>>> sepgsql.sql script on it, created tables and inserted data. How do I
>>>> query the security labels on the data?
>>>
>>> I do not use SECURITY LABELS, but it seems they can be queried here:
>>>
>>> http://www.postgresql.org/docs/9.3/interactive/view-pg-seclabels.html
>>>
>>>> As best I can tell there is no security_context column on either of the
>>>> tables I've created that I see. How does the system column
>>>> security_context get added to tables? I've read everything I can find
>>>> on the web but a lot of it is dated. Here's how I'm creating my db and
>>>> tables:
>>>
>>> --
>>> Adrian Klaver
>>> adrian.klaver@aklaver.com
>
> --
> Adrian Klaver
> adrian.klaver@aklaver.com
On 11/13/2014 07:37 AM, Ted Toth wrote:
> Exactly what I was talking about ... but unfortunately that appears to
> have been based on KaiGai's branch and is not in 9.3. The current
> discussion/work is around row-level security with patches to 9.5, which is
> not much help to me now :(

Then my previous post would not be of much help either. I do not have --selinux on my instances, so I have no way of testing. I'm afraid I am out of ideas.

--
Adrian Klaver
adrian.klaver@aklaver.com
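An added example, not from the thread or from sepgsql itself, of what the row-level security mentioned in the last exchange looks like when it is used to carry a per-row label in the absence of a security_label system column. It assumes PostgreSQL 9.5 or later (where CREATE POLICY exists) with sepgsql loaded, and it uses the messages table from the original post. The row_label column, the policy name and the string-equality test are assumptions for illustration: comparing the full context string is not MLS dominance checking and is not enforced by the SELinux policy, so it only demonstrates the mechanism, not a substitute for kernel-enforced labels.

```sql
-- Added example (not code from the thread or from sepgsql). Assumes
-- PostgreSQL 9.5+ with sepgsql loaded and the "messages" table from the
-- original post. row_label, messages_by_label and the equality test are
-- illustrative assumptions, not an MLS dominance check.

-- A plain text column holds the label; the default captures the inserting
-- client's SELinux context, which is what sepgsql_getcon() returns.
ALTER TABLE messages
    ADD COLUMN row_label text NOT NULL DEFAULT sepgsql_getcon();

-- Without FORCE, the table owner (jcdx in the original dump) bypasses RLS.
ALTER TABLE messages ENABLE ROW LEVEL SECURITY;
ALTER TABLE messages FORCE ROW LEVEL SECURITY;

-- USING filters rows on read/update/delete; WITH CHECK stops a client from
-- inserting or updating a row into a label it does not itself carry.
CREATE POLICY messages_by_label ON messages
    USING      (row_label = sepgsql_getcon())
    WITH CHECK (row_label = sepgsql_getcon());

-- Verify the policy is in place and what expressions it enforces.
SELECT policyname, cmd, qual, with_check
  FROM pg_policies
 WHERE tablename = 'messages';

-- Rows with a context other than the caller's are invisible, not denied:
-- this returns only rows whose row_label equals sepgsql_getcon().
SELECT id, row_label FROM messages ORDER BY id;
```

Two practitioner caveats: row_label is ordinary data, so anyone with column-level write access and a matching context can change it, unlike a label that the policy module owns; and because the policy hides rather than rejects rows, an INSERT under a different context succeeds and then appears to vanish, so audit on the application side rather than relying on an error.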