Thread: sepgsql where are the security labels

sepgsql where are the security labels

From
Ted Toth
Date:
I'm running selinux mls policy, I've got labeled ipsec working and my
postgresql configured to load sepgsql. I've created a db, run the
sepgsql.sql script on it, created tables and inserted data. How do I
query the security labels on the data? As best I can tell there is no
security_context column on either of the tables I've created that I
see? How does the system column security_context get added to tables?
I've read everything I can find on the web but a lot of it is dated.
Here's how I'm creating my db and tables:


CREATE DATABASE contacts
  WITH OWNER = jcdx
       ENCODING = 'UTF8'
       TABLESPACE = pg_default
       LC_COLLATE = 'en_US.UTF-8'
       LC_CTYPE = 'en_US.UTF-8'
       CONNECTION LIMIT = -1;

SECURITY LABEL FOR selinux
  ON DATABASE contacts
  IS 'user_u:object_r:sepgsql_db_t:s0';

--
-- PostgreSQL database dump
--

SET statement_timeout = 0;
SET lock_timeout = 0;
SET client_encoding = 'UTF8';
SET standard_conforming_strings = on;
SET check_function_bodies = false;
SET client_min_messages = warning;

--
-- Name: plpgsql; Type: EXTENSION; Schema: -; Owner:
--

CREATE EXTENSION IF NOT EXISTS plpgsql WITH SCHEMA pg_catalog;


--
-- Name: EXTENSION plpgsql; Type: COMMENT; Schema: -; Owner:
--

COMMENT ON EXTENSION plpgsql IS 'PL/pgSQL procedural language';


--
-- Name: postgis; Type: EXTENSION; Schema: -; Owner:
--

CREATE EXTENSION IF NOT EXISTS postgis WITH SCHEMA public;


--
-- Name: EXTENSION postgis; Type: COMMENT; Schema: -; Owner:
--

COMMENT ON EXTENSION postgis IS 'PostGIS geometry, geography, and raster spatial types and functions';


--
-- Name: pgrouting; Type: EXTENSION; Schema: -; Owner:
--

CREATE EXTENSION IF NOT EXISTS pgrouting WITH SCHEMA public;


--
-- Name: EXTENSION pgrouting; Type: COMMENT; Schema: -; Owner:
--

COMMENT ON EXTENSION pgrouting IS 'pgRouting Extension';


SET search_path = public, pg_catalog;

SET default_tablespace = '';

SET default_with_oids = false;

--
-- Name: messages; Type: TABLE; Schema: public; Owner: jcdx; Tablespace:
--

CREATE TABLE messages (
    id integer NOT NULL,
    message json
);


SECURITY LABEL FOR selinux ON TABLE messages IS
'user_u:object_r:sepgsql_table_t:s0';

ALTER TABLE public.messages OWNER TO jcdx;

--
-- Name: messages_id_seq; Type: SEQUENCE; Schema: public; Owner: jcdx
--

CREATE SEQUENCE messages_id_seq
    START WITH 1
    INCREMENT BY 1
    NO MINVALUE
    NO MAXVALUE
    CACHE 1;

SECURITY LABEL FOR selinux ON SEQUENCE messages_id_seq IS
'user_u:object_r:sepgsql_seq_t:s0';

ALTER TABLE public.messages_id_seq OWNER TO jcdx;

--
-- Name: messages_id_seq; Type: SEQUENCE OWNED BY; Schema: public; Owner: jcdx
--

ALTER SEQUENCE messages_id_seq OWNED BY messages.id;


--
-- Name: reports; Type: TABLE; Schema: public; Owner: jcdx; Tablespace:
--

CREATE TABLE reports (
    id integer NOT NULL,
    report json,
    message_id integer NOT NULL,
    location geometry(Point)
);

SECURITY LABEL FOR selinux ON TABLE reports IS
'user_u:object_r:sepgsql_table_t:s0';

ALTER TABLE public.reports OWNER TO jcdx;

--
-- Name: reports_id_seq; Type: SEQUENCE; Schema: public; Owner: jcdx
--

CREATE SEQUENCE reports_id_seq
    START WITH 1
    INCREMENT BY 1
    NO MINVALUE
    NO MAXVALUE
    CACHE 1;

SECURITY LABEL FOR selinux ON SEQUENCE reports_id_seq IS
'user_u:object_r:sepgsql_seq_t:s0';

ALTER TABLE public.reports_id_seq OWNER TO jcdx;

--
-- Name: reports_id_seq; Type: SEQUENCE OWNED BY; Schema: public; Owner: jcdx
--

ALTER SEQUENCE reports_id_seq OWNED BY reports.id;


--
-- Name: id; Type: DEFAULT; Schema: public; Owner: jcdx
--

ALTER TABLE ONLY messages ALTER COLUMN id SET DEFAULT
nextval('messages_id_seq'::regclass);


--
-- Name: id; Type: DEFAULT; Schema: public; Owner: jcdx
--

ALTER TABLE ONLY reports ALTER COLUMN id SET DEFAULT
nextval('reports_id_seq'::regclass);


Re: sepgsql where are the security labels

From
Adrian Klaver
Date:
On 11/12/2014 02:45 PM, Ted Toth wrote:
> I'm running selinux mls policy I've got labeled ipsec working and my
> postgresql configured to load
> sepgsql. I've created a db, run the sepgsql.sql script on it, created
> tables and inserted data. How do I
> query the security labels on the data?

I do not use SECURITY LABELS, but it seems they can be queried here:

http://www.postgresql.org/docs/9.3/interactive/view-pg-seclabels.html

> As best I can tell there is no
> security_context
> column on either of the tables I've created that I see? How does the
> system column security_context get added to tables? I've read
> everything I can find on the web but
> a lot of it is dated. Here's how I'm creating my db and tables:
>

--
Adrian Klaver
adrian.klaver@aklaver.com


Re: sepgsql where are the security labels

From
Ted Toth
Date:
This table maintains information about the context of postgresql
objects not the data in tables.

On Wed, Nov 12, 2014 at 5:56 PM, Adrian Klaver
<adrian.klaver@aklaver.com> wrote:
> On 11/12/2014 02:45 PM, Ted Toth wrote:
>>
>> I'm running selinux mls policy I've got labeled ipsec working and my
>> postgresql configured to load
>> sepgsql. I've created a db, run the sepgsql.sql script on it, created
>> tables and inserted data. How do I
>> query the security labels on the data?
>
>
> I do not use SECURITY LABELS, but it seems they can be queried here:
>
> http://www.postgresql.org/docs/9.3/interactive/view-pg-seclabels.html
>
>
>  As best I can tell there is no
>>
>> security_context
>> column on either of the tables I've created that I see? How does the
>> system column security_context get added to tables? I've read
>> everything I can find on the web but
>> a lot of it is dated. Here's how I'm creating my db and tables:
>>
>
> --
> Adrian Klaver
> adrian.klaver@aklaver.com
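
Added example, not part of any message in the thread: a query against the pg_seclabels view from the 9.3 documentation linked above, restricted to the selinux provider and to the objects created in the first message (database contacts, schema public). Every row it returns describes a database object such as a table, column or sequence; the view has no entry for an individual table row.

```sql
-- Run while connected to the "contacts" database from the first message.

-- 1. SELinux context of the current client session (with labeled IPsec
--    this is the peer's context). sepgsql_getcon() ships with sepgsql.
SELECT sepgsql_getcon() AS client_context;

-- 2. Labels sepgsql has stored for the database and for every labeled
--    object in schema "public". Columns appear as "table.column".
SELECT s.objtype,
       s.objname,
       split_part(s.label, ':', 1) AS selinux_user,
       split_part(s.label, ':', 2) AS selinux_role,
       split_part(s.label, ':', 3) AS selinux_type,
       -- The MLS range is everything after the third ':' and can itself
       -- contain ':' (for example s0-s15:c0.c1023), so split_part is
       -- not enough for this field.
       substring(s.label from '^[^:]*:[^:]*:[^:]*:(.*)$') AS mls_range
FROM   pg_seclabels AS s
WHERE  s.provider = 'selinux'
  AND  (
         (s.objtype = 'database' AND s.objname = 'contacts')
         OR s.objnamespace = (SELECT oid
                              FROM   pg_namespace
                              WHERE  nspname = 'public')
       )
ORDER  BY s.objtype, s.objname;

-- 3. Per-type summary: confirms which kinds of object carry a label.
--    In 9.3 the finest-grained entry is objtype = 'column'.
SELECT objtype, count(*) AS labeled_objects
FROM   pg_seclabels
WHERE  provider = 'selinux'
GROUP  BY objtype
ORDER  BY objtype;
```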


Re: sepgsql where are the security labels

From
Adrian Klaver
Date:
On 11/13/2014 05:58 AM, Ted Toth wrote:
> This table maintains information about the context of postgresql
> objects not the data in tables.



http://www.slideshare.net/kaigai/label-based-mandatory-access-control-on-postgresql

Slide 23



--
Adrian Klaver
adrian.klaver@aklaver.com


Re: sepgsql where are the security labels

From
Adrian Klaver
Date:
On 11/13/2014 05:58 AM, Ted Toth wrote:
> This table maintains information about the context of postgresql
> objects not the data in tables.


To follow up, an expanded explanation of the security_label column:

https://wiki.postgresql.org/wiki/SEPostgreSQL_Architecture#The_security_label_system_column




--
Adrian Klaver
adrian.klaver@aklaver.com


Re: sepgsql where are the security labels

From
Ted Toth
Date:
Exactly what I'm talking about ... but unfortunately that appears to
have been based on KaiGai's branch and is not in 9.3. The current
discuss/work is around row-level-security with patches to 9.5 which is
not much help to me now :(

On Thu, Nov 13, 2014 at 9:26 AM, Adrian Klaver
<adrian.klaver@aklaver.com> wrote:
> On 11/13/2014 05:58 AM, Ted Toth wrote:
>>
>> This table maintains information about the context of postgresql
>> objects not the data in tables.
>
>
>
>
> http://www.slideshare.net/kaigai/label-based-mandatory-access-control-on-postgresql
>
> Slide 23
>


Re: sepgsql where are the security labels

From
Adrian Klaver
Date:
On 11/13/2014 07:37 AM, Ted Toth wrote:
> Exactly what I'm talking about ... but unfortunately that appears to
> have been based on KaiGai's branch and is not in 9.3. The current
> discuss/work is around row-level-security with patches to 9.5 which is
> not much help to me now :(
>

Then my previous post would not be of much help either. I do not have
--selinux on my instances, so I have no way of testing. I'm afraid I am
out of ideas.


--
Adrian Klaver
adrian.klaver@aklaver.com