Thread: SELinux context of PostgreSQL connection process

SELinux context of PostgreSQL connection process

From
Мартынов Александр
Date:
There is a postgres db with sepgsql enabled. When a user connects to the postgres db with psql, postgres creates a new process for each connection. These processes have the SELinux context unconfined_u:unconfined_r:postgresql_t.

Is there a way to assign the process the context of the user that connected to the db?


Re: SELinux context of PostgreSQL connection process

From
John R Pierce
Date:
On 3/24/2015 5:16 AM, Мартынов Александр wrote:
> There is postgres db with sepgsql enabled. When user connect to postgres db with psql, postgres create new process for each connection. These processes have selinux context unconfined_u:unconfined_r:postgresql_t.
>
> Is there a way to assign the process a context of user that connected to db?

what if that user is on a different system connecting over the network?

no, the only user the postgres server processes should run as are those
of the postgres server itself as it needs to read and write files in the
postgres data directory tree.

--
john, recycling bits in santa cruz



Re: SELinux context of PostgreSQL connection process

From
Мартынов Александр
Date:
If the user is given the necessary rights, can the connection process then get the context of the user?
Is that possible in principle?

24.03.2015, 21:11, "John R Pierce" <pierce@hogranch.com>:
> On 3/24/2015 5:16 AM, Мартынов Александр wrote:
>>  There is postgres db with sepgsql enabled. When user connect to postgres db with psql, postgres create new process for each connection. These processes have selinux context unconfined_u:unconfined_r:postgresql_t.
>>
>>  Is there a way to assign the process a context of user that connected to db?
>
> what if that user is on a different system connecting over the network?
>
> no, the only user the postgres server processes should run as are those
> of the postgres server itself as it needs to read and write files in the
> postgres data directory tree.
>
> --
> john, recycling bits in santa cruz
>
> --
> Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general


Re: SELinux context of PostgreSQL connection process

From
Мартынов Александр
Date:
If the user is given the necessary permissions, can the connection process then get the context of the user?
By context I mean a category and a level (sensitivity).
Does the architecture of PostgreSQL permit adding the ability to change the context of a connection process to the context of the connecting user?

25.03.2015, 17:38, "Мартынов Александр" <m--a-s@yandex.ru>:
> If the user is given the necessary rights, then can the connection process get a context of the user?
> Is there the possibility in principle?
>
> 24.03.2015, 21:11, "John R Pierce" <pierce@hogranch.com>:
>>  On 3/24/2015 5:16 AM, Мартынов Александр wrote:
>>>   There is postgres db with sepgsql enabled. When user connect to postgres db with psql, postgres create new process for each connection. These processes have selinux context unconfined_u:unconfined_r:postgresql_t.
>>>
>>>   Is there a way to assign the process a context of user that connected to db?
>>  what if that user is on a different system connecting over the network?
>>
>>  no, the only user the postgres server processes should run as are those
>>  of the postgres server itself as it needs to read and write files in the
>>  postgres data directory tree.
>>
>>  --
>>  john, recycling bits in santa cruz