Thread: [RFC] sepgsql: prohibit users to relabel objects

[RFC] sepgsql: prohibit users to relabel objects

From
Denis Kirjanov
Date:
Enforce access control on security labels defined by admin
and prohibit users to relabel the objects

Signed-off-by: Denis Kirjanov <kda@itsirius.su>
---
 contrib/sepgsql/label.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/contrib/sepgsql/label.c b/contrib/sepgsql/label.c
index ef7661c..470b90e 100644
--- a/contrib/sepgsql/label.c
+++ b/contrib/sepgsql/label.c
@@ -504,6 +504,11 @@ sepgsql_object_relabel(const ObjectAddress *object, const char *seclabel)
(errcode(ERRCODE_INVALID_NAME),              errmsg("SELinux: invalid security label: \"%s\"", seclabel)));
 
+    if (!superuser())
+        ereport(ERROR,
+                (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+          errmsg("SELinux: must be superuser to relabel objects")));
+    /*     * Do actual permission checks for each object classes     */
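
Review bot: the superuser() test added just ahead of the "Do actual permission checks for each object classes" comment rejects every non-superuser unconditionally, so for ordinary roles the per-object-class checks that follow are never reached and the relabel decision is taken out of the SELinux policy's hands. If the aim is to stop users from relabeling, consider dropping this check and expressing the restriction in the policy instead. If a hard-coded gate is really intended, it needs a comment explaining why the policy checks below are not sufficient, and the diffstat shows only label.c changing, so documentation and a regression test for the new "must be superuser to relabel objects" error are missing. Style: the errmsg( line appears indented less than the errcode( line above it; align the two.
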
-- 
1.7.10.4




Re: [RFC] sepgsql: prohibit users to relabel objects

From
Robert Haas
Date:
On Wed, Apr 29, 2015 at 9:15 AM, Denis Kirjanov <kda@linux-powerpc.org> wrote:
> Enforce access control on security labels defined by admin
> and prohibit users to relabel the objects

Really?  Why?  I would think it's the policy's job to restrict relabel
operations.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company



Re: [RFC] sepgsql: prohibit users to relabel objects

From
Adam Brightwell
Date:
> Really?  Why?  I would think it's the policy's job to restrict relabel
> operations.

I agree.  This seems like an unnecessary change.

-Adam 


Re: [RFC] sepgsql: prohibit users to relabel objects

From
Denis Kirjanov
Date:
Oh, I wasn't aware of that. 
Any hints where to look at?

Thanks!

PS: sorry for top posting.

----- Original Message -----
From: "Robert Haas" <robertmhaas@gmail.com>
To: "Denis Kirjanov" <kda@linux-powerpc.org>
Cc: pgsql-hackers@postgresql.org, "Alexey Zhuchkov" <alexey@itsirius.su>, "Denis Kirjanov" <kda@itsirius.su>
Sent: Wednesday, April 29, 2015 9:01:36 PM
Subject: Re: [HACKERS] [RFC] sepgsql: prohibit users to relabel objects

On Wed, Apr 29, 2015 at 9:15 AM, Denis Kirjanov <kda@linux-powerpc.org> wrote:
> Enforce access control on security labels defined by admin
> and prohibit users to relabel the objects

Really?  Why?  I would think it's the policy's job to restrict relabel
operations.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company



Re: [RFC] sepgsql: prohibit users to relabel objects

From
Robert Haas
Date:
On Thu, Apr 30, 2015 at 4:13 AM, Denis Kirjanov <kda@itsirius.su> wrote:
> Oh, I wasn't aware of that.
> Any hints where to look at?

Unfortunately, I don't really understand in detail how to write
selinux policies, so no.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company