sepostgresql

Language: en

Version: 175244 (fedora - 06/07/09)

Section: 8 (Administrator commands)

NAME

sepostgresql - Security-Enhanced PostgreSQL

DESCRIPTION

Security-Enhanced PostgreSQL (SE-PostgreSQL) is an enhancement of PostgreSQL that applies fine-grained mandatory access control to database objects based on the SELinux security policy. This makes it possible to apply one flexible, integrated access control policy to both the operating system and the database management system, at every stage of the information's life.

This document describes how to customize SE-PostgreSQL under the default security policy.

BOOLEANS

The SELinux policy is customized through boolean variables. A boolean has two states, 1 (on) or 0 (off); parts of the security policy are enabled or disabled depending on the state of these booleans.

sepgsql_enable_users_ddl toggles whether confined users and applications are permitted to invoke DDL statements such as CREATE TABLE. It is set to on by default. In most cases DDL statements are used only to set up the initial database structure, so permission to invoke them is not needed during the operation phase. You can turn this boolean off as follows:

setsebool -P sepgsql_enable_users_ddl ( on | off )

The remaining booleans are provided by the selinux-devel.pp policy module, which grants development- and debugging-related permissions. You can install it as follows:

semodule -i /usr/share/selinux/targeted/sepostgresql-devel.pp

sepgsql_enable_auditallow toggles the output of audit messages when a required permission check is allowed, except for checks on tuples, because those would easily flood the audit log. It is set to off by default. You can set it as follows:

setsebool -P sepgsql_enable_auditallow ( on | off )

sepgsql_enable_auditdeny toggles the output of audit messages when a required permission check is denied, except for checks on tuples, because those would easily flood the audit log. It is set to on by default. You can set it as follows:

setsebool -P sepgsql_enable_auditdeny ( on | off )

sepgsql_regression_test_mode allows shared libraries deployed in a user's home directory to be loaded. We recommend keeping it off during the operation phase to prevent malicious libraries from being loaded. However, the standard PostgreSQL regression test needs to load such libraries, so several restrictions have to be relaxed during the test. It is set to off by default. You can set it as follows:

setsebool -P sepgsql_regression_test_mode ( on | off )
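As an added example (not part of this manual page), the following POSIX shell script reads the output of getsebool -a, whose lines have the form "<name> --> <on|off>", and reports which of the four booleans above deviate from the operation-phase settings recommended here: sepgsql_enable_users_ddl off, sepgsql_regression_test_mode off, sepgsql_enable_auditdeny on, sepgsql_enable_auditallow off. The sample input is constructed; on a real host, pipe getsebool -a into check_sepgsql_booleans instead.

```shell
#!/bin/sh
# Added example (not part of the sepostgresql man page): compare the
# SE-PostgreSQL booleans against the operation-phase settings recommended
# above. Input format is the one printed by `getsebool -a`:
#   <boolean name> --> <on|off>

# Expected operation-phase state of each boolean named in the man page.
expected_state() {
    case "$1" in
        sepgsql_enable_users_ddl)      echo off ;;   # DDL only needed at setup time
        sepgsql_regression_test_mode)  echo off ;;   # never load libs from home dirs
        sepgsql_enable_auditdeny)      echo on  ;;   # keep denials in the audit log
        sepgsql_enable_auditallow)     echo off ;;   # default; avoids audit floods
        *) return 1 ;;                               # not a boolean this page covers
    esac
}

# Reads getsebool-style lines on stdin. Prints one line per deviation,
# ending with the setsebool command that would correct it, and returns
# 0 when every covered boolean already has its expected state, 1 otherwise.
check_sepgsql_booleans() {
    rc=0
    while read -r name arrow state; do
        [ "$arrow" = "-->" ] || continue          # skip anything that is not a boolean line
        case "$name" in sepgsql_*) ;; *) continue ;; esac
        wanted=$(expected_state "$name") || continue
        if [ "$state" != "$wanted" ]; then
            echo "$name is $state, expected $wanted: setsebool -P $name $wanted"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of getsebool -a output (not captured from a real host).
SAMPLE='sepgsql_enable_auditallow --> off
sepgsql_enable_auditdeny --> on
sepgsql_enable_users_ddl --> on
sepgsql_regression_test_mode --> on
httpd_can_network_connect --> off'

# Stand-alone run against the sample. On a real host:
#   getsebool -a | check_sepgsql_booleans
if printf '%s\n' "$SAMPLE" | check_sepgsql_booleans; then
    echo "all sepgsql booleans match the operation-phase settings"
fi
```

The script deliberately ignores booleans it does not know about, so it can be run over the full getsebool -a output; the printed setsebool -P commands are suggestions for the administrator to review, not applied automatically.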

TYPES

sepgsql_db_t is the only type for databases themselves. It is attached to newly created databases by default.

sepgsql_table_t is a type for tables, columns and tuples. It is the default type for tables newly created by an unconfined or non-role domain. It allows confined clients any kind of operation except relabeling, so this type can be used for compatibility purposes.

sepgsql_secret_table_t is a type for tables, columns and tuples. It never allows confined clients access, so it can be used to store sensitive information. We recommend using trusted procedures to access tables, columns and tuples of this type under safe operation.

sepgsql_ro_table_t is a type for read-only tables, columns and tuples. It does not allow confined clients to modify any object of this type.

sepgsql_fixed_table_t is a type for non-manipulable tables, columns and tuples. It does not allow confined clients to update or delete any object of this type.

sepgsql_ROLE_table_t is a type for role-specific tables, columns and tuples. It allows confined clients holding that role any kind of operation except relabeling. It is the default type for tables newly created by confined clients with that role, and it can be used to describe role-level separation.

sepgsql_proc_t is a type for procedures. It is attached to procedures newly created by unconfined clients. It allows any client to invoke procedures of this type. All PostgreSQL built-in functions are labeled with this type by default.

sepgsql_ROLE_proc_t is a type for role-specific procedures. It is attached to procedures newly created by confined clients with that role. It allows clients with the same role to invoke procedures of this type. Note that unconfined clients cannot invoke procedures of this type, to avoid executing dangerous functions with unconfined authority. They have to review the procedure's contents and relabel it to sepgsql_proc_t before invoking it.

sepgsql_trusted_proc_exec_t is a type for trusted procedures. Calling a procedure of this type invokes a domain transition to the unconfined domain, so it can access any kind of database object. This type can be used to provide a secure method of accessing sensitive information.

sepgsql_blob_t is a type for binary large objects (blobs). It is attached to newly created blobs by default. Non-administrative clients can read and write blobs of this type.

sepgsql_ro_blob_t is a type for read-only binary large objects (blobs). Non-administrative clients cannot write blobs of this type.
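As an added example (not part of this manual page), the following POSIX shell script parses SELinux contexts of the form user:role:type:level, describes what a confined client may do with a table of each sepgsql_*_table_t type above (including the sepgsql_ROLE_table_t pattern, from which it extracts the role name), and lists the tables still on the compatibility type sepgsql_table_t, which are the ones to review and relabel before they hold sensitive data. The relation-name and context pairs are a constructed sample; how you export such pairs from your own database is assumed, not specified by this page.

```shell
#!/bin/sh
# Added example (not part of the sepostgresql man page): classify table
# security contexts by the sepgsql_*_table_t types described above and
# list the tables on the compatibility type sepgsql_table_t, which any
# confined client may read and modify.

# The type is the third field of an SELinux context "user:role:type:level".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Describe what a *confined* client may do with a table of the given type,
# following the man page. Role-specific types match sepgsql_<ROLE>_table_t;
# the specific types are matched first so they are not mistaken for roles.
describe_table_type() {
    case "$1" in
        sepgsql_table_t)        echo "any confined client: all operations except relabel" ;;
        sepgsql_secret_table_t) echo "no confined access; reach it via a trusted procedure" ;;
        sepgsql_ro_table_t)     echo "confined clients: read only" ;;
        sepgsql_fixed_table_t)  echo "confined clients: no update or delete" ;;
        sepgsql_*_table_t)
            role=${1#sepgsql_}
            role=${role%_table_t}
            echo "only confined clients of role '$role': all operations except relabel" ;;
        *) echo "not a sepgsql table type: $1"; return 1 ;;
    esac
}

# Reads "relname context" pairs on stdin and prints one line per table:
# name, type and the access description.
report_table_labels() {
    while read -r rel ctx; do
        [ -n "$rel" ] || continue
        t=$(context_type "$ctx")
        desc=$(describe_table_type "$t") || true   # keep the message even for unknown types
        printf '%-12s %-26s %s\n' "$rel" "$t" "$desc"
    done
}

# Reads the same pairs and prints only the names of tables labeled
# sepgsql_table_t, i.e. the candidates to relabel before storing secrets.
compat_tables() {
    while read -r rel ctx; do
        [ "$(context_type "$ctx")" = sepgsql_table_t ] && printf '%s\n' "$rel"
    done
    return 0
}

# Constructed sample (not exported from a real database): one table per
# type discussed above, plus a role-specific table for a hypothetical role "hr".
SAMPLE='accounts   system_u:object_r:sepgsql_table_t:s0
salaries   system_u:object_r:sepgsql_secret_table_t:s0
zipcodes   system_u:object_r:sepgsql_ro_table_t:s0
audit_log  system_u:object_r:sepgsql_fixed_table_t:s0
hr_notes   system_u:object_r:sepgsql_hr_table_t:s0'

# Stand-alone run against the sample.
printf '%s\n' "$SAMPLE" | report_table_labels
echo "tables on the compatibility type sepgsql_table_t:"
printf '%s\n' "$SAMPLE" | compat_tables
```

Because sepgsql_table_t grants every confined client all operations except relabeling, the list printed by compat_tables is the natural starting point for moving sensitive tables to sepgsql_secret_table_t behind a trusted procedure, or to a sepgsql_ROLE_table_t type for role-level separation.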

BACKUP and RESTORE

The --enable-selinux option of sepg_dump and sepg_dumpall dumps the database image together with its security contexts. The dumped image can be restored with the standard pg_restore and similar tools.

Example:

$ sepg_dump -Ft -b --enable-selinux postgres | gzip -c > postgres.tgz

AUTHOR

This manual page was written by KaiGai Kohei <kaigai@kaigai.gr.jp>

SEE ALSO

selinux(8), boolean(8)