Re: security labels on databases are bad for dump & restore

> So if I label a table with an SELinux context and the type of my
> client connection does not have policy to be able to access the table
> type will an AVC be generated and the access denied?
>
Of course, it depends on the policy of the system.

If client connection come from none-SELinux system, use netlabelctl
to configure default fallback security context. It gives getpeercon(3)
the client label shall be applied when netlabel is not configured on
the connection.

Thanks,
--
NEC Business Creation Division / PG-Strom Project
KaiGai Kohei <kaigai@ak.jp.nec.com>


> -----Original Message-----
> From: pgsql-hackers-owner@postgresql.org
> [mailto:pgsql-hackers-owner@postgresql.org] On Behalf Of Ted Toth
> Sent: Wednesday, July 15, 2015 2:59 AM
> To: Kohei KaiGai
> Cc: Robert Haas; Adam Brightwell; Andres Freund; pgsql-hackers@postgresql.org;
> Alvaro Herrera
> Subject: Re: [HACKERS] security labels on databases are bad for dump & restore
> 
> So if I label a table with an SELinux context and the type of my
> client connection does not have policy to be able to access the table
> type will an AVC be generated and the access denied?
> 
> Ted
> 
> On Tue, Jul 14, 2015 at 12:53 PM, Kohei KaiGai <kaigai@kaigai.gr.jp> wrote:
> > 2015-07-15 2:39 GMT+09:00 Ted Toth <txtoth@gmail.com>:
> >> That's exactly what I'm talking about like I said KaiGais branch was
> >> never merged into the mainline so I do not believe that it is used at
> >> all.
> >>
> > It depends on the definition of "integrated".
> > The PostgreSQL core offers an infrastructure for label based security
> > mechanism, not only selinux. Also, one extension module that is
> > usually distributed with PosgreSQL bridges the world of database and
> > the world of selinux (even though all the features I initially designed
> > are not yet implemented). I like to say it is integrated.
> >
> >> On Tue, Jul 14, 2015 at 12:28 PM, Robert Haas <robertmhaas@gmail.com> wrote:
> >>> On Tue, Jul 14, 2015 at 1:22 PM, Ted Toth <txtoth@gmail.com> wrote:
> >>>> I'm sort of new to this so maybe I'm missing something but since the
> >>>> sepgsql SELinux userspace object manager was never integrated into
> >>>> postgresql (AFAIK KaiGais branch was never merged into the mainline)
> >>>> who uses these labels? What use are they?
> >>>
> >>> See contrib/sepgsql
> >>>
> >>> --
> >>> Robert Haas
> >>> EnterpriseDB: http://www.enterprisedb.com
> >>> The Enterprise PostgreSQL Company
> >
> >
> >
> > --
> > KaiGai Kohei <kaigai@kaigai.gr.jp>
> 
> 
> --
> Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-hackers