SEPostgreSQLv8.4

From PostgreSQL wiki

Jump to: navigation, search

SepgsqlLogo.png

Contents

What is SE-PostgreSQL

Security Enhanced PostgreSQL (SE-PostgreSQL) is an optional access control feature of PostgreSQL, but has not upstreamed yet on the v8.4 series. This page introduces the way to set up SE-PostgreSQL with the v8.4 series of PostgreSQL.

It enables to apply fine-grained mandatory access control policy to various database objects, and makes its decision based on consistent privileges of remote/local client process and the centralized security policy of the operating system. It means we can control accesses on databases, as if the kernel controls accesses on filesystems using SELinux. We call it as system-wide consistency in access controls.

It works fully orthogonal to the default database ACLs mechanism, so it means both of access control features need to allow accesses on the database objects required.

SE-PostgreSQL will help to protect our information asset from some of threats like leaking, defacing and destruction.

Please see the SE-PostgreSQL for more details.

Setup

Requirements

SE-PostgreSQL requires the following packages to build and run.

  • Linux kernel with SELinux enabled (2.6.24 or later)
  • libselinux and libselinux-devel (2.0.80 or later)
  • selinux-policy (3.4.2 or later)
  • policycoreutils
  • checkpolicy

Build

At first, you need to get the SE-PostgreSQL patch in suitable version. The following List of Patches section keeps the links to any successive version of SE-PostgreSQL.

$ wget ftp://ftp.postgresql.org/pub/source/v8.4/postgresql-8.4.0.tar.gz
$ wget http://sepgsql.googlecode.com/files/sepgsql-00-full-8.4.0-rXXXX.patch.gz

Next, you need to unpack the PostgreSQL tarball, then apply the SE-PostgreSQL patch.

$ tar zxvf postgresql-8.4.0.tar.gz
$ cd postgresql-8.4.0
$ gunzip -c ../sepgsql-00-full-8.4.0-rXXXX.patch.gz | patch -p1

On the configure script, you need to add --enable-selinux option to enable SE-PostgreSQL feature.

$ ./configure --enable-selinux

The default SELinux policy (Reference Policy) already has basic set of rules for SE-PostgreSQL. In addition, we also provide a set of development purpose policy stored in src/backend/security/sepgsql/policy. It is not built in default, so you need to run make at the directory.

$ make
$ make -C src/backend/security/sepgsql/policy

NOTE: we recommend to install the development policy, because the default SELinux policy is not configured to install PostgreSQL at /usr/local/pgsql, so we need to set up the security context of the installed binaries by hand when the development policy is not installed.

Install

Run make install as a normal case, and semodule -i to install the development purpose security policy module.

$ su
# make install
# semodule -i src/backend/security/sepgsql/policy/sepostgresql-devel.pp

You need to assign correct security context on the installed binaries. The restorecon is a command to reset security context of the files under the specified directory.

# restorecon -R /usr/local/pgsql

NOTE: we assume the SE-PostgreSQL runs as sepgsql user, so the following example uses him.

You need to create an empty directory for the database cluster. All the database files need to be labeled as postgresql_t. Files newly created inherit the security context of parent directory, you need to change the label of the directory prior to initdb.

# mkdir /opt/sepgsql
# chown sepgsql:users /opt/sepgsql
# chcon -t postgresql_db_t /opt/sepgsql

On initdb, you need to add --enable-selinux option to enable SE-PostgreSQL feature. If you omit it, SE-PostgreSQL feature is disabled and it performs as if vanilla PostgreSQL.

# su - sepgsql
$ export PATH=/usr/local/pgsql/bin:${PATH}
$ initdb --enable-selinux

Then, start SE-PostgreSQL

$ pg_ctl start

Test

Regression test

When you tries to run regression test on the home direstory, SE-PostgreSQL prevent to load shared libraries labeled as user_home_t, so you need to disable the restriction during the regression test. The development purpose policy (sepostgresql-devel.pp) provides a boolean to turn off the rule. It can be changed as follows.

# setsebool -P sepgsql_regression_test_mode on

SE-PostgreSQL test

We also provides SE-PostgreSQL specific test at src/test/sepgsql. You can check whether the SE-PostgreSQL performs as expected, or not.

$ createdb test
$ make -C src/test/sepgsql

This test requires the following items:

  • Current user can login the test database as superuser.
  • Current user performs MCS categories s0-s0:c0.c15 at least.
  • The allow_user_postgresql_connect and sepgsql_regression_test_mode to be turned on.
  • The mcstrans daemon is stopping.

List of Patches

PostgreSQL v8.4.0 (2009-07-01)

Changelog
  • Upgrade base version to v8.4.0

PostgreSQL v8.4rc2 (2009-06-22)

Changelog
  • Upgrade base version to v8.4rc2

PostgreSQL v8.4rc1 (2009-06-19)

Changelog
  • Upgrade base version to v8.4rc1
  • Add support orphan pg_security entries
  • Add sepostgresql_mcstrans GUC option
  • Add SECURITY_LABEL='xxx' for schema/sequence
  • Some of bugfixes

PostgreSQL v8.4beta2 (2009-05-20)

Changelog
  • Upgrade base version to v8.4beta2
Personal tools