[refpolicy] [PATCH 2/2] Also apply the new postgres labeling scheme on Debian

Andreas Florath andre at flonatel.org
Fri Aug 15 17:42:06 EDT 2014


Hello!

I was able to reproduce the problem that postgresql helper programs
are not accessible from confined users (here: user_u).

You can find your 'Debianized' patch:
https://github.com/flonatel/refpolicy-experimental/blob/test/postgres-labeling-scheme-01/debian/patches/1002-postgres-client-labeling

After applying the patch, the user is now able to access the binary, but is not allowed to access the postgresql port.
(It looks like 'bin_t' is not allowed to connect to postgresql.)
I don't know if this is a problem of refpolicy or Debian's adaptations.

@Russel: Do you need the image of a VM or access to a VM?
If you just need the image, I can provide one. (Accessing a running VM is somewhat more complicated...)
Do you need special configurations?

Kind regards

Andre


=== Technical Details ===

Steps done:

 1) Create VM with minimal and up to date Jessie (using SELinux set to enforcing).
 2) Optional: Patched the selinux-policy-default package
    with the patch you sent.
 3) root@debselinux01:~# se_apt-get update
 4) root@debselinux01:~# se_apt-get install postgresql
    [...]
    Building PostgreSQL dictionaries from installed myspell/hunspell packages...
    Removing obsolete dictionary files:
    Setting up postgresql-9.4 (9.4~beta2-1) ...
    Creating new cluster 9.4/main ...
      config /etc/postgresql/9.4/main
      data   /var/lib/postgresql/9.4/main
      locale en_US.UTF-8
      port   5432
    update-alternatives: using /usr/share/postgresql/9.4/man/man1/postmaster.1.gz to provide /usr/share/man/man1/postmaster.1.gz (postmaster.1.gz) in auto mode
    Setting up postgresql (9.4+159) ...
 5) root@debselinux01:~# semanage login -a -s user_u dummy
 6) postgres@debselinux01:~$ createuser -d dummy
 7) dummy@debselinux01:~$ id -Z
    user_u:user_r:user_t:SystemLow
 8) dummy@debselinux01:~$ createdb tst01


Result when the patch was not installed (using the original Debian package selinux-policy-default):
  Error: You must install at least one postgresql-client-<version> package.
strace showed:
  stat("/usr/lib/postgresql/9.4/bin/psql", 0x1cc5280) = -1 EACCES (Permission denied)


After applying the patch:
dummy@debselinux01:~$ createdb tst01
createdb: could not connect to database template1: could not connect to server: Permission denied
	Is the server running locally and accepting
	connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?

Strace:
The stat works now:
stat("/usr/lib/postgresql/9.4/bin/psql", {st_mode=S_IFREG|0755, st_size=507128, ...}) = 0

But there is a 'Permission denied' in the connect:
connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/postgresql/.s.PGSQL.5432"}, 110) = -1 EACCES (Permission denied)

And Postgres WAS listening:
root@debselinux01:~# netstat -nap  | grep 5432
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      2531/postgres
tcp6       0      0 ::1:5432                :::*                    LISTEN      2531/postgres
unix  2      [ ACC ]     STREAM     LISTENING     13432    2531/postgres       /var/run/postgresql/.s.PGSQL.5432


Here is a listing of the appropriate dir when the patch is applied:

root@debselinux01:~# ls -lZ /usr/lib/postgresql/9.4/bin/
total 8088
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72224 Jul 24 13:57 clusterdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72288 Jul 24 13:57 createdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               63920 Jul 24 13:57 createlang
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72672 Jul 24 13:57 createuser
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               63936 Jul 24 13:57 dropdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               63920 Jul 24 13:57 droplang
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               63904 Jul 24 13:57 dropuser
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow              110296 Jul 24 13:57 initdb
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow   68416 Jul 24 13:57 pg_basebackup
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow   30720 Jul 24 13:57 pg_controldata
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow   43352 Jul 24 13:57 pg_ctl
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow              347808 Jul 24 13:57 pg_dump
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               89352 Jul 24 13:57 pg_dumpall
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               30992 Jul 24 13:57 pg_isready
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               47600 Jul 24 13:57 pg_receivexlog
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               51928 Jul 24 13:57 pg_recvlogical
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow   38920 Jul 24 13:57 pg_resetxlog
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow              150848 Jul 24 13:57 pg_restore
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow  109104 Jul 24 13:57 pg_upgrade
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow   51704 Jul 24 13:57 pg_xlogdump
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow 5953344 Jul 24 13:57 postgres
lrwxrwxrwx. 1 root root system_u:object_r:postgresql_exec_t:SystemLow       8 Jul 24 13:57 postmaster -> postgres
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow              507128 Jul 24 13:57 psql
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72256 Jul 24 13:57 reindexdb
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72384 Jul 24 13:57 vacuumdb
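The following triage helper is an added example and is not part of the mail or of the refpolicy project. It parses `ls -lZ` output of the kind shown above into file types, separates the binaries that stay `bin_t` (executing them from `user_t` causes no domain transition, so the client keeps running as `user_t`) from the `_exec_t` entrypoints, and parses a constructed AVC denial line in the standard audit.log format, since the mail shows only the strace `EACCES` on `connect()` and not the audit record behind it. The `_exec_t` suffix check is a refpolicy naming convention used here as a heuristic; the AVC line, the pid and the timestamp are constructed, and the `allow` rule it derives is the audit2allow-style minimal rule, not a recommendation to load it as-is.

```python
"""Triage helper for SELinux label listings and AVC denials (added example).

The ls -lZ lines are copied from the mail above; the AVC line is a constructed
sample of what auditd logs for the connect() EACCES seen in the strace output.
"""
import re
from collections import defaultdict

# Copied from the mail (subset of /usr/lib/postgresql/9.4/bin after the patch).
LS_Z_LISTING = """\
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow               72288 Jul 24 13:57 createdb
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow   43352 Jul 24 13:57 pg_ctl
-rwxr-xr-x. 1 root root system_u:object_r:postgresql_exec_t:SystemLow 5953344 Jul 24 13:57 postgres
lrwxrwxrwx. 1 root root system_u:object_r:postgresql_exec_t:SystemLow       8 Jul 24 13:57 postmaster -> postgres
-rwxr-xr-x. 1 root root system_u:object_r:bin_t:SystemLow              507128 Jul 24 13:57 psql
"""

# Constructed sample: the audit record matching the strace line
# connect(3, {sa_family=AF_LOCAL, sun_path="/var/run/postgresql/.s.PGSQL.5432"}, 110) = -1 EACCES
# The subject is user_t, not bin_t: executing a bin_t file does not change domain.
SAMPLE_AVC = (
    'type=AVC msg=audit(1408131726.123:456): avc:  denied  { connectto } '
    'for  pid=2790 comm="createdb" path="/var/run/postgresql/.s.PGSQL.5432" '
    'scontext=user_u:user_r:user_t:s0 tcontext=system_u:system_r:postgresql_t:s0 '
    'tclass=unix_stream_socket permissive=0'
)

# mode links owner group  user:role:type:level  size  Mon dd HH:MM name [-> target]
LS_Z_RE = re.compile(
    r'^(?P<mode>\S+)\s+\d+\s+\S+\s+\S+\s+'
    r'(?P<user>[^:\s]+):(?P<role>[^:\s]+):(?P<type>[^:\s]+):(?P<level>\S+)\s+'
    r'\d+\s+\w+\s+\d+\s+[\d:]+\s+(?P<name>\S+)(?:\s+->\s+\S+)?$'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?'
)


def parse_ls_z(listing):
    """Map each file name in ls -lZ output to its SELinux type; skip unparseable lines."""
    labels = {}
    for line in listing.splitlines():
        m = LS_Z_RE.match(line.strip())
        if m:
            labels[m.group('name')] = m.group('type')
    return labels


def group_by_type(labels):
    """Invert name->type into type->sorted names, for a quick overview."""
    groups = defaultdict(list)
    for name, stype in labels.items():
        groups[stype].append(name)
    return {t: sorted(n) for t, n in groups.items()}


def entrypoints(labels):
    """Names whose type follows the refpolicy *_exec_t entrypoint convention (heuristic)."""
    return sorted(n for n, t in labels.items() if t.endswith('_exec_t'))


def parse_avc(line):
    """Extract permissions, subject/object types and class from one AVC denial line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': m.group('perms').split(),
        'comm': m.group('comm'),
        'stype': m.group('scontext').split(':')[2],
        'ttype': m.group('tcontext').split(':')[2],
        'tclass': m.group('tclass'),
        'permissive': m.group('permissive') == '1',
    }


def minimal_rule(avc):
    """The audit2allow-style rule that would silence exactly this denial."""
    return 'allow %s %s:%s %s;' % (
        avc['stype'], avc['ttype'], avc['tclass'], ' '.join(avc['perms']))


if __name__ == '__main__':
    labels = parse_ls_z(LS_Z_LISTING)
    for stype, names in sorted(group_by_type(labels).items()):
        print('%-22s %s' % (stype, ', '.join(names)))
    print('entrypoints:', ', '.join(entrypoints(labels)))
    avc = parse_avc(SAMPLE_AVC)
    print('%s (%s) denied %s on %s:%s' % (
        avc['comm'], avc['stype'], ' '.join(avc['perms']), avc['ttype'], avc['tclass']))
    print('minimal rule:', minimal_rule(avc))
```

Run it to see `psql` and `createdb` grouped under `bin_t` while `postgres`, `postmaster` and `pg_ctl` fall under `postgresql_exec_t`, and the sample denial reduced to `allow user_t postgresql_t:unix_stream_socket connectto;`. On a real system the AVC lines come from `ausearch -m avc -c createdb`; the derived rule tells you which interface the user domain lacks (stream access to the postgresql socket), which is the question the mail leaves open.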
