sepostgresql(8) Security-Enhanced PostgreSQL sepostgresql(8)


sepostgresql - Security-Enhanced PostgreSQL


Security-Enhanced PostgreSQL (SE-PostgreSQL) is an enhancement of
PostgreSQL that applies fine-grained mandatory access control to
database objects based on the SELinux security policy. It makes it
possible to apply a single, integrated access control policy to both
the operating system and the database management system, during all
stages of the life of the information.

This document describes how to customize SE-PostgreSQL under the
default security policy.

20
The SELinux policy is customizable via BOOLEAN variables. A boolean
has two states, 1 (on) or 0 (off). Parts of the security policy can
be enabled or disabled depending on the state of these boolean
variables.

sepgsql_enable_users_ddl toggles the permission of confined
users/applications to invoke DDL statements, such as CREATE TABLE. It
is set to on by default. In most cases, DDL statements are used to
set up the initial database structure, and permission to invoke them
is not necessary during the operation phase. You can turn off this
boolean as follows:

setsebool -P sepgsql_enable_users_ddl ( on | off )

The remaining booleans are provided by the selinux-devel.pp policy
module, which grants permissions related to development and
debugging. You can install it as follows:

semodule -i /usr/share/selinux/targeted/sepostgresql-devel.pp

sepgsql_enable_auditallow toggles the output of audit messages when a
required permission check is allowed, except for tuples, because
auditing tuples easily floods the audit log. It is set to off by
default. You can set it as follows:

setsebool -P sepgsql_enable_auditallow ( on | off )

sepgsql_enable_auditdeny toggles the output of audit messages when a
required permission check is denied, except for tuples, because
auditing tuples easily floods the audit log. It is set to on by
default. You can set it as follows:

setsebool -P sepgsql_enable_auditdeny ( on | off )

sepgsql_regression_test_mode allows shared libraries deployed in a
user's home directory to be loaded. We recommend keeping it off in
the operation phase to prevent malicious libraries from being loaded.
However, the typical PostgreSQL regression test requires loading such
libraries, so several restrictions have to be relaxed during the
test. It is set to off by default. You can set it as follows:

setsebool -P sepgsql_regression_test_mode ( on | off )
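As an added example that is not part of the original manual page, the
following POSIX shell script compares getsebool output with the
operation-phase settings recommended above (users_ddl off, auditallow
off, auditdeny on, regression_test_mode off) and prints the setsebool
command that corrects each deviation. SEPGSQL_SAMPLE is constructed
input in the "name --> state" format that getsebool -a prints.

```shell
#!/bin/sh
# Operation-phase state expected for each SE-PostgreSQL boolean, taken
# from the recommendations above: DDL off, auditallow off (default),
# auditdeny on (default), regression_test_mode off (no libraries from
# home directories).
sepgsql_expected_state() {
    case "$1" in
        sepgsql_enable_auditdeny) echo on ;;
        sepgsql_enable_users_ddl|sepgsql_enable_auditallow|\
        sepgsql_regression_test_mode) echo off ;;
        *) echo unknown ;;
    esac
}

# Read "name --> state" lines (the format of getsebool -a) on stdin and
# print one line per boolean that is missing or differs from the
# expected state, with the setsebool command that corrects it.
# Returns 0 when every boolean matches, 1 otherwise.
sepgsql_check_booleans() {
    actual=$(cat)
    rc=0
    for name in sepgsql_enable_users_ddl sepgsql_enable_auditallow \
                sepgsql_enable_auditdeny sepgsql_regression_test_mode; do
        want=$(sepgsql_expected_state "$name")
        have=$(printf '%s\n' "$actual" |
               sed -n "s/^$name --> \([a-z]*\).*/\1/p")
        if [ -z "$have" ]; then
            # Every boolean except users_ddl comes from sepostgresql-devel.pp
            echo "$name: missing (is sepostgresql-devel.pp installed?)"
            rc=1
        elif [ "$have" != "$want" ]; then
            echo "$name: is $have, expected $want (setsebool -P $name $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of getsebool output: DDL was left on after setup.
SEPGSQL_SAMPLE='sepgsql_enable_auditallow --> off
sepgsql_enable_auditdeny --> on
sepgsql_enable_users_ddl --> on
sepgsql_regression_test_mode --> off'

printf '%s\n' "$SEPGSQL_SAMPLE" | sepgsql_check_booleans || echo "fix the booleans above"
```

On a live system, run `getsebool -a | sepgsql_check_booleans` instead
of feeding the constructed sample.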
63
64
sepgsql_db_t is the only type for the database itself. It is attached
to newly created databases by default.

sepgsql_table_t is a type for tables, columns and tuples. It is the
default type of tables newly created by an unconfined or non-roled
domain. It allows confined clients any kind of operation except
relabeling, so this type can be used for compatibility purposes.

sepgsql_secret_table_t is a type for tables, columns and tuples. It
never allows confined clients access, so this type can be used to
store sensitive information. We recommend using trusted procedures to
access tables/columns/tuples of this type under safe operation.

sepgsql_ro_table_t is a type for read-only tables, columns and tuples.
It does not allow confined clients to modify any object of this type.

sepgsql_fixed_table_t is a type for non-manipulatable tables, columns
and tuples. It does not allow confined clients to update or delete
any object of this type.

sepgsql_ROLE_table_t is a type for role-specific tables, columns and
tuples. It allows confined clients with that role any kind of
operation except relabeling. It is the default type of tables newly
created by confined clients with that role, and this type can be used
to describe role-level separation.

sepgsql_proc_t is a type for procedures. It is attached to procedures
newly created by unconfined clients. It allows any client to invoke
procedures of this type. All PostgreSQL built-in functions are
labeled with this type by default.

sepgsql_ROLE_proc_t is a type for role-specific procedures. It is
attached to procedures newly created by confined clients with that
role. It allows clients with the same role to invoke procedures of
this type. Note that unconfined clients cannot invoke procedures of
this type, to avoid executing dangerous functions with unconfined
authority. They have to confirm the procedure's contents and relabel
it to sepgsql_proc_t before invoking it.

sepgsql_trusted_proc_exec_t is a type for trusted procedures. Calling
a procedure of this type invokes a domain transition to the
unconfined domain, so it can access any kind of database object. This
type can be used to provide a secure method of accessing sensitive
information.

sepgsql_blob_t is a type for binary large objects (blobs). It is
attached to newly created blobs by default. Non-administrative
clients can read and write blobs of this type.

sepgsql_ro_blob_t is a type for read-only binary large objects
(blobs). Non-administrative clients cannot write blobs of this type.
116
117
The --enable-selinux option of sepg_dump and sepg_dumpall dumps the
database image together with its security contexts. The dumped image
can be restored using the standard pg_restore and similar tools.

Example)
$ sepg_dump -Ft -b --enable-selinux postgres | gzip -c > postgres.tgz
125
126
This manual page was written by KaiGai Kohei <kaigai@kaigai.gr.jp>


selinux(8), boolean(8)



kaigai@kaigai.gr.jp Jul 15 2007 sepostgresql(8)