- sepgsql Overview
- Installing SE-PostgreSQL
- SECURITY LABEL SQL Command
- Additional SQL Functions
- postgresql.conf Entries
- Logging Security Events
- Internal Tables
This section gives an overview of PostgreSQL version 11.x with the sepgsql extension to support SELinux. It assumes some basic knowledge of PostgreSQL that can be found at: http://wiki.postgresql.org/wiki/Main_Page
It is important to note that PostgreSQL from version 11.x has the necessary infrastructure to support labeling of database objects via external 'providers'. The sepgsql extension has therefore been added that provides SELinux labeling. The extension is not installed by default but as an option as outlined in the sections that follow. Because of these changes the original version 9.0 patches are no longer supported (i.e. the SE-PostgreSQL database engine is replaced by the PostgreSQL database engine plus the sepgsql extension). A consequence of this change is that row level labeling is no longer supported by SELinux, however a Row Level Security (RLS) option has now been added within core PostgreSQL that does not utilise labeling.
The features of sepgsql 11.x and its setup are covered in the following document:
https://www.postgresql.org/docs/11/sepgsql.html
The sepgsql extension adds SELinux mandatory access controls (MAC) to database objects such as tables, columns, views, functions, schemas and sequences. Table 1: Database Security Context Information shows a simple database with one table and two columns, each with their object class and associated security context (the Internal Tables section shows these entries from the testdb database in the Notebook sepgsql Example. The database object classes and permissions are described in Appendix A - Object Classes and Permissions.
| database (db_database) - context = 'unconfined_u:object_r:postgresql_db_t:s0' This context is inherited from the database directory label - ls -Z /var/lib/pgsql/data |
| schema (db_schema) - security_label = 'unconfined_u:object_r:sepgsql_schema_t:s0:c10' |
| table (db_table) - security_label = 'unconfined_u:object_r:sepgsql_table_t:s0:c20' |
| column 1 (db_column) - security_label = 'unconfined_u:object_r:sepgsql_table_t:s0:c30' | column 2 - (db_column) security_label = 'unconfined_u:object_r:sepgsql_table_t:s0:c40' |
Table 1: Database Security Context Information - Showing the security contexts that can be associated to a schema, table and columns.
To use SE-PostgreSQL each Linux user must have a valid PostgreSQL database role (not to be confused with an SELinux role). The default installation automatically adds a user called pgsql with a suitable database role.
If a client is connecting remotely and labeled networking is required, then it is possible to use IPSec or NetLabel as discussed in the SELinux Networking Support section (the "Security-Enhanced PostgreSQL Security Wiki" also covers these methods of connectivity with examples).
Using Figure 24a: SE-PostgreSQL Services, the database client application (that could be provided by an API for Perl/PHP or some other programming language) connects to a database and executes SQL commands. As the SQL commands are processed by PostgreSQL, each operation performed on an object is checked by the object manager (OM) to see if the operation is allowed by the security policy or not.
Figure 24a: SE-PostgreSQL Services - The Object Manager checks access permissions for all objects under its control.
SE-PostgreSQL supports SELinux services via the libselinux library with AVC audits being logged via the standard PostgreSQL logfile as described in the Logging Security Events section.
The https://www.postgresql.org/docs/11/sepgsql.html page contains all the information required to install the sepgsql extension.
There are also instructions in the Notebook sepgsql Example - README that describes building the example database used in the sections below.
The 'SECURITY LABEL' SQL command has been added to PostgreSQL to allow security providers to label or change a label on database objects. The full syntax is defined in the security_label(7) man page, with some examples:
-- These set the security label on objects (default provider being SELinux):
SECURITY LABEL ON SCHEMA test_ns IS
'unconfined_u:object_r:sepgsql_schema_t:s0:c10';
SECURITY LABEL ON TABLE test_ns.info IS
'unconfined_u:object_r:sepgsql_table_t:s0:c20';
SECURITY LABEL ON COLUMN test_ns.info.user_name IS
'unconfined_u:object_r:sepgsql_table_t:s0:c30';
SECURITY LABEL ON COLUMN test_ns.info.email_addr IS
'unconfined_u:object_r:sepgsql_table_t:s0:c40';
The following functions have been added:
sepgsql_getcon()
Returns the client security context.
sepgsql_mcstrans_in(text con)
Translates the readable range of the context into raw format provided the mcstransd(8) daemon is running.
sepgsql_mcstrans_out(text con)
Translates the raw range of the context into readable format provided the mcstransd(8) daemon is running.
sepgsql_restorecon(text specfile)
Sets security contexts on all database objects (must be superuser) according to the specfile. This is normally used for initialisation of the database by the sepgsql.sql script. If the parameter is NULL, then the default sepgsql_contexts file is used. See selabel_db(5) details.
The postgresql.conf file supports the following additional entries to enable and manage SE-PostgreSQL:
- This entry is mandatory to enable the sepgsql extension to be loaded:
shared_preload_libraries = 'sepgsql'
- These entries are optional and default to 'off'.
# This enables sepgsql to always run in permissive mode:
sepgsql.permissive = on
# This enables printing of audit messages regardless of the policy setting:
sepgsql.debug_audit = on
To view these settings the SHOW SQL statement can be used (psql output shown):
SHOW sepgsql.permissive;
sepgsql.permissive
---------------
on
(1 row)
SHOW sepgsql.debug_audit;
sepgsql.debug_audit
---------------
on
(1 row)
SE-PostgreSQL manages its own AVC audit entries in the standard PostgreSQL log normally located within the /var/lib/pgsql/data/pg_log directory and by default only errors are logged (Note that there are no SE-PostgreSQL AVC entries added to the standard audit.log). The 'sepgsql.debug_audit = on' can be set to log all audit events.
To support the overall database operation PostgreSQL has internal tables in the system catalog that hold information relating to databases, tables etc. This section will only highlight the pg_seclabel table that holds the security label and other references. The pg_seclabel is shown in the table below and has been taken from http://www.postgresql.org/docs/11/static/catalog-pg-seclabel.html.
| Name | Type | References | Comments |
|---|---|---|---|
| objoid | oid | any OID column | The OID of the object this security label pertains to. |
| classoid | oid | pg_class.oid | The OID of the system catalog this object appears in. |
| objsubid | int4 | For a security label on a table column, this is the column number (the objoid and classoid refer to the table itself). For all other objects this column is zero. | |
| provider | text | The label provider associated with this label. Currently only SELinux is supported. | |
| label | text | The security label applied to this object. |
These are entries taken from a 'SELECT * FROM pg_seclabel;' command that refers to the example testdb database built using the Notebook - testdb-example.sql:
objoid | classoid | objsubid | provider | label
--------+----------+----------+----------+----------------------------------------------
16390 | 2615 | 0 | selinux | unconfined_u:object_r:sepgsql_schema_t:s0:c10
16391 | 1259 | 0 | selinux | unconfined_u:object_r:sepgsql_table_t:s0:c20
16391 | 1259 | 1 | selinux | unconfined_u:object_r:sepgsql_table_t:s0:c30
16391 | 1259 | 2 | selinux | unconfined_u:object_r:sepgsql_table_t:s0:c40
The first entry is the schema, the second entry is the table itself, and the third and fourth entries are columns 1 and 2.
There is also a built-in 'view' to show additional detail regarding security labels called 'pg_seclabels'. Using 'SELECT * FROM pg_seclabels;' command, the entries shown above become:
objoid|classoid|objsubid|objtype|objnamespace| objname | provider| label
------+--------+--------+-------+------------+--------------+---------+------------------------
16390 | 2615 | 0 | schema| 16390 | test_ns | selinux | unconfined_u:object_r:sepgsql_schema_t:s0:c10
16391 | 1259 | 0 | table | 16390 | test_ns.info | selinux | unconfined_u:object_r:sepgsql_table_t:s0:c20
16391 | 1259 | 1 | column| 16390 | test_ns.info.| selinux | unconfined_u:object_r:sepgsql_table_t:s0:c30
| | | | | user_name | |
16391 | 1259 | 2 | column| 16390 | test_ns.info.| selinux | unconfined_u:object_r:sepgsql_table_t:s0:c40
| | | | | email_addr | |