mirror of https://github.com/postgres/postgres.git (synced 2025-10-25 13:17:41 +03:00)
	More documentation cleanup for sepgsql.
Thom Brown and Robert Haas
		| @@ -307,14 +307,14 @@ $ restorecon -R /usr/local/pgsql/ | |||||||
|     Currently, <productname>sepgsql</productname> allows security labels to be |     Currently, <productname>sepgsql</productname> allows security labels to be | ||||||
|     assigned to schemas, tables, columns, sequences, views, and functions. |     assigned to schemas, tables, columns, sequences, views, and functions. | ||||||
|     When <productname>sepgsql</productname> is in use, security labels are |     When <productname>sepgsql</productname> is in use, security labels are | ||||||
|     automatically assigned to suppoted database objects at creation time. |     automatically assigned to supported database objects at creation time. | ||||||
|     This label is called as a default security label, being decided according |     This label is called as a default security label, being decided according | ||||||
|     to the system security policy, which takes as input the creator's label |     to the system security policy, which takes as input the creator's label | ||||||
|     and the label assigned to the new object's parent object. |     and the label assigned to the new object's parent object. | ||||||
|    </para> |    </para> | ||||||
|  |  | ||||||
|    <para> |    <para> | ||||||
|     A new database object basically inherits security label of the parent |     A new database object basically inherits the security label of the parent | ||||||
|     object, except when the security policy has special rules known as |     object, except when the security policy has special rules known as | ||||||
|     type-transition rules, in which case a different label may be applied. |     type-transition rules, in which case a different label may be applied. | ||||||
|     The meaning of the term "parent object" varies by object class, as follows. |     The meaning of the term "parent object" varies by object class, as follows. | ||||||
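Review bot: the sentence "This label is called as a default security label, being decided according to the system security policy" is carried over unchanged on the right side of this hunk and still reads awkwardly; suggest "This label is called the default security label; it is decided by the system security policy, which takes as input the creator's label and the label assigned to the new object's parent object." The "suppoted" fix and the added article in "inherits the security label" look right.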
| @@ -365,7 +365,7 @@ $ restorecon -R /usr/local/pgsql/ | |||||||
|      <term>function</term> |      <term>function</term> | ||||||
|      <listitem> |      <listitem> | ||||||
|       <para> |       <para> | ||||||
|        Its parent object is the containing schema. |        The parent object is the containing schema. | ||||||
|       </para> |       </para> | ||||||
|      </listitem> |      </listitem> | ||||||
|     </varlistentry> |     </varlistentry> | ||||||
| @@ -383,7 +383,7 @@ $ restorecon -R /usr/local/pgsql/ | |||||||
|    <para> |    <para> | ||||||
|     DML statements are used to reference or modify contents within |     DML statements are used to reference or modify contents within | ||||||
|     the specified database objects; such as tables or columns. |     the specified database objects; such as tables or columns. | ||||||
|     We basically checks access rights of the client on all the objects |     The access rights of the client are checked on all the objects | ||||||
|     mentioned in the given statement, and the kind of privileges checked |     mentioned in the given statement, and the kind of privileges checked | ||||||
|     depend on the class of the object and the type of access. |     depend on the class of the object and the type of access. | ||||||
|    </para> |    </para> | ||||||
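Review bot: the rewrite to "The access rights of the client are checked on all the objects" fixes the verb agreement, but two smaller problems remain in the same paragraph on the right side: the semicolon in "database objects; such as tables or columns" should be a comma, and "the kind of privileges checked depend" should be "depends" (the subject is the singular "kind"). Both could be fixed in this same commit.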
| @@ -391,10 +391,10 @@ $ restorecon -R /usr/local/pgsql/ | |||||||
|    <para> |    <para> | ||||||
|     For tables, <literal>db_table:select</>, <literal>db_table:insert</>, |     For tables, <literal>db_table:select</>, <literal>db_table:insert</>, | ||||||
|     <literal>db_table:update</> or <literal>db_table:delete</> is |     <literal>db_table:update</> or <literal>db_table:delete</> is | ||||||
|     checked for all the appeared target tables depending on the sort of |     checked for all the referenced target tables depending on the sort of | ||||||
|     statement; |     statement; | ||||||
|     in addition, <literal>db_table:select</> is also checked for |     in addition, <literal>db_table:select</> is also checked for | ||||||
|     all the tables that containin the columns to be referenced in |     all the tables that contain the columns referenced in the | ||||||
|     <literal>WHERE</> or <literal>RETURNING</> clause, as a data source |     <literal>WHERE</> or <literal>RETURNING</> clause, as a data source | ||||||
|     of <literal>UPDATE</>, and so on. |     of <literal>UPDATE</>, and so on. | ||||||
|    </para> |    </para> | ||||||
| @@ -404,23 +404,23 @@ $ restorecon -R /usr/local/pgsql/ | |||||||
| UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100; | UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100; | ||||||
| </synopsis> | </synopsis> | ||||||
|  |  | ||||||
|     In this case, we must have <literal>db_table:select</>, not only |     In this case, we must have <literal>db_table:select</> in addition to | ||||||
|     <literal>db_table:update</>, because <literal>t1.a</> is referenced |     <literal>db_table:update</>, because <literal>t1.a</> is referenced | ||||||
|     within <literal>WHERE</> clause.  Column-level permissions will be |     within the <literal>WHERE</> clause.  Column-level permissions will also be | ||||||
|     checked as well, for each referenced column. |     checked for each referenced column. | ||||||
|    </para> |    </para> | ||||||
|  |  | ||||||
|    <para> |    <para> | ||||||
|     The client must be allowed to reference all the appeared tables and |     The client must be allowed to access all referenced tables and | ||||||
|     columns, even if they are originated from views then expanded, because we |     columns, even if they originated from views which were then expanded, | ||||||
|     intend to apply consistent access control rules independent from the |     so that we apply consistent access control rules independent of the manner | ||||||
|     manner in which the table contents are referenced. |     in which the table contents are referenced. | ||||||
|    </para> |    </para> | ||||||
|  |  | ||||||
|    <para> |    <para> | ||||||
|     For columns, <literal>db_column:select</> is checked on |     For columns, <literal>db_column:select</> is checked on | ||||||
|     not only the columns being read using <literal>SELECT</>, but being |     not only the columns being read using <literal>SELECT</>, but being | ||||||
|     referenced in other DML statement. |     referenced in other DML statements. | ||||||
|    </para> |    </para> | ||||||
|  |  | ||||||
|    <para> |    <para> | ||||||
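Review bot: the rewritten sentence still says "because <literal>t1.a</> is referenced within the <literal>WHERE</> clause", but the synopsis it explains (UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100;) has no column a; the WHERE clause references z, and the paragraph in the later hunk at @@ -438 correctly speaks of <literal>t1.z</>. Suggest changing t1.a to t1.z here so the stated reason for the extra db_table:select check matches the example it accompanies.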
| @@ -438,16 +438,15 @@ UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100; | |||||||
|     on the <literal>t1.y</> being updated and referenced, |     on the <literal>t1.y</> being updated and referenced, | ||||||
|     and <literal>db_column:select</> on the <literal>t1.z</> being only |     and <literal>db_column:select</> on the <literal>t1.z</> being only | ||||||
|     referenced in the <literal>WHERE</> clause. |     referenced in the <literal>WHERE</> clause. | ||||||
|     Also note that <literal>db_table:{select update}</> shall be checked |     <literal>db_table:{select update}</> will also be checked | ||||||
|     in the table-level granularity. |     at the table level. | ||||||
|    </para> |    </para> | ||||||
|  |  | ||||||
|    <para> |    <para> | ||||||
|     For sequences, <literal>db_sequence:get_value</> when we reference |     For sequences, <literal>db_sequence:get_value</> is checked when we | ||||||
|     a sequence object using <literal>SELECT</>; however, note that we |     reference a sequence object using <literal>SELECT</>; however, note that we | ||||||
|     cannot check permissions on execution of corresponding functions |     do not currently check permissions on execution of corresponding functions | ||||||
|     such as <literal>lastval()</> right now, although they performs same |     such as <literal>lastval()</>. | ||||||
|     job, because here is no object access hook to acquire controls. |  | ||||||
|    </para> |    </para> | ||||||
|  |  | ||||||
|    <para> |    <para> | ||||||
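Review bot: dropping the clause "because here is no object access hook to acquire controls" removes the only explanation of why execution of <literal>lastval()</> is not checked, leaving the reader with a documented gap and no reason for it. Suggest keeping the reason in corrected English, for example "... such as <literal>lastval()</>, because there is currently no object access hook at that point." The rest of the hunk ("is checked when we reference a sequence object") reads well.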
| @@ -462,7 +461,7 @@ UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100; | |||||||
|    </para> |    </para> | ||||||
|  |  | ||||||
|    <para> |    <para> | ||||||
|     Here is a few more corner cases. |     Here are a few more corner cases. | ||||||
|     The default database privilege system allows database superusers to |     The default database privilege system allows database superusers to | ||||||
|     modify system catalogs using DML commands, and reference or modify |     modify system catalogs using DML commands, and reference or modify | ||||||
|     toast tables.  These operations are prohibited when |     toast tables.  These operations are prohibited when | ||||||
| @@ -480,30 +479,24 @@ UPDATE t1 SET x = 2, y = md5sum(y) WHERE z = 100; | |||||||
|    </para> |    </para> | ||||||
|  |  | ||||||
|    <para> |    <para> | ||||||
|     In a case when multiple label providers are installed and user tries |     In the case where multiple label providers are installed and the user tries | ||||||
|     to set a security label, but is not managed by <productname>SELinux</>, |     to set a security label, but is not managed by <productname>SELinux</>, | ||||||
|     only <literal>setattr</> should be checked here. |     only <literal>setattr</> should be checked here. | ||||||
|     This is currently not done due to implementation restrictions. |     This is currently not checked due to implementation restrictions. | ||||||
|    </para> |    </para> | ||||||
|   </sect3> |   </sect3> | ||||||
|  |  | ||||||
|   <sect3> |   <sect3> | ||||||
|    <title>Trusted Procedure</title> |    <title>Trusted Procedure</title> | ||||||
|    <para> |    <para> | ||||||
|     It is a similar idea to security definer functions or set-uid commands |     Trusted procedures are similar to security definer functions or set-uid | ||||||
|     on operating systems. <productname>SELinux</> provides a feature to |     commands. <productname>SELinux</> provides a feature to allow trusted | ||||||
|     switch privilege of the client (that is a security label of the client |     code to run using a security label different from that of the client, | ||||||
|     for more correctness) during execution of certain functions; being |     generally for the purpose of providing highly controlled access to | ||||||
|     called as trusted procedures. |     sensitive data (e.g. rows might be omitted, or the precision of stored | ||||||
|    </para> |     values might be reduced).  Whether or not a function acts as a trusted | ||||||
|  |     procedure is controlled by its security label and the operating system | ||||||
|    <para> |     security policy.  For example: | ||||||
|     A trusted function is a function with a special security label being |  | ||||||
|     set up as a trusted procedure. |  | ||||||
|     So, we need to assign the special security label on the function that |  | ||||||
|     we hope it to perform as a trusted procedure, by administrative users. |  | ||||||
|     The default security policy also provides this special security label. |  | ||||||
|     See the following example. |  | ||||||
|    </para> |    </para> | ||||||
|  |  | ||||||
| <screen> | <screen> | ||||||
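Review bot: "In the case where multiple label providers are installed and the user tries to set a security label, but is not managed by <productname>SELinux</>" still has a dangling subject on the right side; as written it is the user who is not managed by SELinux. Suggest "tries to set a security label that is not managed by <productname>SELinux</>". In the trusted-procedure rewrite, the removed sentence "The default security policy also provides this special security label" carried useful information (an administrator does not have to write policy to obtain the label); consider keeping it immediately before "For example:".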
| @@ -527,7 +520,7 @@ SECURITY LABEL | |||||||
| </screen> | </screen> | ||||||
|  |  | ||||||
|    <para> |    <para> | ||||||
|     Above operations shall be done by administrative users. |     The above operations should be performed by an administrative user. | ||||||
|    </para> |    </para> | ||||||
|  |  | ||||||
| <screen> | <screen> | ||||||
| @@ -544,14 +537,15 @@ postgres=# SELECT cid, cname, show_credit(cid) FROM customer; | |||||||
|    <para> |    <para> | ||||||
|     In this case, a regular user cannot reference <literal>customer.credit</> |     In this case, a regular user cannot reference <literal>customer.credit</> | ||||||
|     directly, but a trusted procedure <literal>show_credit</> enables us |     directly, but a trusted procedure <literal>show_credit</> enables us | ||||||
|     to print credit number of customers with a bit modification. |     to print the credit card number of customers with some of the digits masked | ||||||
|  |     out. | ||||||
|    </para> |    </para> | ||||||
|   </sect3> |   </sect3> | ||||||
|  |  | ||||||
|   <sect3> |   <sect3> | ||||||
|    <title>Miscellaneous</title> |    <title>Miscellaneous</title> | ||||||
|    <para> |    <para> | ||||||
|     In this version, we reject <xref linkend="sql-load"> command across |     In this version, we reject the <xref linkend="sql-load"> command across | ||||||
|     the board, because any module loaded could easily circumvent security |     the board, because any module loaded could easily circumvent security | ||||||
|     policy enforcement. |     policy enforcement. | ||||||
|    </para> |    </para> | ||||||
| @@ -605,10 +599,12 @@ postgres=# SELECT cid, cname, show_credit(cid) FROM customer; | |||||||
|     <listitem> |     <listitem> | ||||||
|      <para> |      <para> | ||||||
|       <productname>sepgsql</> never tries to hide existence of |       <productname>sepgsql</> never tries to hide existence of | ||||||
|       a certain object, even if user is not allowed to reference. |       a certain object, even if the user is not allowed to the reference. | ||||||
|       For example, we can infer an existence of invisible object using |       For example, we can infer the existence of an invisible object as | ||||||
|       primary-key confliction, foreign-key violation, and so on, even if |       a result of primary key conflicts, foreign key violations, and so on, | ||||||
|       we cannot reference contents of these objects. |       even if we cannot reference contents of these objects.  The existence | ||||||
|  |       of a top secret table cannot be hidden; we only hope to conceal its | ||||||
|  |       contents. | ||||||
|      </para> |      </para> | ||||||
|     </listitem> |     </listitem> | ||||||
|    </varlistentry> |    </varlistentry> | ||||||
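Review bot: the right side introduces a new error: "even if the user is not allowed to the reference" should be "even if the user is not allowed to reference it". In the same paragraph, "even if we cannot reference contents of these objects" wants "the contents". The added sentence that the existence of a top secret table cannot be hidden, only its contents, is a helpful statement of what the module does and does not promise.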
| @@ -623,7 +619,7 @@ postgres=# SELECT cid, cname, show_credit(cid) FROM customer; | |||||||
|     <listitem> |     <listitem> | ||||||
|      <para> |      <para> | ||||||
|       This wiki page provides a brief-overview, security design, architecture, |       This wiki page provides a brief-overview, security design, architecture, | ||||||
|       administration and upcoming feature for more details. |       administration and upcoming features. | ||||||
|      </para> |      </para> | ||||||
|     </listitem> |     </listitem> | ||||||
|    </varlistentry> |    </varlistentry> | ||||||
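Review bot: "brief-overview" should not be hyphenated; the right side would read better as "This wiki page provides a brief overview, the security design, architecture, administration and upcoming features."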
| @@ -631,9 +627,9 @@ postgres=# SELECT cid, cname, show_credit(cid) FROM customer; | |||||||
|     <term><ulink url="http://docs.fedoraproject.org/selinux-user-guide/">Fedora SELinux User Guide</ulink></term> |     <term><ulink url="http://docs.fedoraproject.org/selinux-user-guide/">Fedora SELinux User Guide</ulink></term> | ||||||
|     <listitem> |     <listitem> | ||||||
|      <para> |      <para> | ||||||
|       This document provides wide spectrum of knowledge to administer |       This document provides a wide spectrum of knowledge to administer | ||||||
|       <productname>SELinux</> on your systems. |       <productname>SELinux</> on your systems. | ||||||
|       It primary focuses on Fedora, but is not limited to Fedora. |       It focuses primarily on Fedora, but is not limited to Fedora. | ||||||
|      </para> |      </para> | ||||||
|     </listitem> |     </listitem> | ||||||
|    </varlistentry> |    </varlistentry> | ||||||
| @@ -641,9 +637,9 @@ postgres=# SELECT cid, cname, show_credit(cid) FROM customer; | |||||||
|     <term><ulink url="http://docs.fedoraproject.org/selinux-faq">Fedora SELinux FAQ</ulink></term> |     <term><ulink url="http://docs.fedoraproject.org/selinux-faq">Fedora SELinux FAQ</ulink></term> | ||||||
|     <listitem> |     <listitem> | ||||||
|      <para> |      <para> | ||||||
|       This document answers frequently asked questins about |       This document answers frequently asked questions about | ||||||
|       <productname>SELinux</productname>. |       <productname>SELinux</productname>. | ||||||
|       It primary focuses on Fedora, but is not limited to Fedora. |       It focuses primarily on Fedora, but is not limited to Fedora. | ||||||
|      </para> |      </para> | ||||||
|     </listitem> |     </listitem> | ||||||
|    </varlistentry> |    </varlistentry> | ||||||