When we use the sepgsql module in PostgreSQL, every database session needs a security context associated with it. For local communications (over Unix domain sockets) the kernel readily provides the peer's context, but networked sessions (which are the most common) do not automatically carry a context.
If the system does not participate in a labeled networking setup, interaction with the database over the network will fail:
$ psql -U testuser -h ppubssa3ed db_test
psql: FATAL: SELinux: unable to get peer label: Protocol not available
Creating a fallback label for remote sessions
With Linux's NetLabel and CIPSO support we can introduce both fallback labeling (assigning a label based on the source address and interface) and full labeling for localhost communication.
With full, local label support, NetLabel can pass the source context to the target as long as the communication solely traverses the loopback device: such traffic never leaves the system, so NetLabel can follow the flow from end to end and provide the context information to the receiving service.
Let’s create the CIPSO definition for local labeling:
# netlabelctl cipsov4 add local doi:2
We now create a fallback context for communication coming from the network (over the eth0 interface and from the 192.168.100.0/24 network). It is this context that we will see when connecting to the PostgreSQL server over the network:
# netlabelctl unlbl add interface:eth0 address:192.168.100.0/24 label:user_u:user_r:user_t:s0
We can now remove the default mapping rules, and add mapping rules for the different communication types:
# netlabelctl map del default
# netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
# netlabelctl map add default address:::/0 protocol:unlbl
# netlabelctl map add default address:127.0.0.1 protocol:cipsov4,2
The mappings we created allow unlabeled communication for everything (keeping in mind that we defined a specific fallback label for communication coming from 192.168.100.0/24), and full CIPSO labeling for loopback-based traffic on the localhost.
Tuning the SELinux policy
The postgresql_selinux_transmit_client_label SELinux boolean (disabled by default) allows the postgresql_t domain to set its own session contexts. The PostgreSQL server might want to set its own session context when the server itself has database connections to other, remote databases (for instance, using PostgreSQL's Foreign Data Wrapper (FDW) support). When enabled, the client context is passed on to the remote databases as well.
The postgresql_selinux_unconfined_dbadm SELinux boolean (enabled by default) grants administrative database privileges in sepgsql to any unconfined user domain.
The postgresql_selinux_users_ddl SELinux boolean (enabled by default) allows unprivileged users to run Data Definition Language (DDL) statements. These are database statements that create new tables, views, and so on, and will result in user-oriented types such as
The selinuxuser_postgresql_connect_enabled SELinux boolean (disabled by default) allows user domains to connect to the PostgreSQL daemon over the Unix domain sockets.
Don't forget to persist the boolean changes (using setsebool -P), as otherwise a system reboot will revert the settings back to their default values.