Integrating SEPostgreSQL into the network

July 02, 2021

When we use the sepgsql module in PostgreSQL, all database sessions need to have a security context associated with them. While for local communications (which use Unix domain sockets) this context is readily available, networked sessions (which are the most common) do not automatically have a context set.

If the system does not participate in a labeled networking setup, interaction with the database will fail:

$ psql -U testuser -h ppubssa3ed db_test
psql: FATAL: SELinux: unable to get peer label: Protocol not available

To resolve this, the recommended approach is to start using labeled IPSec. However, we can also use NetLabel to introduce fallback labeling where needed.

Creating a fallback label for remote sessions

With Linux’s NetLabel and CIPSO support we can introduce both fallback labeling (associating a label based on the source address), as well as use full labeling for localhost communication.

With full, local label support, NetLabel can pass the source context to the target as long as the communication travels solely over the loopback device: such traffic never leaves the system, so NetLabel can follow the flow from end to end and hand the originating context to the receiving service.

Let’s create the CIPSO definition for local labeling:

# netlabelctl cipsov4 add local doi:2

We now create a default context for communication coming from the network (over the eth0 interface and the 192.168.100.1/24 network). It is this context that we will see when connecting to the PostgreSQL server over the network:

# netlabelctl unlbl add interface:eth0 address:192.168.100.0/24 label:user_u:user_r:user_t:s0

We can now remove the default mapping rules, and add mapping rules for the different communication types:

# netlabelctl map del default
# netlabelctl map add default address:0.0.0.0/0 protocol:unlbl
# netlabelctl map add default address:::/0 protocol:unlbl
# netlabelctl map add default address:127.0.0.1 protocol:cipsov4,2

The mappings we created will allow unlabeled communication for everything (but keep in mind that we have a specific label defined for communication coming from 192.168.100.0/24) and loopback-based full labeling on the localhost.
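To see which context a session ends up with under this configuration, here is a small Python model added for this article (it is not part of NetLabel, sepgsql or the original post). It encodes the map and fallback entries created above and assumes a simplified lookup: longest-prefix match on the source address, with the fallback label only applying on the interface it was defined for.

```python
import ipaddress

# Map entries created with "netlabelctl map add": address block -> protocol.
MAP_RULES = [
    ("0.0.0.0/0", "unlbl"),
    ("::/0", "unlbl"),
    ("127.0.0.1", "cipsov4,2"),
]

# Fallback entry created with "netlabelctl unlbl add": (interface, block, label).
UNLBL_FALLBACK = [
    ("eth0", "192.168.100.0/24", "user_u:user_r:user_t:s0"),
]


def _longest_match(addr, rules, net_index):
    """Return the rule whose network contains addr with the longest prefix.
    This is an assumed, simplified stand-in for the kernel's NetLabel lookup."""
    best, best_len = None, -1
    for rule in rules:
        net = ipaddress.ip_network(rule[net_index])
        if addr.version != net.version or addr not in net:
            continue
        if net.prefixlen > best_len:
            best, best_len = rule, net.prefixlen
    return best


def peer_label(source, interface="eth0", client_context=None):
    """Context sepgsql sees for a session from `source` arriving on `interface`.

    Returns None when no label is available, which is the situation behind the
    'SELinux: unable to get peer label' error shown earlier.
    """
    addr = ipaddress.ip_address(source)
    rule = _longest_match(addr, MAP_RULES, 0)
    if rule is None:
        return None
    if rule[1].startswith("cipsov4"):
        # Full labeling: loopback traffic carries the client's own context end to end.
        return client_context
    # Unlabeled traffic: only a static fallback label on the ingress interface applies.
    candidates = [r for r in UNLBL_FALLBACK if r[0] == interface]
    match = _longest_match(addr, candidates, 1)
    return match[2] if match else None


if __name__ == "__main__":
    ctx = "staff_u:staff_r:staff_t:s0"  # constructed client context for the demo
    for src, iface in [("192.168.100.42", "eth0"), ("10.0.0.5", "eth0"), ("127.0.0.1", "lo")]:
        print(src, iface, "->", peer_label(src, iface, client_context=ctx))
```

A client from 10.0.0.5 still gets no label at all, so the psql failure from the start of the article would persist for it until a fallback entry covers that range too.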

Tuning the SELinux policy

Next to the labeling configuration, we might also need to further fine-tune the SELinux policy for PostgreSQL. A couple of SELinux booleans are worth mentioning here:

  • The postgresql_selinux_transmit_client_label SELinux boolean (disabled by default) allows the postgresql_t domain to set its own session contexts. The PostgreSQL server might want to set its own session context when the server itself has database connections to other, remote databases (for instance, using PostgreSQL’s Foreign Data Wrapper (FDW) support). When enabled, the client context will be passed on to the remote databases as well.
  • The postgresql_selinux_unconfined_dbadm SELinux boolean (enabled by default) grants administrative database privileges in sepgsql to any unconfined user domain.
  • The postgresql_selinux_users_ddl SELinux boolean (enabled by default) allows unprivileged users to run Data Definition Language (DDL) statements. These are database statements that create new tables, views, and so on, and they result in user-oriented types such as user_sepgsql_table_t being used.
  • The selinuxuser_postgresql_connect_enabled SELinux boolean (disabled by default) allows user domains to connect to the PostgreSQL daemon over the Unix domain sockets.

Don’t forget to persist the boolean changes (using setsebool -P), as otherwise a system reboot will revert the settings back to their default values.
