Access to the postgresql data files

Igor Borisovsky igor at datanaut.com
Mon Jun 7 07:35:51 UTC 2004


 
Ok. I see you.
Can you explain the following thing to me?
As I understand it, in SELinux all permissions
must be explicitly granted. Hence there is a
permission that allows sysadm_t to enter the /var/lib/pgsql directory.
I can't find something like this:
allow sysadm_t pgsql_home_dir_t:dir {...};
It is interesting how the sysadm_t type has access to the /var/lib/pgsql directory.
Thanks.
-----Original Message-----
From: owner-selinux at tycho.nsa.gov [mailto:owner-selinux at tycho.nsa.gov] On Behalf Of Stephen Smalley
Sent: Friday, June 04, 2004 7:14 PM
To: Igor Borisovsky
Cc: SELinux at tycho.nsa.gov; 'Russell Coker'; fedora-selinux-list at redhat.com
Subject: RE: Access to the postgresql data files

On Fri, 2004-06-04 at 10:59, Igor Borisovsky wrote:
> Thanks for the reply.
> Let me explain my problem in more detail.
> I have the database server under Red Hat 9.
> The postgresql database contains very important secure data.
> So nobody should have access to this data directly.
> Only authorized clients via SSL connections should have access.
> In ordinary Linux, user root can steal postgresql data files or
> edit the pg_hba.conf file to give itself access.
> Thus I want to use FC2 to control access to data files for user root.
> User root should be only the Linux server administrator. For example, root
> should be able to create/delete users, install software/hardware,
> start/stop services. But root must not have access to postgresql files.

You can use SELinux to ensure that only certain applications have direct
access to the files.  But if root can install software, then he can just
replace those applications with his own code to get access to the files.  Or
he can replace any code or configuration on which those applications depend,
e.g. the kernel, ld.so, whatever.  And if there is any user account which is
authorized to access those files and you let root manage user accounts, then
root can gain access to those accounts. 
Not to mention issues of raw disk access, whether direct or indirect via
filesystem administrative utilities.  See the problem?  So you would have to
strip root of _many_ typical administrative privileges to truly enforce such
a guarantee.

--
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
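The question at the top of this message (why no literal `allow sysadm_t pgsql_home_dir_t:dir ...` rule can be found even though sysadm_t can enter /var/lib/pgsql) usually comes down to attribute expansion: a rule written against an attribute that pgsql_home_dir_t carries grants the access, and a text search for the two type names never sees it. The script below is an added illustration, not code from the thread or from the Fedora policy; the policy fragment and the attribute names (file_type, secure_file_type, domain) are constructed assumptions. It resolves allow rules the way a policy query tool would, so the attribute-based rule is found while the literal search comes back empty.

```python
import re

# Constructed policy fragment, not the real Fedora Core 2 policy. The attribute
# names are assumptions; the point is that the only rule reaching
# pgsql_home_dir_t is written against an attribute, not against the type.
POLICY = """
attribute domain;
attribute file_type;
attribute secure_file_type;
type sysadm_t, domain;
type pgsql_home_dir_t, file_type;
type shadow_t, file_type, secure_file_type;
allow sysadm_t { file_type -secure_file_type }:dir { getattr search read };
allow sysadm_t self:process { fork signal };
"""

RULE = re.compile(r"(\{[^}]*\}|\S+)\s+(\{[^}]*\}|\S+):(\S+)\s+(\{[^}]*\}|\S+)")

def parse(policy):
    """Return (attrs, rules): attrs maps each type to its attribute set,
    rules is a list of (source_expr, target_expr, class, permission set)."""
    attrs, rules = {}, []
    for stmt in re.findall(r"([^;]+);", policy):
        kind, _, rest = stmt.strip().partition(" ")
        if kind == "type":
            name, *alist = [w.strip() for w in rest.split(",")]
            attrs[name] = set(alist)
        elif kind == "allow":
            src, tgt, cls, perms = RULE.match(rest).groups()
            rules.append((src, tgt, cls, set(perms.strip("{} ").split())))
    return attrs, rules

def matches(expr, t, attrs):
    """Does type t satisfy an expression such as '{ file_type -secure_file_type }'?
    Positive tokens admit t by name or by attribute; '-' tokens exclude it."""
    names = {t} | attrs.get(t, set())
    toks = expr.strip("{} ").split()
    included = any(tok in names for tok in toks if not tok.startswith("-"))
    excluded = any(tok[1:] in names for tok in toks if tok.startswith("-"))
    return included and not excluded

def granting_rules(policy, src, tgt, cls, perm):
    """Allow rules granting src -> tgt:cls perm after attribute expansion
    ('self' as target means the source type itself)."""
    attrs, rules = parse(policy)
    return [r for r in rules if r[2] == cls and perm in r[3]
            and matches(r[0], src, attrs)
            and matches(src if r[1] == "self" else r[1], tgt, attrs)]

def literal_rules(policy, src, tgt):
    """What a text search for 'allow <src> <tgt>' finds: rules naming both literally."""
    return [l for l in policy.splitlines() if l.startswith(f"allow {src} {tgt}")]

if __name__ == "__main__":
    print(literal_rules(POLICY, "sysadm_t", "pgsql_home_dir_t"))
    print(granting_rules(POLICY, "sysadm_t", "pgsql_home_dir_t", "dir", "search"))
    print(granting_rules(POLICY, "sysadm_t", "shadow_t", "dir", "search"))
```

The same query against a real policy is what `sesearch` from setools does; the point for a hardening review is that grepping the policy source for a type pair is not evidence that no rule grants the access.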

