[GENERAL] postgres user with password read-only user without?
Is there a way to configure authentication so that some users require a password and other users don't? Ted -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
[GENERAL] 9.5rc1 RLS select policy on insert?
I see the insert policy check running but also the select policy using on insert. I don't understand why the select policy is being run. Could it possibly be related to using a sequence on the table? Ted -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
[GENERAL] RLS 9.5rc1 configuration changes?
I had been using CrunchyDatas 9.4 with backported RLS but I decided since my ultimate target is 9.5 that I update to it. However now the function called for the SELECT policy is not being called. \dt shows the policy but EXPLAIN ANALYZE of a select doesn't show the filter. When I turn up debug in postghresql.conf in pgstartup.log I see the library loaded and the _PG_init function called and in the daily log I see the client auth function called each time I run psql. The only changes I made for 9.5 were to no longer set row_security to 'force' in postgresql.conf and to add: ALTER TABLE FORCE ROW LEVEL SECURITY; in addition to the: ALTER TABLE ENABLE ROW LEVEL SECURITY; which I was already doing as I want RLS to be used even for the owner of the table. Are there any other additional configuration changes needed to get RLS to work again? Ted -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
Re: [GENERAL] RLS 9.5rc1 configuration changes?
On Mon, Jan 4, 2016 at 4:54 PM, Tom Lane <t...@sss.pgh.pa.us> wrote: > Ted Toth <txt...@gmail.com> writes: >> I had been using CrunchyDatas 9.4 with backported RLS but I decided >> since my ultimate target is 9.5 that I update to it. However now the >> function called for the SELECT policy is not being called. \dt shows >> the policy but EXPLAIN ANALYZE of a select doesn't show the filter. > > I'm not sure how Crunchy's 9.4 version behaves, but I'd expect the > policy USING condition to be visible in EXPLAIN in 9.5. > > Are you perhaps testing this as a superuser? Superusers bypass RLS > even with FORCE ROW LEVEL SECURITY. Yes I was a Superuser but without 'Bypass RLS'. So there's no way to enforce RLS for all users/roles? > >> ... The only >> changes I made for 9.5 were to no longer set row_security to 'force' >> in postgresql.conf > > What did you set it to instead? row_security=on. Maybe 'force' did what I wanted in Crunchy's 9.4 version :( > > regards, tom lane -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
[GENERAL] native api or odbc?
What are peoples experiences with either/both, pluses/minuses? Ted
[GENERAL] RLS policy issue
I'm work on understanding and implementing RLS. Since I work on
systems using SELinux (MLS policy) I'm using the sepgsql module that
I've modified slightly i.e. I've added a function named
sepgsql_check_row_perm that I'm using in the policy for example I have
a 'reports' table that looks like:
Table public.reports
Column | Type | Modifiers
| Storage | Stats target | Description
+-+--+--+--+-
id | integer | not null default
nextval('reports_id_seq'::regclass) | plain| |
report | json|
| extended | |
message_id | integer | not null
| plain| |
location | geometry(Point) |
| main | |
security_label | text| default sepgsql_getcon()
| extended | |
Policies:
POLICY check_report_delete_selinux FOR DELETE
USING sepgsql_check_row_perm(security_label, sepgsql_getcon(),
'delete'::text)
POLICY check_report_insert_selinux FOR INSERT
WITH CHECK sepgsql_check_row_perm(security_label,
sepgsql_getcon(), 'insert'::text)
POLICY check_report_select_selinux FOR SELECT
USING sepgsql_check_row_perm(sepgsql_getcon(), security_label,
'select'::text)
POLICY check_report_update_selinux FOR UPDATE
USING sepgsql_check_row_perm(security_label, sepgsql_getcon(),
'update'::text)
WITH CHECK sepgsql_check_row_perm(security_label,
sepgsql_getcon(), 'update'::text)
When I do a select I expect sepgsql_check_row_perm to be called and at
least output the elog message I added here's part of the patch I apply
to add the sepgsql_check_row_perm funstion to the module:
/*
+ * BOOL sepgsql_check_row_perm(TEXT, TEXT, TEXT)
+ *
+ * Check if perm allowed for tuple.
+ * This is a variant of sepgsql_avc_check_perms_label which allows the
+ * specifying of both the source and target contexts. For MLS
+ * (write up read down) dominance purposes in the case of
+ * INSERT/UPDATE/DELETE (write) the source is the tuples context
+ * and it must dominate the peers context however in the case of
+ * SELECT (read) the source is the peers context and it must dominate
+ * the tuples context.
+ */
+PG_FUNCTION_INFO_V1(sepgsql_check_row_perm);
+Datum
+sepgsql_check_row_perm(PG_FUNCTION_ARGS)
+{
+ const char *scontext;
+ const char *tcontext;
+ const char *perm_name;
+ access_vector_t av_perm;
+
+ elog(DEBUG1, sepgsql_check_row_perm);
I'd also expect that the rewrite would have added the POLICY SELECT
USING clause to the query but I don't see any indication of that in
the details that follow:
2015-05-21 16:59:39.030 CDT STATEMENT: select * from reports
2015-05-21 16:59:39.030 CDT LOG: rewritten parse tree:
2015-05-21 16:59:39.030 CDT DETAIL: (
{QUERY
:commandType 1
:querySource 0
:canSetTag true
:utilityStmt
:resultRelation 0
:hasAggs false
:hasWindowFuncs false
:hasSubLinks false
:hasDistinctOn false
:hasRecursive false
:hasModifyingCTE false
:hasForUpdate false
:hasRowSecurity true
:cteList
:rtable (
{RTE
:alias
:eref
{ALIAS
:aliasname reports
:colnames (id report message_id location security_label)
}
:rtekind 0
:relid 19116
:relkind r
:lateral false
:inh true
:inFromCl true
:requiredPerms 2
:checkAsUser 0
:selectedCols (b 9 10 11 12 13)
:modifiedCols (b)
:securityQuals
}
)
:jointree
{FROMEXPR
:fromlist (
{RANGETBLREF
:rtindex 1
}
)
:quals
}
:targetList (
{TARGETENTRY
:expr
{VAR
:varno 1
:varattno 1
:vartype 23
:vartypmod -1
:varcollid 0
:varlevelsup 0
:varnoold 1
:varoattno 1
:location 7
}
:resno 1
:resname id
:ressortgroupref 0
:resorigtbl 19116
:resorigcol 1
:resjunk false
}
{TARGETENTRY
:expr
{VAR
:varno 1
:varattno 2
:vartype 114
:vartypmod -1
:varcollid 0
:varlevelsup 0
:varnoold 1
:varoattno 2
:location 7
}
:resno 2
:resname report
:ressortgroupref 0
:resorigtbl 19116
[GENERAL] 9.5 RLS 'check policy' function arguments
I'm contemplating writing a function for use with the CHECK POLICY statement. Where can I find documentation describing the arguments that will be passed to the function? Ted -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
Re: [GENERAL] sepgsql where are the security labels
This table maintains information about the context of postgresql objects not the data in tables. On Wed, Nov 12, 2014 at 5:56 PM, Adrian Klaver adrian.kla...@aklaver.com wrote: On 11/12/2014 02:45 PM, Ted Toth wrote: I'm running selinux mls policy I've got labeled ipsec working and my postgresql configured to load sepgsql. I've created a db, run the sepgsql.sql script on it, created tables and inserted data. How do I query the security labels on the data? I do not use SECURITY LABELS, but it seems they can be queried here: http://www.postgresql.org/docs/9.3/interactive/view-pg-seclabels.html As best I can tell there is no security_context column on either of the tables I've created that I see? How does the system column security_context get added to tables? I've read everything I can find on the web but a lot of it is dated. Here's how I'm creating my db and tables: -- Adrian Klaver adrian.kla...@aklaver.com -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
Re: [GENERAL] sepgsql where are the security labels
Exactly what I talking about ... but unfortunately that appears to have been based on KaiGai's branch and is not in 9.3. The current discuss/work is around row-level-security with patches to 9.5 which is not much help to me now :( On Thu, Nov 13, 2014 at 9:26 AM, Adrian Klaver adrian.kla...@aklaver.com wrote: On 11/13/2014 05:58 AM, Ted Toth wrote: This table maintains information about the context of postgresql objects not the data in tables. http://www.slideshare.net/kaigai/label-based-mandatory-access-control-on-postgresql Slide 23 On Wed, Nov 12, 2014 at 5:56 PM, Adrian Klaver adrian.kla...@aklaver.com wrote: On 11/12/2014 02:45 PM, Ted Toth wrote: I'm running selinux mls policy I've got labeled ipsec working and my postgresql configured to load sepgsql. I've created a db, run the sepgsql.sql script on it, created tables and inserted data. How do I query the security labels on the data? I do not use SECURITY LABELS, but it seems they can be queried here: http://www.postgresql.org/docs/9.3/interactive/view-pg-seclabels.html As best I can tell there is no security_context column on either of the tables I've created that I see? How does the system column security_context get added to tables? I've read everything I can find on the web but a lot of it is dated. Here's how I'm creating my db and tables: -- Adrian Klaver adrian.kla...@aklaver.com -- Adrian Klaver adrian.kla...@aklaver.com -- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
[GENERAL] sepgsql where are the security labels
I'm running selinux mls policy I've got labeled ipsec working and my
postgresql configured to load
sepgsql. I've created a db, run the sepgsql.sql script on it, created
tables and inserted data. How do I
query the security labels on the data? As best I can tell there is no
security_context
column on either of the tables I've created that I see? How does the
system column security_context get added to tables? I've read
everything I can find on the web but
a lot of it is dated. Here's how I'm creating my db and tables:
CREATE DATABASE contacts
WITH OWNER = jcdx
ENCODING = 'UTF8'
TABLESPACE = pg_default
LC_COLLATE = 'en_US.UTF-8'
LC_CTYPE = 'en_US.UTF-8'
CONNECTION LIMIT = -1;
SECURITY LABEL FOR selinux
ON DATABASE contacts
IS 'user_u:object_r:sepgsql_db_t:
s0';
--
-- PostgreSQL database dump
--
SET statement_timeout = 0;
SET lock_timeout = 0;
SET client_encoding = 'UTF8';
SET standard_conforming_strings = on;
SET check_function_bodies = false;
SET client_min_messages = warning;
--
-- Name: plpgsql; Type: EXTENSION; Schema: -; Owner:
--
CREATE EXTENSION IF NOT EXISTS plpgsql WITH SCHEMA pg_catalog;
--
-- Name: EXTENSION plpgsql; Type: COMMENT; Schema: -; Owner:
--
COMMENT ON EXTENSION plpgsql IS 'PL/pgSQL procedural language';
--
-- Name: postgis; Type: EXTENSION; Schema: -; Owner:
--
CREATE EXTENSION IF NOT EXISTS postgis WITH SCHEMA public;
--
-- Name: EXTENSION postgis; Type: COMMENT; Schema: -; Owner:
--
COMMENT ON EXTENSION postgis IS 'PostGIS geometry, geography, and
raster spatial types and functions';
--
-- Name: pgrouting; Type: EXTENSION; Schema: -; Owner:
--
CREATE EXTENSION IF NOT EXISTS pgrouting WITH SCHEMA public;
--
-- Name: EXTENSION pgrouting; Type: COMMENT; Schema: -; Owner:
--
COMMENT ON EXTENSION pgrouting IS 'pgRouting Extension';
SET search_path = public, pg_catalog;
SET default_tablespace = '';
SET default_with_oids = false;
--
-- Name: messages; Type: TABLE; Schema: public; Owner: jcdx; Tablespace:
--
CREATE TABLE messages (
id integer NOT NULL,
message json
);
SECURITY LABEL FOR selinux ON TABLE messages IS
'user_u:object_r:sepgsql_table_t:s0';
ALTER TABLE public.messages OWNER TO jcdx;
--
-- Name: messages_id_seq; Type: SEQUENCE; Schema: public; Owner: jcdx
--
CREATE SEQUENCE messages_id_seq
START WITH 1
INCREMENT BY 1
NO MINVALUE
NO MAXVALUE
CACHE 1;
SECURITY LABEL FOR selinux ON SEQUENCE messages_id_seq IS
'user_u:object_r:sepgsql_seq_t:s0';
ALTER TABLE public.messages_id_seq OWNER TO jcdx;
--
-- Name: messages_id_seq; Type: SEQUENCE OWNED BY; Schema: public; Owner: jcdx
--
ALTER SEQUENCE messages_id_seq OWNED BY messages.id;
--
-- Name: reports; Type: TABLE; Schema: public; Owner: jcdx; Tablespace:
--
CREATE TABLE reports (
id integer NOT NULL,
report json,
message_id integer NOT NULL,
location geometry(Point)
);
SECURITY LABEL FOR selinux ON TABLE reports IS
'user_u:object_r:sepgsql_table_t:s0';
ALTER TABLE public.reports OWNER TO jcdx;
--
-- Name: reports_id_seq; Type: SEQUENCE; Schema: public; Owner: jcdx
--
CREATE SEQUENCE reports_id_seq
START WITH 1
INCREMENT BY 1
NO MINVALUE
NO MAXVALUE
CACHE 1;
SECURITY LABEL FOR selinux ON SEQUENCE reports_id_seq IS
'user_u:object_r:sepgsql_seq_t:s0';
ALTER TABLE public.reports_id_seq OWNER TO jcdx;
--
-- Name: reports_id_seq; Type: SEQUENCE OWNED BY; Schema: public; Owner: jcdx
--
ALTER SEQUENCE reports_id_seq OWNED BY reports.id;
--
-- Name: id; Type: DEFAULT; Schema: public; Owner: jcdx
--
ALTER TABLE ONLY messages ALTER COLUMN id SET DEFAULT
nextval('messages_id_seq'::regclass);
--
-- Name: id; Type: DEFAULT; Schema: public; Owner: jcdx
--
ALTER TABLE ONLY reports ALTER COLUMN id SET DEFAULT
nextval('reports_id_seq'::regclass);
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
