Integrating SEPostgreSQL into the network
When we use the sepgsql module in PostgreSQL, every database session needs a security context associated with it: sepgsql asks the kernel for the peer label of the connecting socket and uses it as the client's context. For local connections (which use Unix domain sockets) the kernel can supply the context of the connecting process directly, so this works out of the box. Networked (TCP) sessions, which are the most common, carry no such context unless the traffic itself is labeled or a fallback label has been configured.
If the system does not participate in a labeled networking setup, as we saw in Chapter 5, Controlling Network Communications, the kernel has no peer label to hand back (the getsockopt(SO_PEERSEC) call behind getpeercon() fails with ENOPROTOOPT), and every remote connection attempt is rejected:
$ psql -U testuser -h ppubssa3ed db_test
psql: FATAL: SELinux: unable to get peer label: Protocol not available
To resolve this, the recommended approach is to start using labeled IPsec, which carries the actual context of the client process to the database server. Where that is not (yet) possible, we can use NetLabel to introduce fallback labeling: unlabeled traffic arriving from a given address range is assigned a fixed, administrator-chosen context, which sepgsql then uses as the session's client context.
Creating a fallback label for remote sessions
With Linux's NetLabel and CIPSO support (as seen in Chapter 5, Controlling Network Communications) we can introduce both fallback labeling...
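The fallback mapping described above, as an added example that is not part of the original text: a POSIX shell script that validates the inputs, installs an interface-scoped NetLabel unlabeled (unlbl) mapping with netlabelctl, and retries the psql session that failed earlier. The interface eth0, the client subnet 192.168.1.0/24 and the use of the reference-policy type netlabel_peer_t as the fallback label are assumptions for illustration; whatever label you pick becomes the remote session's client context, so it must be one your sepgsql policy grants database access to. By default the script only prints the commands (DRY_RUN=1); set DRY_RUN=0 and run it as root on a host with netlabel_tools installed to apply them.

```sh
#!/bin/sh
# Added example (not from the original page): give unlabeled TCP sessions from a
# client subnet a fixed SELinux peer context via a NetLabel "unlbl" fallback
# mapping, so sepgsql's getpeercon() call succeeds for remote psql clients.
# Assumed values (replace for your site): interface eth0, client subnet
# 192.168.1.0/24, and the refpolicy type netlabel_peer_t as the fallback label.

NETLABEL_IFACE="${NETLABEL_IFACE:-eth0}"
CLIENT_NET="${CLIENT_NET:-192.168.1.0/24}"
PEER_LABEL="${PEER_LABEL:-system_u:object_r:netlabel_peer_t:s0}"
DRY_RUN="${DRY_RUN:-1}"   # 1: print the commands; 0: run them (root + netlabel_tools)

# Accept only a well-formed IPv4 prefix (a.b.c.d/n); netlabelctl's own error
# messages are terse, so fail early with a clear reason.
valid_cidr() {
    ip="${1%/*}"
    bits="${1#*/}"
    [ "$ip" != "$1" ] || return 1              # no '/' present
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.
    set -- $ip
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# A context is user:role:type[:level]; the type field must end in _t.
valid_context() {
    case "$1" in
        *:*:*_t|*:*:*_t:*) return 0 ;;
    esac
    return 1
}

# Build the exact netlabelctl invocation for an interface-scoped fallback mapping.
unlbl_add_cmd() {
    printf 'netlabelctl unlbl add interface:%s address:%s label:%s' "$1" "$2" "$3"
}

# In dry-run mode print a shell-pasteable command line; otherwise execute it.
run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        out=""
        for arg in "$@"; do
            case "$arg" in
                *[!A-Za-z0-9_./:=-]*) out="$out '$arg'" ;;
                *)                    out="$out $arg" ;;
            esac
        done
        printf '%s\n' "${out# }"
        return 0
    fi
    "$@"
}

main() {
    valid_cidr "$CLIENT_NET"    || { echo "bad prefix: $CLIENT_NET" >&2; return 1; }
    valid_context "$PEER_LABEL" || { echo "bad context: $PEER_LABEL" >&2; return 1; }
    # 1. Unlabeled packets must be accepted at all (normally already the default).
    run_cmd netlabelctl unlbl accept on
    # 2. Install the fallback mapping (the arguments contain no whitespace, so
    #    the unquoted expansion splits exactly into the intended words).
    run_cmd $(unlbl_add_cmd "$NETLABEL_IFACE" "$CLIENT_NET" "$PEER_LABEL")
    # 3. Confirm the kernel now holds the mapping.
    run_cmd netlabelctl unlbl list
    # 4. Retry the session that failed with "unable to get peer label" and show
    #    the context sepgsql assigned to it.
    run_cmd psql -U testuser -h ppubssa3ed db_test -c 'SELECT sepgsql_getcon();'
}

main "$@"
```

Use `default` instead of `interface:eth0` in the unlbl add command if the mapping should apply regardless of the ingress interface. Note that every client in the range gets the same context, so this is a coarse mechanism: it restores connectivity, but it cannot distinguish one remote user from another the way labeled IPsec can.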