BUG/Q: failure with sepgsql from guide #52

@C3EQUALZz

Description

Hello! I have problems configuring PostgreSQL with SELinux using sepgsql. I'm trying to do everything as in the guide here, but ran into a problem with access to the schema.

I tried to repeat all the steps from the guide several times, and every time there was a failure at this point with the schema.

  • OS: Fedora 42
  • PostgreSQL: 16.9

Sorry for the Russian error messages in the snippet; the key error is "ОШИБКА: нет доступа к схеме test_ns" (translation: "ERROR: schema test_ns not accessible").

c3equalz@fedora:~$ service postgresql start
Redirecting to /bin/systemctl start postgresql.service
c3equalz@fedora:~$ psql -d testdb -U root
psql (16.9)
Введите "help", чтобы получить справку.

testdb=> /*
 * This is the example for the SELinux Notebook.
 *
 * From psql prompt run this to build the database by:
 *              \i testdb-example.sql
*/

/* These show the sepgsql postgresql.conf entries, normally not set */
SHOW sepgsql.permissive;
SHOW sepgsql.debug_audit;

SELECT sepgsql_getcon();
--- If mcstransd running and the sample setrans.conf installed then show translated info
SELECT sepgsql_mcstrans_out((SELECT sepgsql_getcon()));

CREATE SCHEMA test_ns;
CREATE TABLE test_ns.info (user_name CHAR(10), email_addr CHAR(20));

--- This sets the security labels:
SECURITY LABEL ON SCHEMA test_ns IS 'unconfined_u:object_r:sepgsql_schema_t:s0:c10';
SECURITY LABEL ON TABLE test_ns.info IS 'unconfined_u:object_r:sepgsql_table_t:s0:c20';
SECURITY LABEL ON COLUMN test_ns.info.user_name IS 'unconfined_u:object_r:sepgsql_table_t:s0:c30';
SECURITY LABEL ON COLUMN test_ns.info.email_addr IS 'unconfined_u:object_r:sepgsql_table_t:s0:c40';

--- Note: No support for row labeling
INSERT INTO test_ns.info (user_name, email_addr) VALUES ('fred', '[email protected]');
INSERT INTO test_ns.info (user_name, email_addr) VALUES ('derf', '[email protected]');
INSERT INTO test_ns.info (user_name, email_addr) VALUES ('george', '[email protected]');
INSERT INTO test_ns.info (user_name, email_addr) VALUES ('jane', '[email protected]');

--- Show the columns
SELECT user_name, email_addr FROM test_ns.info;

--- This shows the testdb internal database entries using the pg_seclabels view
SELECT objtype, objname, label FROM pg_seclabels WHERE provider = 'selinux' AND  objtype in ('schema', 'table', 'column') AND objname in ('testdb', 'test_ns', 'test_ns.info', 'test_ns.info.user_name', 'test_ns.info.email_addr');

--- Shows labels on user_name and email_addr columns
SELECT user_name, label FROM pg_seclabels, test_ns.info WHERE provider = 'selinux' AND objname in ('test_ns.info.user_name');
SELECT email_addr, label FROM pg_seclabels, test_ns.info WHERE provider = 'selinux' AND objname in ('test_ns.info.email_addr');
 sepgsql.permissive 
--------------------
 off
(1 строка)

 sepgsql.debug_audit 
---------------------
 off
(1 строка)

                    sepgsql_getcon                     
-------------------------------------------------------
 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
(1 строка)

                 sepgsql_mcstrans_out                  
-------------------------------------------------------
 unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
(1 строка)

CREATE SCHEMA
CREATE TABLE
SECURITY LABEL
SECURITY LABEL
SECURITY LABEL
SECURITY LABEL
INSERT 0 1
INSERT 0 1
INSERT 0 1
INSERT 0 1
 user_name  |      email_addr      
------------+----------------------
 fred       | [email protected]      
 derf       | [email protected]    
 george     | [email protected]  
 jane       | [email protected]      
(4 строки)

 objtype |         objname         |                     label                     
---------+-------------------------+-----------------------------------------------
 table   | test_ns.info            | unconfined_u:object_r:sepgsql_table_t:s0:c20
 column  | test_ns.info.user_name  | unconfined_u:object_r:sepgsql_table_t:s0:c30
 column  | test_ns.info.email_addr | unconfined_u:object_r:sepgsql_table_t:s0:c40
 schema  | test_ns                 | unconfined_u:object_r:sepgsql_schema_t:s0:c10
(4 строки)

 user_name  |                    label                     
------------+----------------------------------------------
 fred       | unconfined_u:object_r:sepgsql_table_t:s0:c30
 derf       | unconfined_u:object_r:sepgsql_table_t:s0:c30
 george     | unconfined_u:object_r:sepgsql_table_t:s0:c30
 jane       | unconfined_u:object_r:sepgsql_table_t:s0:c30
(4 строки)

      email_addr      |                    label                     
----------------------+----------------------------------------------
 [email protected]       | unconfined_u:object_r:sepgsql_table_t:s0:c40
 [email protected]     | unconfined_u:object_r:sepgsql_table_t:s0:c40
 [email protected]   | unconfined_u:object_r:sepgsql_table_t:s0:c40
 [email protected]       | unconfined_u:object_r:sepgsql_table_t:s0:c40
(4 строки)

testdb=> 
\q
c3equalz@fedora:~$ setenforce 1
setenforce:  security_setenforce() failed:  Permission denied
c3equalz@fedora:~$ sudo !!
sudo setenforce 1
c3equalz@fedora:~$ runcon -l s0-s0:c10,c20,c30,c40 -t unconfined_t psql testdb
psql (16.9)
Введите "help", чтобы получить справку.

testdb=> SELECT user_name, email_addr FROM test_ns.info;
ОШИБКА:  нет доступа к схеме test_ns
СТРОКА 1: SELECT user_name, email_addr FROM test_ns.info;
                                            ^
testdb=> \q
c3equalz@fedora:~$ runcon -l s0-s0:c10,c20,c30 -t unconfined_t psql testdb
psql (16.9)
Введите "help", чтобы получить справку.

testdb=> SELECT user_name, email_addr FROM test_ns.info;
ОШИБКА:  нет доступа к схеме test_ns
СТРОКА 1: SELECT user_name, email_addr FROM test_ns.info;
                                            ^
testdb=> runcon -l s0-s0:c10,c20,c40 -t unconfined_t psql testdb
testdb-> \q
c3equalz@fedora:~$ runcon -l s0-s0:c10,c20,c40 -t unconfined_t psql testdb
psql (16.9)
Введите "help", чтобы получить справку.

testdb=> SELECT user_name, email_addr FROM test_ns.info;
ОШИБКА:  нет доступа к схеме test_ns
СТРОКА 1: SELECT user_name, email_addr FROM test_ns.info;
                                            ^
testdb=> 

I didn't create any custom policies for SELinux. The system is completely new; I only installed updates and the database.
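An MCS dominance check over the labels and runcon ranges quoted in the post, as an added example that is not part of the issue or the SELinux Notebook. It assumes the MCS rule that the subject's high level must dominate the object's level (sensitivity not lower, categories a superset) and models nothing about type enforcement, so a range passing this check only means the category sets are not what blocks the access.

```python
import re

# Object labels and subject ranges as quoted in the issue (constructed table).
OBJECT_LABELS = {
    "schema test_ns": "unconfined_u:object_r:sepgsql_schema_t:s0:c10",
    "table test_ns.info": "unconfined_u:object_r:sepgsql_table_t:s0:c20",
    "column test_ns.info.user_name": "unconfined_u:object_r:sepgsql_table_t:s0:c30",
    "column test_ns.info.email_addr": "unconfined_u:object_r:sepgsql_table_t:s0:c40",
}
SUBJECT_RANGES = [
    "s0-s0:c0.c1023",         # sepgsql_getcon() output before runcon
    "s0-s0:c10,c20,c30,c40",  # first runcon -l
    "s0-s0:c10,c20,c30",      # second runcon -l
    "s0-s0:c10,c20,c40",      # third runcon -l
]

def parse_level(level):
    """'s0:c10,c20.c22' -> (0, {10, 20, 21, 22}); 's0' -> (0, empty set)."""
    sens, _, cats = level.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity in {level!r}")
    found = set()
    for part in filter(None, cats.split(",")):
        m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", part)  # cN or cN.cM
        if not m:
            raise ValueError(f"bad category in {level!r}")
        lo, hi = int(m[1]), int(m[2] or m[1])
        if hi < lo:
            raise ValueError(f"inverted category range in {level!r}")
        found.update(range(lo, hi + 1))
    return int(sens[1:]), frozenset(found)

def parse_range(rng):
    """'s0-s0:c10' -> (low, high); a bare level 's0:c10' is its own high."""
    low, _, high = rng.partition("-")
    return parse_level(low), parse_level(high or low)

def dominates(high, level):
    """MCS dominance: sensitivity not lower and categories a superset."""
    return high[0] >= level[0] and high[1] >= level[1]

def subject_dominates(subject_range, object_ctx):
    """True if the range's high level dominates the object context's level."""
    _, high = parse_range(subject_range)
    level = object_ctx.split(":", 3)[3]  # user:role:type:LEVEL
    return dominates(high, parse_level(level))

def blocked_objects(subject_range):
    """Objects whose categories the given subject range does NOT cover."""
    return [name for name, ctx in OBJECT_LABELS.items()
            if not subject_dominates(subject_range, ctx)]
```

For the three runcon ranges in the session the schema label s0:c10 is dominated in every case, so the category sets alone do not explain the schema denial; the AVC audit log (or sepgsql.debug_audit) is where the failing check would appear.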
