# for contrib/sepgsql

if test "$with_selinux" = yes; then

{ $as_echo "$as_me:$LINENO: checking forselinux_status_open in -lselinux" >&5

$as_echo_n "checking forselinux_status_open in -lselinux... " >&6; }

if test "${ac_cv_lib_selinux_selinux_status_open+set}" = set; then

{ $as_echo "$as_me:$LINENO: checking forsecurity_compute_create_name in -lselinux" >&5

$as_echo_n "checking forsecurity_compute_create_name in -lselinux... " >&6; }

if test "${ac_cv_lib_selinux_security_compute_create_name+set}" = set; then

$as_echo_n "(cached) " >&6

else

ac_check_lib_save_LIBS=$LIBS

#ifdef __cplusplus

extern "C"

#endif

charselinux_status_open ();

charsecurity_compute_create_name ();

int

main ()

{

returnselinux_status_open ();

returnsecurity_compute_create_name ();

;

return 0;

}

test "$cross_compiling" = yes ||

$as_test_x conftest$ac_exeext

}; then

ac_cv_lib_selinux_selinux_status_open=yes

ac_cv_lib_selinux_security_compute_create_name=yes

else

$as_echo "$as_me: failed program was:" >&5

sed 's/^/| /' conftest.$ac_ext >&5

ac_cv_lib_selinux_selinux_status_open=no

ac_cv_lib_selinux_security_compute_create_name=no

fi

rm -rf conftest.dSYM

rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \

conftest$ac_exeext conftest.$ac_ext

LIBS=$ac_check_lib_save_LIBS

fi

{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_selinux_selinux_status_open" >&5

$as_echo "$ac_cv_lib_selinux_selinux_status_open" >&6; }

if test "x$ac_cv_lib_selinux_selinux_status_open" = x""yes; then

{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_selinux_security_compute_create_name" >&5

$as_echo "$ac_cv_lib_selinux_security_compute_create_name" >&6; }

if test "x$ac_cv_lib_selinux_security_compute_create_name" = x""yes; then

cat >>confdefs.h <<_ACEOF

#define HAVE_LIBSELINUX 1

_ACEOF

LIBS="-lselinux $LIBS"

else

{ { $as_echo "$as_me:$LINENO: error: library 'libselinux', version 2.0.99 or newer, is required for SELinux support" >&5

$as_echo "$as_me: error: library 'libselinux', version 2.0.99 or newer, is required for SELinux support" >&2;}

{ { $as_echo "$as_me:$LINENO: error: library 'libselinux', version 2.1.10 or newer, is required for SELinux support" >&5

$as_echo "$as_me: error: library 'libselinux', version 2.1.10 or newer, is required for SELinux support" >&2;}

{ (exit 1); exit 1; }; }

fi

# for contrib/sepgsql

if test "$with_selinux" = yes; then

AC_CHECK_LIB(selinux,selinux_status_open, [],

[AC_MSG_ERROR([library 'libselinux', version 2.0.99 or newer, is required for SELinux support])])

AC_CHECK_LIB(selinux,security_compute_create_name, [],

[AC_MSG_ERROR([library 'libselinux', version 2.1.10 or newer, is required for SELinux support])])

fi

# for contrib/uuid-ossp

ncontext=sepgsql_compute_create(sepgsql_get_client_label(),

tcontext,

SEPG_CLASS_DB_DATABASE);

SEPG_CLASS_DB_DATABASE,

NameStr(datForm->datname));

CREATE TABLE t3 (s int, t text);

INSERT INTO t3 VALUES (1, 'sss'), (2, 'ttt'), (3, 'uuu');

SELECT sepgsql_getcon();-- confirm client privilege

sepgsql_getcon

----------------------------------------------------

unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0

(1 row)

CREATE TABLE t4 (m int, n text);

INSERT INTO t4 VALUES (1,'mmm'), (2,'nnn'), (3,'ooo');

SELECT objtype, objname, label FROM pg_seclabels

WHERE provider = 'selinux'

AND objtype in ('table', 'column')

AND objname in ('t1', 't2', 't3');

WHERE provider = 'selinux' AND objtype = 'table' AND objname in ('t1', 't2', 't3');

objtype | objname | label

---------+---------+-----------------------------------------------

table | t1 | unconfined_u:object_r:sepgsql_table_t:s0

table | t2 | unconfined_u:object_r:sepgsql_table_t:s0

table | t3 | unconfined_u:object_r:user_sepgsql_table_t:s0

(3 rows)

SELECT objtype, objname, label FROM pg_seclabels

WHERE provider = 'selinux' AND objtype = 'column' AND (objname like 't3.%' OR objname like 't4.%');

objtype | objname | label

---------+-------------+-----------------------------------------------

column | t3.t | unconfined_u:object_r:user_sepgsql_table_t:s0

column | t3.s | unconfined_u:object_r:user_sepgsql_table_t:s0

column | t3.ctid | unconfined_u:object_r:user_sepgsql_table_t:s0

column | t3.xmin | unconfined_u:object_r:user_sepgsql_table_t:s0

column | t3.cmin | unconfined_u:object_r:user_sepgsql_table_t:s0

column | t3.xmax | unconfined_u:object_r:user_sepgsql_table_t:s0

column | t3.cmax | unconfined_u:object_r:user_sepgsql_table_t:s0

column | t3.tableoid | unconfined_u:object_r:user_sepgsql_table_t:s0

column | t4.n | unconfined_u:object_r:sepgsql_table_t:s0

column | t4.m | unconfined_u:object_r:sepgsql_table_t:s0

column | t4.ctid | unconfined_u:object_r:sepgsql_sysobj_t:s0

column | t4.xmin | unconfined_u:object_r:sepgsql_sysobj_t:s0

column | t4.cmin | unconfined_u:object_r:sepgsql_sysobj_t:s0

column | t4.xmax | unconfined_u:object_r:sepgsql_sysobj_t:s0

column | t4.cmax | unconfined_u:object_r:sepgsql_sysobj_t:s0

column | t4.tableoid | unconfined_u:object_r:sepgsql_sysobj_t:s0

(16 rows)

--

-- Tests for SECURITY LABEL

--

DROP TABLE IF EXISTS t1 CASCADE;

DROP TABLE IF EXISTS t2 CASCADE;

DROP TABLE IF EXISTS t3 CASCADE;

DROP TABLE IF EXISTS t4 CASCADE;

DROP FUNCTION IF EXISTS f1() CASCADE;

DROP FUNCTION IF EXISTS f2() CASCADE;

DROP FUNCTION IF EXISTS f3() CASCADE;

tcontext=sepgsql_get_label(NamespaceRelationId,

proForm->pronamespace,0);

ncontext=sepgsql_compute_create(scontext,tcontext,

SEPG_CLASS_DB_PROCEDURE);

SEPG_CLASS_DB_PROCEDURE,

NameStr(proForm->proname));

scontext=sepgsql_get_client_label();

tcontext=sepgsql_get_label(RelationRelationId,relOid,0);

ncontext=sepgsql_compute_create(scontext,tcontext,

SEPG_CLASS_DB_COLUMN);

SEPG_CLASS_DB_COLUMN,

NameStr(attForm->attname));

scontext=sepgsql_get_client_label();

tcontext=sepgsql_get_label(NamespaceRelationId,

classForm->relnamespace,0);

rcontext=sepgsql_compute_create(scontext,tcontext,tclass);

rcontext=sepgsql_compute_create(scontext,tcontext,tclass,

NameStr(classForm->relname));

ccontext=sepgsql_compute_create(scontext,

rcontext,

SEPG_CLASS_DB_COLUMN);

SEPG_CLASS_DB_COLUMN,

NameStr(attForm->attname));

char*tcontext;

char*ncontext;

charaudit_name[NAMEDATALEN+20];

constchar*nsp_name;

ObjectAddressobject;

Form_pg_namespacenspForm;

elog(ERROR,"catalog lookup failed for namespace %u",namespaceId);

nspForm= (Form_pg_namespace)GETSTRUCT(tuple);

nsp_name=NameStr(nspForm->nspname);

if (strncmp(nsp_name,"pg_temp_",8)==0)

nsp_name="pg_temp";

elseif (strncmp(nsp_name,"pg_toast_temp_",14)==0)

nsp_name="pg_toast_temp";

tcontext=sepgsql_get_label(DatabaseRelationId,MyDatabaseId,0);

ncontext=sepgsql_compute_create(sepgsql_get_client_label(),

tcontext,

snprintf(audit_name,sizeof(audit_name),

"schema %s",NameStr(nspForm->nspname));

snprintf(audit_name,sizeof(audit_name),"schema %s",nsp_name);

sepgsql_avc_check_perms_label(ncontext,

SEPG_CLASS_DB_SCHEMA,

SEPG_DB_SCHEMA__CREATE,

sepgsql_compute_create(constchar*scontext,

constchar*tcontext,

uint16tclass)

uint16tclass,

constchar*objname)

{

security_context_tncontext;

security_class_ttclass_ex;

if (security_compute_create_raw((security_context_t)scontext,

(security_context_t)tcontext,

tclass_ex,&ncontext)<0)

if (security_compute_create_name_raw((security_context_t)scontext,

(security_context_t)tcontext,

tclass_ex,

objname,

&ncontext)<0)

ereport(ERROR,

(errcode(ERRCODE_INTERNAL_ERROR),

errmsg("SELinux could not compute a new context: "

policy_module(sepgsql-regtest,1.04)

policy_module(sepgsql-regtest,1.05)

gen_require(`

all_userspace_class_perms

allow sepgsql_regtest_dba_t sepgsql_regtest_foo_t : process { dyntransition };

allow sepgsql_regtest_dba_t sepgsql_regtest_var_t : process { dyntransition };

optional_policy(`

gen_require(`

attributesepgsql_table_type;

typesepgsql_sysobj_t;

')

type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "ctid";

type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "oid";

type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "xmin";

type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "xmax";

type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "cmin";

type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "cmax";

type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "tableoid";

')

externchar*sepgsql_compute_create(constchar*scontext,

constchar*tcontext,

uint16tclass);

uint16tclass,

constchar*objname);

externboolsepgsql_check_perms(constchar*scontext,

constchar*tcontext,