Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit194c8f7

Browse files
committed
First round of cleanup of sepgsql code and documentation.
Robert Haas, with a few suggestions from Thom Brown
1 parent968bc6f commit194c8f7

File tree

5 files changed

+227
-271
lines changed

5 files changed

+227
-271
lines changed

‎contrib/sepgsql/.gitignore‎

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1 +1,5 @@
11
/sepgsql.sql
2+
/sepgsql-regtest.fc
3+
/sepgsql-regtest.if
4+
/sepgsql-regtest.pp
5+
/tmp

‎contrib/sepgsql/dml.c‎

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -171,12 +171,12 @@ check_relation_privileges(Oid relOid,
171171
SEPG_DB_TABLE__DELETE))!=0)
172172
ereport(ERROR,
173173
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
174-
errmsg("selinux: hardwired security policy violation")));
174+
errmsg("SELinux: hardwired security policy violation")));
175175

176176
if (relkind==RELKIND_TOASTVALUE)
177177
ereport(ERROR,
178178
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
179-
errmsg("selinux: hardwired security policy violation")));
179+
errmsg("SELinux: hardwired security policy violation")));
180180
}
181181

182182
/*

‎contrib/sepgsql/hooks.c‎

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -91,7 +91,7 @@ sepgsql_client_auth(Port *port, int status)
9191
if (getpeercon_raw(port->sock,&context)<0)
9292
ereport(FATAL,
9393
(errcode(ERRCODE_INTERNAL_ERROR),
94-
errmsg("selinux: failed to get the peer label")));
94+
errmsg("SELinux: unable to get peer label")));
9595

9696
sepgsql_set_client_label(context);
9797

@@ -318,7 +318,7 @@ sepgsql_utility_command(Node *parsetree,
318318
{
319319
ereport(ERROR,
320320
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
321-
errmsg("SELinux: LOAD is notallowed anyway.")));
321+
errmsg("SELinux: LOAD is notpermitted")));
322322
}
323323
break;
324324
default:
@@ -352,8 +352,8 @@ _PG_init(void)
352352
*/
353353
if (IsUnderPostmaster)
354354
ereport(ERROR,
355-
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
356-
errmsg("Not allowed to load SE-PostgreSQL now")));
355+
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
356+
errmsg("sepgsql must be loaded via shared_preload_libraries")));
357357

358358
/*
359359
* Check availability of SELinux on the platform.
@@ -414,7 +414,7 @@ _PG_init(void)
414414
if (getcon_raw(&context)<0)
415415
ereport(ERROR,
416416
(errcode(ERRCODE_INTERNAL_ERROR),
417-
errmsg("selinux: unable to get security label of server")));
417+
errmsg("SELinux: failed to getserversecurity label")));
418418
sepgsql_set_client_label(context);
419419

420420
/* Security label provider hook */

‎contrib/sepgsql/label.c‎

Lines changed: 19 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -81,7 +81,7 @@ sepgsql_get_label(Oid classId, Oid objectId, int32 subId)
8181
if (security_get_initial_context_raw("unlabeled",&unlabeled)<0)
8282
ereport(ERROR,
8383
(errcode(ERRCODE_INTERNAL_ERROR),
84-
errmsg("selinux: unable to get initial security label")));
84+
errmsg("SELinux: failed to get initial security label")));
8585
PG_TRY();
8686
{
8787
label=pstrdup(unlabeled);
@@ -114,7 +114,7 @@ sepgsql_object_relabel(const ObjectAddress *object, const char *seclabel)
114114
security_check_context_raw((security_context_t)seclabel)<0)
115115
ereport(ERROR,
116116
(errcode(ERRCODE_INVALID_NAME),
117-
errmsg("invalid security label: \"%s\"",seclabel)));
117+
errmsg("SELinux:invalid security label: \"%s\"",seclabel)));
118118
/*
119119
* Do actual permission checks for each object classes
120120
*/
@@ -154,13 +154,11 @@ sepgsql_getcon(PG_FUNCTION_ARGS)
154154
char*client_label;
155155

156156
if (!sepgsql_is_enabled())
157-
ereport(ERROR,
158-
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
159-
errmsg("SELinux: now disabled")));
157+
PG_RETURN_NULL();
160158

161159
client_label=sepgsql_get_client_label();
162160

163-
PG_RETURN_POINTER(cstring_to_text(client_label));
161+
PG_RETURN_TEXT_P(cstring_to_text(client_label));
164162
}
165163

166164
/*
@@ -179,14 +177,14 @@ sepgsql_mcstrans_in(PG_FUNCTION_ARGS)
179177

180178
if (!sepgsql_is_enabled())
181179
ereport(ERROR,
182-
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
183-
errmsg("SELinux: now disabled")));
180+
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
181+
errmsg("sepgsql is not enabled")));
184182

185183
if (selinux_trans_to_raw_context(text_to_cstring(label),
186184
&raw_label)<0)
187185
ereport(ERROR,
188186
(errcode(ERRCODE_INTERNAL_ERROR),
189-
errmsg("SELinux:internal error on mcstrans")));
187+
errmsg("SELinux:could not translate security label")));
190188

191189
PG_TRY();
192190
{
@@ -200,7 +198,7 @@ sepgsql_mcstrans_in(PG_FUNCTION_ARGS)
200198
PG_END_TRY();
201199
freecon(raw_label);
202200

203-
PG_RETURN_POINTER(cstring_to_text(result));
201+
PG_RETURN_TEXT_P(cstring_to_text(result));
204202
}
205203

206204
/*
@@ -219,14 +217,14 @@ sepgsql_mcstrans_out(PG_FUNCTION_ARGS)
219217

220218
if (!sepgsql_is_enabled())
221219
ereport(ERROR,
222-
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
223-
errmsg("SELinux: now disabled")));
220+
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
221+
errmsg("sepgsql is not currently enabled")));
224222

225223
if (selinux_raw_to_trans_context(text_to_cstring(label),
226224
&qual_label)<0)
227225
ereport(ERROR,
228226
(errcode(ERRCODE_INTERNAL_ERROR),
229-
errmsg("SELinux:internal error on mcstrans")));
227+
errmsg("SELinux:could not translate security label")));
230228

231229
PG_TRY();
232230
{
@@ -240,7 +238,7 @@ sepgsql_mcstrans_out(PG_FUNCTION_ARGS)
240238
PG_END_TRY();
241239
freecon(qual_label);
242240

243-
PG_RETURN_POINTER(cstring_to_text(result));
241+
PG_RETURN_TEXT_P(cstring_to_text(result));
244242
}
245243

246244
/*
@@ -360,8 +358,7 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
360358
break;
361359

362360
default:
363-
elog(ERROR,"Bug? %u is not supported to set initial labels",
364-
catalogId);
361+
elog(ERROR,"unexpected catalog id: %u",catalogId);
365362
break;
366363
}
367364

@@ -387,12 +384,12 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
387384
}
388385
elseif (errno==ENOENT)
389386
ereport(WARNING,
390-
(errmsg("novalidinitial labelon%s (type=%d),skipped",
387+
(errmsg("SELinux:no initial labelassigned for%s (type=%d),skipping",
391388
objname,objtype)));
392389
else
393390
ereport(ERROR,
394391
(errcode(ERRCODE_INTERNAL_ERROR),
395-
errmsg("libselinux: internal error")));
392+
errmsg("SELinux: could not determine initial security label for %s (type=%d)",objname,objtype)));
396393
}
397394
systable_endscan(sscan);
398395

@@ -422,16 +419,16 @@ sepgsql_restorecon(PG_FUNCTION_ARGS)
422419
*/
423420
if (!sepgsql_is_enabled())
424421
ereport(ERROR,
425-
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
426-
errmsg("SELinux: now disabled")));
422+
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
423+
errmsg("sepgsql is not currently enabled")));
427424
/*
428425
* Check DAC permission. Only superuser can set up initial
429426
* security labels, like root-user in filesystems
430427
*/
431428
if (!superuser())
432429
ereport(ERROR,
433430
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
434-
errmsg("must be superuser to restore initial contexts")));
431+
errmsg("SELinux:must be superuser to restore initial contexts")));
435432

436433
/*
437434
* Open selabel_lookup(3) stuff. It provides a set of mapping
@@ -452,7 +449,7 @@ sepgsql_restorecon(PG_FUNCTION_ARGS)
452449
if (!sehnd)
453450
ereport(ERROR,
454451
(errcode(ERRCODE_INTERNAL_ERROR),
455-
errmsg("SELinux internal error")));
452+
errmsg("SELinux: failed to initialize labeling handle")));
456453
PG_TRY();
457454
{
458455
/*

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp