NotificationsYou must be signed in to change notification settings
Fork5
Star26

Commit0f05840

committed

Allow sepgsql labels to depend on object name.

The main change here is to call security_compute_create_name_raw()rather than security_compute_create_raw(). This ups the minimumrequirement for libselinux from 2.0.99 to 2.1.10, but it lookslike most distributions will have picked that up before 9.3 is out.KaiGai Kohei

1 parentae7f1c3 commit0f05840Copy full SHA for 0f05840

File tree

13 files changed

+104

-40

lines changed

configure
configure.in
contrib/sepgsql
- database.c
- expected
  - label.out
- proc.c
- relation.c
- schema.c
- selinux.c
- sepgsql-regtest.te
- sepgsql.h
- sql
  - label.sql
- uavc.c
doc/src/sgml
- sepgsql.sgml

13 files changed

+104

-40

lines changed

`‎configure`

Lines changed: 12 additions & 12 deletions

Original file line number	Diff line number	Diff line change
`@@ -9710,9 +9710,9 @@ fi`
`9710`	`9710`	`# for contrib/sepgsql`
`9711`	`9711`	`if test "$with_selinux" = yes; then`
`9712`	`9712`
`9713`		`-{ $as_echo "$as_me:$LINENO: checking forselinux_status_open in -lselinux" >&5`
`9714`		`-$as_echo_n "checking forselinux_status_open in -lselinux... " >&6; }`
`9715`		`-if test "${ac_cv_lib_selinux_selinux_status_open+set}" = set; then`
	`9713`	`+{ $as_echo "$as_me:$LINENO: checking forsecurity_compute_create_name in -lselinux" >&5`
	`9714`	`+$as_echo_n "checking forsecurity_compute_create_name in -lselinux... " >&6; }`
	`9715`	`+if test "${ac_cv_lib_selinux_security_compute_create_name+set}" = set; then`
`9716`	`9716`	`$as_echo_n "(cached) " >&6`
`9717`	`9717`	`else`
`9718`	`9718`	`ac_check_lib_save_LIBS=$LIBS`
`@@ -9730,11 +9730,11 @@ cat >>conftest.$ac_ext <<_ACEOF`
`9730`	`9730`	`#ifdef __cplusplus`
`9731`	`9731`	`extern "C"`
`9732`	`9732`	`#endif`
`9733`		`-charselinux_status_open ();`
	`9733`	`+charsecurity_compute_create_name ();`
`9734`	`9734`	`int`
`9735`	`9735`	`main ()`
`9736`	`9736`	`{`
`9737`		`-returnselinux_status_open ();`
	`9737`	`+returnsecurity_compute_create_name ();`
`9738`	`9738`	`;`
`9739`	`9739`	`return 0;`
`9740`	`9740`	`}`
`@@ -9760,31 +9760,31 @@ $as_echo "$ac_try_echo") >&5`
`9760`	`9760`	`test "$cross_compiling" = yes \|\|`
`9761`	`9761`	`$as_test_x conftest$ac_exeext`
`9762`	`9762`	`}; then`
`9763`		`-ac_cv_lib_selinux_selinux_status_open=yes`
	`9763`	`+ac_cv_lib_selinux_security_compute_create_name=yes`
`9764`	`9764`	`else`
`9765`	`9765`	`$as_echo "$as_me: failed program was:" >&5`
`9766`	`9766`	`sed 's/^/\| /' conftest.$ac_ext >&5`
`9767`	`9767`
`9768`		`-ac_cv_lib_selinux_selinux_status_open=no`
	`9768`	`+ac_cv_lib_selinux_security_compute_create_name=no`
`9769`	`9769`	`fi`
`9770`	`9770`
`9771`	`9771`	`rm -rf conftest.dSYM`
`9772`	`9772`	`rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \`
`9773`	`9773`	`conftest$ac_exeext conftest.$ac_ext`
`9774`	`9774`	`LIBS=$ac_check_lib_save_LIBS`
`9775`	`9775`	`fi`
`9776`		`-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_selinux_selinux_status_open" >&5`
`9777`		`-$as_echo "$ac_cv_lib_selinux_selinux_status_open" >&6; }`
`9778`		`-if test "x$ac_cv_lib_selinux_selinux_status_open" = x""yes; then`
	`9776`	`+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_selinux_security_compute_create_name" >&5`
	`9777`	`+$as_echo "$ac_cv_lib_selinux_security_compute_create_name" >&6; }`
	`9778`	`+if test "x$ac_cv_lib_selinux_security_compute_create_name" = x""yes; then`
`9779`	`9779`	`cat >>confdefs.h <<_ACEOF`
`9780`	`9780`	`#define HAVE_LIBSELINUX 1`
`9781`	`9781`	`_ACEOF`
`9782`	`9782`
`9783`	`9783`	`LIBS="-lselinux $LIBS"`
`9784`	`9784`
`9785`	`9785`	`else`
`9786`		`- { { $as_echo "$as_me:$LINENO: error: library 'libselinux', version 2.0.99 or newer, is required for SELinux support" >&5`
`9787`		`-$as_echo "$as_me: error: library 'libselinux', version 2.0.99 or newer, is required for SELinux support" >&2;}`
	`9786`	`+ { { $as_echo "$as_me:$LINENO: error: library 'libselinux', version 2.1.10 or newer, is required for SELinux support" >&5`
	`9787`	`+$as_echo "$as_me: error: library 'libselinux', version 2.1.10 or newer, is required for SELinux support" >&2;}`
`9788`	`9788`	`{ (exit 1); exit 1; }; }`
`9789`	`9789`	`fi`
`9790`	`9790`

`‎configure.in`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -952,8 +952,8 @@ fi`
`952`	`952`
`953`	`953`	`# for contrib/sepgsql`
`954`	`954`	`if test "$with_selinux" = yes; then`
`955`		`- AC_CHECK_LIB(selinux,selinux_status_open, [],`
`956`		`- [AC_MSG_ERROR([library 'libselinux', version 2.0.99 or newer, is required for SELinux support])])`
	`955`	`+ AC_CHECK_LIB(selinux,security_compute_create_name, [],`
	`956`	`+ [AC_MSG_ERROR([library 'libselinux', version 2.1.10 or newer, is required for SELinux support])])`
`957`	`957`	`fi`
`958`	`958`
`959`	`959`	`# for contrib/uuid-ossp`

`‎contrib/sepgsql/database.c`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -92,7 +92,8 @@ sepgsql_database_post_create(Oid databaseId, const char *dtemplate)`
`92`	`92`
`93`	`93`	`ncontext=sepgsql_compute_create(sepgsql_get_client_label(),`
`94`	`94`	`tcontext,`
`95`		`-SEPG_CLASS_DB_DATABASE);`
	`95`	`+SEPG_CLASS_DB_DATABASE,`
	`96`	`+NameStr(datForm->datname));`
`96`	`97`
`97`	`98`	`/*`
`98`	`99`	`* check db_database:{create} permission`

`‎contrib/sepgsql/expected/label.out`

Lines changed: 32 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -64,17 +64,45 @@ SELECT sepgsql_getcon();-- confirm client privilege`
`64`	`64`
`65`	`65`	`CREATE TABLE t3 (s int, t text);`
`66`	`66`	`INSERT INTO t3 VALUES (1, 'sss'), (2, 'ttt'), (3, 'uuu');`
	`67`	`+SELECT sepgsql_getcon();-- confirm client privilege`
	`68`	`+ sepgsql_getcon`
	`69`	`+----------------------------------------------------`
	`70`	`+ unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0`
	`71`	`+(1 row)`
	`72`	`+`
	`73`	`+CREATE TABLE t4 (m int, n text);`
	`74`	`+INSERT INTO t4 VALUES (1,'mmm'), (2,'nnn'), (3,'ooo');`
`67`	`75`	`SELECT objtype, objname, label FROM pg_seclabels`
`68`		`- WHERE provider = 'selinux'`
`69`		`- AND objtype in ('table', 'column')`
`70`		`- AND objname in ('t1', 't2', 't3');`
	`76`	`+ WHERE provider = 'selinux' AND objtype = 'table' AND objname in ('t1', 't2', 't3');`
`71`	`77`	`objtype \| objname \| label`
`72`	`78`	`---------+---------+-----------------------------------------------`
`73`	`79`	`table \| t1 \| unconfined_u:object_r:sepgsql_table_t:s0`
`74`	`80`	`table \| t2 \| unconfined_u:object_r:sepgsql_table_t:s0`
`75`	`81`	`table \| t3 \| unconfined_u:object_r:user_sepgsql_table_t:s0`
`76`	`82`	`(3 rows)`
`77`	`83`
	`84`	`+SELECT objtype, objname, label FROM pg_seclabels`
	`85`	`+ WHERE provider = 'selinux' AND objtype = 'column' AND (objname like 't3.%' OR objname like 't4.%');`
	`86`	`+ objtype \| objname \| label`
	`87`	`+---------+-------------+-----------------------------------------------`
	`88`	`+ column \| t3.t \| unconfined_u:object_r:user_sepgsql_table_t:s0`
	`89`	`+ column \| t3.s \| unconfined_u:object_r:user_sepgsql_table_t:s0`
	`90`	`+ column \| t3.ctid \| unconfined_u:object_r:user_sepgsql_table_t:s0`
	`91`	`+ column \| t3.xmin \| unconfined_u:object_r:user_sepgsql_table_t:s0`
	`92`	`+ column \| t3.cmin \| unconfined_u:object_r:user_sepgsql_table_t:s0`
	`93`	`+ column \| t3.xmax \| unconfined_u:object_r:user_sepgsql_table_t:s0`
	`94`	`+ column \| t3.cmax \| unconfined_u:object_r:user_sepgsql_table_t:s0`
	`95`	`+ column \| t3.tableoid \| unconfined_u:object_r:user_sepgsql_table_t:s0`
	`96`	`+ column \| t4.n \| unconfined_u:object_r:sepgsql_table_t:s0`
	`97`	`+ column \| t4.m \| unconfined_u:object_r:sepgsql_table_t:s0`
	`98`	`+ column \| t4.ctid \| unconfined_u:object_r:sepgsql_sysobj_t:s0`
	`99`	`+ column \| t4.xmin \| unconfined_u:object_r:sepgsql_sysobj_t:s0`
	`100`	`+ column \| t4.cmin \| unconfined_u:object_r:sepgsql_sysobj_t:s0`
	`101`	`+ column \| t4.xmax \| unconfined_u:object_r:sepgsql_sysobj_t:s0`
	`102`	`+ column \| t4.cmax \| unconfined_u:object_r:sepgsql_sysobj_t:s0`
	`103`	`+ column \| t4.tableoid \| unconfined_u:object_r:sepgsql_sysobj_t:s0`
	`104`	`+(16 rows)`
	`105`	`+`
`78`	`106`	`--`
`79`	`107`	`-- Tests for SECURITY LABEL`
`80`	`108`	`--`
`@@ -456,6 +484,7 @@ SELECT sepgsql_getcon();-- confirm client privilege`
`456`	`484`	`DROP TABLE IF EXISTS t1 CASCADE;`
`457`	`485`	`DROP TABLE IF EXISTS t2 CASCADE;`
`458`	`486`	`DROP TABLE IF EXISTS t3 CASCADE;`
	`487`	`+DROP TABLE IF EXISTS t4 CASCADE;`
`459`	`488`	`DROP FUNCTION IF EXISTS f1() CASCADE;`
`460`	`489`	`DROP FUNCTION IF EXISTS f2() CASCADE;`
`461`	`490`	`DROP FUNCTION IF EXISTS f3() CASCADE;`

`‎contrib/sepgsql/proc.c`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -95,7 +95,8 @@ sepgsql_proc_post_create(Oid functionId)`
`95`	`95`	`tcontext=sepgsql_get_label(NamespaceRelationId,`
`96`	`96`	`proForm->pronamespace,0);`
`97`	`97`	`ncontext=sepgsql_compute_create(scontext,tcontext,`
`98`		`-SEPG_CLASS_DB_PROCEDURE);`
	`98`	`+SEPG_CLASS_DB_PROCEDURE,`
	`99`	`+NameStr(proForm->proname));`
`99`	`100`
`100`	`101`	`/*`
`101`	`102`	`* check db_procedure:{create (install)} permission`

`‎contrib/sepgsql/relation.c`

Lines changed: 6 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -88,7 +88,8 @@ sepgsql_attribute_post_create(Oid relOid, AttrNumber attnum)`
`88`	`88`	`scontext=sepgsql_get_client_label();`
`89`	`89`	`tcontext=sepgsql_get_label(RelationRelationId,relOid,0);`
`90`	`90`	`ncontext=sepgsql_compute_create(scontext,tcontext,`
`91`		`-SEPG_CLASS_DB_COLUMN);`
	`91`	`+SEPG_CLASS_DB_COLUMN,`
	`92`	`+NameStr(attForm->attname));`
`92`	`93`
`93`	`94`	`/*`
`94`	`95`	`* check db_column:{create} permission`
`@@ -309,7 +310,8 @@ sepgsql_relation_post_create(Oid relOid)`
`309`	`310`	`scontext=sepgsql_get_client_label();`
`310`	`311`	`tcontext=sepgsql_get_label(NamespaceRelationId,`
`311`	`312`	`classForm->relnamespace,0);`
`312`		`-rcontext=sepgsql_compute_create(scontext,tcontext,tclass);`
	`313`	`+rcontext=sepgsql_compute_create(scontext,tcontext,tclass,`
	`314`	`+NameStr(classForm->relname));`
`313`	`315`
`314`	`316`	`/*`
`315`	`317`	`* check db_xxx:{create} permission`
`@@ -363,7 +365,8 @@ sepgsql_relation_post_create(Oid relOid)`
`363`	`365`
`364`	`366`	`ccontext=sepgsql_compute_create(scontext,`
`365`	`367`	`rcontext,`
`366`		`-SEPG_CLASS_DB_COLUMN);`
	`368`	`+SEPG_CLASS_DB_COLUMN,`
	`369`	`+NameStr(attForm->attname));`
`367`	`370`
`368`	`371`	`/*`
`369`	`372`	`* check db_column:{create} permission`

`‎contrib/sepgsql/schema.c`

Lines changed: 9 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,7 @@ sepgsql_schema_post_create(Oid namespaceId)`
`42`	`42`	`char*tcontext;`
`43`	`43`	`char*ncontext;`
`44`	`44`	`charaudit_name[NAMEDATALEN+20];`
	`45`	`+constchar*nsp_name;`
`45`	`46`	`ObjectAddressobject;`
`46`	`47`	`Form_pg_namespacenspForm;`
`47`	`48`
`@@ -67,17 +68,21 @@ sepgsql_schema_post_create(Oid namespaceId)`
`67`	`68`	`elog(ERROR,"catalog lookup failed for namespace %u",namespaceId);`
`68`	`69`
`69`	`70`	`nspForm= (Form_pg_namespace)GETSTRUCT(tuple);`
	`71`	`+nsp_name=NameStr(nspForm->nspname);`
	`72`	`+if (strncmp(nsp_name,"pg_temp_",8)==0)`
	`73`	`+nsp_name="pg_temp";`
	`74`	`+elseif (strncmp(nsp_name,"pg_toast_temp_",14)==0)`
	`75`	`+nsp_name="pg_toast_temp";`
`70`	`76`
`71`	`77`	`tcontext=sepgsql_get_label(DatabaseRelationId,MyDatabaseId,0);`
`72`	`78`	`ncontext=sepgsql_compute_create(sepgsql_get_client_label(),`
`73`	`79`	`tcontext,`
`74`		`-SEPG_CLASS_DB_SCHEMA);`
`75`		`-`
	`80`	`+SEPG_CLASS_DB_SCHEMA,`
	`81`	`+nsp_name);`
`76`	`82`	`/*`
`77`	`83`	`* check db_schema:{create}`
`78`	`84`	`*/`
`79`		`-snprintf(audit_name,sizeof(audit_name),`
`80`		`-"schema %s",NameStr(nspForm->nspname));`
	`85`	`+snprintf(audit_name,sizeof(audit_name),"schema %s",nsp_name);`
`81`	`86`	`sepgsql_avc_check_perms_label(ncontext,`
`82`	`87`	`SEPG_CLASS_DB_SCHEMA,`
`83`	`88`	`SEPG_DB_SCHEMA__CREATE,`

`‎contrib/sepgsql/selinux.c`

Lines changed: 7 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -836,7 +836,8 @@ sepgsql_compute_avd(const char *scontext,`
`836`	`836`	`char*`
`837`	`837`	`sepgsql_compute_create(constchar*scontext,`
`838`	`838`	`constchar*tcontext,`
`839`		`-uint16tclass)`
	`839`	`+uint16tclass,`
	`840`	`+constchar*objname)`
`840`	`841`	`{`
`841`	`842`	`security_context_tncontext;`
`842`	`843`	`security_class_ttclass_ex;`
`@@ -853,9 +854,11 @@ sepgsql_compute_create(const char *scontext,`
`853`	`854`	`* Ask SELinux what is the default context for the given object class on a`
`854`	`855`	`* pair of security contexts`
`855`	`856`	`*/`
`856`		`-if (security_compute_create_raw((security_context_t)scontext,`
`857`		`-(security_context_t)tcontext,`
`858`		`-tclass_ex,&ncontext)<0)`
	`857`	`+if (security_compute_create_name_raw((security_context_t)scontext,`
	`858`	`+ (security_context_t)tcontext,`
	`859`	`+tclass_ex,`
	`860`	`+objname,`
	`861`	`+&ncontext)<0)`
`859`	`862`	`ereport(ERROR,`
`860`	`863`	`(errcode(ERRCODE_INTERNAL_ERROR),`
`861`	`864`	`errmsg("SELinux could not compute a new context: "`

`‎contrib/sepgsql/sepgsql-regtest.te`

Lines changed: 16 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-policy_module(sepgsql-regtest,1.04)`
	`1`	`+policy_module(sepgsql-regtest,1.05)`
`2`	`2`
`3`	`3`	gen_require(`
`4`	`4`	`all_userspace_class_perms`
`@@ -43,6 +43,21 @@ allow sepgsql_regtest_dba_t sepgsql_regtest_user_t : process { dyntransition };`
`43`	`43`	`allow sepgsql_regtest_dba_t sepgsql_regtest_foo_t : process { dyntransition };`
`44`	`44`	`allow sepgsql_regtest_dba_t sepgsql_regtest_var_t : process { dyntransition };`
`45`	`45`
	`46`	`+# special rule for system columns`
	`47`	+optional_policy(`
	`48`	+gen_require(`
	`49`	`+attributesepgsql_table_type;`
	`50`	`+typesepgsql_sysobj_t;`
	`51`	`+')`
	`52`	`+type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "ctid";`
	`53`	`+type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "oid";`
	`54`	`+type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "xmin";`
	`55`	`+type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "xmax";`
	`56`	`+type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "cmin";`
	`57`	`+type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "cmax";`
	`58`	`+type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "tableoid";`
	`59`	`+')`
	`60`	`+`
`46`	`61`	`#`
`47`	`62`	`# Dummy domain for unpriv users`
`48`	`63`	`#`

`‎contrib/sepgsql/sepgsql.h`

Lines changed: 2 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -239,7 +239,8 @@ extern void sepgsql_compute_avd(const char *scontext,`
`239`	`239`
`240`	`240`	`externcharsepgsql_compute_create(constcharscontext,`
`241`	`241`	`constchar*tcontext,`
`242`		`-uint16tclass);`
	`242`	`+uint16tclass,`
	`243`	`+constchar*objname);`
`243`	`244`
`244`	`245`	`externboolsepgsql_check_perms(constchar*scontext,`
`245`	`246`	`constchar*tcontext,`

`‎contrib/sepgsql/sql/label.sql`

Lines changed: 8 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -71,10 +71,14 @@ SECURITY LABEL ON TABLE var_tbl`
`71`	`71`	`CREATETABLEt3 (sint, ttext);`
`72`	`72`	`INSERT INTO t3VALUES (1,'sss'), (2,'ttt'), (3,'uuu');`
`73`	`73`
	`74`	`+-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0`
	`75`	`+CREATETABLEt4 (mint, ntext);`
	`76`	`+INSERT INTO t4VALUES (1,'mmm'), (2,'nnn'), (3,'ooo');`
	`77`	`+`
	`78`	`+SELECT objtype, objname, labelFROM pg_seclabels`
	`79`	`+WHERE provider='selinux'AND objtype='table'AND objnamein ('t1','t2','t3');`
`74`	`80`	`SELECT objtype, objname, labelFROM pg_seclabels`
`75`		`-WHERE provider='selinux'`
`76`		`-AND objtypein ('table','column')`
`77`		`-AND objnamein ('t1','t2','t3');`
	`81`	`+WHERE provider='selinux'AND objtype='column'AND (objnamelike't3.%'OR objnamelike't4.%');`
`78`	`82`
`79`	`83`	`--`
`80`	`84`	`-- Tests for SECURITY LABEL`
`@@ -229,6 +233,7 @@ SELECT sepgsql_getcon();`
`229`	`233`	`DROPTABLE IF EXISTS t1 CASCADE;`
`230`	`234`	`DROPTABLE IF EXISTS t2 CASCADE;`
`231`	`235`	`DROPTABLE IF EXISTS t3 CASCADE;`
	`236`	`+DROPTABLE IF EXISTS t4 CASCADE;`
`232`	`237`	`DROPFUNCTION IF EXISTS f1() CASCADE;`
`233`	`238`	`DROPFUNCTION IF EXISTS f2() CASCADE;`
`234`	`239`	`DROPFUNCTION IF EXISTS f3() CASCADE;`

`‎contrib/sepgsql/uavc.c`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -250,10 +250,10 @@ sepgsql_avc_compute(const char scontext, const char tcontext, uint16 tclass)`
`250`	`250`	`{`
`251`	`251`	`if (!ucontext)`
`252`	`252`	`ncontext=sepgsql_compute_create(scontext,tcontext,`
`253`		`-SEPG_CLASS_PROCESS);`
	`253`	`+SEPG_CLASS_PROCESS,NULL);`
`254`	`254`	`else`
`255`	`255`	`ncontext=sepgsql_compute_create(scontext,ucontext,`
`256`		`-SEPG_CLASS_PROCESS);`
	`256`	`+SEPG_CLASS_PROCESS,NULL);`
`257`	`257`	`if (strcmp(scontext,ncontext)==0)`
`258`	`258`	`{`
`259`	`259`	`pfree(ncontext);`

`‎doc/src/sgml/sepgsql.sgml`

Lines changed: 4 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@`
`63`	`63`	`<filename>sepgsql</> can only be used on <productname>Linux</productname>`
`64`	`64`	`2.6.28 or higher with <productname>SELinux</productname> enabled.`
`65`	`65`	`It is not available on any other platform. You will also need`
`66`		`- <productname>libselinux</> 2.0.99 or higher and`
	`66`	`+ <productname>libselinux</> 2.1.10 or higher and`
`67`	`67`	`<productname>selinux-policy</> 3.9.13 or higher (although some`
`68`	`68`	`distributions may backport the necessary rules into older policy`
`69`	`69`	`versions).`
`@@ -326,8 +326,9 @@ $ sudo semodule -r sepgsql-regtest`
`326`	`326`	`When <filename>sepgsql</filename> is in use, security labels are`
`327`	`327`	`automatically assigned to supported database objects at creation time.`
`328`	`328`	`This label is called a default security label, and is decided according`
`329`		`- to the system security policy, which takes as input the creator's label`
`330`		`- and the label assigned to the new object's parent object.`
	`329`	`+ to the system security policy, which takes as input the creator's label,`
	`330`	`+ the label assigned to the new object's parent object and optionally name`
	`331`	`+ of the constructed object.`
`331`	`332`	`</para>`
`332`	`333`
`333`	`334`	`<para>`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit0f05840

File tree

13 files changed

13 files changed

`‎configure`

`‎configure.in`

`‎contrib/sepgsql/database.c`

`‎contrib/sepgsql/expected/label.out`

`‎contrib/sepgsql/proc.c`

`‎contrib/sepgsql/relation.c`

`‎contrib/sepgsql/schema.c`

`‎contrib/sepgsql/selinux.c`

`‎contrib/sepgsql/sepgsql-regtest.te`

`‎contrib/sepgsql/sepgsql.h`

`‎contrib/sepgsql/sql/label.sql`

`‎contrib/sepgsql/uavc.c`

`‎doc/src/sgml/sepgsql.sgml`

0 commit comments