security label support, part.2 - Mailing list pgsql-hackers

From KaiGai Kohei
Subject security label support, part.2
Date
Msg-id 4C3D4C57.20901@ak.jp.nec.com
List pgsql-hackers
The attached patch is a part of efforts to support security label
on database objects.

It adds statement support to manage the security label of relations.
Right now, object labeling other than relations/columns is not
supported, because the DML permission hook is the only chance to
apply the access control decision of the ESP module.

It has the following syntax:
  ALTER TABLE <relation_expr> [ALTER [COLUMN] <column_name>]
          SECURITY LABEL TO '<label>';

I believe Robert's refactoring of the COMMENT ON code also helps to
implement security label support for various kinds of object classes.
However, we need to handle relabeling on tables in particular
because of table inheritance, unlike any other object class.
So, I considered that we can make progress on these works in progress
separately, then integrate them later.

Example:
  postgres=# CREATE TABLE t (a int, b text);
  CREATE TABLE
  postgres=# ALTER TABLE t SECURITY LABEL TO 'system_u:object_r:sepgsql_table_t:s0';
  ALTER TABLE
  postgres=# ALTER TABLE t ALTER a SECURITY LABEL TO 'system_u:object_r:sepgsql_table_t:s0';
  ALTER TABLE
  postgres=# ALTER TABLE t ALTER b SECURITY LABEL TO 'system_u:object_r:sepgsql_table_t:s0:c1';
  ALTER TABLE

  [kaigai@saba ~]$ runcon -l s0 psql postgres
  psql (9.1devel)
  Type "help" for help.

  postgres=# set client_min_messages = log;
  SET
  postgres=# SELECT * FROM t;
  LOG:  SELinux: denied { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0:c1 tclass=db_column name=t.b
  ERROR:  SELinux: security policy violation
  postgres=# SELECT a FROM t;
   a
  ---
  (0 rows)

Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>
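The denial in the session above is an MLS case: the client runs at level s0 (`runcon -l s0`) while column `b` carries `s0:c1`, so reading `t.b` is refused and the `SELECT a` that touches only the s0-labeled column succeeds. The following Python is an added example, not part of KaiGai's patch or of sepgsql: it parses the `SELinux: denied { ... } scontext=... tcontext=... tclass=... name=...` line format shown in the session (field order assumed to be exactly as logged there), splits each context into user, role, type and MLS level, and models the "no read up" dominance rule (subject sensitivity at least the object's and subject categories a superset of the object's). It ignores the type-enforcement part of the policy and does not support level ranges such as `s0-s0:c1`; both are stated simplifications, and the denial line embedded below is the post's own line with its wrap repaired.

```python
"""Parse sepgsql-style SELinux denial lines and model the MLS dominance
rule that explains the denial in the post.  Added example; the MLS model
is a simplification and ignores type enforcement."""
import re
from dataclasses import dataclass

# The denial line from the post, with the line wrap joined.
SAMPLE_DENIAL = (
    "LOG:  SELinux: denied { select } "
    "scontext=unconfined_u:unconfined_r:unconfined_t:s0 "
    "tcontext=system_u:object_r:sepgsql_table_t:s0:c1 tclass=db_column name=t.b"
)

# Field order assumed to match the log line above.
DENIAL_RE = re.compile(
    r"SELinux: denied \{ (?P<perms>[^}]*) \} "
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\S+) name=(?P<name>\S+)"
)


@dataclass(frozen=True)
class Level:
    sensitivity: int        # numeric part of sN
    categories: frozenset   # numeric parts of cN

    def dominates(self, other):
        """MLS dominance: higher-or-equal sensitivity and a superset of categories."""
        return (self.sensitivity >= other.sensitivity
                and self.categories >= other.categories)


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type_: str
    level: Level


def parse_level(text):
    """'s0' -> Level(0, {}), 's0:c1,c3.c5' -> Level(0, {1,3,4,5}).
    Level ranges ('s0-s0:c1') are rejected: single levels only (assumption)."""
    if "-" in text:
        raise ValueError("level ranges are not supported: %r" % text)
    parts = text.split(":")
    if not re.fullmatch(r"s\d+", parts[0]):
        raise ValueError("bad sensitivity: %r" % text)
    cats = set()
    if len(parts) > 1:
        for item in parts[1].split(","):
            m = re.fullmatch(r"c(\d+)(?:\.c(\d+))?", item)
            if not m:
                raise ValueError("bad category: %r" % item)
            lo = int(m.group(1))
            hi = int(m.group(2)) if m.group(2) else lo
            cats.update(range(lo, hi + 1))
    return Level(int(parts[0][1:]), frozenset(cats))


def parse_context(text):
    """'user:role:type:level' -> Context; the level may itself contain ':'."""
    user, role, typ, level = text.split(":", 3)
    return Context(user, role, typ, parse_level(level))


def parse_denial(line):
    """Return a dict of the denial's fields, or None for any other log line."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    d["subject"] = parse_context(d["scontext"])
    d["object"] = parse_context(d["tcontext"])
    return d


def mls_read_allowed(scontext, tcontext):
    """Simplified 'no read up' check: the subject's level must dominate the
    object's.  Real sepgsql decisions also consult the type-enforcement policy."""
    return parse_context(scontext).level.dominates(parse_context(tcontext).level)


def explain(line):
    """Human-readable reason for a denial, judged by the MLS rule only."""
    d = parse_denial(line)
    if d is None:
        return "not a denial line"
    ok = d["subject"].level.dominates(d["object"].level)
    return "%s on %s %s: subject level %s object level" % (
        "/".join(d["perms"]), d["tclass"], d["name"],
        "dominates" if ok else "does not dominate")


if __name__ == "__main__":
    print(explain(SAMPLE_DENIAL))
```

Running the script reports that the `select` on `db_column t.b` was denied because level `s0` does not dominate `s0:c1`, which is the same conclusion the session shows; the same parser can be pointed at a server log to group denials by `tclass` and object name when tuning labels.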
