The attached patch is a portion that we splitted off when we added
pg_shseclabel system catalog.
It enables the control/sepgsql to assign security label on pg_database
objects that are utilized as a basis to compute a default security
label of schema object.
Currently, we have an ugly assumption that all the pg_database entries
are labeled as "system_u:object_r:sepgsql_db_t:s0", and default
security label of schema is computed based on this assumption. See,
sepgsql_schema_post_create() in sepgsql/schema.c
It also enables initial labeling at sepgsql_restorecon() and
permission checks on relabeling, however, nothing are checked any
more.
Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
