Thread: [v9.2] "database" object class of contrib/sepgsql

[v9.2] "database" object class of contrib/sepgsql

From

Kohei KaiGai

Date:

12 September 2011, 09:45:12

The attached patch is a portion that we splitted off when we added
pg_shseclabel system catalog.

It enables the control/sepgsql to assign security label on pg_database
objects that are utilized as a basis to compute a default security
label of schema object.
Currently, we have an ugly assumption that all the pg_database entries
are labeled as "system_u:object_r:sepgsql_db_t:s0", and default
security label of schema is computed based on this assumption. See,
sepgsql_schema_post_create() in sepgsql/schema.c

It also enables initial labeling at sepgsql_restorecon() and
permission checks on relabeling, however, nothing are checked any
more.

Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>

Attachment

pgsql-v9.2-sepgsql-database.v1.patch

Re: [v9.2] "database" object class of contrib/sepgsql

From

Robert Haas

Date:

23 September 2011, 21:11:49

On Mon, Sep 12, 2011 at 5:45 AM, Kohei KaiGai <kaigai@kaigai.gr.jp> wrote:
> The attached patch is a portion that we splitted off when we added
> pg_shseclabel system catalog.
>
> It enables the control/sepgsql to assign security label on pg_database
> objects that are utilized as a basis to compute a default security
> label of schema object.

Committed, although the fact that it didn't compile until I made
schema.c include pg_database.h makes me wonder how thoroughly you
tested this.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Re: [v9.2] "database" object class of contrib/sepgsql

From

Kohei KaiGai

Date:

25 September 2011, 19:33:52

2011/9/23 Robert Haas <robertmhaas@gmail.com>:
> On Mon, Sep 12, 2011 at 5:45 AM, Kohei KaiGai <kaigai@kaigai.gr.jp> wrote:
>> The attached patch is a portion that we splitted off when we added
>> pg_shseclabel system catalog.
>>
>> It enables the control/sepgsql to assign security label on pg_database
>> objects that are utilized as a basis to compute a default security
>> label of schema object.
>
> Committed, although the fact that it didn't compile until I made
> schema.c include pg_database.h makes me wonder how thoroughly you
> tested this.
>
Hmm.. As I did usually, I might build the module and run installation
script and regression test when I submitted this patch.
However, it was fact I submitted a patch with an obvious miss.
Sorry, I'll be careful to check the code being tested.
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>