Thread: [v9.2] "database" object class of contrib/sepgsql
The attached patch is a portion that we split off when we added
the pg_shseclabel system catalog.

It enables contrib/sepgsql to assign a security label on pg_database
objects that are utilized as a basis to compute a default security
label of a schema object.
Currently, we have an ugly assumption that all the pg_database entries
are labeled as "system_u:object_r:sepgsql_db_t:s0", and the default
security label of a schema is computed based on this assumption.
See sepgsql_schema_post_create() in sepgsql/schema.c.

It also enables initial labeling at sepgsql_restorecon() and permission
checks on relabeling, however, nothing is checked any more.

Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>

On Mon, Sep 12, 2011 at 5:45 AM, Kohei KaiGai <kaigai@kaigai.gr.jp> wrote:
> The attached patch is a portion that we split off when we added
> the pg_shseclabel system catalog.
>
> It enables contrib/sepgsql to assign a security label on pg_database
> objects that are utilized as a basis to compute a default security
> label of a schema object.

Committed, although the fact that it didn't compile until I made
schema.c include pg_database.h makes me wonder how thoroughly you
tested this.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

2011/9/23 Robert Haas <robertmhaas@gmail.com>:
> On Mon, Sep 12, 2011 at 5:45 AM, Kohei KaiGai <kaigai@kaigai.gr.jp> wrote:
>> The attached patch is a portion that we split off when we added
>> the pg_shseclabel system catalog.
>>
>> It enables contrib/sepgsql to assign a security label on pg_database
>> objects that are utilized as a basis to compute a default security
>> label of a schema object.
>
> Committed, although the fact that it didn't compile until I made
> schema.c include pg_database.h makes me wonder how thoroughly you
> tested this.
>
Hmm... As I usually do, I might have built the module and run the
installation script and regression test when I submitted this patch.
However, it is a fact that I submitted a patch with an obvious miss.

Sorry, I'll be careful to check the code being tested.
--
KaiGai Kohei <kaigai@kaigai.gr.jp>