Thread: temp table security labels

temp table security labels

From

Ted Toth

Date:

07 July 2023, 15:43:31

I'm seeing security labels set on db objects when a temporary table is
created but they don't match the labels I've configured in my
sepgsql_contexts file. Our code doesn't actually execute a "SECURITY
LABEL ..." command for the temp tables but something else must be
doing so because I see pg_temp_NNN in pg_seclabels. So I'm confused at
how the objects are being labeled, can anyone help me understand how
this is happening?

Ted

Re: temp table security labels

From

Ted Toth

Date:

07 July 2023, 16:05:05

Also AFAICT the schema created for the temp table does not get deleted
at the end of the session which also causes issues.

On Fri, Jul 7, 2023 at 7:43 AM Ted Toth <txtoth@gmail.com> wrote:
>
> I'm seeing security labels set on db objects when a temporary table is
> created but they don't match the labels I've configured in my
> sepgsql_contexts file. Our code doesn't actually execute a "SECURITY
> LABEL ..." command for the temp tables but something else must be
> doing so because I see pg_temp_NNN in pg_seclabels. So I'm confused at
> how the objects are being labeled, can anyone help me understand how
> this is happening?
>
> Ted

Re: temp table security labels

From

Ted Toth

Date:

07 July 2023, 18:44:17

I see it now sepgsql_schema_post_create is doing it ... it's just not
doing what I think it should :(

On Fri, Jul 7, 2023 at 8:05 AM Ted Toth <txtoth@gmail.com> wrote:
>
> Also AFAICT the schema created for the temp table does not get deleted
> at the end of the session which also causes issues.
>
> On Fri, Jul 7, 2023 at 7:43 AM Ted Toth <txtoth@gmail.com> wrote:
> >
> > I'm seeing security labels set on db objects when a temporary table is
> > created but they don't match the labels I've configured in my
> > sepgsql_contexts file. Our code doesn't actually execute a "SECURITY
> > LABEL ..." command for the temp tables but something else must be
> > doing so because I see pg_temp_NNN in pg_seclabels. So I'm confused at
> > how the objects are being labeled, can anyone help me understand how
> > this is happening?
> >
> > Ted

Re: temp table security labels

From

Ted Toth

Date:

07 July 2023, 18:52:13

seems to me that sepgsql_schema_post_create should be doing a
selabel_lookup and using that default label if one exists instead of
computing the label ... hmm I'll have to think about it

On Fri, Jul 7, 2023 at 10:44 AM Ted Toth <txtoth@gmail.com> wrote:
>
> I see it now sepgsql_schema_post_create is doing it ... it's just not
> doing what I think it should :(
>
> On Fri, Jul 7, 2023 at 8:05 AM Ted Toth <txtoth@gmail.com> wrote:
> >
> > Also AFAICT the schema created for the temp table does not get deleted
> > at the end of the session which also causes issues.
> >
> > On Fri, Jul 7, 2023 at 7:43 AM Ted Toth <txtoth@gmail.com> wrote:
> > >
> > > I'm seeing security labels set on db objects when a temporary table is
> > > created but they don't match the labels I've configured in my
> > > sepgsql_contexts file. Our code doesn't actually execute a "SECURITY
> > > LABEL ..." command for the temp tables but something else must be
> > > doing so because I see pg_temp_NNN in pg_seclabels. So I'm confused at
> > > how the objects are being labeled, can anyone help me understand how
> > > this is happening?
> > >
> > > Ted