Lists: | pgsql-hackers |
---|
From: | Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> |
---|---|
To: | PgHacker <pgsql-hackers(at)postgresql(dot)org> |
Subject: | [v9.2] "database" object class of contrib/sepgsql |
Date: | 2011-09-12 09:45:04 |
Message-ID: | CADyhKSUOGAPMxrCkphbbP6G_AAgGjqV89pwZ5i52cnh6=TO6jQ@mail.gmail.com |
The attached patch is a portion that we split off when we added the
pg_shseclabel system catalog.
It enables contrib/sepgsql to assign a security label on pg_database
objects that are utilized as a basis to compute a default security
label of a schema object.
Currently, we have an ugly assumption that all the pg_database entries
are labeled as "system_u:object_r:sepgsql_db_t:s0", and the default
security label of a schema is computed based on this assumption. See
sepgsql_schema_post_create() in sepgsql/schema.c.
It also enables initial labeling at sepgsql_restorecon() and
permission checks on relabeling; however, nothing is checked any
more.
Thanks,
--
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
Attachment | Content-Type | Size |
---|---|---|
pgsql-v9.2-sepgsql-database.v1.patch | application/octet-stream | 8.0 KB |
From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> |
Cc: | PgHacker <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [v9.2] "database" object class of contrib/sepgsql |
Date: | 2011-09-23 21:11:39 |
Message-ID: | CA+TgmoZ+k8dYpVOfWLz3f3pEZDnv3fdk6qsAicp9trMx6t3dFA@mail.gmail.com |
On Mon, Sep 12, 2011 at 5:45 AM, Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> wrote:
> The attached patch is a portion that we split off when we added the
> pg_shseclabel system catalog.
>
> It enables contrib/sepgsql to assign a security label on pg_database
> objects that are utilized as a basis to compute a default security
> label of a schema object.
Committed, although the fact that it didn't compile until I made
schema.c include pg_database.h makes me wonder how thoroughly you
tested this.
--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
From: | Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | PgHacker <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [v9.2] "database" object class of contrib/sepgsql |
Date: | 2011-09-25 19:33:22 |
Message-ID: | CADyhKSXkeuqgk0=8kykMK=fCDzmDa9mdL2hA+P33e-26ofdYVw@mail.gmail.com |
2011/9/23 Robert Haas <robertmhaas(at)gmail(dot)com>:
> On Mon, Sep 12, 2011 at 5:45 AM, Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> wrote:
>> The attached patch is a portion that we split off when we added the
>> pg_shseclabel system catalog.
>>
>> It enables contrib/sepgsql to assign a security label on pg_database
>> objects that are utilized as a basis to compute a default security
>> label of a schema object.
>
> Committed, although the fact that it didn't compile until I made
> schema.c include pg_database.h makes me wonder how thoroughly you
> tested this.
>
Hmm... As I usually did, I might build the module and run the installation
script and regression test when I submitted this patch.
However, it was a fact that I submitted a patch with an obvious miss.
Sorry, I'll be careful to check the code being tested.
--
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>