# for contrib/sepgsql
if test "$with_selinux" = yes; then
-{ $as_echo "$as_me:$LINENO: checking for selinux_status_open in -lselinux" >&5
-$as_echo_n "checking for selinux_status_open in -lselinux... " >&6; }
-if test "${ac_cv_lib_selinux_selinux_status_open+set}" = set; then
+{ $as_echo "$as_me:$LINENO: checking for security_compute_create_name in -lselinux" >&5
+$as_echo_n "checking for security_compute_create_name in -lselinux... " >&6; }
+if test "${ac_cv_lib_selinux_security_compute_create_name+set}" = set; then
$as_echo_n "(cached) " >&6
else
ac_check_lib_save_LIBS=$LIBS
#ifdef __cplusplus
extern "C"
#endif
-char selinux_status_open ();
+char security_compute_create_name ();
int
main ()
{
-return selinux_status_open ();
+return security_compute_create_name ();
;
return 0;
}
test "$cross_compiling" = yes ||
$as_test_x conftest$ac_exeext
}; then
- ac_cv_lib_selinux_selinux_status_open=yes
+ ac_cv_lib_selinux_security_compute_create_name=yes
else
$as_echo "$as_me: failed program was:" >&5
sed 's/^/| /' conftest.$ac_ext >&5
- ac_cv_lib_selinux_selinux_status_open=no
+ ac_cv_lib_selinux_security_compute_create_name=no
fi
rm -rf conftest.dSYM
conftest$ac_exeext conftest.$ac_ext
LIBS=$ac_check_lib_save_LIBS
fi
-{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_selinux_selinux_status_open" >&5
-$as_echo "$ac_cv_lib_selinux_selinux_status_open" >&6; }
-if test "x$ac_cv_lib_selinux_selinux_status_open" = x""yes; then
+{ $as_echo "$as_me:$LINENO: result: $ac_cv_lib_selinux_security_compute_create_name" >&5
+$as_echo "$ac_cv_lib_selinux_security_compute_create_name" >&6; }
+if test "x$ac_cv_lib_selinux_security_compute_create_name" = x""yes; then
cat >>confdefs.h <<_ACEOF
#define HAVE_LIBSELINUX 1
_ACEOF
LIBS="-lselinux $LIBS"
else
- { { $as_echo "$as_me:$LINENO: error: library 'libselinux', version 2.0.99 or newer, is required for SELinux support" >&5
-$as_echo "$as_me: error: library 'libselinux', version 2.0.99 or newer, is required for SELinux support" >&2;}
+ { { $as_echo "$as_me:$LINENO: error: library 'libselinux', version 2.1.10 or newer, is required for SELinux support" >&5
+$as_echo "$as_me: error: library 'libselinux', version 2.1.10 or newer, is required for SELinux support" >&2;}
{ (exit 1); exit 1; }; }
fi
# for contrib/sepgsql
if test "$with_selinux" = yes; then
- AC_CHECK_LIB(selinux, selinux_status_open, [],
- [AC_MSG_ERROR([library 'libselinux', version 2.0.99 or newer, is required for SELinux support])])
+ AC_CHECK_LIB(selinux, security_compute_create_name, [],
+ [AC_MSG_ERROR([library 'libselinux', version 2.1.10 or newer, is required for SELinux support])])
fi
# for contrib/uuid-ossp
ncontext = sepgsql_compute_create(sepgsql_get_client_label(),
tcontext,
- SEPG_CLASS_DB_DATABASE);
+ SEPG_CLASS_DB_DATABASE,
+ NameStr(datForm->datname));
/*
* check db_database:{create} permission
CREATE TABLE t3 (s int, t text);
INSERT INTO t3 VALUES (1, 'sss'), (2, 'ttt'), (3, 'uuu');
+SELECT sepgsql_getcon(); -- confirm client privilege
+ sepgsql_getcon
+----------------------------------------------------
+ unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0
+(1 row)
+
+CREATE TABLE t4 (m int, n text);
+INSERT INTO t4 VALUES (1,'mmm'), (2,'nnn'), (3,'ooo');
SELECT objtype, objname, label FROM pg_seclabels
- WHERE provider = 'selinux'
- AND objtype in ('table', 'column')
- AND objname in ('t1', 't2', 't3');
+ WHERE provider = 'selinux' AND objtype = 'table' AND objname in ('t1', 't2', 't3');
objtype | objname | label
---------+---------+-----------------------------------------------
table | t1 | unconfined_u:object_r:sepgsql_table_t:s0
table | t3 | unconfined_u:object_r:user_sepgsql_table_t:s0
(3 rows)
+SELECT objtype, objname, label FROM pg_seclabels
+ WHERE provider = 'selinux' AND objtype = 'column' AND (objname like 't3.%' OR objname like 't4.%');
+ objtype | objname | label
+---------+-------------+-----------------------------------------------
+ column | t3.t | unconfined_u:object_r:user_sepgsql_table_t:s0
+ column | t3.s | unconfined_u:object_r:user_sepgsql_table_t:s0
+ column | t3.ctid | unconfined_u:object_r:user_sepgsql_table_t:s0
+ column | t3.xmin | unconfined_u:object_r:user_sepgsql_table_t:s0
+ column | t3.cmin | unconfined_u:object_r:user_sepgsql_table_t:s0
+ column | t3.xmax | unconfined_u:object_r:user_sepgsql_table_t:s0
+ column | t3.cmax | unconfined_u:object_r:user_sepgsql_table_t:s0
+ column | t3.tableoid | unconfined_u:object_r:user_sepgsql_table_t:s0
+ column | t4.n | unconfined_u:object_r:sepgsql_table_t:s0
+ column | t4.m | unconfined_u:object_r:sepgsql_table_t:s0
+ column | t4.ctid | unconfined_u:object_r:sepgsql_sysobj_t:s0
+ column | t4.xmin | unconfined_u:object_r:sepgsql_sysobj_t:s0
+ column | t4.cmin | unconfined_u:object_r:sepgsql_sysobj_t:s0
+ column | t4.xmax | unconfined_u:object_r:sepgsql_sysobj_t:s0
+ column | t4.cmax | unconfined_u:object_r:sepgsql_sysobj_t:s0
+ column | t4.tableoid | unconfined_u:object_r:sepgsql_sysobj_t:s0
+(16 rows)
+
--
-- Tests for SECURITY LABEL
--
DROP TABLE IF EXISTS t1 CASCADE;
DROP TABLE IF EXISTS t2 CASCADE;
DROP TABLE IF EXISTS t3 CASCADE;
+DROP TABLE IF EXISTS t4 CASCADE;
DROP FUNCTION IF EXISTS f1() CASCADE;
DROP FUNCTION IF EXISTS f2() CASCADE;
DROP FUNCTION IF EXISTS f3() CASCADE;
tcontext = sepgsql_get_label(NamespaceRelationId,
proForm->pronamespace, 0);
ncontext = sepgsql_compute_create(scontext, tcontext,
- SEPG_CLASS_DB_PROCEDURE);
+ SEPG_CLASS_DB_PROCEDURE,
+ NameStr(proForm->proname));
/*
* check db_procedure:{create (install)} permission
scontext = sepgsql_get_client_label();
tcontext = sepgsql_get_label(RelationRelationId, relOid, 0);
ncontext = sepgsql_compute_create(scontext, tcontext,
- SEPG_CLASS_DB_COLUMN);
+ SEPG_CLASS_DB_COLUMN,
+ NameStr(attForm->attname));
/*
* check db_column:{create} permission
scontext = sepgsql_get_client_label();
tcontext = sepgsql_get_label(NamespaceRelationId,
classForm->relnamespace, 0);
- rcontext = sepgsql_compute_create(scontext, tcontext, tclass);
+ rcontext = sepgsql_compute_create(scontext, tcontext, tclass,
+ NameStr(classForm->relname));
/*
* check db_xxx:{create} permission
ccontext = sepgsql_compute_create(scontext,
rcontext,
- SEPG_CLASS_DB_COLUMN);
+ SEPG_CLASS_DB_COLUMN,
+ NameStr(attForm->attname));
/*
* check db_column:{create} permission
char *tcontext;
char *ncontext;
char audit_name[NAMEDATALEN + 20];
+ const char *nsp_name;
ObjectAddress object;
Form_pg_namespace nspForm;
elog(ERROR, "catalog lookup failed for namespace %u", namespaceId);
nspForm = (Form_pg_namespace) GETSTRUCT(tuple);
+ nsp_name = NameStr(nspForm->nspname);
+ if (strncmp(nsp_name, "pg_temp_", 8) == 0)
+ nsp_name = "pg_temp";
+ else if (strncmp(nsp_name, "pg_toast_temp_", 14) == 0)
+ nsp_name = "pg_toast_temp";
tcontext = sepgsql_get_label(DatabaseRelationId, MyDatabaseId, 0);
ncontext = sepgsql_compute_create(sepgsql_get_client_label(),
tcontext,
- SEPG_CLASS_DB_SCHEMA);
-
+ SEPG_CLASS_DB_SCHEMA,
+ nsp_name);
/*
* check db_schema:{create}
*/
- snprintf(audit_name, sizeof(audit_name),
- "schema %s", NameStr(nspForm->nspname));
+ snprintf(audit_name, sizeof(audit_name), "schema %s", nsp_name);
sepgsql_avc_check_perms_label(ncontext,
SEPG_CLASS_DB_SCHEMA,
SEPG_DB_SCHEMA__CREATE,
char *
sepgsql_compute_create(const char *scontext,
const char *tcontext,
- uint16 tclass)
+ uint16 tclass,
+ const char *objname)
{
security_context_t ncontext;
security_class_t tclass_ex;
* Ask SELinux what is the default context for the given object class on a
* pair of security contexts
*/
- if (security_compute_create_raw((security_context_t) scontext,
- (security_context_t) tcontext,
- tclass_ex, &ncontext) < 0)
+ if (security_compute_create_name_raw((security_context_t) scontext,
+ (security_context_t) tcontext,
+ tclass_ex,
+ objname,
+ &ncontext) < 0)
ereport(ERROR,
(errcode(ERRCODE_INTERNAL_ERROR),
errmsg("SELinux could not compute a new context: "
-policy_module(sepgsql-regtest, 1.04)
+policy_module(sepgsql-regtest, 1.05)
gen_require(`
all_userspace_class_perms
allow sepgsql_regtest_dba_t sepgsql_regtest_foo_t : process { dyntransition };
allow sepgsql_regtest_dba_t sepgsql_regtest_var_t : process { dyntransition };
+# special rule for system columns
+optional_policy(`
+ gen_require(`
+ attribute sepgsql_table_type;
+ type sepgsql_sysobj_t;
+ ')
+ type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "ctid";
+ type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "oid";
+ type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "xmin";
+ type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "xmax";
+ type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "cmin";
+ type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "cmax";
+ type_transition sepgsql_regtest_dba_t sepgsql_table_type:db_column sepgsql_sysobj_t "tableoid";
+')
+
#
# Dummy domain for unpriv users
#
extern char *sepgsql_compute_create(const char *scontext,
const char *tcontext,
- uint16 tclass);
+ uint16 tclass,
+ const char *objname);
extern bool sepgsql_check_perms(const char *scontext,
const char *tcontext,
CREATE TABLE t3 (s int, t text);
INSERT INTO t3 VALUES (1, 'sss'), (2, 'ttt'), (3, 'uuu');
+-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0
+CREATE TABLE t4 (m int, n text);
+INSERT INTO t4 VALUES (1,'mmm'), (2,'nnn'), (3,'ooo');
+
+SELECT objtype, objname, label FROM pg_seclabels
+ WHERE provider = 'selinux' AND objtype = 'table' AND objname in ('t1', 't2', 't3');
SELECT objtype, objname, label FROM pg_seclabels
- WHERE provider = 'selinux'
- AND objtype in ('table', 'column')
- AND objname in ('t1', 't2', 't3');
+ WHERE provider = 'selinux' AND objtype = 'column' AND (objname like 't3.%' OR objname like 't4.%');
--
-- Tests for SECURITY LABEL
DROP TABLE IF EXISTS t1 CASCADE;
DROP TABLE IF EXISTS t2 CASCADE;
DROP TABLE IF EXISTS t3 CASCADE;
+DROP TABLE IF EXISTS t4 CASCADE;
DROP FUNCTION IF EXISTS f1() CASCADE;
DROP FUNCTION IF EXISTS f2() CASCADE;
DROP FUNCTION IF EXISTS f3() CASCADE;
{
if (!ucontext)
ncontext = sepgsql_compute_create(scontext, tcontext,
- SEPG_CLASS_PROCESS);
+ SEPG_CLASS_PROCESS, NULL);
else
ncontext = sepgsql_compute_create(scontext, ucontext,
- SEPG_CLASS_PROCESS);
+ SEPG_CLASS_PROCESS, NULL);
if (strcmp(scontext, ncontext) == 0)
{
pfree(ncontext);
sepgsql can only be used on Linux
2.6.28 or higher with
SELinux enabled.
It is not available on any other platform. You will also need
-
libselinux 2.0.99 or higher and+
libselinux 2.1.10 or higher and selinux-policy 3.9.13 or higher (although some
distributions may backport the necessary rules into older policy
versions).
When sepgsql is in use, security labels are
automatically assigned to supported database objects at creation time.
This label is called a default security label, and is decided according
- to the system security policy, which takes as input the creator's label
- and the label assigned to the new object's parent object.
+ to the system security policy, which takes as input the creator's label,
+ the label assigned to the new object's parent object and optionally name
+ of the constructed object.
projects / postgresql.git / commitdiff