diff --git a/doc/src/sgml/ref/security_label.sgml b/doc/src/sgml/ref/security_label.sgml index 8a01b94..a62f02a 100644 --- a/doc/src/sgml/ref/security_label.sgml +++ b/doc/src/sgml/ref/security_label.sgml @@ -198,6 +198,36 @@ SECURITY LABEL FOR selinux ON TABLE mytable IS 'system_u:object_r:sepgsql_table_ + See Also + + These modules requires SECURITY LABEL command + for their foundation. Also see the section for more details. + + + + + + + sepgsql is a loadable module which supports label-based + mandatory access control (MAC) based on SELinux security + policy. + + + + + + + + The dummy_seclabel module exists only to support regression + testing of the SECURITY LABEL statement. It is not intended + to be used in production. + + + + + + + Compatibility There is no SECURITY LABEL command in the SQL standard. diff --git a/doc/src/sgml/sepgsql.sgml b/doc/src/sgml/sepgsql.sgml index db9b64c..4b9e1f3 100644 --- a/doc/src/sgml/sepgsql.sgml +++ b/doc/src/sgml/sepgsql.sgml @@ -96,11 +96,13 @@ Policy from config file: targeted The following instructions that assume your installation is under the - /usr/local/pgsql directory. Adjust the paths shown below as - appropriate for your installation. + /usr/local/pgsql directory and the database cluster is + under the /path/to/database directory. Adjust the paths + shown below as appropriate for your installation. +$ export PGDATA=/path/to/database $ initdb $ vi $PGDATA/postgresql.conf $ for DBNAME in template0 template1 postgres; do @@ -113,6 +115,17 @@ $ for DBNAME in template0 template1 postgres; do If the installation process completes without error, you can now start the server normally. + + + Please note that you may see the following notifications depending on + the combination of a particular version of libselinux + and selinux-policy. + +/etc/selinux/targeted/contexts/sepgsql_contexts: line 33 has invalid object type db_blobs + + It is harmless messages and already fixed. So, you can ignore these + messages or update related packages to the latest version. + @@ -124,7 +137,16 @@ $ for DBNAME in template0 template1 postgres; do - First, build and install the policy package for the regression test. + First, setup sepgsql according to + the . + We intend this regression test is run on the working system using + make installcheck, so the server system must be + correctly set up to allow current user of shell process to connect + database as superuser without authentication. + + + + Second, build and install the policy package for the regression test. The sepgsql-regtest.pp is a special purpose policy package which provides a set of rules to be allowed during the regression tests. It should be built from the policy source file @@ -149,7 +171,7 @@ sepgsql-regtest 1.03 - Second, turn on sepgsql_regression_test_mode. + Third, turn on sepgsql_regression_test_mode. We don't enable all the rules in the sepgsql-regtest.pp by default, for your system's safety. The sepgsql_regression_test_mode parameter is associated