Update sepgsql to add mandatory access control for TRUNCATE
Joe Conway <mail@joeconway.com>
Update sepgsql to add mandatory access control for TRUNCATE
Use SELinux "db_table: { truncate }" to check if permission is granted to
TRUNCATE. Update example SELinux policy to grant needed permission for
TRUNCATE. Add new regression test to demonstrate a positive and negative
cases. Test will only be run if the loaded SELinux policy has the
"db_table: { truncate }" permission. Makes use of recent commit which added
object TRUNCATE hook. Patch by Yuli Khodorkovskiy with minor
editorialization by me. Not back-patched because the object TRUNCATE hook
was not.
Author: Yuli Khodorkovskiy
Reviewed-by: Joe Conway
Discussion: https://postgr.es/m/CAFL5wJcomybj1Xdw7qWmPJRpGuFukKgNrDb6uVBaCMgYS9dkaA%40mail.gmail.com
Files
| Path | Change | +/− |
|---|---|---|
| contrib/sepgsql/expected/truncate.out | added | +46 −0 |
| contrib/sepgsql/hooks.c | modified | +14 −0 |
| contrib/sepgsql/relation.c | modified | +40 −0 |
| contrib/sepgsql/selinux.c | modified | +3 −0 |
| contrib/sepgsql/sepgsql.h | modified | +2 −0 |
| contrib/sepgsql/sepgsql-regtest.te | modified | +8 −0 |
| contrib/sepgsql/sql/truncate.sql | added | +24 −0 |
| contrib/sepgsql/test_sepgsql | modified | +15 −1 |
Discussion
- add a MAC check for TRUNCATE 39 messages · 2019-07-24 → 2019-11-23