[v9.2] "database" object class of contrib/sepgsql
From: Kohei KaiGai <kaigai@kaigai.gr.jp>
To: PgHacker <pgsql-hackers@postgresql.org>
Date: 2011-09-12T09:45:04Z
Lists: pgsql-hackers
Attachments
- pgsql-v9.2-sepgsql-database.v1.patch (application/octet-stream) patch v9
The attached patch is a portion that we split off when we added the pg_shseclabel system catalog.

It enables contrib/sepgsql to assign security labels on pg_database objects, which are utilized as a basis to compute the default security label of a schema object.

Currently, we have an ugly assumption that all the pg_database entries are labeled as "system_u:object_r:sepgsql_db_t:s0", and the default security label of a schema is computed based on this assumption. See sepgsql_schema_post_create() in sepgsql/schema.c.

It also enables initial labeling at sepgsql_restorecon() and permission checks on relabeling; however, nothing is checked any more.

Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>