Thread

  1. [v9.2] "database" object class of contrib/sepgsql

    Kohei KaiGai <kaigai@kaigai.gr.jp> — 2011-09-12T09:45:04Z

    The attached patch is a portion that we split off when we added
    the pg_shseclabel system catalog.
    
    It enables contrib/sepgsql to assign a security label on pg_database
    objects, which are utilized as a basis to compute the default security
    label of a schema object.
    Currently, we have an ugly assumption that all the pg_database entries
    are labeled as "system_u:object_r:sepgsql_db_t:s0", and the default
    security label of a schema is computed based on this assumption. See
    sepgsql_schema_post_create() in sepgsql/schema.c.
    
    It also enables initial labeling at sepgsql_restorecon() and
    permission checks on relabeling; however, nothing is checked any
    more.
    
    Thanks,
    -- 
    KaiGai Kohei <kaigai@kaigai.gr.jp>
    
  2. Re: [v9.2] "database" object class of contrib/sepgsql

    Robert Haas <robertmhaas@gmail.com> — 2011-09-23T21:11:39Z

    On Mon, Sep 12, 2011 at 5:45 AM, Kohei KaiGai <kaigai@kaigai.gr.jp> wrote:
    > The attached patch is a portion that we split off when we added
    > the pg_shseclabel system catalog.
    >
    > It enables contrib/sepgsql to assign a security label on pg_database
    > objects, which are utilized as a basis to compute the default security
    > label of a schema object.
    
    Committed, although the fact that it didn't compile until I made
    schema.c include pg_database.h makes me wonder how thoroughly you
    tested this.
    
    -- 
    Robert Haas
    EnterpriseDB: http://www.enterprisedb.com
    The Enterprise PostgreSQL Company
    
    
  3. Re: [v9.2] "database" object class of contrib/sepgsql

    Kohei KaiGai <kaigai@kaigai.gr.jp> — 2011-09-25T19:33:22Z

    2011/9/23 Robert Haas <robertmhaas@gmail.com>:
    > On Mon, Sep 12, 2011 at 5:45 AM, Kohei KaiGai <kaigai@kaigai.gr.jp> wrote:
    >> The attached patch is a portion that we split off when we added
    >> the pg_shseclabel system catalog.
    >>
    >> It enables contrib/sepgsql to assign a security label on pg_database
    >> objects, which are utilized as a basis to compute the default security
    >> label of a schema object.
    >
    > Committed, although the fact that it didn't compile until I made
    > schema.c include pg_database.h makes me wonder how thoroughly you
    > tested this.
    >
    Hmm... As I usually do, I might have built the module and run the
    installation script and regression test when I submitted this patch.
    However, it is a fact that I submitted a patch with an obvious miss.
    Sorry, I'll be careful to check the code being tested.
    -- 
    KaiGai Kohei <kaigai@kaigai.gr.jp>