From: KaiGai Kohei on 14 Jul 2010 01:34

The attached patch is a part of efforts to support security label on database objects. It adds statement support to manage security label of relations.

Right now, object labeling except for relations/columns is not supported, because the DML permission hook is the only chance to apply the access control decision of the ESP module.

It has the following syntax:

  ALTER TABLE <relation_expr> [ALTER [COLUMN] <column_name>] SECURITY LABEL TO '<label>';

I believe Robert's refactoring on COMMENT ON code also helps to implement security label support for various kinds of object classes. However, we need to handle relabeling on the tables particularly because of table inheritance, unlike any other object classes. So, I considered we can make progress on these works in progress separately, then we can integrate them later.

Example:

  postgres=# CREATE TABLE t (a int, b text);
  CREATE TABLE
  postgres=# ALTER TABLE t SECURITY LABEL TO 'system_u:object_r:sepgsql_table_t:s0';
  ALTER TABLE
  postgres=# ALTER TABLE t ALTER a SECURITY LABEL TO 'system_u:object_r:sepgsql_table_t:s0';
  ALTER TABLE
  postgres=# ALTER TABLE t ALTER b SECURITY LABEL TO 'system_u:object_r:sepgsql_table_t:s0:c1';
  ALTER TABLE

  [kaigai(a)saba ~]$ runcon -l s0 psql postgres
  psql (9.1devel)
  Type "help" for help.

  postgres=# set client_min_messages = log;
  SET
  postgres=# SELECT * FROM t;
  LOG:  SELinux: denied { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0:c1 tclass=db_column name=t.b
  ERROR:  SELinux: security policy violation
  postgres=# SELECT a FROM t;
   a
  ---
  (0 rows)

Thanks,
--
KaiGai Kohei <kaigai(a)ak.jp.nec.com>
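The session above shows a client running at level s0 being denied on column t.b, which was labeled s0:c1, while column a at s0 stays readable. The following is an added example (not part of the patch or of the mail) that parses denial lines in the LOG format quoted above and checks the MCS/MLS level relation between the subject and target labels, so an operator reviewing such logs can tell which denials a missing category explains. It models only the level dominance rule (sensitivity greater or equal, categories a superset); the type-enforcement part of the real sepgsql decision is not modeled, the field order of the LOG line is assumed to be fixed as shown, and the sample lines are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the format of the LOG message quoted in the mail
# (added example; not output produced by the patch).
SAMPLE_LOG = """\
LOG:  SELinux: denied { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0:c1 tclass=db_column name=t.b
LOG:  SELinux: denied { update } scontext=unconfined_u:unconfined_r:unconfined_t:s0:c1 tcontext=system_u:object_r:sepgsql_table_t:s0:c1,c3.c5 tclass=db_column name=t.c
"""

# Field order assumed as in the quoted log line: perm, scontext, tcontext, tclass, name.
DENIAL_RE = re.compile(
    r"SELinux: denied \{ (?P<perm>[\w ]+?) \} "
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) "
    r"tclass=(?P<tclass>\w+) name=(?P<name>\S+)"
)


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    sensitivity: int          # numeric part of "sN"
    categories: frozenset     # numeric parts of "cN", with "cA.cB" ranges expanded


def parse_level(level: str) -> tuple[int, frozenset]:
    """Parse an MCS/MLS level such as 's0', 's0:c1' or 's0:c1,c3.c5'.

    For a range 'low-high' only the low (current) level is used; the
    clearance half is ignored here, a simplification for this example.
    """
    current = level.split("-", 1)[0]
    sens, _, cats = current.partition(":")
    if not re.fullmatch(r"s\d+", sens):
        raise ValueError(f"bad sensitivity: {sens!r}")
    categories = set()
    for item in filter(None, cats.split(",")):
        lo, _, hi = item.partition(".")
        lo_n = int(lo[1:])
        hi_n = int(hi[1:]) if hi else lo_n
        categories.update(range(lo_n, hi_n + 1))
    return int(sens[1:]), frozenset(categories)


def parse_context(label: str) -> Context:
    """Split a 'user:role:type:level' label; the level may itself contain ':'."""
    parts = label.split(":", 3)
    if len(parts) != 4:
        raise ValueError(f"not a user:role:type:level label: {label!r}")
    sens, cats = parse_level(parts[3])
    return Context(parts[0], parts[1], parts[2], sens, cats)


def dominates(subject: Context, obj: Context) -> bool:
    """MCS/MLS dominance: subject sensitivity >= object's and categories a superset."""
    return (subject.sensitivity >= obj.sensitivity
            and subject.categories >= obj.categories)


def parse_denials(log_text: str) -> list[dict]:
    """Turn denial lines into records, flagging those that a level gap explains."""
    records = []
    for line in log_text.splitlines():
        m = DENIAL_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        subj = parse_context(rec["scontext"])
        obj = parse_context(rec["tcontext"])
        rec["missing_categories"] = sorted(obj.categories - subj.categories)
        rec["level_gap"] = not dominates(subj, obj)
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in parse_denials(SAMPLE_LOG):
        print(r["perm"], r["tclass"], r["name"],
              "level_gap:", r["level_gap"], "missing:", r["missing_categories"])
```

A denial with `level_gap` False would not be explained by the labels' levels alone and points at the type-enforcement rules instead, which is the distinction worth making before relabeling a column.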