(2010/03/09 8:13), Eamon Walsh wrote:
> On 03/01/2010 09:53 PM, KaiGai Kohei wrote:
>>
>> What is the current status of the patch?
>>
>> Thanks,
>>
>
>
> Can you send me a sample sepgsql_contexts file so I can test this?
>

The attached selabel-test.conf is an example specfile, and the
selabel-test.c is a sample program to look up the expected security
context for a given name.

  $ gcc selabel-test.c -o selabel-test -lselinux \
        -I repo/selinux/libselinux/include/ \
        -L repo/selinux/libselinux/src/
  $ ./selabel-test selabel-test.conf db_table postgres.pg_catalog.pg_class
  "postgres.pg_catalog.pg_class" => "system_u:object_r:sepgsql_sysobj_t:s0"
  $ ./selabel-test selabel-test.conf db_table postgres.pg_public.my_table
  "postgres.pg_public.my_table" => "system_u:object_r:sepgsql_table_t:s0"
  $ ./selabel-test selabel-test.conf db_table foovarbaz
  failed to lookup : "foovarbaz" (No such file or directory)

In PostgreSQL, the namespace has the following structure:

  <database>.<schema>.(<table>|<view>|<procedure>|...)

So, the example specfile defines lines such as the following:

  db_table    *.pg_catalog.*    system_u:object_r:sepgsql_sysobj_t:s0

It states that all tables under the "pg_catalog" schema should be labeled
as "system_u:object_r:sepgsql_sysobj_t:s0".

Andy, in rubix, the specfile should be described as follows:

  db_table    *.*.*.*           system_u:object_r:rubix_table_t:s0

The library just does pattern matching without any assumption about the
database architecture.

I also noticed that the previous patch allowed looking up an expected
security context for the db_tuple object class, but tuples basically
don't have a name, so I removed it. And it didn't support the upcoming
db_view object class, so I added that instead.

Thanks,
--
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
Attachment: libselinux-selabel-sepgsql.2.patch (application/octet-stream)
selabel-test.c:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <selinux/selinux.h>
#include <selinux/label.h>

int main(int argc, char *argv[])
{
	struct selabel_handle *handle;
	struct selinux_opt options[1];
	security_context_t context;
	int tclass;

	if (argc != 4) {
		fprintf(stderr, "usage: %s <spec file> <tclass> <name>\n", argv[0]);
		return 1;
	}

	/* config file to be parsed */
	options[0].type = SELABEL_OPT_PATH;
	options[0].value = argv[1];

	handle = selabel_open(SELABEL_CTX_DB, options, 1);
	if (!handle) {
		fprintf(stderr, "selabel_open() failed : %s\n", strerror(errno));
		return 1;
	}

	/* tclass name to type value */
	if (strcmp(argv[2], "db_database") == 0)
		tclass = SELABEL_DB_DATABASE;
	else if (strcmp(argv[2], "db_schema") == 0)
		tclass = SELABEL_DB_SCHEMA;
	else if (strcmp(argv[2], "db_table") == 0)
		tclass = SELABEL_DB_TABLE;
	else if (strcmp(argv[2], "db_column") == 0)
		tclass = SELABEL_DB_COLUMN;
	else if (strcmp(argv[2], "db_sequence") == 0)
		tclass = SELABEL_DB_SEQUENCE;
	else if (strcmp(argv[2], "db_view") == 0)
		tclass = SELABEL_DB_VIEW;
	else if (strcmp(argv[2], "db_procedure") == 0)
		tclass = SELABEL_DB_PROCEDURE;
	else if (strcmp(argv[2], "db_blob") == 0)
		tclass = SELABEL_DB_BLOB;
	else {
		fprintf(stderr, "unknown object class : %s\n", argv[2]);
		return 1;
	}

	/* looking up spec file */
	if (selabel_lookup(handle, &context, argv[3], tclass) < 0) {
		fprintf(stderr, "failed to lookup : \"%s\" (%s)\n",
			argv[3], strerror(errno));
		return 1;
	}

	printf("\"%s\" => \"%s\"\n", argv[3], context);

	freecon(context);
	selabel_close(handle);

	return 0;
}
```
selabel-test.conf:

```
#
# The specfile for database objects
# (for SE-PostgreSQL)
#
# <object class>  <object name>         <security context>
#
db_database     *                   system_u:object_r:sepgsql_db_t:s0

db_schema       *.pg_catalog        system_u:object_r:sepgsql_sys_schema_t:s0
db_schema       *.*                 system_u:object_r:sepgsql_schema_t:s0

db_table        *.pg_catalog.*      system_u:object_r:sepgsql_sysobj_t:s0
db_table        *.*.*               system_u:object_r:sepgsql_table_t:s0

db_column       *.pg_catalog.*.*    system_u:object_r:sepgsql_sysobj_t:s0
db_column       *.*.*.*             system_u:object_r:sepgsql_table_t:s0

db_sequence     *.*.*               system_u:object_r:sepgsql_sequence_t:s0

db_view         *.*.*               system_u:object_r:sepgsql_view_t:s0

db_procedure    *.pg_catalog.*      system_u:object_r:sepgsql_proc_t:s0
db_procedure    *.*.*               system_u:object_r:sepgsql_user_proc_t:s0

db_blob         *.*                 system_u:object_r:sepgsql_blob_t:s0
```
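The mail says the library "just does pattern matching without any assumption of database architecture", and the three lookups above show the consequence: the more specific `*.pg_catalog.*` line has to precede the catch-all `*.*.*` line, and a name with too few dotted components matches nothing. The following stand-alone program is an added example, not KaiGai's code and not libselinux's `label_db.c`; it re-implements the specfile semantics as a small table of globs, assumes fnmatch(3)-style matching with first-match-wins ordering, and embeds a constructed subset of selabel-test.conf so it runs without libselinux or a database. The `SAMPLE_SPECFILE`, `parse_specfile()` and `db_lookup()` names are the example's own.

```c
/* Added example: a minimal re-implementation of the
 * "<object class> <object name> <security context>" specfile matching
 * described in the mail.  NOT libselinux code; it assumes fnmatch(3)
 * globbing and first-match-wins ordering, which is why the pg_catalog
 * lines must come before the catch-all lines. */
#include <errno.h>
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

#define MAX_SPECS 32

struct db_spec {
	char tclass[32];    /* object class, e.g. "db_table" */
	char pattern[128];  /* glob over the dotted object name */
	char context[128];  /* security context returned on a match */
};

static struct db_spec specs[MAX_SPECS];
static int nspecs;

/* Constructed specfile text (a subset of the posted selabel-test.conf). */
const char *SAMPLE_SPECFILE =
	"# class      name pattern      security context\n"
	"db_schema    *.pg_catalog      system_u:object_r:sepgsql_sys_schema_t:s0\n"
	"db_schema    *.*               system_u:object_r:sepgsql_schema_t:s0\n"
	"db_table     *.pg_catalog.*    system_u:object_r:sepgsql_sysobj_t:s0\n"
	"db_table     *.*.*             system_u:object_r:sepgsql_table_t:s0\n";

/* Parse the specfile text into specs[]; blank lines and lines starting
 * with '#' are ignored.  Returns the number of specs loaded, or -1. */
int parse_specfile(const char *text)
{
	char buf[2048];
	char *line;

	nspecs = 0;
	if (strlen(text) >= sizeof buf)
		return -1;
	strcpy(buf, text);              /* strtok() needs a writable copy */
	for (line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
		struct db_spec *s;

		while (*line == ' ' || *line == '\t')
			line++;
		if (*line == '\0' || *line == '#')
			continue;
		if (nspecs == MAX_SPECS)
			return -1;
		s = &specs[nspecs];
		if (sscanf(line, "%31s %127s %127s",
			   s->tclass, s->pattern, s->context) != 3)
			return -1;
		nspecs++;
	}
	return nspecs;
}

/* Look up NAME for object class TCLASS: the first spec of that class whose
 * pattern matches wins.  Otherwise return NULL with errno = ENOENT, which
 * is the "(No such file or directory)" seen in the mail's third lookup. */
const char *db_lookup(const char *tclass, const char *name)
{
	int i;

	for (i = 0; i < nspecs; i++) {
		if (strcmp(specs[i].tclass, tclass) != 0)
			continue;
		/* Plain fnmatch: '*' also crosses the '.' separators, so
		 * "*.*.*" requires at least two dots in the name. */
		if (fnmatch(specs[i].pattern, name, 0) == 0)
			return specs[i].context;
	}
	errno = ENOENT;
	return NULL;
}

int main(void)
{
	/* Constructed names reproducing the three lookups in the mail. */
	const char *names[] = {
		"postgres.pg_catalog.pg_class",
		"postgres.pg_public.my_table",
		"foovarbaz",
	};
	size_t i;

	if (parse_specfile(SAMPLE_SPECFILE) < 0) {
		fprintf(stderr, "malformed specfile\n");
		return 1;
	}
	for (i = 0; i < sizeof names / sizeof names[0]; i++) {
		const char *ctx = db_lookup("db_table", names[i]);

		if (ctx)
			printf("\"%s\" => \"%s\"\n", names[i], ctx);
		else
			printf("failed to lookup : \"%s\" (%s)\n",
			       names[i], strerror(errno));
	}
	return 0;
}
```

Swapping the two `db_table` lines in `SAMPLE_SPECFILE` makes `postgres.pg_catalog.pg_class` resolve to `sepgsql_table_t` instead of `sepgsql_sysobj_t`, which is the kind of ordering mistake worth checking for when editing a specfile by hand: the catalog objects silently lose their system label.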