On 03/08/2010 07:40 PM, KaiGai Kohei wrote:
> (2010/03/09 8:13), Eamon Walsh wrote:
>
>> On 03/01/2010 09:53 PM, KaiGai Kohei wrote:
>>
>>> What is the current status of the patch?
>>>
>>> Thanks,
>>>
>>
>> Can you send me a sample sepgsql_contexts file so I can test this?
>>
>
> The attached selabel-test.conf is an example specfile, and the selabel-test.c
> is a sample program to lookup an expected security context for the given name.
>
>   $ gcc selabel-test.c -o selabel-test -lselinux \
>         -I repo/selinux/libselinux/include/ \
>         -L repo/selinux/libselinux/src/
>   $ ./selabel-test selabel-test.conf db_table postgres.pg_catalog.pg_class
>   "postgres.pg_catalog.pg_class" => "system_u:object_r:sepgsql_sysobj_t:s0"
>   $ ./selabel-test selabel-test.conf db_table postgres.pg_public.my_table
>   "postgres.pg_public.my_table" => "system_u:object_r:sepgsql_table_t:s0"
>   $ ./selabel-test selabel-test.conf db_table foovarbaz
>   failed to lookup : "foovarbaz" (No such file or directory)
>
> In PostgreSQL, its namespace has the following structure:
>   <database>.<schema>.(<table>|<view>|<procedure>|...)
>
> So, the example specfile defines the following lines:
>   db_table  *.pg_catalog.*  system_u:object_r:sepgsql_sysobj_t:s0
>
> It informs all tables under the "pg_catalog" schema should be labeled as
> "system_u:object_r:sepgsql_sysobj_t:s0".
>
> Andy, in rubix, the specfile should be described as follows:
>   db_table  *.*.*.*  system_u:object_r:rubix_table_t:s0
>
> The library just does pattern matching without any assumption of database
> architecture.
>
>
> I also noticed the previous patch allows to lookup an expected security
> context for the db_tuple object class, but tuples don't have their name
> basically, so I removed it.
> And, it didn't support an upcoming db_view object class, I added it instead.
>
> Thanks,
>

This patch is missing the new files label_db.c and selabel_db.5.

Also, in the previous patch, the file selabel_db.c had two instances of
trailing whitespace: lines 20 and 55. Please fix those up and re-send.

--
Eamon Walsh
National Security Agency
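
The specfile lookup described in the quoted message, as an added example that is not part of the original thread and is not libselinux's label_db.c: a small C matcher that tests each entry's name pattern against the object name and returns the context of the first match. Matching with fnmatch(3) and no flags, first-match ordering, the name spec_lookup and the second specfile line are assumptions made for illustration.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: line 1 is quoted in the message, line 2 is an assumed catch-all. */
static const char SAMPLE_SPEC[] =
    "db_table  *.pg_catalog.*  system_u:object_r:sepgsql_sysobj_t:s0\n"
    "db_table  *.*.*           system_u:object_r:sepgsql_table_t:s0\n";

/* Copy the context of the first entry matching (cls, name) into ctx and
 * return 0; return -1 when nothing matches. */
int spec_lookup(const char *spec, const char *cls, const char *name,
                char *ctx, size_t ctxlen)
{
    for (const char *line = spec; *line; ) {
        size_t len = strcspn(line, "\n");
        char buf[320], c[32], pat[128], con[128];

        if (len < sizeof(buf)) {
            memcpy(buf, line, len);
            buf[len] = '\0';
            /* Comments, blank, overlong and malformed lines never match. */
            if (buf[0] != '#' &&
                sscanf(buf, "%31s %127s %127s", c, pat, con) == 3 &&
                strcmp(c, cls) == 0 &&
                fnmatch(pat, name, 0) == 0) {  /* flags 0: '*' spans '.' too */
                snprintf(ctx, ctxlen, "%s", con);
                return 0;
            }
        }
        line += len + (line[len] == '\n');
    }
    return -1;
}

int main(void)
{
    const char *names[] = { "postgres.pg_catalog.pg_class",
                            "postgres.pg_public.my_table", "foovarbaz" };
    char ctx[128];

    for (size_t i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        if (spec_lookup(SAMPLE_SPEC, "db_table", names[i], ctx, sizeof(ctx)) == 0)
            printf("\"%s\" => \"%s\"\n", names[i], ctx);
        else
            printf("failed to lookup : \"%s\"\n", names[i]);
    }
    return 0;
}
```

Under these assumptions a `*` can span a `.`, so `*.pg_catalog.*` does not pin "pg_catalog" to the schema position when names have more than three parts; entry order in the specfile decides which context wins.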