>> Lastly, regarding tuples, I noticed the ability to label tuples was
>> removed because tuples are not named. Would it be useful to label all
>> tuples under an object (e.g., table) as follows. I am sure you
>> considered this, just curious of your thoughts:
>>
>> db_tuple *.pg_catalog.pg_table.* system_u:object_r:sepgsql_tuple_t:s0
>>
>> So that all tuples under the *.pg_catalog.pg_table table would have a
>> context of system_u:object_r:sepgsql_tuple_t:s0. Or, is the fact that
>> you are not able to use anything other than * as the tuple's name simply
>> make things too messy? I would assume there would be a similar issue in
>> constructing a key value for a tuple in the call to selabel_lookup.
>
> Hmm. Indeed, it makes sense.
> I'll add db_tuple again. Please wait for a while.

The attached patch supports initial labeling of db_tuple class again.
If DBMS identifies tuples using the relation which owns the tuples,
libselinux can return a hint of the security context to be assigned.

Below are only differences from the previous patch.

diff --git a/libselinux/include/selinux/label.h b/libselinux/include/selinux/label.h
index 60503bd..0435365 100644
--- a/libselinux/include/selinux/label.h
+++ b/libselinux/include/selinux/label.h
@@ -127,6 +127,7 @@ void selabel_stats(struct selabel_handle *handle);
 #define SELABEL_DB_VIEW 6
 #define SELABEL_DB_PROCEDURE 7
 #define SELABEL_DB_BLOB 8
+#define SELABEL_DB_TUPLE 9
 
 #ifdef __cplusplus
 }
diff --git a/libselinux/src/label_db.c b/libselinux/src/label_db.c
index 9e4f52b..e1bfab7 100644
--- a/libselinux/src/label_db.c
+++ b/libselinux/src/label_db.c
@@ -136,6 +136,8 @@ process_line(const char *path, char *line_buf, unsigned int line_num,
 		spec->type = SELABEL_DB_PROCEDURE;
 	else if (!strcmp(type, "db_blob"))
 		spec->type = SELABEL_DB_BLOB;
+	else if (!strcmp(type, "db_tuple"))
+		spec->type = SELABEL_DB_TUPLE;
 	else {
 		selinux_log(SELINUX_WARNING,
 			    "%s: line %d has invalid object type %s\n",
-- 
KaiGai Kohei <kaigai@xxxxxxxxxxxxx>
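Review bot: the label.h hunk adds `#define SELABEL_DB_TUPLE 9` without saying what key a caller is expected to pass for this class, although the cover text says tuples are identified through the relation that owns them and the quoted spec line uses a `*.schema.table.*` pattern. A short comment beside the define (or wherever the other SELABEL_DB_* keys are documented) stating that the key is the owning relation's qualified name plus a trailing tuple component would keep DBMS callers from guessing the format.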
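Review bot: the label_db.c hunk maps the `db_tuple` keyword to SELABEL_DB_TUPLE but does not check the shape of the key that follows it, even though the thread establishes that nothing other than `*` can stand in the tuple-name position. If that constraint is intended, process_line could verify that a db_tuple spec's key ends in `.*` and emit a selinux_log warning in the same style as the existing "invalid object type" branch, rather than silently loading a spec line that can never match a tuple key.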
Attachment: libselinux-selabel-sepgsql.4.patch (application/octet-stream)
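As an added example of the labeling scheme the thread describes (not code from the patch or from libselinux), the following C program keeps a table of constructed spec entries in the same `type key context` shape as the quoted `db_tuple` line, looks a `(type, key)` pair up with a first-match fnmatch(3) comparison, and builds a tuple key from the owning relation's qualified name. Everything except the `db_tuple *.pg_catalog.pg_table.* system_u:object_r:sepgsql_tuple_t:s0` entry is an assumption: the other spec lines, the `example_*_t` contexts, the key layout, and the use of fnmatch(3) for matching (how label_db.c actually matches keys is not shown on this page).

```c
/*
 * Added example, not part of the patch or of libselinux: a toy version of
 * the db specfile lookup discussed in the thread. Spec lines have the
 * shape "type key-pattern context"; a lookup matches (type, key) against
 * them in order and returns the first context that fits. fnmatch(3) is
 * used here for the pattern match; whether label_db.c matches the same
 * way is not shown on the page, so treat it as an assumption.
 */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

struct db_spec {
	const char *type;     /* object class as written in the spec file */
	const char *key;      /* pattern over the object's qualified name */
	const char *context;  /* security context to hand back as the hint */
};

/*
 * Constructed spec table (not a real sepgsql policy). Only the db_tuple
 * line for pg_catalog.pg_table is taken from the thread; the other
 * entries and the example_*_t types are made up for illustration.
 * More specific entries come first because lookup is first-match.
 */
static const struct db_spec specs[] = {
	{ "db_table", "*.pg_catalog.*",          "system_u:object_r:example_catalog_table_t:s0" },
	{ "db_table", "*.*.*",                   "system_u:object_r:example_table_t:s0" },
	{ "db_tuple", "*.pg_catalog.pg_table.*", "system_u:object_r:sepgsql_tuple_t:s0" },
	{ "db_tuple", "*.*.*.*",                 "system_u:object_r:example_tuple_t:s0" },
};

/* Return the context for (type, key), or NULL when no spec line matches. */
const char *db_lookup(const char *type, const char *key)
{
	size_t i;

	for (i = 0; i < sizeof specs / sizeof specs[0]; i++) {
		if (strcmp(specs[i].type, type) != 0)
			continue;
		/* No FNM_PATHNAME: '*' may span the '.' separators. */
		if (fnmatch(specs[i].key, key, 0) == 0)
			return specs[i].context;
	}
	return NULL;
}

/*
 * Build the key a DBMS would pass for a tuple. Tuples have no name of
 * their own, so the key is the owning relation's qualified name plus a
 * trailing "*" component, which is what a "*.schema.table.*" spec line
 * is written to match. How the real DBMS side forms this key is an
 * assumption of this example. Returns 0 on success, -1 if buf is too small.
 */
int db_tuple_key(char *buf, size_t len, const char *relation)
{
	int n = snprintf(buf, len, "%s.*", relation);

	return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
	char key[128];
	const char *queries[][2] = {
		{ "db_table", "postgres.pg_catalog.pg_table" },
		{ "db_table", "postgres.public.accounts" },
		{ "db_tuple", "postgres.pg_catalog.pg_table" }, /* no tuple component */
	};
	size_t i;

	for (i = 0; i < sizeof queries / sizeof queries[0]; i++) {
		const char *ctx = db_lookup(queries[i][0], queries[i][1]);
		printf("%-8s %-32s -> %s\n", queries[i][0], queries[i][1],
		       ctx ? ctx : "(no match)");
	}

	/* A tuple of pg_catalog.pg_table resolves to the thread's spec line. */
	if (db_tuple_key(key, sizeof key, "postgres.pg_catalog.pg_table") == 0)
		printf("%-8s %-32s -> %s\n", "db_tuple", key, db_lookup("db_tuple", key));
	return 0;
}
```

The third query shows the point raised in the quoted message: a bare relation name offered as a `db_tuple` key matches nothing, because every tuple spec line needs a final component to stand in for the unnamed tuple, so the DBMS side has to append one before calling the lookup.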