On 03/11/2010 08:05 PM, KaiGai Kohei wrote:
>>> Lastly, regarding tuples, I noticed the ability to label tuples was
>>> removed because tuples are not named. Would it be useful to label all
>>> tuples under an object (e.g., table) as follows? I am sure you
>>> considered this, just curious of your thoughts:
>>>
>>> db_tuple *.pg_catalog.pg_table.* system_u:object_r:sepgsql_tuple_t:s0
>>>
>>> So that all tuples under the *.pg_catalog.pg_table table would have a
>>> context of system_u:object_r:sepgsql_tuple_t:s0. Or, does the fact that
>>> you are not able to use anything other than * as the tuple's name simply
>>> make things too messy? I would assume there would be a similar issue in
>>> constructing a key value for a tuple in the call to selabel_lookup.
>>>
>> Hmm. Indeed, it makes sense.
>> I'll add db_tuple again. Please wait for a while.
>>
> The attached patch supports initial labeling of db_tuple class again.
>
> If the DBMS identifies tuples using the relation which owns the tuples,
> libselinux can return a hint of the security context to be assigned.
>

I have committed this patch and released libselinux 2.0.93.

To follow up on Andy's concerns: the patch includes the db_tuple labeling
keyword as you requested. But you also need support for db_catalog and
db_schema object classes in the policy, is that correct? I can't see any
reason not to add them, although I don't know what permissions they would
need.

--
Eamon Walsh
National Security Agency
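The thread turns on a small specfile format: one rule per line of the form `<object class> <key pattern> <security context>`, where a DBMS asks for an initial-label hint by passing an object class and a dotted name such as `database.schema.table.tuple`. The following is an added illustration of that lookup, written for this note and not libselinux's own label_db backend: the specfile contents are constructed (only `db_tuple *.pg_catalog.pg_table.* system_u:object_r:sepgsql_tuple_t:s0` comes from the thread; the other contexts are made-up placeholders), and shell-style glob matching with first-match-wins ordering is an assumption about the semantics, not something the thread states.

```python
"""Toy initial-label hint lookup for database objects.

Added example modelled on the specfile format discussed in the thread
(class, key pattern, context). It is NOT libselinux's label_db code.
Assumptions: patterns are shell-style globs (fnmatch) and the first
matching rule wins.
"""
import fnmatch
from typing import List, Optional, Tuple

Rule = Tuple[str, str, str]  # (object class, key pattern, security context)

# Constructed sample specfile. Only the db_tuple line is taken from the
# thread; the other contexts are placeholders for illustration.
SAMPLE_SPEC = """\
# <class>     <key pattern>             <context>
db_database   *                         system_u:object_r:sepgsql_db_t:s0
db_schema     *.pg_catalog              system_u:object_r:sepgsql_sys_schema_t:s0
db_table      *.pg_catalog.*            system_u:object_r:sepgsql_sysobj_t:s0
db_tuple      *.pg_catalog.pg_table.*   system_u:object_r:sepgsql_tuple_t:s0
db_table      *.*.*                     system_u:object_r:sepgsql_table_t:s0
"""


def parse_spec(text: str) -> List[Rule]:
    """Parse specfile text into rules, skipping blank and comment lines.

    A malformed line (not exactly three whitespace-separated fields) is an
    error rather than being silently ignored, so a typo cannot make an
    object fall through to a weaker default label unnoticed.
    """
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        obj_class, pattern, context = fields
        rules.append((obj_class, pattern, context))
    return rules


def lookup(rules: List[Rule], obj_class: str, key: str) -> Optional[str]:
    """Return the context hint for (obj_class, key), or None if no rule matches.

    Rules are tried in file order and the first match wins, so a more
    specific pattern must appear before a broader one (see the two db_table
    lines above). None means "no hint": the DBMS would then fall back to its
    own default rather than leaving the object unlabeled.
    """
    for rule_class, pattern, context in rules:
        if rule_class == obj_class and fnmatch.fnmatchcase(key, pattern):
            return context
    return None


if __name__ == "__main__":
    rules = parse_spec(SAMPLE_SPEC)
    for cls, key in [
        ("db_tuple", "postgres.pg_catalog.pg_table.1"),  # system tuple
        ("db_table", "postgres.pg_catalog.pg_class"),    # system table
        ("db_table", "postgres.public.employees"),       # user table
        ("db_tuple", "postgres.public.employees.42"),    # no tuple rule
    ]:
        print(f"{cls:11} {key:35} -> {lookup(rules, cls, key)}")
```

Keys for tuples are built from the owning relation plus a trailing component, which is why the thread's rule needs the fourth `*`: the DBMS cannot name an individual row, so the hint can only be expressed per relation.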