Commit Graph

8 Commits

Author SHA1 Message Date
Robert Haas
0bf5c548d6 sepgsql: One more getObjectIdentity in lieu of getObjectDescription.
KaiGai Kohei, based on a suggestion from Álvaro Herrera
2013-04-17 09:52:59 -04:00
Robert Haas
f8a54e936b sepgsql: Enforce db_procedure:{execute} permission.
To do this, we add an additional object access hook type,
OAT_FUNCTION_EXECUTE.

KaiGai Kohei
2013-04-12 08:58:01 -04:00
Robert Haas
0f05840bf4 Allow sepgsql labels to depend on object name.
The main change here is to call security_compute_create_name_raw()
rather than security_compute_create_raw().  This ups the minimum
requirement for libselinux from 2.0.99 to 2.1.10, but it looks
like most distributions will have picked that up before 9.3 is out.

KaiGai Kohei
2013-03-28 15:41:38 -04:00
Robert Haas
8fbe5a317d Fix error message for COMMENT/SECURITY LABEL ON COLUMN xxx IS 'yyy'
When the column name is an unqualified name, rather than table.column,
the error message complains about too many dotted names, which is
wrong.  Report by Peter Eisentraut based on examination of the
sepgsql regression test output, but the problem also affects COMMENT.
New wording as suggested by Tom Lane.
2012-05-22 11:23:36 -04:00
Robert Haas
523176cbf1 sepgsql_setcon().
This is intended as infrastructure to allow sepgsql to cooperate with
connection pooling software, by allowing the effective security label
to be set for each new connection.

KaiGai Kohei, reviewed by Yeb Havinga.
2012-03-15 16:08:40 -04:00
Robert Haas
595a441ae9 Add missing check on invocation of trusted procedures.
KaiGai Kohei
2011-04-04 13:25:42 -04:00
Robert Haas
c7689ee733 Various sepgsql corrections.
KaiGai Kohei
2011-02-02 23:39:43 -05:00
Robert Haas
968bc6fac9 sepgsql, an SE-Linux integration for PostgreSQL
This is still pretty rough - among other things, the documentation
needs work, and the messages need a visit from the style police -
but this gets the basic framework in place.

KaiGai Kohei
2011-01-23 20:48:27 -05:00