| From: | Joe Conway <mail(at)joeconway(dot)com> |
|---|---|
| To: | pgsql-committers(at)lists(dot)postgresql(dot)org |
| Subject: | pgsql: Update sepgsql to add mandatory access control for TRUNCATE |
| Date: | 2019-11-23 15:47:46 |
| Message-ID: | E1iYXdS-0000ik-Kv@gemulon.postgresql.org |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-committers |
Update sepgsql to add mandatory access control for TRUNCATE
Use SELinux "db_table: { truncate }" to check if permission is granted to
TRUNCATE. Update example SELinux policy to grant needed permission for
TRUNCATE. Add new regression test to demonstrate a positive and negative
cases. Test will only be run if the loaded SELinux policy has the
"db_table: { truncate }" permission. Makes use of recent commit which added
object TRUNCATE hook. Patch by Yuli Khodorkovskiy with minor
editorialization by me. Not back-patched because the object TRUNCATE hook
was not.
Author: Yuli Khodorkovskiy
Reviewed-by: Joe Conway
Discussion: https://postgr.es/m/CAFL5wJcomybj1Xdw7qWmPJRpGuFukKgNrDb6uVBaCMgYS9dkaA%40mail.gmail.com
Branch
------
master
Details
-------
https://git.postgresql.org/pg/commitdiff/4f66c93f61439b4db866b21cc1ecd5bf815564ef
Modified Files
--------------
contrib/sepgsql/expected/truncate.out | 46 +++++++++++++++++++++++++++++++++++
contrib/sepgsql/hooks.c | 14 +++++++++++
contrib/sepgsql/relation.c | 40 ++++++++++++++++++++++++++++++
contrib/sepgsql/selinux.c | 3 +++
contrib/sepgsql/sepgsql-regtest.te | 8 ++++++
contrib/sepgsql/sepgsql.h | 2 ++
contrib/sepgsql/sql/truncate.sql | 24 ++++++++++++++++++
contrib/sepgsql/test_sepgsql | 16 +++++++++++-
8 files changed, 152 insertions(+), 1 deletion(-)
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Alvaro Herrera | 2019-11-23 16:22:08 | pgsql: Remove debugging aid |
| Previous Message | Joe Conway | 2019-11-23 15:39:53 | pgsql: Add object TRUNCATE hook |