From: | Denis Kirjanov <kda(at)linux-powerpc(dot)org> |
---|---|
To: | pgsql-hackers(at)postgresql(dot)org |
Cc: | alexey(at)itsirius(dot)su, Denis Kirjanov <kda(at)itsirius(dot)su> |
Subject: | [RFC] sepgsql: prohibit users to relabel objects |
Date: | 2015-04-29 13:15:22 |
Message-ID: | 1430313322-18275-1-git-send-email-kda@itsirius.su |
Lists: | pgsql-hackers |
Enforce access control on security labels defined by the admin
and prohibit users from relabeling the objects
Signed-off-by: Denis Kirjanov <kda(at)itsirius(dot)su>
---
contrib/sepgsql/label.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/contrib/sepgsql/label.c b/contrib/sepgsql/label.c
index ef7661c..470b90e 100644
--- a/contrib/sepgsql/label.c
+++ b/contrib/sepgsql/label.c
@@ -504,6 +504,11 @@ sepgsql_object_relabel(const ObjectAddress *object, const char *seclabel)
(errcode(ERRCODE_INVALID_NAME),
errmsg("SELinux: invalid security label: \"%s\"", seclabel)));
+ if (!superuser())
+ ereport(ERROR,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ errmsg("SELinux: must be superuser to relabel objects")));
+
/*
* Do actual permission checks for each object classes
*/
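Review bot: The new superuser() gate in sepgsql_object_relabel is placed before the "Do actual permission checks for each object classes" block, so for any non-superuser the per-object-class SELinux permission checks that follow are never reached; that turns relabeling into a PostgreSQL-role decision rather than an SELinux-policy decision, which is a change in sepgsql's access-control model that the commit message should state explicitly (it currently says "defined by admin" while the code checks superuser(), not who defined the label). If the intent is really "only superusers may relabel", the contrib/sepgsql documentation needs a matching update, and the error text should say so in the same terms; if the intent is to honour the SELinux policy, the check belongs in (or after) the per-class permission checks instead of short-circuiting them.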
--
1.7.10.4