From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: Eamon Walsh <ewalsh@tycho.nsa.gov>
Cc: Joshua Brindle <method@manicmethod.com>,
Andy Warner <warner@rubix.com>, selinux <selinux@tycho.nsa.gov>
Subject: Re: Some ideas in SE-PostgreSQL enhancement (Re: The status of SE-PostgreSQL)
Date: Thu, 07 May 2009 16:24:49 +0900
Message-ID: <4A028CC1.2070109@ak.jp.nec.com>
In-Reply-To: <4A023AC0.9080207@ak.jp.nec.com>
KaiGai Kohei wrote:
> Please wait for a while.
>
> As I noted before, the selabel patch tries to solve two matters.
> - The default label for the db_database class.
> - The default label for the temporary schema.
>
> If we can have a db_schema_temp class, the only remaining matter is the default
> in the db_database class. It can be solved using a file which stores a default label
> for SE-PostgreSQL's db_database objects, as run_init uses initrc_context.
>
> It makes sense to me, and it clarifies its behavior from the viewpoint of the analogy.
I would like to reserve /etc/selinux/$POLICYTYPE/context/sepgsql_context to
store the default security context for the db_database object in SE-PostgreSQL.
(I guess RUBIX can store its default in rubix_context in the same way.)
The attached patch adds a new API, selinux_sepgsql_context_path(), which
returns the pathname of the configuration file.
Please apply this one instead of the patch for selabel_lookup().
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
[-- Attachment #2: libselinux-selinux_sepgsql_context_path.patch --]
[-- Type: text/x-patch, Size: 2858 bytes --]
[PATCH] add selinux_sepgsql_context_path()
The /etc/selinux/$POLICYTYPE/context/sepgsql_context file can store a default
security context for db_database class objects in SE-PostgreSQL.
This patch adds a new API, selinux_sepgsql_context_path(), which returns
the pathname of the configuration file.
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
--
libselinux/include/selinux/selinux.h | 1 +
libselinux/src/file_path_suffixes.h | 1 +
libselinux/src/selinux_config.c | 9 ++++++++-
libselinux/src/selinux_internal.h | 1 +
4 files changed, 11 insertions(+), 1 deletions(-)
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index 0a0b195..8adbbcf 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -492,6 +492,7 @@ extern const char *selinux_users_path(void);
extern const char *selinux_usersconf_path(void);
extern const char *selinux_translations_path(void);
extern const char *selinux_colors_path(void);
+extern const char *selinux_sepgsql_context_path(void);
extern const char *selinux_netfilter_context_path(void);
extern const char *selinux_path(void);
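Review bot: the new selinux_sepgsql_context_path() prototype is added to the public header, but the diffstat above touches only the two headers, the suffix table and selinux_config.c, so no man page or other documentation is updated for it; please add an entry alongside the neighbouring selinux_*_path() functions that states what the file at that path holds (the default context for db_database objects) and that the function only builds a pathname and does not check that the file exists or is readable.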
diff --git a/libselinux/src/file_path_suffixes.h b/libselinux/src/file_path_suffixes.h
index 8d207c9..b4e13d2 100644
--- a/libselinux/src/file_path_suffixes.h
+++ b/libselinux/src/file_path_suffixes.h
@@ -20,3 +20,4 @@ S_(BINPOLICY, "/policy/policy")
S_(FILE_CONTEXTS_LOCAL, "/contexts/files/file_contexts.local")
S_(X_CONTEXTS, "/contexts/x_contexts")
S_(COLORS, "/secolor.conf")
+ S_(SEPGSQL_CONTEXT, "/contexts/sepgsql_context")
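Review bot: the suffix added here is "/contexts/sepgsql_context" (plural, consistent with X_CONTEXTS and FILE_CONTEXTS_LOCAL above), while the commit message and the covering mail both spell the location /etc/selinux/$POLICYTYPE/context/sepgsql_context; the code is the one the library will actually open, so correct the commit message to "contexts" so that policy packagers install the file where it will be found. Also note that this entry must stay the last one in the table, because selinux_config.c assigns SEPGSQL_CONTEXT the fixed index 21 directly after COLORS.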
diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
index dec5426..620a2ce 100644
--- a/libselinux/src/selinux_config.c
+++ b/libselinux/src/selinux_config.c
@@ -40,7 +40,8 @@
#define SECURETTY_TYPES 18
#define X_CONTEXTS 19
#define COLORS 20
-#define NEL 21
+#define SEPGSQL_CONTEXT 21
+#define NEL 22
/* New layout is relative to SELINUXDIR/policytype. */
static char *file_paths[NEL];
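Review bot: the index values are correct only because the new S_(SEPGSQL_CONTEXT) entry in file_path_suffixes.h was appended after COLORS, which gives it slot 21 with NEL bumped to 22; a one-line comment here (or beside the suffix table) saying that the #define order must match the S_() order would stop a later insertion in the middle of the table from silently making every subsequent selinux_*_path() return the wrong file's path.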
@@ -391,3 +392,9 @@ const char *selinux_x_context_path()
}
hidden_def(selinux_x_context_path)
+
+const char *selinux_sepgsql_context_path()
+{
+ return get_path(SEPGSQL_CONTEXT);
+}
+hidden_def(selinux_sepgsql_context_path)
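Review bot: like selinux_x_context_path() above it, the new function simply returns get_path(SEPGSQL_CONTEXT), and neither this hunk nor the commit message specifies the expected contents of sepgsql_context (a single security context on one line, as the run_init/initrc_context analogy in the mail suggests?); please state the format in the commit message or a header comment, since SE-PostgreSQL will parse this file to label db_database objects and an unspecified format invites inconsistent parsing between consumers such as SE-PostgreSQL and RUBIX.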
diff --git a/libselinux/src/selinux_internal.h b/libselinux/src/selinux_internal.h
index 24c1396..2d2beb8 100644
--- a/libselinux/src/selinux_internal.h
+++ b/libselinux/src/selinux_internal.h
@@ -77,6 +77,7 @@ hidden_proto(selinux_mkload_policy)
hidden_proto(selinux_usersconf_path);
hidden_proto(selinux_translations_path);
hidden_proto(selinux_colors_path);
+hidden_proto(selinux_sepgsql_context_path);
hidden_proto(selinux_getenforcemode);
hidden_proto(selinux_getpolicytype);
hidden_proto(selinux_raw_to_trans_context);