Enforce access control on security labels defined by admin
and prohibit users to relabel the objects
Signed-off-by: Denis Kirjanov <kda@itsirius.su>
---contrib/sepgsql/label.c | 5 +++++1 file changed, 5 insertions(+)
diff --git a/contrib/sepgsql/label.c b/contrib/sepgsql/label.c
index ef7661c..470b90e 100644
--- a/contrib/sepgsql/label.c
+++ b/contrib/sepgsql/label.c
@@ -504,6 +504,11 @@ sepgsql_object_relabel(const ObjectAddress *object, const char *seclabel)
(errcode(ERRCODE_INVALID_NAME), errmsg("SELinux: invalid security label: \"%s\"", seclabel)));
+ if (!superuser())
+ ereport(ERROR,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ errmsg("SELinux: must be superuser to relabel objects")));
+ /* * Do actual permission checks for each object classes */
--
1.7.10.4