Обсуждение: [RFC] sepgsql: prohibit users to relabel objects
Enforce access control on security labels defined by admin
and prohibit users to relabel the objects
Signed-off-by: Denis Kirjanov <kda@itsirius.su>
---contrib/sepgsql/label.c | 5 +++++1 file changed, 5 insertions(+)
diff --git a/contrib/sepgsql/label.c b/contrib/sepgsql/label.c
index ef7661c..470b90e 100644
--- a/contrib/sepgsql/label.c
+++ b/contrib/sepgsql/label.c
@@ -504,6 +504,11 @@ sepgsql_object_relabel(const ObjectAddress *object, const char *seclabel)
(errcode(ERRCODE_INVALID_NAME), errmsg("SELinux: invalid security label: \"%s\"", seclabel)));
+ if (!superuser())
+ ereport(ERROR,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ errmsg("SELinux: must be superuser to relabel objects")));
+ /* * Do actual permission checks for each object classes */
--
1.7.10.4
On Wed, Apr 29, 2015 at 9:15 AM, Denis Kirjanov <kda@linux-powerpc.org> wrote: > Enforce access control on security labels defined by admin > and prohibit users to relabel the objects Really? Why? I would think it's the policy's job to restrict relabel operations. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
Really? Why? I would think it's the policy's job to restrict relabel
operations.
I agree. This seems like an unnecessary change.
-Adam
Adam Brightwell - adam.brightwell@crunchydatasolutions.com
Database Engineer - www.crunchydatasolutions.com
Oh, I wasn't aware of that. Any hints where to look at? Thanks! PS: sorry for top posting. ----- Original Message ----- From: "Robert Haas" <robertmhaas@gmail.com> To: "Denis Kirjanov" <kda@linux-powerpc.org> Cc: pgsql-hackers@postgresql.org, "Alexey Zhuchkov" <alexey@itsirius.su>, "Denis Kirjanov" <kda@itsirius.su> Sent: Wednesday, April 29, 2015 9:01:36 PM Subject: Re: [HACKERS] [RFC] sepgsql: prohibit users to relabel objects On Wed, Apr 29, 2015 at 9:15 AM, Denis Kirjanov <kda@linux-powerpc.org> wrote: > Enforce access control on security labels defined by admin > and prohibit users to relabel the objects Really? Why? I would think it's the policy's job to restrict relabel operations. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company
On Thu, Apr 30, 2015 at 4:13 AM, Denis Kirjanov <kda@itsirius.su> wrote: > Oh, I wasn't aware of that. > Any hints where to look at? Unfortunately, I don't really understand in detail how to write selinux policies, so no. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company