[RFC] sepgsql: prohibit users to relabel objects
| From | Denis Kirjanov |
|---|---|
| Subject | [RFC] sepgsql: prohibit users to relabel objects |
| Date | |
| Msg-id | 1430313322-18275-1-git-send-email-kda@itsirius.su |
| Replies | Re: [RFC] sepgsql: prohibit users to relabel objects |
| List | pgsql-hackers |
Enforce access control on security labels defined by the admin
and prohibit users from relabeling the objects.
Signed-off-by: Denis Kirjanov <kda@itsirius.su>
---
 contrib/sepgsql/label.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/contrib/sepgsql/label.c b/contrib/sepgsql/label.c
index ef7661c..470b90e 100644
--- a/contrib/sepgsql/label.c
+++ b/contrib/sepgsql/label.c
@@ -504,6 +504,11 @@ sepgsql_object_relabel(const ObjectAddress *object, const char *seclabel)
(errcode(ERRCODE_INVALID_NAME), errmsg("SELinux: invalid security label: \"%s\"", seclabel)));
+ if (!superuser())
+ ereport(ERROR,
+ (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+ errmsg("SELinux: must be superuser to relabel objects")));
+ /* * Do actual permission checks for each object classes */
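Review bot: the new `if (!superuser())` check sits directly above the comment "Do actual permission checks for each object classes", so for every non-superuser the per-class SELinux checks that follow become unreachable and the decision is no longer made by the loaded policy but by PostgreSQL's superuser flag; that defeats the point of delegating relabel decisions to SELinux and prevents a policy from ever granting relabel to a confined non-superuser role. If a superuser gate is really wanted, consider making it optional (e.g. behind a GUC) rather than unconditional, and move it above the preceding `ERRCODE_INVALID_NAME` ereport so an unprivileged caller is rejected before the label is validated instead of learning whether an arbitrary label string is valid.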
--
1.7.10.4