Enforce access control on security labels defined by admin
and prohibit users from relabeling the objects

Signed-off-by: Denis Kirjanov <k...@itsirius.su>
---
 contrib/sepgsql/label.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/contrib/sepgsql/label.c b/contrib/sepgsql/label.c
index ef7661c..470b90e 100644
--- a/contrib/sepgsql/label.c
+++ b/contrib/sepgsql/label.c
@@ -504,6 +504,11 @@ sepgsql_object_relabel(const ObjectAddress *object, const 
char *seclabel)
                                (errcode(ERRCODE_INVALID_NAME),
                           errmsg("SELinux: invalid security label: \"%s\"", 
seclabel)));
 
+       if (!superuser())
+               ereport(ERROR,
+                               (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
+                 errmsg("SELinux: must be superuser to relabel objects")));
+
        /*
         * Do actual permission checks for each object classes
         */
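Review bot: The superuser() test added just ahead of the "Do actual permission checks for each object classes" block rejects every non-superuser relabel unconditionally, so the per-object-class checks that follow never get to decide for those users. The commit message talks about "security labels defined by admin", but the new condition looks at neither the object nor seclabel, so it cannot tell an admin-assigned label from any other. If only admin-assigned labels are meant to be protected, condition the check on that, or leave the decision to the checks below. The diffstat also shows label.c as the only file changed, so the new restriction and its "must be superuser to relabel objects" error arrive without a documentation or regression test update.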
-- 
1.7.10.4