(2011/01/27 0:25), Robert Haas wrote: > 2011/1/25 KaiGai Kohei<kai...@ak.jp.nec.com>: >> (2011/01/26 12:23), KaiGai Kohei wrote: >>>>> Yikes. On further examination, exec_object_restorecon() is pretty >>>>> bogus. Surely you need some calls to quote_literal_cstr() in there >>>>> someplace. >>>> >>> Are you concerning about the object name being supplied to >>> selabel_lookup_raw() in exec_object_restorecon()? >>> I also think this quoting you suggested is reasonable. >>> >> How about the case when the object name only contains alphabet and >> numerical characters? > > Oh, quote_literal_cstr() is the wrong function - these are > identifiers, not literals. So we should use quote_identifier(). > OK, I did with quote_identifier().
The attached patch fixes up several stuffs in sepgsql module. - The object names being supplied to selabel_lookup_raw() to lookup initial labels become qualified by quote_identifier(), if necessary. - On access violation, sepgsql_check_perms() records audit logs. It contains object name being referenced. It became generated using getObjectDescription(). - Also, sepgsql_audit_log() becomes to quote the supplied object name, because it may contains white-space. - Error messages become obtaining "%m", when the error was originated from the libselinux interfaces. It will provides DBA a hint why interactions with SELinux does not work well. - Documentation was updated to suggest users to install libselinux v2.0.93 or later, because it used newer features than ones provided in v2.0.80. - Regression Test was updated, because of error message updates. Thanks, -- KaiGai Kohei <kai...@ak.jp.nec.com>
sepgsql-v9.1-fixup.1.patch
Description: application/octect-stream
-- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
