Enforce access control on security labels defined by admin and prohibit users to relabel the objects
Signed-off-by: Denis Kirjanov <k...@itsirius.su> --- contrib/sepgsql/label.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/contrib/sepgsql/label.c b/contrib/sepgsql/label.c index ef7661c..470b90e 100644 --- a/contrib/sepgsql/label.c +++ b/contrib/sepgsql/label.c @@ -504,6 +504,11 @@ sepgsql_object_relabel(const ObjectAddress *object, const char *seclabel) (errcode(ERRCODE_INVALID_NAME), errmsg("SELinux: invalid security label: \"%s\"", seclabel))); + if (!superuser()) + ereport(ERROR, + (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE), + errmsg("SELinux: must be superuser to relabel objects"))); + /* * Do actual permission checks for each object classes */ -- 1.7.10.4 -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers