Allow sepgsql labels to depend on object name.

The main change here is to call security_compute_create_name_raw() rather than security_compute_create_raw(). This ups the minimum requirement for libselinux from 2.0.99 to 2.1.10, but it looks like most distributions will have picked that up before 9.3 is out. KaiGai Kohei
2025-07-30 11:03:19 +03:00 · 2013-03-28 15:38:35 -04:00
parent ae7f1c3ef2
commit 0f05840bf4
13 changed files with 104 additions and 40 deletions
--- a/doc/src/sgml/sepgsql.sgml
+++ b/doc/src/sgml/sepgsql.sgml
@ -63,7 +63,7 @@
    <filename>sepgsql</> can only be used on <productname>Linux</productname>
    2.6.28 or higher with <productname>SELinux</productname> enabled.
    It is not available on any other platform.  You will also need
-    <productname>libselinux</> 2.0.99 or higher and
+    <productname>libselinux</> 2.1.10 or higher and
    <productname>selinux-policy</> 3.9.13 or higher (although some
    distributions may backport the necessary rules into older policy
    versions).
@ -326,8 +326,9 @@ $ sudo semodule -r sepgsql-regtest
    When <filename>sepgsql</filename> is in use, security labels are
    automatically assigned to supported database objects at creation time.
    This label is called a default security label, and is decided according
-    to the system security policy, which takes as input the creator's label
-    and the label assigned to the new object's parent object.
+    to the system security policy, which takes as input the creator's label,
+    the label assigned to the new object's parent object and optionally name
+    of the constructed object.
   </para>

   <para>