Update sepgsql to add mandatory access control for TRUNCATE

mirror of https://github.com/postgres/postgres.git synced 2025-07-27 12:41:57 +03:00

Use SELinux "db_table: { truncate }" to check if permission is granted to
TRUNCATE. Update example SELinux policy to grant needed permission for
TRUNCATE. Add new regression test to demonstrate a positive and negative
cases. Test will only be run if the loaded SELinux policy has the
"db_table: { truncate }" permission. Makes use of recent commit which added
object TRUNCATE hook. Patch by Yuli Khodorkovskiy with minor
editorialization by me. Not back-patched because the object TRUNCATE hook
was not.

Author: Yuli Khodorkovskiy
Reviewed-by: Joe Conway
Discussion: https://postgr.es/m/CAFL5wJcomybj1Xdw7qWmPJRpGuFukKgNrDb6uVBaCMgYS9dkaA%40mail.gmail.com

This commit is contained in:

Joe Conway

2019-11-23 10:41:52 -05:00

parent f7a2002e82

commit 4f66c93f61

8 changed files with 152 additions and 1 deletions

									
										3

contrib/sepgsql/selinux.c
									
												View File
												
				@ -359,6 +359,9 @@ static struct

							{

								"lock", SEPG_DB_TABLE__LOCK

							},

							{

								"truncate", SEPG_DB_TABLE__TRUNCATE

							},

							{

								NULL, 0UL

							},

Update sepgsql to add mandatory access control for TRUNCATE

3 contrib/sepgsql/selinux.c Unescape Escape View File

3

contrib/sepgsql/selinux.c

View File