author | Joe Conway <mail@joeconway.com> | 2015-09-22 14:58:38 -0700 |
---|---|---|
committer | Joe Conway <mail@joeconway.com> | 2015-09-22 14:58:38 -0700 |
commit | e90a629e126b9459b1f1d8ee8aa8c8598dc36b16 (patch) | |
tree | 0d28e0cf92b8e9e6d91dec886fa781cdace4a8c0 /contrib/sepgsql/hooks.c | |
parent | 11b44d1cf65bcd59f0a827e1ffab1f1bba1cd1e2 (diff) |
Fix sepgsql regression tests (9.2-only patch).

The regression tests for sepgsql were broken by changes in the
base distro as-shipped policies. Specifically, definition of
unconfined_t in the system default policy was changed to bypass
multi-category rules, which the regression test depended on.

Fix that by defining a custom privileged domain
(sepgsql_regtest_superuser_t) and using it instead of system's
unconfined_t domain. The new sepgsql_regtest_superuser_t domain
performs almost like the current unconfined_t, but restricted by
multi-category policy as the traditional unconfined_t was.

The custom policy module is a self defined domain, and so should not
be affected by related future system policy changes. However, it still
uses the unconfined_u:unconfined_r pair for selinux-user and role.
Those definitions have not been changed for several years and seem
less risky to rely on than the unconfined_t domain. Additionally, if
we define custom user/role, they would need to be manually defined
at the operating system level, adding more complexity to an already
non-standard and complex regression test.

Applies only to 9.2. Unlike the previous similar patch, commit 794e2558b,
this also fixes a bug related to processing SELECT INTO statement.
Because v9.2 didn't have ObjectAccessPostCreate to inform the context
when a relation is newly created, sepgsql had an alternative method.
However, related code in sepgsql_object_access() neglected to consider
T_CreateTableAsStmt, thus no label was assigned on the new relation.
This logic was removed and replaced starting in 9.3.

Patch by Kohei KaiGai.
Diffstat (limited to 'contrib/sepgsql/hooks.c')
-rw-r--r-- | contrib/sepgsql/hooks.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/contrib/sepgsql/hooks.c b/contrib/sepgsql/hooks.c index 914519109c8..6bd2de631ed 100644 --- a/contrib/sepgsql/hooks.c +++ b/contrib/sepgsql/hooks.c @@ -126,6 +126,7 @@ sepgsql_object_access(ObjectAccessType access, case T_CompositeTypeStmt: case T_CreateForeignTableStmt: case T_SelectStmt: + case T_CreateTableAsStmt: sepgsql_relation_post_create(objectId); break; default: |
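Review bot: The new `case T_CreateTableAsStmt:` in the switch inside sepgsql_object_access() carries no comment, so nothing in the code records why this statement tag has to sit next to `T_SelectStmt` or that omitting it leaves the new relation without a security label, which is the failure the commit message describes for SELECT INTO. Add a short comment above the case list saying that every statement tag that can create a relation must be listed here, because any tag missing from the list falls to `default:` and never reaches `sepgsql_relation_post_create(objectId)`. Because the gap is a missing label rather than an error, it would also help to have the regression suite check the label on a relation created by SELECT INTO, so that a tag dropped from this list shows up as a test failure.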