rpms/sepostgresql/F-9 sepostgresql-sepgsql-8.3.4-2.patch, 1.1, 1.2 sepostgresql.init, 1.24, 1.25 sepostgresql.spec, 1.26, 1.27
KaiGai Kohei
kaigai at fedoraproject.org
Thu Oct 2 01:47:32 UTC 2008
Author: kaigai
Update of /cvs/pkgs/rpms/sepostgresql/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv26796
Modified Files:
sepostgresql-sepgsql-8.3.4-2.patch sepostgresql.init
sepostgresql.spec
Log Message:
- bugfix: "(null)" audit logs for non-cached decision making.
- A hook is added for "COPY TO/FROM <file>" cases.
sepostgresql-sepgsql-8.3.4-2.patch:
Index: sepostgresql-sepgsql-8.3.4-2.patch
===================================================================
RCS file: /cvs/pkgs/rpms/sepostgresql/F-9/sepostgresql-sepgsql-8.3.4-2.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sepostgresql-sepgsql-8.3.4-2.patch 30 Sep 2008 03:12:05 -0000 1.1
+++ sepostgresql-sepgsql-8.3.4-2.patch 2 Oct 2008 01:47:01 -0000 1.2
@@ -1617,7 +1617,7 @@
diff -rpNU3 base/src/backend/commands/copy.c sepgsql/src/backend/commands/copy.c
--- base/src/backend/commands/copy.c 2008-01-07 23:51:33.000000000 +0900
-+++ sepgsql/src/backend/commands/copy.c 2008-06-18 17:25:44.000000000 +0900
++++ sepgsql/src/backend/commands/copy.c 2008-10-01 11:19:37.000000000 +0900
@@ -22,6 +22,7 @@
#include "access/heapam.h"
@@ -1705,7 +1705,17 @@
cstate->force_notnull_flags[attnum - 1] = true;
}
}
-@@ -1305,16 +1334,29 @@ CopyTo(CopyState cstate)
+@@ -1242,6 +1271,9 @@ DoCopyTo(CopyState cstate)
+ ereport(ERROR,
+ (errcode(ERRCODE_WRONG_OBJECT_TYPE),
+ errmsg("\"%s\" is a directory", cstate->filename)));
++
++ pgaceCopyFile(cstate->rel, fileno(cstate->copy_file),
++ cstate->filename, false);
+ }
+
+ PG_TRY();
+@@ -1305,16 +1337,29 @@ CopyTo(CopyState cstate)
int attnum = lfirst_int(cur);
Oid out_func_oid;
bool isvarlena;
@@ -1738,7 +1748,7 @@
}
/*
-@@ -1369,7 +1411,14 @@ CopyTo(CopyState cstate)
+@@ -1369,7 +1414,14 @@ CopyTo(CopyState cstate)
CopySendChar(cstate, cstate->delim[0]);
hdr_delim = true;
@@ -1754,7 +1764,7 @@
CopyAttributeOutCSV(cstate, colname, false,
list_length(cstate->attnumlist) == 1);
-@@ -1395,11 +1444,17 @@ CopyTo(CopyState cstate)
+@@ -1395,11 +1447,17 @@ CopyTo(CopyState cstate)
{
CHECK_FOR_INTERRUPTS();
@@ -1773,7 +1783,7 @@
}
heap_endscan(scandesc);
-@@ -1425,7 +1480,7 @@ CopyTo(CopyState cstate)
+@@ -1425,7 +1483,7 @@ CopyTo(CopyState cstate)
* Emit one row during CopyTo().
*/
static void
@@ -1782,7 +1792,7 @@
{
bool need_delim = false;
FmgrInfo *out_functions = cstate->out_functions;
-@@ -1464,8 +1519,10 @@ CopyOneRowTo(CopyState cstate, Oid tuple
+@@ -1464,8 +1522,10 @@ CopyOneRowTo(CopyState cstate, Oid tuple
foreach(cur, cstate->attnumlist)
{
int attnum = lfirst_int(cur);
@@ -1795,7 +1805,7 @@
if (!cstate->binary)
{
-@@ -1474,6 +1531,22 @@ CopyOneRowTo(CopyState cstate, Oid tuple
+@@ -1474,6 +1534,22 @@ CopyOneRowTo(CopyState cstate, Oid tuple
need_delim = true;
}
@@ -1818,7 +1828,7 @@
if (isnull)
{
if (!cstate->binary)
-@@ -1485,11 +1558,9 @@ CopyOneRowTo(CopyState cstate, Oid tuple
+@@ -1485,11 +1561,9 @@ CopyOneRowTo(CopyState cstate, Oid tuple
{
if (!cstate->binary)
{
@@ -1832,7 +1842,7 @@
list_length(cstate->attnumlist) == 1);
else
CopyAttributeOutText(cstate, string);
-@@ -1498,8 +1569,7 @@ CopyOneRowTo(CopyState cstate, Oid tuple
+@@ -1498,8 +1572,7 @@ CopyOneRowTo(CopyState cstate, Oid tuple
{
bytea *outputbytes;
@@ -1842,7 +1852,7 @@
CopySendInt32(cstate, VARSIZE(outputbytes) - VARHDRSZ);
CopySendData(cstate, VARDATA(outputbytes),
VARSIZE(outputbytes) - VARHDRSZ);
-@@ -1633,10 +1703,13 @@ CopyFrom(CopyState cstate)
+@@ -1633,10 +1706,13 @@ CopyFrom(CopyState cstate)
num_defaults;
FmgrInfo *in_functions;
FmgrInfo oid_in_function;
@@ -1856,7 +1866,17 @@
Oid in_func_oid;
Datum *values;
char *nulls;
-@@ -1872,6 +1945,25 @@ CopyFrom(CopyState cstate)
+@@ -1737,6 +1813,9 @@ CopyFrom(CopyState cstate)
+ ereport(ERROR,
+ (errcode(ERRCODE_WRONG_OBJECT_TYPE),
+ errmsg("\"%s\" is a directory", cstate->filename)));
++
++ pgaceCopyFile(cstate->rel, fileno(cstate->copy_file),
++ cstate->filename, true);
+ }
+
+ tupDesc = RelationGetDescr(cstate->rel);
+@@ -1872,6 +1951,25 @@ CopyFrom(CopyState cstate)
fmgr_info(in_func_oid, &oid_in_function);
}
@@ -1882,7 +1902,7 @@
values = (Datum *) palloc(num_phys_attrs * sizeof(Datum));
nulls = (char *) palloc(num_phys_attrs * sizeof(char));
-@@ -1904,6 +1996,7 @@ CopyFrom(CopyState cstate)
+@@ -1904,6 +2002,7 @@ CopyFrom(CopyState cstate)
{
bool skip_tuple;
Oid loaded_oid = InvalidOid;
@@ -1890,7 +1910,7 @@
CHECK_FOR_INTERRUPTS();
-@@ -1978,6 +2071,32 @@ CopyFrom(CopyState cstate)
+@@ -1978,6 +2077,32 @@ CopyFrom(CopyState cstate)
int attnum = lfirst_int(cur);
int m = attnum - 1;
@@ -1923,7 +1943,7 @@
if (fieldno >= fldct)
ereport(ERROR,
(errcode(ERRCODE_BAD_COPY_FILE_FORMAT),
-@@ -2048,6 +2167,27 @@ CopyFrom(CopyState cstate)
+@@ -2048,6 +2173,27 @@ CopyFrom(CopyState cstate)
int attnum = lfirst_int(cur);
int m = attnum - 1;
@@ -1951,7 +1971,7 @@
cstate->cur_attname = NameStr(attr[m]->attname);
i++;
values[m] = CopyReadBinaryAttribute(cstate,
-@@ -2079,6 +2219,12 @@ CopyFrom(CopyState cstate)
+@@ -2079,6 +2225,12 @@ CopyFrom(CopyState cstate)
if (cstate->oids && file_has_oids)
HeapTupleSetOid(tuple, loaded_oid);
@@ -1964,7 +1984,7 @@
/* Triggers and stuff need to be invoked in query context. */
MemoryContextSwitchTo(oldcontext);
-@@ -2102,6 +2248,9 @@ CopyFrom(CopyState cstate)
+@@ -2102,6 +2254,9 @@ CopyFrom(CopyState cstate)
}
}
@@ -1974,7 +1994,7 @@
if (!skip_tuple)
{
/* Place tuple in tuple slot */
-@@ -3364,6 +3513,18 @@ CopyGetAttnums(TupleDesc tupDesc, Relati
+@@ -3364,6 +3519,18 @@ CopyGetAttnums(TupleDesc tupDesc, Relati
break;
}
}
@@ -1993,7 +2013,7 @@
if (attnum == InvalidAttrNumber)
{
if (rel != NULL)
-@@ -3413,7 +3574,9 @@ copy_dest_receive(TupleTableSlot *slot,
+@@ -3413,7 +3580,9 @@ copy_dest_receive(TupleTableSlot *slot,
slot_getallattrs(slot);
/* And send the data */
@@ -4453,8 +4473,8 @@
+#endif /* HAVE_SELINUX */
diff -rpNU3 base/src/backend/security/sepgsql/avc.c sepgsql/src/backend/security/sepgsql/avc.c
--- base/src/backend/security/sepgsql/avc.c 1970-01-01 09:00:00.000000000 +0900
-+++ sepgsql/src/backend/security/sepgsql/avc.c 2008-09-29 19:49:07.000000000 +0900
-@@ -0,0 +1,1107 @@
++++ sepgsql/src/backend/security/sepgsql/avc.c 2008-10-01 11:04:40.000000000 +0900
+@@ -0,0 +1,1108 @@
+
+/*
+ * src/backend/security/sepgsql/avc.c
@@ -5286,6 +5306,7 @@
+ " scontext=%s tcontext=%s tclass=%s",
+ svcon, tvcon, security_class_to_string(e_tclass))));
+
++ cache.tclass = tclass;
+ cache.allowed = trans_to_internal_perms(e_tclass, avd.allowed);
+ cache.decided = trans_to_internal_perms(e_tclass, avd.decided);
+ cache.auditallow = trans_to_internal_perms(e_tclass, avd.auditallow);
@@ -7690,8 +7711,8 @@
+}
diff -rpNU3 base/src/backend/security/sepgsql/proxy.c sepgsql/src/backend/security/sepgsql/proxy.c
--- base/src/backend/security/sepgsql/proxy.c 1970-01-01 09:00:00.000000000 +0900
-+++ sepgsql/src/backend/security/sepgsql/proxy.c 2008-09-29 19:49:07.000000000 +0900
-@@ -0,0 +1,1444 @@
++++ sepgsql/src/backend/security/sepgsql/proxy.c 2008-10-01 11:19:37.000000000 +0900
+@@ -0,0 +1,1476 @@
+
+/*
+ * src/backend/security/sepgsql/proxy.c
@@ -9104,6 +9125,38 @@
+}
+
+/*
++ * sepgsqlCopyFile
++ *
++ * This function check permission whether the client can
++ * read from/write to the given file.
++ */
++void sepgsqlCopyFile(Relation rel, int fdesc, const char *filename, bool isFrom)
++{
++ security_context_t context;
++
++ if (fgetfilecon_raw(fdesc, &context) < 0)
++ ereport(ERROR,
++ (errcode(ERRCODE_SELINUX_ERROR),
++ errmsg("SELinux: could not get context of %s", filename)));
++
++ PG_TRY();
++ {
++ sepgsqlComputePermission(sepgsqlGetClientContext(),
++ context,
++ SECCLASS_FILE,
++ isFrom ? FILE__READ : FILE__WRITE,
++ filename);
++ }
++ PG_CATCH();
++ {
++ freecon(context);
++ PG_RE_THROW();
++ }
++ PG_END_TRY();
++ freecon(context);
++}
++
++/*
+ * sepgsqlCopyToTuple
+ *
+ * This function check permission to read the given tuple.
@@ -9999,8 +10052,8 @@
diff -rpNU3 base/src/include/security/pgace.h sepgsql/src/include/security/pgace.h
--- base/src/include/security/pgace.h 1970-01-01 09:00:00.000000000 +0900
-+++ sepgsql/src/include/security/pgace.h 2008-09-22 17:51:21.000000000 +0900
-@@ -0,0 +1,1202 @@
++++ sepgsql/src/include/security/pgace.h 2008-10-01 11:19:37.000000000 +0900
+@@ -0,0 +1,1225 @@
+/*
+ * include/security/pgace.h
+ * headers for PostgreSQL Access Control Extension (PGACE)
@@ -10828,6 +10881,29 @@
+}
+
+/*
++ * pgaceCopyFile
++ *
++ * This hook is invoked just after a target file is opened
++ * at COPY TO/COPY FROM statement to give the guest a chance to
++ * check whether it allows to read/write the file.
++ *
++ * arguments:
++ * - rel is the target relation of this COPY TO/FROM statement.
++ * It can be NULL, when COPY (SELECT ...) TO ... is given.
++ * - isFrom is a bool to show the direction of the COPY
++ * - fdesc is the file descriptor of the target file opened.
++ * - filename is the filename of fdesc
++ */
++static inline void
++pgaceCopyFile(Relation rel, int fdesc, const char *filename, bool isFrom)
++{
++#if defined(HAVE_SELINUX)
++ if (sepgsqlIsEnabled())
++ sepgsqlCopyFile(rel, fdesc, filename, isFrom);
++#endif
++}
++
++/*
+ * pgaceCopyToTuple
+ *
+ * This hook is invoked just before output of a fetched tuple on
@@ -11205,8 +11281,8 @@
+#endif // PGACE_H
diff -rpNU3 base/src/include/security/sepgsql.h sepgsql/src/include/security/sepgsql.h
--- base/src/include/security/sepgsql.h 1970-01-01 09:00:00.000000000 +0900
-+++ sepgsql/src/include/security/sepgsql.h 2008-09-29 19:49:07.000000000 +0900
-@@ -0,0 +1,216 @@
++++ sepgsql/src/include/security/sepgsql.h 2008-10-01 11:19:37.000000000 +0900
+@@ -0,0 +1,217 @@
+/*
+ * src/include/security/sepgsql.h
+ * headers for Security-Enhanced PostgreSQL (SE-PostgreSQL)
@@ -11324,8 +11400,9 @@
+/* COPY TO/COPY FROM statement hooks */
+extern void sepgsqlCopyTable(Relation rel, List *attnumlist, bool is_from);
+
-+extern bool sepgsqlCopyToTuple(Relation rel, List *attnumlist,
-+ HeapTuple tuple);
++extern void sepgsqlCopyFile(Relation rel, int fdesc, const char *filename, bool isFrom);
++
++extern bool sepgsqlCopyToTuple(Relation rel, List *attnumlist, HeapTuple tuple);
+
+/* Loadable shared library module hooks */
+extern void sepgsqlLoadSharedModule(const char *filename);
Index: sepostgresql.init
===================================================================
RCS file: /cvs/pkgs/rpms/sepostgresql/F-9/sepostgresql.init,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -r1.24 -r1.25
--- sepostgresql.init 30 Sep 2008 03:12:05 -0000 1.24
+++ sepostgresql.init 2 Oct 2008 01:47:01 -0000 1.25
@@ -9,7 +9,7 @@
PGVERSION="8.3.4"
PGMAJORVERSION=`echo "$PGVERSION" | sed 's/^\([0-9]*\.[0-9a-z]*\).*$/\1/'`
-SEPGVERSION="2.1067"
+SEPGVERSION="2.1076"
# source function library
. /etc/rc.d/init.d/functions
Index: sepostgresql.spec
===================================================================
RCS file: /cvs/pkgs/rpms/sepostgresql/F-9/sepostgresql.spec,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
--- sepostgresql.spec 30 Sep 2008 03:12:05 -0000 1.26
+++ sepostgresql.spec 2 Oct 2008 01:47:01 -0000 1.27
@@ -15,12 +15,14 @@
%define required_policy_version 3.4.2
%endif
+
+
%{!?ssl:%define ssl 1}
Summary: Security Enhanced PostgreSQL
Name: sepostgresql
Version: 8.3.4
-Release: 2.1067%{?sepgsql_extension}%{?dist}
+Release: 2.1076%{?sepgsql_extension}%{?dist}
License: BSD
Group: Applications/Databases
Url: http://code.google.com/p/sepgsql/
@@ -212,6 +214,10 @@
%attr(700,sepgsql,sepgsql) %dir %{_localstatedir}/lib/sepgsql/backups
%changelog
+* Thu Oct 2 2008 <kaigai at kaigai.gr.jp> - 8.3.3-2.1076
+- bugfix: "(null)" audit logs for non-cached decision making.
+- A hook is added for "COPY TO/FROM <file>" cases.
+
* Sat Sep 27 2008 <kaigai at kaigai.gr.jp> - 8.3.3-2.1066
- update base version to 8.3.4
- sepostgresql.pp was marked as obsolute
More information about the scm-commits
mailing list