diff options
| author | Pavan Deolasee | 2017-06-14 05:42:18 +0000 |
|---|---|---|
| committer | Pavan Deolasee | 2017-06-14 05:42:18 +0000 |
| commit | 15dd5274c323fb93e4e3ea9ad2185aaaec10f79c (patch) | |
| tree | 9dafb4c7f735d9429ea461dc792933af87493c33 /contrib/sepgsql | |
| parent | dfbb88e3bbb526dcb204b456b9e5cfd9d10d0d0a (diff) | |
| parent | d5cb3bab564e0927ffac7c8729eacf181a12dd40 (diff) | |
Merge from PG master upto d5cb3bab564e0927ffac7c8729eacf181a12dd40
This is the result of the "git merge remotes/PGSQL/master" upto the said commit
point. We have done some basic analysis, fixed compilation problems etc, but
bulk of the logical problems in conflict resolution etc will be handled by
subsequent commits.
Diffstat (limited to 'contrib/sepgsql')
| -rw-r--r-- | contrib/sepgsql/database.c | 2 | ||||
| -rw-r--r-- | contrib/sepgsql/dml.c | 5 | ||||
| -rw-r--r-- | contrib/sepgsql/expected/alter.out | 115 | ||||
| -rw-r--r-- | contrib/sepgsql/expected/ddl.out | 251 | ||||
| -rw-r--r-- | contrib/sepgsql/expected/dml.out | 212 | ||||
| -rw-r--r-- | contrib/sepgsql/expected/label.out | 159 | ||||
| -rw-r--r-- | contrib/sepgsql/expected/misc.out | 162 | ||||
| -rw-r--r-- | contrib/sepgsql/hooks.c | 19 | ||||
| -rw-r--r-- | contrib/sepgsql/label.c | 24 | ||||
| -rwxr-xr-x | contrib/sepgsql/launcher | 2 | ||||
| -rw-r--r-- | contrib/sepgsql/proc.c | 2 | ||||
| -rw-r--r-- | contrib/sepgsql/relation.c | 44 | ||||
| -rw-r--r-- | contrib/sepgsql/schema.c | 2 | ||||
| -rw-r--r-- | contrib/sepgsql/selinux.c | 4 | ||||
| -rw-r--r-- | contrib/sepgsql/sepgsql.h | 8 | ||||
| -rw-r--r-- | contrib/sepgsql/sql/alter.sql | 65 | ||||
| -rw-r--r-- | contrib/sepgsql/sql/ddl.sql | 27 | ||||
| -rw-r--r-- | contrib/sepgsql/sql/dml.sql | 124 | ||||
| -rw-r--r-- | contrib/sepgsql/sql/label.sql | 57 | ||||
| -rw-r--r-- | contrib/sepgsql/sql/misc.sql | 15 | ||||
| -rw-r--r-- | contrib/sepgsql/uavc.c | 8 |
21 files changed, 1196 insertions, 111 deletions
diff --git a/contrib/sepgsql/database.c b/contrib/sepgsql/database.c index 8fad1fc80c..69dd290a77 100644 --- a/contrib/sepgsql/database.c +++ b/contrib/sepgsql/database.c @@ -4,7 +4,7 @@ * * Routines corresponding to database objects * - * Copyright (c) 2010-2016, PostgreSQL Global Development Group + * Copyright (c) 2010-2017, PostgreSQL Global Development Group * * ------------------------------------------------------------------------- */ diff --git a/contrib/sepgsql/dml.c b/contrib/sepgsql/dml.c index d1e9f53cda..b643720e36 100644 --- a/contrib/sepgsql/dml.c +++ b/contrib/sepgsql/dml.c @@ -4,7 +4,7 @@ * * Routines to handle DML permission checks * - * Copyright (c) 2010-2016, PostgreSQL Global Development Group + * Copyright (c) 2010-2017, PostgreSQL Global Development Group * * ------------------------------------------------------------------------- */ @@ -190,6 +190,7 @@ check_relation_privileges(Oid relOid, switch (relkind) { case RELKIND_RELATION: + case RELKIND_PARTITIONED_TABLE: result = sepgsql_avc_check_perms(&object, SEPG_CLASS_DB_TABLE, required, @@ -225,7 +226,7 @@ check_relation_privileges(Oid relOid, /* * Only columns owned by relations shall be checked */ - if (relkind != RELKIND_RELATION) + if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE) return true; /* diff --git a/contrib/sepgsql/expected/alter.out b/contrib/sepgsql/expected/alter.out index fb2545fa5c..0948139f93 100644 --- a/contrib/sepgsql/expected/alter.out +++ b/contrib/sepgsql/expected/alter.out @@ -26,6 +26,13 @@ SET search_path = regtest_schema_1, regtest_schema_2, public; CREATE TABLE regtest_table_1 (a int, b text); CREATE TABLE regtest_table_2 (c text) inherits (regtest_table_1); CREATE TABLE regtest_table_3 (x int primary key, y text); +--- +-- partitioned table parent +CREATE TABLE regtest_ptable_1 (o int, p text) PARTITION BY RANGE (o); +-- partitioned table children +CREATE TABLE regtest_ptable_1_ones PARTITION OF regtest_ptable_1 FOR VALUES FROM ('0') TO ('10'); +CREATE TABLE regtest_ptable_1_tens PARTITION OF regtest_ptable_1 FOR VALUES FROM ('10') TO ('100'); +--- CREATE SEQUENCE regtest_seq_1; CREATE VIEW regtest_view_1 AS SELECT * FROM regtest_table_1 WHERE a > 0; CREATE FUNCTION regtest_func_1 (text) RETURNS bool @@ -54,6 +61,10 @@ LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_reg LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema_1.regtest_table_1" ALTER TABLE regtest_table_1 OWNER TO regress_sepgsql_test_user; LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema_1.regtest_table_1" +ALTER TABLE regtest_ptable_1 OWNER TO regress_sepgsql_test_user; +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema_1.regtest_ptable_1" +ALTER TABLE regtest_ptable_1_ones OWNER TO regress_sepgsql_test_user; +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema_1.regtest_ptable_1_ones" ALTER SEQUENCE regtest_seq_1 OWNER TO regress_sepgsql_test_user; LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_seq_t:s0 tclass=db_sequence name="regtest_schema_1.regtest_seq_1" ALTER SEQUENCE regtest_seq_1 OWNER TO regress_sepgsql_test_user; @@ -73,6 +84,14 @@ ALTER TABLE regtest_table_1 SET SCHEMA regtest_schema_2; LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_1" LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_2" LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema_1.regtest_table_1" +ALTER TABLE regtest_ptable_1 SET SCHEMA regtest_schema_2; +LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_1" +LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_2" +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema_1.regtest_ptable_1" +ALTER TABLE regtest_ptable_1_ones SET SCHEMA regtest_schema_2; +LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_1" +LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_2" +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema_1.regtest_ptable_1_ones" ALTER SEQUENCE regtest_seq_1 SET SCHEMA regtest_schema_2; LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_1" LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_2" @@ -97,6 +116,16 @@ LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_reg LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="public" LOG: SELinux: allowed { add_name remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_2" LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema_2.regtest_table_1" +--- +-- partitioned table parent +ALTER TABLE regtest_ptable_1 RENAME TO regtest_ptable; +LOG: SELinux: allowed { add_name remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_2" +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema_2.regtest_ptable_1" +-- partitioned table child +ALTER TABLE regtest_ptable_1_ones RENAME TO regtest_table_part; +LOG: SELinux: allowed { add_name remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_2" +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema_2.regtest_ptable_1_ones" +--- ALTER SEQUENCE regtest_seq_1 RENAME TO regtest_seq; LOG: SELinux: allowed { add_name remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema_2" LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_seq_t:s0 tclass=db_sequence name="regtest_schema_2.regtest_seq_1" @@ -170,8 +199,11 @@ LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_reg LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table column a" LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_table_3" LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table regtest_table_3 column x" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4eq(integer,integer)" ALTER TABLE regtest_table ADD CONSTRAINT test_ck CHECK (b like '%abc%') NOT VALID; -- not supported ALTER TABLE regtest_table VALIDATE CONSTRAINT test_ck; -- not supported +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.textlike(pg_catalog.text,pg_catalog.text)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.textlike(pg_catalog.text,pg_catalog.text)" ALTER TABLE regtest_table DROP CONSTRAINT test_ck; -- not supported CREATE TRIGGER regtest_test_trig BEFORE UPDATE ON regtest_table FOR EACH ROW EXECUTE PROCEDURE suppress_redundant_updates_trigger(); @@ -194,6 +226,83 @@ ALTER TABLE regtest_table_2 NO INHERIT regtest_table; -- not supported ALTER TABLE regtest_table_2 INHERIT regtest_table; -- not supported ALTER TABLE regtest_table SET TABLESPACE pg_default; LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema_2.regtest_table" +--- +-- partitioned table parent +ALTER TABLE regtest_ptable ADD COLUMN d float; +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LINE 1: ALTER TABLE regtest_ptable ADD COLUMN d float; + ^ +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_ptable.d" +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_table_part.d" +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_1_tens.d" +ALTER TABLE regtest_ptable DROP COLUMN d; +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_table_part.d" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_1_tens.d" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_ptable.d" +ALTER TABLE regtest_ptable ALTER p SET DEFAULT 'abcd'; -- not supported by sepgsql +ALTER TABLE regtest_ptable ALTER p SET DEFAULT 'XYZ'; -- not supported by sepgsql +ALTER TABLE regtest_ptable ALTER p DROP DEFAULT; -- not supported by sepgsql +ALTER TABLE regtest_ptable ALTER p SET NOT NULL; +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_ptable.p" +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_table_part.p" +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_1_tens.p" +ALTER TABLE regtest_ptable ALTER p DROP NOT NULL; +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_ptable.p" +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_table_part.p" +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_1_tens.p" +ALTER TABLE regtest_ptable ALTER p SET STATISTICS -1; +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_ptable.p" +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_table_part.p" +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_1_tens.p" +ALTER TABLE regtest_ptable ALTER p SET (n_distinct = 999); +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_ptable.p" +ALTER TABLE regtest_ptable ALTER p SET STORAGE PLAIN; +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_ptable.p" +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_table_part.p" +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_1_tens.p" +ALTER TABLE regtest_ptable ADD CONSTRAINT test_ck CHECK (p like '%abc%') NOT VALID; -- not supported by sepgsql +ALTER TABLE regtest_ptable DROP CONSTRAINT test_ck; -- not supported by sepgsql +ALTER TABLE regtest_ptable SET WITH OIDS; +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_ptable.oid" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_table_part.oid" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_1_tens.oid" +ALTER TABLE regtest_ptable SET WITHOUT OIDS; +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_table_part.oid" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_1_tens.oid" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_ptable.oid" +ALTER TABLE regtest_ptable SET TABLESPACE pg_default; +-- partitioned table child +ALTER TABLE regtest_table_part ALTER p SET DEFAULT 'abcd'; -- not supported by sepgsql +ALTER TABLE regtest_table_part ALTER p SET DEFAULT 'XYZ'; -- not supported by sepgsql +ALTER TABLE regtest_table_part ALTER p DROP DEFAULT; -- not supported by sepgsql +ALTER TABLE regtest_table_part ALTER p SET NOT NULL; +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_table_part.p" +ALTER TABLE regtest_table_part ALTER p DROP NOT NULL; +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_table_part.p" +ALTER TABLE regtest_table_part ALTER p SET STATISTICS -1; +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_table_part.p" +ALTER TABLE regtest_table_part ALTER p SET (n_distinct = 999); +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_table_part.p" +ALTER TABLE regtest_table_part ALTER p SET STORAGE PLAIN; +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema_2.regtest_table_part.p" +ALTER TABLE regtest_table_part ADD CONSTRAINT test_ck CHECK (p like '%abc%') NOT VALID; -- not supported by sepgsql +ALTER TABLE regtest_table_part VALIDATE CONSTRAINT test_ck; -- not supported by sepgsql +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.textlike(pg_catalog.text,pg_catalog.text)" +ALTER TABLE regtest_table_part DROP CONSTRAINT test_ck; -- not supported by sepgsql +CREATE TRIGGER regtest_part_test_trig BEFORE UPDATE ON regtest_table_part + FOR EACH ROW EXECUTE PROCEDURE suppress_redundant_updates_trigger(); +ALTER TABLE regtest_table_part DISABLE TRIGGER regtest_part_test_trig; -- not supported by sepgsql +ALTER TABLE regtest_table_part ENABLE TRIGGER regtest_part_test_trig; -- not supported by sepgsql +ALTER TABLE regtest_table_part SET (fillfactor = 75); +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema_2.regtest_table_part" +ALTER TABLE regtest_table_part RESET (fillfactor); +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema_2.regtest_table_part" +ALTER TABLE regtest_table_part SET TABLESPACE pg_default; +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema_2.regtest_table_part" +--- ALTER VIEW regtest_view SET (security_barrier); LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_view_t:s0 tclass=db_view name="regtest_schema_2.regtest_view" ALTER SEQUENCE regtest_seq INCREMENT BY 10 START WITH 1000; @@ -205,13 +314,15 @@ RESET sepgsql.debug_audit; RESET client_min_messages; DROP DATABASE sepgsql_test_regression; DROP SCHEMA regtest_schema CASCADE; -NOTICE: drop cascades to 3 other objects +NOTICE: drop cascades to 4 other objects DETAIL: drop cascades to table regtest_table_2 drop cascades to table regtest_table_3 drop cascades to constraint test_fk on table regtest_table +drop cascades to table regtest_ptable_1_tens DROP SCHEMA regtest_schema_2 CASCADE; -NOTICE: drop cascades to 4 other objects +NOTICE: drop cascades to 5 other objects DETAIL: drop cascades to table regtest_table +drop cascades to table regtest_ptable drop cascades to sequence regtest_seq drop cascades to view regtest_view drop cascades to function regtest_func(text) diff --git a/contrib/sepgsql/expected/ddl.out b/contrib/sepgsql/expected/ddl.out index c04b72fe88..1c0409a7a6 100644 --- a/contrib/sepgsql/expected/ddl.out +++ b/contrib/sepgsql/expected/ddl.out @@ -76,14 +76,62 @@ LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_reg LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table_2.oid" LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table_2.ctid" LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table_2.a" +CREATE TABLE regtest_ptable (a int) PARTITION BY RANGE (a); +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LINE 1: CREATE TABLE regtest_ptable (a int) PARTITION BY RANGE (a); + ^ +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable.tableoid" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable.cmax" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable.xmax" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable.cmin" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable.xmin" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable.ctid" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable.a" +CREATE TABLE regtest_ptable_ones PARTITION OF regtest_ptable FOR VALUES FROM ('0') TO ('10'); +LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable_ones" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_ones.tableoid" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_ones.cmax" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_ones.xmax" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_ones.cmin" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_ones.xmin" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_ones.ctid" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_ones.a" +CREATE TABLE regtest_ptable_tens PARTITION OF regtest_ptable FOR VALUES FROM ('10') TO ('100'); +LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable_tens" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_tens.tableoid" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_tens.cmax" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_tens.xmax" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_tens.cmin" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_tens.xmin" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_tens.ctid" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_tens.a" +ALTER TABLE regtest_ptable ADD COLUMN q int; +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LINE 1: ALTER TABLE regtest_ptable ADD COLUMN q int; + ^ +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable.q" +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_ones.q" +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_tens.q" -- corresponding toast table should not have label and permission checks ALTER TABLE regtest_table_2 ADD COLUMN b text; LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table_2.b" -- VACUUM FULL internally create a new table and swap them later. VACUUM FULL regtest_table; +VACUUM FULL regtest_ptable; CREATE VIEW regtest_view AS SELECT * FROM regtest_table WHERE x < 100; LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_view_t:s0 tclass=db_view name="regtest_schema.regtest_view" +CREATE VIEW regtest_pview AS SELECT * FROM regtest_ptable WHERE a < 99; +LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_view_t:s0 tclass=db_view name="regtest_schema.regtest_pview" CREATE SEQUENCE regtest_seq; LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_seq_t:s0 tclass=db_sequence name="regtest_schema.regtest_seq" @@ -132,9 +180,57 @@ LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_reg LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_seq_t:s0 tclass=db_sequence name="regtest_schema.regtest_table_3_y_seq" +CREATE TABLE regtest_ptable_3 (o int, p serial) PARTITION BY RANGE (o); +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LINE 1: CREATE TABLE regtest_ptable_3 (o int, p serial) PARTITION BY... + ^ +LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_seq_t:s0 tclass=db_sequence name="regtest_schema.regtest_ptable_3_p_seq" +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable_3" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3.tableoid" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3.cmax" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3.xmax" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3.cmin" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3.xmin" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3.ctid" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3.o" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3.p" +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_seq_t:s0 tclass=db_sequence name="regtest_schema.regtest_ptable_3_p_seq" +CREATE TABLE regtest_ptable_3_ones PARTITION OF regtest_ptable_3 FOR VALUES FROM ('0') to ('10'); +LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable_3_ones" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_ones.tableoid" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_ones.cmax" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_ones.xmax" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_ones.cmin" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_ones.xmin" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_ones.ctid" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_ones.o" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_ones.p" +CREATE TABLE regtest_ptable_3_tens PARTITION OF regtest_ptable_3 FOR VALUES FROM ('10') to ('100'); +LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable_3_tens" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_tens.tableoid" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_tens.cmax" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_tens.xmax" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_tens.cmin" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_tens.xmin" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_tens.ctid" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_tens.o" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_tens.p" CREATE VIEW regtest_view_2 AS SELECT * FROM regtest_table_3 WHERE x < y; LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_view_t:s0 tclass=db_view name="regtest_schema.regtest_view_2" +CREATE VIEW regtest_pview_2 AS SELECT * FROM regtest_ptable_3 WHERE o < p; +LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_view_t:s0 tclass=db_view name="regtest_schema.regtest_pview_2" CREATE FUNCTION regtest_func_2(int) RETURNS bool LANGUAGE plpgsql AS 'BEGIN RETURN $1 * $1 < 100; END'; LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" @@ -187,6 +283,7 @@ ALTER TABLE regtest_table_4 ALTER COLUMN y TYPE float; LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table_4.y" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.float8(integer)" DROP INDEX regtest_index_tbl4_y; LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_table_4" @@ -212,6 +309,91 @@ LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regte LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table_4.x" LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table_4.y" LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table_4.z" +-- For partitioned tables +CREATE TABLE regtest_ptable_4 (x int, y int, z int) PARTITION BY RANGE (x); +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LINE 1: CREATE TABLE regtest_ptable_4 (x int, y int, z int) PARTITIO... + ^ +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LINE 1: CREATE TABLE regtest_ptable_4 (x int, y int, z int) PARTITIO... + ^ +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LINE 1: CREATE TABLE regtest_ptable_4 (x int, y int, z int) PARTITIO... + ^ +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable_4" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4.tableoid" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4.cmax" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4.xmax" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4.cmin" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4.xmin" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4.ctid" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4.x" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4.y" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4.z" +CREATE TABLE regtest_ptable_4_ones PARTITION OF regtest_ptable_4 FOR VALUES FROM ('0') TO ('10'); +LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable_4_ones" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4_ones.tableoid" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4_ones.cmax" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4_ones.xmax" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4_ones.cmin" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4_ones.xmin" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4_ones.ctid" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4_ones.x" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4_ones.y" +LOG: SELinux: allowed { create } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4_ones.z" +CREATE INDEX regtest_pindex_tbl4_y ON regtest_ptable_4_ones(y); +LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable_4_ones" +CREATE INDEX regtest_pindex_tbl4_z ON regtest_ptable_4_ones(z); +LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable_4_ones" +ALTER TABLE regtest_ptable_4 ALTER COLUMN y TYPE float; +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4.y" +LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="pg_catalog" +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4_ones.y" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.float8(integer)" +DROP INDEX regtest_pindex_tbl4_y; +LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable_4_ones" +ALTER TABLE regtest_ptable_4_ones + ADD CONSTRAINT regtest_ptbl4_con EXCLUDE USING btree (z WITH =); +LOG: SELinux: allowed { add_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable_4_ones" +DROP TABLE regtest_ptable_4 CASCADE; +LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable_4_ones" +LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { setattr } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable_4_ones" +LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable_4_ones" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4_ones.tableoid" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4_ones.cmax" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4_ones.xmax" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4_ones.cmin" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4_ones.xmin" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4_ones.ctid" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4_ones.x" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4_ones.y" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4_ones.z" +LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable_4" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4.tableoid" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4.cmax" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4.xmax" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4.cmin" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4.xmin" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4.ctid" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4.x" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4.y" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_4.z" -- -- DROP Permission checks (with clean-up) -- @@ -233,6 +415,13 @@ ALTER TABLE regtest_table DROP COLUMN y; LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table.y" ALTER TABLE regtest_table_2 SET WITHOUT OIDS; LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table_2.oid" +ALTER TABLE regtest_ptable DROP COLUMN q CASCADE; +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_ones.q" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_tens.q" +NOTICE: drop cascades to view regtest_pview +LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_view_t:s0 tclass=db_view name="regtest_schema.regtest_pview" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable.q" DROP TABLE regtest_table; LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_seq_t:s0 tclass=db_sequence name="regtest_schema.regtest_table_x_seq" @@ -248,14 +437,76 @@ LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regte LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table.ctid" LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table.x" LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_table.z" +DROP TABLE regtest_ptable CASCADE; +LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable_tens" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_tens.tableoid" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_tens.cmax" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_tens.xmax" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_tens.cmin" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_tens.xmin" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_tens.ctid" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_tens.a" +LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable_ones" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_ones.tableoid" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_ones.cmax" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_ones.xmax" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_ones.cmin" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_ones.xmin" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_ones.ctid" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_ones.a" +LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable.tableoid" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable.cmax" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable.xmax" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable.cmin" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable.xmin" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable.ctid" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable.a" DROP OWNED BY regress_sepgsql_test_user; LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" LOG: SELinux: allowed { search } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=system_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="public" LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="regtest_schema.regtest_func_2(integer)" LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_view_t:s0 tclass=db_view name="regtest_schema.regtest_pview_2" +LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_view_t:s0 tclass=db_view name="regtest_schema.regtest_view_2" LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable_3_tens" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_tens.tableoid" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_tens.cmax" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_tens.xmax" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_tens.cmin" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_tens.xmin" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_tens.ctid" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_tens.o" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_tens.p" +LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable_3_ones" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_ones.tableoid" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_ones.cmax" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_ones.xmax" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_ones.cmin" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_ones.xmin" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_ones.ctid" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_ones.o" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3_ones.p" +LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_seq_t:s0 tclass=db_sequence name="regtest_schema.regtest_ptable_3_p_seq" +LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_ptable_3" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3.tableoid" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3.cmax" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3.xmax" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3.cmin" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3.xmin" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3.ctid" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3.o" +LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="regtest_schema.regtest_ptable_3.p" +LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_seq_t:s0 tclass=db_sequence name="regtest_schema.regtest_table_3_y_seq" LOG: SELinux: allowed { remove_name } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_schema_t:s0 tclass=db_schema name="regtest_schema" LOG: SELinux: allowed { drop } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="regtest_schema.regtest_table_3" diff --git a/contrib/sepgsql/expected/dml.out b/contrib/sepgsql/expected/dml.out index 8716ac735d..31243c723b 100644 --- a/contrib/sepgsql/expected/dml.out +++ b/contrib/sepgsql/expected/dml.out @@ -21,6 +21,23 @@ SECURITY LABEL ON TABLE t5 IS 'system_u:object_r:sepgsql_table_t:s0'; SECURITY LABEL ON COLUMN t5.e IS 'system_u:object_r:sepgsql_table_t:s0'; SECURITY LABEL ON COLUMN t5.f IS 'system_u:object_r:sepgsql_ro_table_t:s0'; SECURITY LABEL ON COLUMN t5.g IS 'system_u:object_r:sepgsql_secret_table_t:s0'; +--- +-- partitioned table parent +CREATE TABLE t1p (o int, p text, q text) PARTITION BY RANGE (o); +SECURITY LABEL ON TABLE t1p IS 'system_u:object_r:sepgsql_table_t:s0'; +SECURITY LABEL ON COLUMN t1p.o IS 'system_u:object_r:sepgsql_table_t:s0'; +SECURITY LABEL ON COLUMN t1p.p IS 'system_u:object_r:sepgsql_ro_table_t:s0'; +SECURITY LABEL ON COLUMN t1p.q IS 'system_u:object_r:sepgsql_secret_table_t:s0'; +-- partitioned table children +CREATE TABLE t1p_ones PARTITION OF t1p FOR VALUES FROM ('0') TO ('10'); +SECURITY LABEL ON COLUMN t1p_ones.o IS 'system_u:object_r:sepgsql_table_t:s0'; +SECURITY LABEL ON COLUMN t1p_ones.p IS 'system_u:object_r:sepgsql_ro_table_t:s0'; +SECURITY LABEL ON COLUMN t1p_ones.q IS 'system_u:object_r:sepgsql_secret_table_t:s0'; +CREATE TABLE t1p_tens PARTITION OF t1p FOR VALUES FROM ('10') TO ('100'); +SECURITY LABEL ON COLUMN t1p_tens.o IS 'system_u:object_r:sepgsql_table_t:s0'; +SECURITY LABEL ON COLUMN t1p_tens.p IS 'system_u:object_r:sepgsql_ro_table_t:s0'; +SECURITY LABEL ON COLUMN t1p_tens.q IS 'system_u:object_r:sepgsql_secret_table_t:s0'; +--- CREATE TABLE customer (cid int primary key, cname text, ccredit text); SECURITY LABEL ON COLUMN customer.ccredit IS 'system_u:object_r:sepgsql_secret_table_t:s0'; INSERT INTO customer VALUES (1, 'Taro', '1111-2222-3333-4444'), @@ -33,24 +50,44 @@ SECURITY LABEL ON FUNCTION customer_credit(int) SELECT objtype, objname, label FROM pg_seclabels WHERE provider = 'selinux' AND objtype in ('table', 'column') - AND objname in ('t1', 't2', 't3', 't4', 't5', 't5.e', 't5.f', 't5.g') -ORDER BY objname; - objtype | objname | label ----------+---------+--------------------------------------------- - table | t1 | system_u:object_r:sepgsql_table_t:s0 - table | t2 | system_u:object_r:sepgsql_ro_table_t:s0 - table | t3 | system_u:object_r:sepgsql_fixed_table_t:s0 - table | t4 | system_u:object_r:sepgsql_secret_table_t:s0 - table | t5 | system_u:object_r:sepgsql_table_t:s0 - column | t5.e | system_u:object_r:sepgsql_table_t:s0 - column | t5.f | system_u:object_r:sepgsql_ro_table_t:s0 - column | t5.g | system_u:object_r:sepgsql_secret_table_t:s0 -(8 rows) + AND objname in ('t1', 't2', 't3', 't4', + 't5', 't5.e', 't5.f', 't5.g', + 't1p', 't1p.o', 't1p.p', 't1p.q', + 't1p_ones', 't1p_ones.o', 't1p_ones.p', 't1p_ones.q', + 't1p_tens', 't1p_tens.o', 't1p_tens.p', 't1p_tens.q') +ORDER BY objname COLLATE "C"; + objtype | objname | label +---------+------------+--------------------------------------------- + table | t1 | system_u:object_r:sepgsql_table_t:s0 + table | t1p | system_u:object_r:sepgsql_table_t:s0 + column | t1p.o | system_u:object_r:sepgsql_table_t:s0 + column | t1p.p | system_u:object_r:sepgsql_ro_table_t:s0 + column | t1p.q | system_u:object_r:sepgsql_secret_table_t:s0 + table | t1p_ones | unconfined_u:object_r:sepgsql_table_t:s0 + column | t1p_ones.o | system_u:object_r:sepgsql_table_t:s0 + column | t1p_ones.p | system_u:object_r:sepgsql_ro_table_t:s0 + column | t1p_ones.q | system_u:object_r:sepgsql_secret_table_t:s0 + table | t1p_tens | unconfined_u:object_r:sepgsql_table_t:s0 + column | t1p_tens.o | system_u:object_r:sepgsql_table_t:s0 + column | t1p_tens.p | system_u:object_r:sepgsql_ro_table_t:s0 + column | t1p_tens.q | system_u:object_r:sepgsql_secret_table_t:s0 + table | t2 | system_u:object_r:sepgsql_ro_table_t:s0 + table | t3 | system_u:object_r:sepgsql_fixed_table_t:s0 + table | t4 | system_u:object_r:sepgsql_secret_table_t:s0 + table | t5 | system_u:object_r:sepgsql_table_t:s0 + column | t5.e | system_u:object_r:sepgsql_table_t:s0 + column | t5.f | system_u:object_r:sepgsql_ro_table_t:s0 + column | t5.g | system_u:object_r:sepgsql_secret_table_t:s0 +(20 rows) CREATE SCHEMA my_schema_1; CREATE TABLE my_schema_1.ts1 (a int, b text); +CREATE TABLE my_schema_1.pts1 (o int, p text) PARTITION BY RANGE (o); +CREATE TABLE my_schema_1.pts1_ones PARTITION OF my_schema_1.pts1 FOR VALUES FROM ('0') to ('10'); CREATE SCHEMA my_schema_2; CREATE TABLE my_schema_2.ts2 (x int, y text); +CREATE TABLE my_schema_2.pts2 (o int, p text) PARTITION BY RANGE (o); +CREATE TABLE my_schema_2.pts2_tens PARTITION OF my_schema_2.pts2 FOR VALUES FROM ('10') to ('100'); SECURITY LABEL ON SCHEMA my_schema_2 IS 'system_u:object_r:sepgsql_regtest_invisible_schema_t:s0'; -- Hardwired Rules @@ -99,7 +136,42 @@ SELECT e,f FROM t5; -- ok ---+--- (0 rows) -SELECT * FROM customer; -- failed +--- +-- partitioned table parent +SELECT * FROM t1p; -- failed +ERROR: SELinux: security policy violation +SELECT o,p FROM t1p; -- ok + o | p +---+--- +(0 rows) + +--partitioned table children +SELECT * FROM t1p_ones; -- failed +ERROR: SELinux: security policy violation +SELECT o FROM t1p_ones; -- ok + o +--- +(0 rows) + +SELECT o,p FROM t1p_ones; -- ok + o | p +---+--- +(0 rows) + +SELECT * FROM t1p_tens; -- failed +ERROR: SELinux: security policy violation +SELECT o FROM t1p_tens; -- ok + o +--- +(0 rows) + +SELECT o,p FROM t1p_tens; -- ok + o | p +---+--- +(0 rows) + +--- +SELECT * FROM customer; -- failed ERROR: SELinux: security policy violation SELECT cid, cname, customer_credit(cid) FROM customer; -- ok cid | cname | customer_credit @@ -108,7 +180,7 @@ SELECT cid, cname, customer_credit(cid) FROM customer; -- ok 2 | Hanako | 5555-6666-7777-???? (2 rows) -SELECT count(*) FROM t5; -- ok +SELECT count(*) FROM t5; -- ok count ------- 0 @@ -116,6 +188,34 @@ SELECT count(*) FROM t5; -- ok SELECT count(*) FROM t5 WHERE g IS NULL; -- failed ERROR: SELinux: security policy violation +--- +-- partitioned table parent +SELECT count(*) FROM t1p; -- ok + count +------- + 0 +(1 row) + +SELECT count(*) FROM t1p WHERE q IS NULL; -- failed +ERROR: SELinux: security policy violation +-- partitioned table children +SELECT count(*) FROM t1p_ones; -- ok + count +------- + 0 +(1 row) + +SELECT count(*) FROM t1p_ones WHERE q IS NULL; -- failed +ERROR: SELinux: security policy violation +SELECT count(*) FROM t1p_tens; -- ok + count +------- + 0 +(1 row) + +SELECT count(*) FROM t1p_tens WHERE q IS NULL; -- failed +ERROR: SELinux: security policy violation +--- INSERT INTO t1 VALUES (4, 'abc'); -- ok INSERT INTO t2 VALUES (4, 'xyz'); -- failed ERROR: SELinux: security policy violation @@ -127,6 +227,22 @@ ERROR: SELinux: security policy violation INSERT INTO t5 (e,f) VALUES ('abc', 'def'); -- failed ERROR: SELinux: security policy violation INSERT INTO t5 (e) VALUES ('abc'); -- ok +--- +-- partitioned table parent +INSERT INTO t1p (o,p) VALUES (9, 'mno'); -- failed +ERROR: SELinux: security policy violation +INSERT INTO t1p (o) VALUES (9); -- ok +INSERT INTO t1p (o,p) VALUES (99, 'pqr'); -- failed +ERROR: SELinux: security policy violation +INSERT INTO t1p (o) VALUES (99); -- ok +-- partitioned table children +INSERT INTO t1p_ones (o,p) VALUES (9, 'mno'); -- failed +ERROR: SELinux: security policy violation +INSERT INTO t1p_ones (o) VALUES (9); -- ok +INSERT INTO t1p_tens (o,p) VALUES (99, 'pqr'); -- failed +ERROR: SELinux: security policy violation +INSERT INTO t1p_tens (o) VALUES (99); -- ok +--- UPDATE t1 SET b = b || '_upd'; -- ok UPDATE t2 SET y = y || '_upd'; -- failed ERROR: SELinux: security policy violation @@ -138,6 +254,23 @@ UPDATE t5 SET e = 'xyz'; -- ok UPDATE t5 SET e = f || '_upd'; -- ok UPDATE t5 SET e = g || '_upd'; -- failed ERROR: SELinux: security policy violation +--- +-- partitioned table parent +UPDATE t1p SET o = 9 WHERE o < 10; -- ok +UPDATE t1p SET o = 99 WHERE o >= 10; -- ok +UPDATE t1p SET o = ascii(COALESCE(p,'upd'))%10 WHERE o < 10; -- ok +UPDATE t1p SET o = ascii(COALESCE(q,'upd'))%100 WHERE o >= 10; -- failed +ERROR: SELinux: security policy violation +-- partitioned table children +UPDATE t1p_ones SET o = 9; -- ok +UPDATE t1p_ones SET o = ascii(COALESCE(p,'upd'))%10; -- ok +UPDATE t1p_ones SET o = ascii(COALESCE(q,'upd'))%10; -- failed +ERROR: SELinux: security policy violation +UPDATE t1p_tens SET o = 99; -- ok +UPDATE t1p_tens SET o = ascii(COALESCE(p,'upd'))%100; -- ok +UPDATE t1p_tens SET o = ascii(COALESCE(q,'upd'))%100; -- failed +ERROR: SELinux: security policy violation +--- DELETE FROM t1; -- ok DELETE FROM t2; -- failed ERROR: SELinux: security policy violation @@ -149,6 +282,20 @@ DELETE FROM t5; -- ok DELETE FROM t5 WHERE f IS NULL; -- ok DELETE FROM t5 WHERE g IS NULL; -- failed ERROR: SELinux: security policy violation +--- +-- partitioned table parent +DELETE FROM t1p; -- ok +DELETE FROM t1p WHERE p IS NULL; -- ok +DELETE FROM t1p WHERE q IS NULL; -- failed +ERROR: SELinux: security policy violation +-- partitioned table children +DELETE FROM t1p_ones WHERE p IS NULL; -- ok +DELETE FROM t1p_ones WHERE q IS NULL; -- failed; +ERROR: SELinux: security policy violation +DELETE FROM t1p_tens WHERE p IS NULL; -- ok +DELETE FROM t1p_tens WHERE q IS NULL; -- failed +ERROR: SELinux: security policy violation +--- -- -- COPY TO/FROM statements -- @@ -160,6 +307,19 @@ ERROR: SELinux: security policy violation COPY t5 TO '/dev/null'; -- failed ERROR: SELinux: security policy violation COPY t5(e,f) TO '/dev/null'; -- ok +--- +-- partitioned table parent +COPY (SELECT * FROM t1p) TO '/dev/null'; -- failed +ERROR: SELinux: security policy violation +COPY (SELECT (o,p) FROM t1p) TO '/dev/null'; -- ok +-- partitioned table children +COPY t1p_ones TO '/dev/null'; -- failed +ERROR: SELinux: security policy violation +COPY t1p_ones(o,p) TO '/dev/null'; -- ok +COPY t1p_tens TO '/dev/null'; -- failed +ERROR: SELinux: security policy violation +COPY t1p_tens(o,p) TO '/dev/null'; -- ok +--- COPY t1 FROM '/dev/null'; -- ok COPY t2 FROM '/dev/null'; -- failed ERROR: SELinux: security policy violation @@ -171,6 +331,19 @@ ERROR: SELinux: security policy violation COPY t5 (e,f) FROM '/dev/null'; -- failed ERROR: SELinux: security policy violation COPY t5 (e) FROM '/dev/null'; -- ok +--- +-- partitioned table parent +COPY t1p FROM '/dev/null'; -- failed +ERROR: SELinux: security policy violation +COPY t1p (o) FROM '/dev/null'; -- ok +-- partitioned table children +COPY t1p_ones FROM '/dev/null'; -- failed +ERROR: SELinux: security policy violation +COPY t1p_ones (o) FROM '/dev/null'; -- ok +COPY t1p_tens FROM '/dev/null'; -- failed +ERROR: SELinux: security policy violation +COPY t1p_tens (o) FROM '/dev/null'; -- ok +--- -- -- Schema search path -- @@ -202,8 +375,13 @@ DROP TABLE IF EXISTS t2 CASCADE; DROP TABLE IF EXISTS t3 CASCADE; DROP TABLE IF EXISTS t4 CASCADE; DROP TABLE IF EXISTS t5 CASCADE; +DROP TABLE IF EXISTS t1p CASCADE; DROP TABLE IF EXISTS customer CASCADE; DROP SCHEMA IF EXISTS my_schema_1 CASCADE; -NOTICE: drop cascades to table my_schema_1.ts1 +NOTICE: drop cascades to 2 other objects +DETAIL: drop cascades to table my_schema_1.ts1 +drop cascades to table my_schema_1.pts1 DROP SCHEMA IF EXISTS my_schema_2 CASCADE; -NOTICE: drop cascades to table my_schema_2.ts2 +NOTICE: drop cascades to 2 other objects +DETAIL: drop cascades to table my_schema_2.ts2 +drop cascades to table my_schema_2.pts2 diff --git a/contrib/sepgsql/expected/label.out b/contrib/sepgsql/expected/label.out index 7af51897da..0300bc6fb4 100644 --- a/contrib/sepgsql/expected/label.out +++ b/contrib/sepgsql/expected/label.out @@ -53,6 +53,18 @@ CREATE TABLE var_tbl(x int, y text); INSERT INTO var_tbl VALUES (2,'xxx'), (3,'yyy'), (4,'zzz'), (5,'xyz'); SECURITY LABEL ON TABLE var_tbl IS 'system_u:object_r:sepgsql_regtest_var_table_t:s0'; +CREATE TABLE foo_ptbl(o int, p text) PARTITION BY RANGE (o); +CREATE TABLE foo_ptbl_ones PARTITION OF foo_ptbl FOR VALUES FROM ('0') TO ('10'); +CREATE TABLE foo_ptbl_tens PARTITION OF foo_ptbl FOR VALUES FROM ('10') TO ('100'); +INSERT INTO foo_ptbl VALUES (0, 'aaa'), (9,'bbb'), (10,'ccc'), (99,'ddd'); +SECURITY LABEL ON TABLE foo_ptbl + IS 'system_u:object_r:sepgsql_regtest_foo_table_t:s0'; +CREATE TABLE var_ptbl(q int, r text) PARTITION BY RANGE (q); +CREATE TABLE var_ptbl_ones PARTITION OF var_ptbl FOR VALUES FROM ('0') TO ('10'); +CREATE TABLE var_ptbl_tens PARTITION OF var_ptbl FOR VALUES FROM ('10') TO ('100'); +INSERT INTO var_ptbl VALUES (0,'xxx'), (9,'yyy'), (10,'zzz'), (99,'xyz'); +SECURITY LABEL ON TABLE var_ptbl + IS 'system_u:object_r:sepgsql_regtest_var_table_t:s0'; -- -- Tests for default labeling behavior -- @@ -72,36 +84,90 @@ SELECT sepgsql_getcon(); -- confirm client privilege CREATE TABLE t4 (m int, n text); INSERT INTO t4 VALUES (1,'mmm'), (2,'nnn'), (3,'ooo'); +SELECT sepgsql_getcon(); -- confirm client privilege + sepgsql_getcon +----------------------------------------------------- + unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0 +(1 row) + +CREATE TABLE tpart (o int, p text) PARTITION BY RANGE (o); +CREATE TABLE tpart_ones PARTITION OF tpart FOR VALUES FROM ('0') TO ('10'); +SELECT sepgsql_getcon(); -- confirm client privilege + sepgsql_getcon +---------------------------------------------------- + unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0 +(1 row) + +CREATE TABLE tpart_tens PARTITION OF tpart FOR VALUES FROM ('10') TO ('100'); +INSERT INTO tpart VALUES (0, 'aaa'); +INSERT INTO tpart VALUES (9, 'bbb'); +INSERT INTO tpart VALUES (99, 'ccc'); SELECT objtype, objname, label FROM pg_seclabels - WHERE provider = 'selinux' AND objtype = 'table' AND objname in ('t1', 't2', 't3'); - objtype | objname | label ----------+---------+----------------------------------------------- - table | t1 | unconfined_u:object_r:sepgsql_table_t:s0 - table | t2 | unconfined_u:object_r:sepgsql_table_t:s0 - table | t3 | unconfined_u:object_r:user_sepgsql_table_t:s0 -(3 rows) + WHERE provider = 'selinux' AND objtype = 'table' AND objname in ('t1', 't2', 't3', + 'tpart', + 'tpart_ones', + 'tpart_tens') + ORDER BY objname COLLATE "C" ASC; + objtype | objname | label +---------+------------+----------------------------------------------- + table | t1 | unconfined_u:object_r:sepgsql_table_t:s0 + table | t2 | unconfined_u:object_r:sepgsql_table_t:s0 + table | t3 | unconfined_u:object_r:user_sepgsql_table_t:s0 + table | tpart | unconfined_u:object_r:user_sepgsql_table_t:s0 + table | tpart_ones | unconfined_u:object_r:user_sepgsql_table_t:s0 + table | tpart_tens | unconfined_u:object_r:sepgsql_table_t:s0 +(6 rows) SELECT objtype, objname, label FROM pg_seclabels - WHERE provider = 'selinux' AND objtype = 'column' AND (objname like 't3.%' OR objname like 't4.%'); - objtype | objname | label ----------+-------------+----------------------------------------------- - column | t3.t | unconfined_u:object_r:user_sepgsql_table_t:s0 - column | t3.s | unconfined_u:object_r:user_sepgsql_table_t:s0 - column | t3.ctid | unconfined_u:object_r:user_sepgsql_table_t:s0 - column | t3.xmin | unconfined_u:object_r:user_sepgsql_table_t:s0 - column | t3.cmin | unconfined_u:object_r:user_sepgsql_table_t:s0 - column | t3.xmax | unconfined_u:object_r:user_sepgsql_table_t:s0 - column | t3.cmax | unconfined_u:object_r:user_sepgsql_table_t:s0 - column | t3.tableoid | unconfined_u:object_r:user_sepgsql_table_t:s0 - column | t4.n | unconfined_u:object_r:sepgsql_table_t:s0 - column | t4.m | unconfined_u:object_r:sepgsql_table_t:s0 - column | t4.ctid | unconfined_u:object_r:sepgsql_sysobj_t:s0 - column | t4.xmin | unconfined_u:object_r:sepgsql_sysobj_t:s0 - column | t4.cmin | unconfined_u:object_r:sepgsql_sysobj_t:s0 - column | t4.xmax | unconfined_u:object_r:sepgsql_sysobj_t:s0 - column | t4.cmax | unconfined_u:object_r:sepgsql_sysobj_t:s0 - column | t4.tableoid | unconfined_u:object_r:sepgsql_sysobj_t:s0 -(16 rows) + WHERE provider = 'selinux' AND objtype = 'column' AND (objname like 't3.%' + OR objname like 't4.%' + OR objname like 'tpart.%' + OR objname like 'tpart_ones.%' + OR objname like 'tpart_tens.%') + ORDER BY objname COLLATE "C" ASC; + objtype | objname | label +---------+---------------------+----------------------------------------------- + column | t3.cmax | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | t3.cmin | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | t3.ctid | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | t3.s | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | t3.t | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | t3.tableoid | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | t3.xmax | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | t3.xmin | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | t4.cmax | unconfined_u:object_r:sepgsql_sysobj_t:s0 + column | t4.cmin | unconfined_u:object_r:sepgsql_sysobj_t:s0 + column | t4.ctid | unconfined_u:object_r:sepgsql_sysobj_t:s0 + column | t4.m | unconfined_u:object_r:sepgsql_table_t:s0 + column | t4.n | unconfined_u:object_r:sepgsql_table_t:s0 + column | t4.tableoid | unconfined_u:object_r:sepgsql_sysobj_t:s0 + column | t4.xmax | unconfined_u:object_r:sepgsql_sysobj_t:s0 + column | t4.xmin | unconfined_u:object_r:sepgsql_sysobj_t:s0 + column | tpart.cmax | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | tpart.cmin | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | tpart.ctid | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | tpart.o | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | tpart.p | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | tpart.tableoid | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | tpart.xmax | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | tpart.xmin | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | tpart_ones.cmax | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | tpart_ones.cmin | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | tpart_ones.ctid | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | tpart_ones.o | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | tpart_ones.p | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | tpart_ones.tableoid | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | tpart_ones.xmax | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | tpart_ones.xmin | unconfined_u:object_r:user_sepgsql_table_t:s0 + column | tpart_tens.cmax | unconfined_u:object_r:sepgsql_sysobj_t:s0 + column | tpart_tens.cmin | unconfined_u:object_r:sepgsql_sysobj_t:s0 + column | tpart_tens.ctid | unconfined_u:object_r:sepgsql_sysobj_t:s0 + column | tpart_tens.o | unconfined_u:object_r:sepgsql_table_t:s0 + column | tpart_tens.p | unconfined_u:object_r:sepgsql_table_t:s0 + column | tpart_tens.tableoid | unconfined_u:object_r:sepgsql_sysobj_t:s0 + column | tpart_tens.xmax | unconfined_u:object_r:sepgsql_sysobj_t:s0 + column | tpart_tens.xmin | unconfined_u:object_r:sepgsql_sysobj_t:s0 +(40 rows) -- -- Tests for SECURITY LABEL @@ -122,6 +188,16 @@ SECURITY LABEL ON COLUMN t2 ERROR: column name must be qualified SECURITY LABEL ON COLUMN t2.b IS 'system_u:object_r:sepgsql_ro_table_t:s0'; -- ok +SECURITY LABEL ON TABLE tpart + IS 'system_u:object_r:sepgsql_ro_table_t:s0'; -- ok +SECURITY LABEL ON TABLE tpart + IS 'invalid security context'; -- failed +ERROR: SELinux: invalid security label: "invalid security context" +SECURITY LABEL ON COLUMN tpart + IS 'system_u:object_r:sepgsql_ro_table_t:s0'; -- failed +ERROR: column name must be qualified +SECURITY LABEL ON COLUMN tpart.o + IS 'system_u:object_r:sepgsql_ro_table_t:s0'; -- ok -- -- Tests for Trusted Procedures -- @@ -422,8 +498,19 @@ SELECT * FROM foo_tbl; -- OK 4 | ddd (4 rows) +SELECT * FROM foo_ptbl; -- OK + o | p +----+----- + 0 | aaa + 9 | bbb + 10 | ccc + 99 | ddd +(4 rows) + SELECT * FROM var_tbl; -- failed ERROR: SELinux: security policy violation +SELECT * FROM var_ptbl; -- failed +ERROR: SELinux: security policy violation SELECT * FROM auth_tbl; -- failed ERROR: SELinux: security policy violation SELECT sepgsql_setcon(NULL); -- end of session @@ -438,11 +525,15 @@ SELECT sepgsql_getcon(); unconfined_u:unconfined_r:sepgsql_regtest_pool_t:s0 (1 row) --- the pooler cannot touch these tables directry +-- the pooler cannot touch these tables directly SELECT * FROM foo_tbl; -- failed ERROR: SELinux: security policy violation +SELECT * FROM foo_ptbl; -- failed +ERROR: SELinux: security policy violation SELECT * FROM var_tbl; -- failed ERROR: SELinux: security policy violation +SELECT * FROM var_ptbl; -- failed +ERROR: SELinux: security policy violation -- switch to "var" SELECT auth_func('var', 'b2145aac704ce76dbe1ac7adac535b23'); auth_func @@ -458,6 +549,8 @@ SELECT sepgsql_getcon(); SELECT * FROM foo_tbl; -- failed ERROR: SELinux: security policy violation +SELECT * FROM foo_ptbl; -- failed +ERROR: SELinux: security policy violation SELECT * FROM var_tbl; -- OK x | y ---+----- @@ -467,6 +560,15 @@ SELECT * FROM var_tbl; -- OK 5 | xyz (4 rows) +SELECT * FROM var_ptbl; -- OK + q | r +----+----- + 0 | xxx + 9 | yyy + 10 | zzz + 99 | xyz +(4 rows) + SELECT * FROM auth_tbl; -- failed ERROR: SELinux: security policy violation SELECT sepgsql_setcon(NULL); -- end of session @@ -501,6 +603,7 @@ DROP TABLE IF EXISTS t1 CASCADE; DROP TABLE IF EXISTS t2 CASCADE; DROP TABLE IF EXISTS t3 CASCADE; DROP TABLE IF EXISTS t4 CASCADE; +DROP TABLE IF EXISTS tpart CASCADE; DROP FUNCTION IF EXISTS f1() CASCADE; DROP FUNCTION IF EXISTS f2() CASCADE; DROP FUNCTION IF EXISTS f3() CASCADE; diff --git a/contrib/sepgsql/expected/misc.out b/contrib/sepgsql/expected/misc.out index 1ce47c48b0..7b55142653 100644 --- a/contrib/sepgsql/expected/misc.out +++ b/contrib/sepgsql/expected/misc.out @@ -8,6 +8,10 @@ ERROR: SELinux: LOAD is not permitted -- CREATE TABLE t1 (x int, y text); INSERT INTO t1 (SELECT x, md5(x::text) FROM generate_series(1,100) x); +CREATE TABLE t1p (o int, p text) PARTITION BY RANGE (o); +CREATE TABLE t1p_ones PARTITION OF t1p FOR VALUES FROM ('0') TO ('10'); +CREATE TABLE t1p_tens PARTITION OF t1p FOR VALUES FROM ('10') TO ('100'); +INSERT INTO t1p (SELECT x, md5(x::text) FROM generate_series(0,99) x); SET sepgsql.debug_audit = on; SET client_min_messages = log; -- regular function and operators @@ -27,6 +31,57 @@ LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_re 100 | f899139df5e1059396431415e770c6dd (6 rows) +SELECT * FROM t1p WHERE o > 50 AND p like '%64%'; +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4eq(integer,integer)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4le(integer,integer)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4eq(integer,integer)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4le(integer,integer)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4le(integer,integer)" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1p" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p column o" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p column p" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1p_ones" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p_ones column o" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p_ones column p" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1p_tens" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p_tens column o" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p_tens column p" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4gt(integer,integer)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.textlike(pg_catalog.text,pg_catalog.text)" + o | p +----+---------------------------------- + 77 | 28dd2c7955ce926456240b2ff0100bde + 89 | 7647966b7343c29048673252e490f736 + 90 | 8613985ec49eb8f757ae6439e879bb2a + 91 | 54229abfcfa5649e7003b83dd4755294 + 99 | ac627ab1ccbdb62ec96e702f07f6425b +(5 rows) + +SELECT * FROM t1p_ones WHERE o > 50 AND p like '%64%'; +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1p_ones" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p_ones column o" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p_ones column p" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4gt(integer,integer)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.textlike(pg_catalog.text,pg_catalog.text)" + o | p +---+--- +(0 rows) + +SELECT * FROM t1p_tens WHERE o > 50 AND p like '%64%'; +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1p_tens" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p_tens column o" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p_tens column p" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4gt(integer,integer)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.textlike(pg_catalog.text,pg_catalog.text)" + o | p +----+---------------------------------- + 77 | 28dd2c7955ce926456240b2ff0100bde + 89 | 7647966b7343c29048673252e490f736 + 90 | 8613985ec49eb8f757ae6439e879bb2a + 91 | 54229abfcfa5649e7003b83dd4755294 + 99 | ac627ab1ccbdb62ec96e702f07f6425b +(5 rows) + -- aggregate function SELECT MIN(x), AVG(x) FROM t1; LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1" @@ -41,13 +96,56 @@ LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_re 1 | 50.5000000000000000 (1 row) +SELECT MIN(o), AVG(o) FROM t1p; +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1p" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p column o" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1p_ones" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p_ones column o" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1p_tens" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p_tens column o" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.avg(integer)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4_avg_accum(bigint[],integer)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int8_avg(bigint[])" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.min(integer)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4smaller(integer,integer)" + min | avg +-----+--------------------- + 0 | 49.5000000000000000 +(1 row) + +SELECT MIN(o), AVG(o) FROM t1p_ones; +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1p_ones" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p_ones column o" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.avg(integer)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4_avg_accum(bigint[],integer)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int8_avg(bigint[])" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.min(integer)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4smaller(integer,integer)" + min | avg +-----+-------------------- + 0 | 4.5000000000000000 +(1 row) + +SELECT MIN(o), AVG(o) FROM t1p_tens; +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1p_tens" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p_tens column o" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.avg(integer)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4_avg_accum(bigint[],integer)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int8_avg(bigint[])" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.min(integer)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.int4smaller(integer,integer)" + min | avg +-----+--------------------- + 10 | 54.5000000000000000 +(1 row) + -- window function SELECT row_number() OVER (order by x), * FROM t1 WHERE y like '%86%'; LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1" LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column x" LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1 column y" -LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.row_number()" LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.textlike(pg_catalog.text,pg_catalog.text)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.row_number()" row_number | x | y ------------+----+---------------------------------- 1 | 2 | c81e728d9d4c2f636f067f89cc14862c @@ -64,9 +162,71 @@ LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_re 12 | 94 | f4b9ec30ad9f68f89b29639786cb62ef (12 rows) +SELECT row_number() OVER (order by o), * FROM t1p WHERE p like '%86%'; +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1p" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p column o" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p column p" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1p_ones" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p_ones column o" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p_ones column p" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1p_tens" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p_tens column o" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p_tens column p" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.textlike(pg_catalog.text,pg_catalog.text)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.textlike(pg_catalog.text,pg_catalog.text)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.row_number()" + row_number | o | p +------------+----+---------------------------------- + 1 | 2 | c81e728d9d4c2f636f067f89cc14862c + 2 | 17 | 70efdf2ec9b086079795c442636b55fb + 3 | 22 | b6d767d2f8ed5d21a44b0e5886680cb9 + 4 | 27 | 02e74f10e0327ad868d138f2b4fdd6f0 + 5 | 33 | 182be0c5cdcd5072bb1864cdee4d3d6e + 6 | 43 | 17e62166fc8586dfa4d1bc0e1742c08b + 7 | 54 | a684eceee76fc522773286a895bc8436 + 8 | 73 | d2ddea18f00665ce8623e36bd4e3c7c5 + 9 | 76 | fbd7939d674997cdb4692d34de8633c4 + 10 | 89 | 7647966b7343c29048673252e490f736 + 11 | 90 | 8613985ec49eb8f757ae6439e879bb2a + 12 | 94 | f4b9ec30ad9f68f89b29639786cb62ef +(12 rows) + +SELECT row_number() OVER (order by o), * FROM t1p_ones WHERE p like '%86%'; +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1p_ones" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p_ones column o" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p_ones column p" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.textlike(pg_catalog.text,pg_catalog.text)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.row_number()" + row_number | o | p +------------+---+---------------------------------- + 1 | 2 | c81e728d9d4c2f636f067f89cc14862c +(1 row) + +SELECT row_number() OVER (order by o), * FROM t1p_tens WHERE p like '%86%'; +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t1p_tens" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p_tens column o" +LOG: SELinux: allowed { select } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=unconfined_u:object_r:sepgsql_table_t:s0 tclass=db_column name="table t1p_tens column p" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.textlike(pg_catalog.text,pg_catalog.text)" +LOG: SELinux: allowed { execute } scontext=unconfined_u:unconfined_r:sepgsql_regtest_superuser_t:s0-s0:c0.c255 tcontext=system_u:object_r:sepgsql_proc_exec_t:s0 tclass=db_procedure name="pg_catalog.row_number()" + row_number | o | p +------------+----+---------------------------------- + 1 | 17 | 70efdf2ec9b086079795c442636b55fb + 2 | 22 | b6d767d2f8ed5d21a44b0e5886680cb9 + 3 | 27 | 02e74f10e0327ad868d138f2b4fdd6f0 + 4 | 33 | 182be0c5cdcd5072bb1864cdee4d3d6e + 5 | 43 | 17e62166fc8586dfa4d1bc0e1742c08b + 6 | 54 | a684eceee76fc522773286a895bc8436 + 7 | 73 | d2ddea18f00665ce8623e36bd4e3c7c5 + 8 | 76 | fbd7939d674997cdb4692d34de8633c4 + 9 | 89 | 7647966b7343c29048673252e490f736 + 10 | 90 | 8613985ec49eb8f757ae6439e879bb2a + 11 | 94 | f4b9ec30ad9f68f89b29639786cb62ef +(11 rows) + RESET sepgsql.debug_audit; RESET client_min_messages; -- -- Cleanup -- DROP TABLE IF EXISTS t1 CASCADE; +DROP TABLE IF EXISTS t1p CASCADE; diff --git a/contrib/sepgsql/hooks.c b/contrib/sepgsql/hooks.c index 4119322238..dadf99e74b 100644 --- a/contrib/sepgsql/hooks.c +++ b/contrib/sepgsql/hooks.c @@ -4,7 +4,7 @@ * * Entrypoints of the hooks in PostgreSQL, and dispatches the callbacks. * - * Copyright (c) 2010-2016, PostgreSQL Global Development Group + * Copyright (c) 2010-2017, PostgreSQL Global Development Group * * ------------------------------------------------------------------------- */ @@ -22,6 +22,7 @@ #include "miscadmin.h" #include "tcop/utility.h" #include "utils/guc.h" +#include "utils/queryenvironment.h" #include "sepgsql.h" @@ -297,16 +298,18 @@ sepgsql_exec_check_perms(List *rangeTabls, bool abort) * break whole of the things if nefarious user would use. */ static void -sepgsql_utility_command(Node *parsetree, +sepgsql_utility_command(PlannedStmt *pstmt, const char *queryString, ProcessUtilityContext context, ParamListInfo params, + QueryEnvironment *queryEnv, DestReceiver *dest, #ifdef PGXC bool sentToRemote, #endif /* PGXC */ char *completionTag) { + Node *parsetree = pstmt->utilityStmt; sepgsql_context_info_t saved_context_info = sepgsql_context_info; ListCell *cell; @@ -365,20 +368,16 @@ sepgsql_utility_command(Node *parsetree, } if (next_ProcessUtility_hook) - (*next_ProcessUtility_hook) (parsetree, queryString, - context, params, + (*next_ProcessUtility_hook) (pstmt, queryString, + context, params, queryEnv, dest, -#ifdef PGXC sentToRemote, -#endif completionTag); else - standard_ProcessUtility(parsetree, queryString, - context, params, + standard_ProcessUtility(pstmt, queryString, + context, params, queryEnv, dest, -#ifdef PGXC sentToRemote, -#endif completionTag); } PG_CATCH(); diff --git a/contrib/sepgsql/label.c b/contrib/sepgsql/label.c index e12a0e8cb6..6239800189 100644 --- a/contrib/sepgsql/label.c +++ b/contrib/sepgsql/label.c @@ -4,12 +4,22 @@ * * Routines to support SELinux labels (security context) * - * Copyright (c) 2010-2016, PostgreSQL Global Development Group + * Copyright (c) 2010-2017, PostgreSQL Global Development Group * * ------------------------------------------------------------------------- */ #include "postgres.h" +#include <selinux/label.h> + +/* + * <selinux/label.h> includes <stdbool.h>, which creates an incompatible + * #define for bool. Get rid of that so we can use our own typedef. + * (We don't care if <stdbool.h> redefines "true"/"false"; those are close + * enough.) + */ +#undef bool + #include "access/heapam.h" #include "access/htup_details.h" #include "access/genam.h" @@ -37,8 +47,6 @@ #include "sepgsql.h" -#include <selinux/label.h> - /* * Saved hook entries (if stacked) */ @@ -590,7 +598,7 @@ PG_FUNCTION_INFO_V1(sepgsql_mcstrans_in); Datum sepgsql_mcstrans_in(PG_FUNCTION_ARGS) { - text *label = PG_GETARG_TEXT_P(0); + text *label = PG_GETARG_TEXT_PP(0); char *raw_label; char *result; @@ -630,7 +638,7 @@ PG_FUNCTION_INFO_V1(sepgsql_mcstrans_out); Datum sepgsql_mcstrans_out(PG_FUNCTION_ARGS) { - text *label = PG_GETARG_TEXT_P(0); + text *label = PG_GETARG_TEXT_PP(0); char *qual_label; char *result; @@ -779,7 +787,8 @@ exec_object_restorecon(struct selabel_handle * sehnd, Oid catalogId) case RelationRelationId: relForm = (Form_pg_class) GETSTRUCT(tuple); - if (relForm->relkind == RELKIND_RELATION) + if (relForm->relkind == RELKIND_RELATION || + relForm->relkind == RELKIND_PARTITIONED_TABLE) objtype = SELABEL_DB_TABLE; else if (relForm->relkind == RELKIND_SEQUENCE) objtype = SELABEL_DB_SEQUENCE; @@ -803,7 +812,8 @@ exec_object_restorecon(struct selabel_handle * sehnd, Oid catalogId) case AttributeRelationId: attForm = (Form_pg_attribute) GETSTRUCT(tuple); - if (get_rel_relkind(attForm->attrelid) != RELKIND_RELATION) + if (get_rel_relkind(attForm->attrelid) != RELKIND_RELATION && + get_rel_relkind(attForm->attrelid) != RELKIND_PARTITIONED_TABLE) continue; /* no need to assign security label */ objtype = SELABEL_DB_COLUMN; diff --git a/contrib/sepgsql/launcher b/contrib/sepgsql/launcher index eb827a0e0a..0fc96ea0d4 100755 --- a/contrib/sepgsql/launcher +++ b/contrib/sepgsql/launcher @@ -2,7 +2,7 @@ # # A wrapper script to launch psql command in regression test # -# Copyright (c) 2010-2016, PostgreSQL Global Development Group +# Copyright (c) 2010-2017, PostgreSQL Global Development Group # # ------------------------------------------------------------------------- diff --git a/contrib/sepgsql/proc.c b/contrib/sepgsql/proc.c index 9cc21f05b5..4ccf4a5e60 100644 --- a/contrib/sepgsql/proc.c +++ b/contrib/sepgsql/proc.c @@ -4,7 +4,7 @@ * * Routines corresponding to procedure objects * - * Copyright (c) 2010-2016, PostgreSQL Global Development Group + * Copyright (c) 2010-2017, PostgreSQL Global Development Group * * ------------------------------------------------------------------------- */ diff --git a/contrib/sepgsql/relation.c b/contrib/sepgsql/relation.c index 1f1ab04d39..59a6d9be6e 100644 --- a/contrib/sepgsql/relation.c +++ b/contrib/sepgsql/relation.c @@ -4,7 +4,7 @@ * * Routines corresponding to relation/attribute objects * - * Copyright (c) 2010-2016, PostgreSQL Global Development Group + * Copyright (c) 2010-2017, PostgreSQL Global Development Group * * ------------------------------------------------------------------------- */ @@ -54,12 +54,13 @@ sepgsql_attribute_post_create(Oid relOid, AttrNumber attnum) ObjectAddress object; Form_pg_attribute attForm; StringInfoData audit_name; + char relkind = get_rel_relkind(relOid); /* - * Only attributes within regular relation have individual security - * labels. + * Only attributes within regular relations or partition relations have + * individual security labels. */ - if (get_rel_relkind(relOid) != RELKIND_RELATION) + if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE) return; /* @@ -135,8 +136,9 @@ sepgsql_attribute_drop(Oid relOid, AttrNumber attnum) { ObjectAddress object; char *audit_name; + char relkind = get_rel_relkind(relOid); - if (get_rel_relkind(relOid) != RELKIND_RELATION) + if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE) return; /* @@ -167,8 +169,9 @@ sepgsql_attribute_relabel(Oid relOid, AttrNumber attnum, { ObjectAddress object; char *audit_name; + char relkind = get_rel_relkind(relOid); - if (get_rel_relkind(relOid) != RELKIND_RELATION) + if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE) ereport(ERROR, (errcode(ERRCODE_WRONG_OBJECT_TYPE), errmsg("cannot set security label on non-regular columns"))); @@ -209,8 +212,9 @@ sepgsql_attribute_setattr(Oid relOid, AttrNumber attnum) { ObjectAddress object; char *audit_name; + char relkind = get_rel_relkind(relOid); - if (get_rel_relkind(relOid) != RELKIND_RELATION) + if (relkind != RELKIND_RELATION && relkind != RELKIND_PARTITIONED_TABLE) return; /* @@ -243,7 +247,7 @@ sepgsql_relation_post_create(Oid relOid) HeapTuple tuple; Form_pg_class classForm; ObjectAddress object; - uint16 tclass; + uint16_t tclass; char *scontext; /* subject */ char *tcontext; /* schema */ char *rcontext; /* relation */ @@ -291,6 +295,7 @@ sepgsql_relation_post_create(Oid relOid) switch (classForm->relkind) { case RELKIND_RELATION: + case RELKIND_PARTITIONED_TABLE: tclass = SEPG_CLASS_DB_TABLE; break; case RELKIND_SEQUENCE: @@ -333,7 +338,8 @@ sepgsql_relation_post_create(Oid relOid) true); /* - * Assign the default security label on the new relation + * Assign the default security label on the new regular or partitioned + * relation. */ object.classId = RelationRelationId; object.objectId = relOid; @@ -341,10 +347,10 @@ sepgsql_relation_post_create(Oid relOid) SetSecurityLabel(&object, SEPGSQL_LABEL_TAG, rcontext); /* - * We also assigns a default security label on columns of the new regular - * tables. + * We also assign a default security label on columns of a new table. */ - if (classForm->relkind == RELKIND_RELATION) + if (classForm->relkind == RELKIND_RELATION || + classForm->relkind == RELKIND_PARTITIONED_TABLE) { Relation arel; ScanKeyData akey; @@ -413,13 +419,13 @@ sepgsql_relation_drop(Oid relOid) { ObjectAddress object; char *audit_name; - uint16_t tclass; - char relkind; + uint16_t tclass = 0; + char relkind = get_rel_relkind(relOid); - relkind = get_rel_relkind(relOid); switch (relkind) { case RELKIND_RELATION: + case RELKIND_PARTITIONED_TABLE: tclass = SEPG_CLASS_DB_TABLE; break; case RELKIND_SEQUENCE: @@ -479,7 +485,7 @@ sepgsql_relation_drop(Oid relOid) /* * check db_column:{drop} permission */ - if (relkind == RELKIND_RELATION) + if (relkind == RELKIND_RELATION || relkind == RELKIND_PARTITIONED_TABLE) { Form_pg_attribute attForm; CatCList *attrList; @@ -521,11 +527,10 @@ sepgsql_relation_relabel(Oid relOid, const char *seclabel) { ObjectAddress object; char *audit_name; - char relkind; + char relkind = get_rel_relkind(relOid); uint16_t tclass = 0; - relkind = get_rel_relkind(relOid); - if (relkind == RELKIND_RELATION) + if (relkind == RELKIND_RELATION || relkind == RELKIND_PARTITIONED_TABLE) tclass = SEPG_CLASS_DB_TABLE; else if (relkind == RELKIND_SEQUENCE) tclass = SEPG_CLASS_DB_SEQUENCE; @@ -585,6 +590,7 @@ sepgsql_relation_setattr(Oid relOid) switch (get_rel_relkind(relOid)) { case RELKIND_RELATION: + case RELKIND_PARTITIONED_TABLE: tclass = SEPG_CLASS_DB_TABLE; break; case RELKIND_SEQUENCE: diff --git a/contrib/sepgsql/schema.c b/contrib/sepgsql/schema.c index 5285fc5452..940384bf40 100644 --- a/contrib/sepgsql/schema.c +++ b/contrib/sepgsql/schema.c @@ -4,7 +4,7 @@ * * Routines corresponding to schema objects * - * Copyright (c) 2010-2016, PostgreSQL Global Development Group + * Copyright (c) 2010-2017, PostgreSQL Global Development Group * * ------------------------------------------------------------------------- */ diff --git a/contrib/sepgsql/selinux.c b/contrib/sepgsql/selinux.c index b0b9fadede..7728a18333 100644 --- a/contrib/sepgsql/selinux.c +++ b/contrib/sepgsql/selinux.c @@ -5,7 +5,7 @@ * Interactions between userspace and selinux in kernelspace, * using libselinux api. * - * Copyright (c) 2010-2016, PostgreSQL Global Development Group + * Copyright (c) 2010-2017, PostgreSQL Global Development Group * * ------------------------------------------------------------------------- */ @@ -23,7 +23,7 @@ * When we ask SELinux whether the required privileges are allowed or not, * we use security_compute_av(3). It needs us to represent object classes * and access vectors using 'external' codes defined in the security policy. - * It is determinded in the runtime, not build time. So, it needs an internal + * It is determined in the runtime, not build time. So, it needs an internal * service to translate object class/access vectors which we want to check * into the code which kernel want to be given. */ diff --git a/contrib/sepgsql/sepgsql.h b/contrib/sepgsql/sepgsql.h index c080716f8f..9d245c2780 100644 --- a/contrib/sepgsql/sepgsql.h +++ b/contrib/sepgsql/sepgsql.h @@ -4,7 +4,7 @@ * * Definitions corresponding to SE-PostgreSQL * - * Copyright (c) 2010-2016, PostgreSQL Global Development Group + * Copyright (c) 2010-2017, PostgreSQL Global Development Group * * ------------------------------------------------------------------------- */ @@ -276,12 +276,6 @@ extern char *sepgsql_get_label(Oid relOid, Oid objOid, int32 subId); extern void sepgsql_object_relabel(const ObjectAddress *object, const char *seclabel); -extern Datum sepgsql_getcon(PG_FUNCTION_ARGS); -extern Datum sepgsql_setcon(PG_FUNCTION_ARGS); -extern Datum sepgsql_mcstrans_in(PG_FUNCTION_ARGS); -extern Datum sepgsql_mcstrans_out(PG_FUNCTION_ARGS); -extern Datum sepgsql_restorecon(PG_FUNCTION_ARGS); - /* * dml.c */ diff --git a/contrib/sepgsql/sql/alter.sql b/contrib/sepgsql/sql/alter.sql index 0bd35279fa..14000eaaee 100644 --- a/contrib/sepgsql/sql/alter.sql +++ b/contrib/sepgsql/sql/alter.sql @@ -32,6 +32,15 @@ CREATE TABLE regtest_table_2 (c text) inherits (regtest_table_1); CREATE TABLE regtest_table_3 (x int primary key, y text); +--- +-- partitioned table parent +CREATE TABLE regtest_ptable_1 (o int, p text) PARTITION BY RANGE (o); + +-- partitioned table children +CREATE TABLE regtest_ptable_1_ones PARTITION OF regtest_ptable_1 FOR VALUES FROM ('0') TO ('10'); +CREATE TABLE regtest_ptable_1_tens PARTITION OF regtest_ptable_1 FOR VALUES FROM ('10') TO ('100'); +--- + CREATE SEQUENCE regtest_seq_1; CREATE VIEW regtest_view_1 AS SELECT * FROM regtest_table_1 WHERE a > 0; @@ -55,6 +64,8 @@ ALTER SCHEMA regtest_schema_1 OWNER TO regress_sepgsql_test_user; ALTER SCHEMA regtest_schema_1 OWNER TO regress_sepgsql_test_user; ALTER TABLE regtest_table_1 OWNER TO regress_sepgsql_test_user; ALTER TABLE regtest_table_1 OWNER TO regress_sepgsql_test_user; +ALTER TABLE regtest_ptable_1 OWNER TO regress_sepgsql_test_user; +ALTER TABLE regtest_ptable_1_ones OWNER TO regress_sepgsql_test_user; ALTER SEQUENCE regtest_seq_1 OWNER TO regress_sepgsql_test_user; ALTER SEQUENCE regtest_seq_1 OWNER TO regress_sepgsql_test_user; ALTER VIEW regtest_view_1 OWNER TO regress_sepgsql_test_user; @@ -66,6 +77,8 @@ ALTER FUNCTION regtest_func_1(text) OWNER TO regress_sepgsql_test_user; -- ALTER xxx SET SCHEMA -- ALTER TABLE regtest_table_1 SET SCHEMA regtest_schema_2; +ALTER TABLE regtest_ptable_1 SET SCHEMA regtest_schema_2; +ALTER TABLE regtest_ptable_1_ones SET SCHEMA regtest_schema_2; ALTER SEQUENCE regtest_seq_1 SET SCHEMA regtest_schema_2; ALTER VIEW regtest_view_1 SET SCHEMA regtest_schema_2; ALTER FUNCTION regtest_func_1(text) SET SCHEMA regtest_schema_2; @@ -76,6 +89,14 @@ ALTER FUNCTION regtest_func_1(text) SET SCHEMA regtest_schema_2; ALTER DATABASE sepgsql_test_regression_1 RENAME TO sepgsql_test_regression; ALTER SCHEMA regtest_schema_1 RENAME TO regtest_schema; ALTER TABLE regtest_table_1 RENAME TO regtest_table; + +--- +-- partitioned table parent +ALTER TABLE regtest_ptable_1 RENAME TO regtest_ptable; +-- partitioned table child +ALTER TABLE regtest_ptable_1_ones RENAME TO regtest_table_part; +--- + ALTER SEQUENCE regtest_seq_1 RENAME TO regtest_seq; ALTER VIEW regtest_view_1 RENAME TO regtest_view; ALTER FUNCTION regtest_func_1(text) RENAME TO regtest_func; @@ -121,6 +142,50 @@ ALTER TABLE regtest_table_2 NO INHERIT regtest_table; -- not supported ALTER TABLE regtest_table_2 INHERIT regtest_table; -- not supported ALTER TABLE regtest_table SET TABLESPACE pg_default; +--- +-- partitioned table parent +ALTER TABLE regtest_ptable ADD COLUMN d float; +ALTER TABLE regtest_ptable DROP COLUMN d; +ALTER TABLE regtest_ptable ALTER p SET DEFAULT 'abcd'; -- not supported by sepgsql +ALTER TABLE regtest_ptable ALTER p SET DEFAULT 'XYZ'; -- not supported by sepgsql +ALTER TABLE regtest_ptable ALTER p DROP DEFAULT; -- not supported by sepgsql +ALTER TABLE regtest_ptable ALTER p SET NOT NULL; +ALTER TABLE regtest_ptable ALTER p DROP NOT NULL; +ALTER TABLE regtest_ptable ALTER p SET STATISTICS -1; +ALTER TABLE regtest_ptable ALTER p SET (n_distinct = 999); +ALTER TABLE regtest_ptable ALTER p SET STORAGE PLAIN; +ALTER TABLE regtest_ptable ADD CONSTRAINT test_ck CHECK (p like '%abc%') NOT VALID; -- not supported by sepgsql +ALTER TABLE regtest_ptable DROP CONSTRAINT test_ck; -- not supported by sepgsql + +ALTER TABLE regtest_ptable SET WITH OIDS; +ALTER TABLE regtest_ptable SET WITHOUT OIDS; +ALTER TABLE regtest_ptable SET TABLESPACE pg_default; + +-- partitioned table child +ALTER TABLE regtest_table_part ALTER p SET DEFAULT 'abcd'; -- not supported by sepgsql +ALTER TABLE regtest_table_part ALTER p SET DEFAULT 'XYZ'; -- not supported by sepgsql +ALTER TABLE regtest_table_part ALTER p DROP DEFAULT; -- not supported by sepgsql +ALTER TABLE regtest_table_part ALTER p SET NOT NULL; +ALTER TABLE regtest_table_part ALTER p DROP NOT NULL; +ALTER TABLE regtest_table_part ALTER p SET STATISTICS -1; +ALTER TABLE regtest_table_part ALTER p SET (n_distinct = 999); +ALTER TABLE regtest_table_part ALTER p SET STORAGE PLAIN; +ALTER TABLE regtest_table_part ADD CONSTRAINT test_ck CHECK (p like '%abc%') NOT VALID; -- not supported by sepgsql +ALTER TABLE regtest_table_part VALIDATE CONSTRAINT test_ck; -- not supported by sepgsql +ALTER TABLE regtest_table_part DROP CONSTRAINT test_ck; -- not supported by sepgsql + +CREATE TRIGGER regtest_part_test_trig BEFORE UPDATE ON regtest_table_part + FOR EACH ROW EXECUTE PROCEDURE suppress_redundant_updates_trigger(); + +ALTER TABLE regtest_table_part DISABLE TRIGGER regtest_part_test_trig; -- not supported by sepgsql +ALTER TABLE regtest_table_part ENABLE TRIGGER regtest_part_test_trig; -- not supported by sepgsql + +ALTER TABLE regtest_table_part SET (fillfactor = 75); +ALTER TABLE regtest_table_part RESET (fillfactor); + +ALTER TABLE regtest_table_part SET TABLESPACE pg_default; +--- + ALTER VIEW regtest_view SET (security_barrier); ALTER SEQUENCE regtest_seq INCREMENT BY 10 START WITH 1000; diff --git a/contrib/sepgsql/sql/ddl.sql b/contrib/sepgsql/sql/ddl.sql index 2fc66e4c37..ae431f6cd2 100644 --- a/contrib/sepgsql/sql/ddl.sql +++ b/contrib/sepgsql/sql/ddl.sql @@ -32,13 +32,21 @@ ALTER TABLE regtest_table ADD COLUMN z int; CREATE TABLE regtest_table_2 (a int) WITH OIDS; +CREATE TABLE regtest_ptable (a int) PARTITION BY RANGE (a); +CREATE TABLE regtest_ptable_ones PARTITION OF regtest_ptable FOR VALUES FROM ('0') TO ('10'); +CREATE TABLE regtest_ptable_tens PARTITION OF regtest_ptable FOR VALUES FROM ('10') TO ('100'); + +ALTER TABLE regtest_ptable ADD COLUMN q int; + -- corresponding toast table should not have label and permission checks ALTER TABLE regtest_table_2 ADD COLUMN b text; -- VACUUM FULL internally create a new table and swap them later. VACUUM FULL regtest_table; +VACUUM FULL regtest_ptable; CREATE VIEW regtest_view AS SELECT * FROM regtest_table WHERE x < 100; +CREATE VIEW regtest_pview AS SELECT * FROM regtest_ptable WHERE a < 99; CREATE SEQUENCE regtest_seq; @@ -57,8 +65,12 @@ SET SESSION AUTHORIZATION regress_sepgsql_test_user; SET search_path = regtest_schema, public; CREATE TABLE regtest_table_3 (x int, y serial); +CREATE TABLE regtest_ptable_3 (o int, p serial) PARTITION BY RANGE (o); +CREATE TABLE regtest_ptable_3_ones PARTITION OF regtest_ptable_3 FOR VALUES FROM ('0') to ('10'); +CREATE TABLE regtest_ptable_3_tens PARTITION OF regtest_ptable_3 FOR VALUES FROM ('10') to ('100'); CREATE VIEW regtest_view_2 AS SELECT * FROM regtest_table_3 WHERE x < y; +CREATE VIEW regtest_pview_2 AS SELECT * FROM regtest_ptable_3 WHERE o < p; CREATE FUNCTION regtest_func_2(int) RETURNS bool LANGUAGE plpgsql AS 'BEGIN RETURN $1 * $1 < 100; END'; @@ -77,6 +89,18 @@ ALTER TABLE regtest_table_4 ADD CONSTRAINT regtest_tbl4_con EXCLUDE USING btree (z WITH =); DROP TABLE regtest_table_4 CASCADE; +-- For partitioned tables +CREATE TABLE regtest_ptable_4 (x int, y int, z int) PARTITION BY RANGE (x); +CREATE TABLE regtest_ptable_4_ones PARTITION OF regtest_ptable_4 FOR VALUES FROM ('0') TO ('10'); + +CREATE INDEX regtest_pindex_tbl4_y ON regtest_ptable_4_ones(y); +CREATE INDEX regtest_pindex_tbl4_z ON regtest_ptable_4_ones(z); +ALTER TABLE regtest_ptable_4 ALTER COLUMN y TYPE float; +DROP INDEX regtest_pindex_tbl4_y; +ALTER TABLE regtest_ptable_4_ones + ADD CONSTRAINT regtest_ptbl4_con EXCLUDE USING btree (z WITH =); +DROP TABLE regtest_ptable_4 CASCADE; + -- -- DROP Permission checks (with clean-up) -- @@ -90,7 +114,10 @@ DROP VIEW regtest_view; ALTER TABLE regtest_table DROP COLUMN y; ALTER TABLE regtest_table_2 SET WITHOUT OIDS; +ALTER TABLE regtest_ptable DROP COLUMN q CASCADE; + DROP TABLE regtest_table; +DROP TABLE regtest_ptable CASCADE; DROP OWNED BY regress_sepgsql_test_user; diff --git a/contrib/sepgsql/sql/dml.sql b/contrib/sepgsql/sql/dml.sql index 7a64b9e213..19201f4b90 100644 --- a/contrib/sepgsql/sql/dml.sql +++ b/contrib/sepgsql/sql/dml.sql @@ -27,6 +27,26 @@ SECURITY LABEL ON COLUMN t5.e IS 'system_u:object_r:sepgsql_table_t:s0'; SECURITY LABEL ON COLUMN t5.f IS 'system_u:object_r:sepgsql_ro_table_t:s0'; SECURITY LABEL ON COLUMN t5.g IS 'system_u:object_r:sepgsql_secret_table_t:s0'; +--- +-- partitioned table parent +CREATE TABLE t1p (o int, p text, q text) PARTITION BY RANGE (o); +SECURITY LABEL ON TABLE t1p IS 'system_u:object_r:sepgsql_table_t:s0'; +SECURITY LABEL ON COLUMN t1p.o IS 'system_u:object_r:sepgsql_table_t:s0'; +SECURITY LABEL ON COLUMN t1p.p IS 'system_u:object_r:sepgsql_ro_table_t:s0'; +SECURITY LABEL ON COLUMN t1p.q IS 'system_u:object_r:sepgsql_secret_table_t:s0'; + +-- partitioned table children +CREATE TABLE t1p_ones PARTITION OF t1p FOR VALUES FROM ('0') TO ('10'); +SECURITY LABEL ON COLUMN t1p_ones.o IS 'system_u:object_r:sepgsql_table_t:s0'; +SECURITY LABEL ON COLUMN t1p_ones.p IS 'system_u:object_r:sepgsql_ro_table_t:s0'; +SECURITY LABEL ON COLUMN t1p_ones.q IS 'system_u:object_r:sepgsql_secret_table_t:s0'; +CREATE TABLE t1p_tens PARTITION OF t1p FOR VALUES FROM ('10') TO ('100'); +SECURITY LABEL ON COLUMN t1p_tens.o IS 'system_u:object_r:sepgsql_table_t:s0'; +SECURITY LABEL ON COLUMN t1p_tens.p IS 'system_u:object_r:sepgsql_ro_table_t:s0'; +SECURITY LABEL ON COLUMN t1p_tens.q IS 'system_u:object_r:sepgsql_secret_table_t:s0'; + +--- + CREATE TABLE customer (cid int primary key, cname text, ccredit text); SECURITY LABEL ON COLUMN customer.ccredit IS 'system_u:object_r:sepgsql_secret_table_t:s0'; INSERT INTO customer VALUES (1, 'Taro', '1111-2222-3333-4444'), @@ -40,13 +60,22 @@ SECURITY LABEL ON FUNCTION customer_credit(int) SELECT objtype, objname, label FROM pg_seclabels WHERE provider = 'selinux' AND objtype in ('table', 'column') - AND objname in ('t1', 't2', 't3', 't4', 't5', 't5.e', 't5.f', 't5.g') -ORDER BY objname; + AND objname in ('t1', 't2', 't3', 't4', + 't5', 't5.e', 't5.f', 't5.g', + 't1p', 't1p.o', 't1p.p', 't1p.q', + 't1p_ones', 't1p_ones.o', 't1p_ones.p', 't1p_ones.q', + 't1p_tens', 't1p_tens.o', 't1p_tens.p', 't1p_tens.q') +ORDER BY objname COLLATE "C"; CREATE SCHEMA my_schema_1; CREATE TABLE my_schema_1.ts1 (a int, b text); +CREATE TABLE my_schema_1.pts1 (o int, p text) PARTITION BY RANGE (o); +CREATE TABLE my_schema_1.pts1_ones PARTITION OF my_schema_1.pts1 FOR VALUES FROM ('0') to ('10'); + CREATE SCHEMA my_schema_2; CREATE TABLE my_schema_2.ts2 (x int, y text); +CREATE TABLE my_schema_2.pts2 (o int, p text) PARTITION BY RANGE (o); +CREATE TABLE my_schema_2.pts2_tens PARTITION OF my_schema_2.pts2 FOR VALUES FROM ('10') to ('100'); SECURITY LABEL ON SCHEMA my_schema_2 IS 'system_u:object_r:sepgsql_regtest_invisible_schema_t:s0'; @@ -67,12 +96,36 @@ SELECT * FROM t4; -- failed SELECT * FROM t5; -- failed SELECT e,f FROM t5; -- ok -SELECT * FROM customer; -- failed +--- +-- partitioned table parent +SELECT * FROM t1p; -- failed +SELECT o,p FROM t1p; -- ok +--partitioned table children +SELECT * FROM t1p_ones; -- failed +SELECT o FROM t1p_ones; -- ok +SELECT o,p FROM t1p_ones; -- ok +SELECT * FROM t1p_tens; -- failed +SELECT o FROM t1p_tens; -- ok +SELECT o,p FROM t1p_tens; -- ok +--- + +SELECT * FROM customer; -- failed SELECT cid, cname, customer_credit(cid) FROM customer; -- ok -SELECT count(*) FROM t5; -- ok +SELECT count(*) FROM t5; -- ok SELECT count(*) FROM t5 WHERE g IS NULL; -- failed +--- +-- partitioned table parent +SELECT count(*) FROM t1p; -- ok +SELECT count(*) FROM t1p WHERE q IS NULL; -- failed +-- partitioned table children +SELECT count(*) FROM t1p_ones; -- ok +SELECT count(*) FROM t1p_ones WHERE q IS NULL; -- failed +SELECT count(*) FROM t1p_tens; -- ok +SELECT count(*) FROM t1p_tens WHERE q IS NULL; -- failed +--- + INSERT INTO t1 VALUES (4, 'abc'); -- ok INSERT INTO t2 VALUES (4, 'xyz'); -- failed INSERT INTO t3 VALUES (4, 'stu'); -- ok @@ -81,6 +134,19 @@ INSERT INTO t5 VALUES (1,2,3); -- failed INSERT INTO t5 (e,f) VALUES ('abc', 'def'); -- failed INSERT INTO t5 (e) VALUES ('abc'); -- ok +--- +-- partitioned table parent +INSERT INTO t1p (o,p) VALUES (9, 'mno'); -- failed +INSERT INTO t1p (o) VALUES (9); -- ok +INSERT INTO t1p (o,p) VALUES (99, 'pqr'); -- failed +INSERT INTO t1p (o) VALUES (99); -- ok +-- partitioned table children +INSERT INTO t1p_ones (o,p) VALUES (9, 'mno'); -- failed +INSERT INTO t1p_ones (o) VALUES (9); -- ok +INSERT INTO t1p_tens (o,p) VALUES (99, 'pqr'); -- failed +INSERT INTO t1p_tens (o) VALUES (99); -- ok +--- + UPDATE t1 SET b = b || '_upd'; -- ok UPDATE t2 SET y = y || '_upd'; -- failed UPDATE t3 SET t = t || '_upd'; -- failed @@ -89,6 +155,21 @@ UPDATE t5 SET e = 'xyz'; -- ok UPDATE t5 SET e = f || '_upd'; -- ok UPDATE t5 SET e = g || '_upd'; -- failed +--- +-- partitioned table parent +UPDATE t1p SET o = 9 WHERE o < 10; -- ok +UPDATE t1p SET o = 99 WHERE o >= 10; -- ok +UPDATE t1p SET o = ascii(COALESCE(p,'upd'))%10 WHERE o < 10; -- ok +UPDATE t1p SET o = ascii(COALESCE(q,'upd'))%100 WHERE o >= 10; -- failed +-- partitioned table children +UPDATE t1p_ones SET o = 9; -- ok +UPDATE t1p_ones SET o = ascii(COALESCE(p,'upd'))%10; -- ok +UPDATE t1p_ones SET o = ascii(COALESCE(q,'upd'))%10; -- failed +UPDATE t1p_tens SET o = 99; -- ok +UPDATE t1p_tens SET o = ascii(COALESCE(p,'upd'))%100; -- ok +UPDATE t1p_tens SET o = ascii(COALESCE(q,'upd'))%100; -- failed +--- + DELETE FROM t1; -- ok DELETE FROM t2; -- failed DELETE FROM t3; -- failed @@ -97,6 +178,18 @@ DELETE FROM t5; -- ok DELETE FROM t5 WHERE f IS NULL; -- ok DELETE FROM t5 WHERE g IS NULL; -- failed +--- +-- partitioned table parent +DELETE FROM t1p; -- ok +DELETE FROM t1p WHERE p IS NULL; -- ok +DELETE FROM t1p WHERE q IS NULL; -- failed +-- partitioned table children +DELETE FROM t1p_ones WHERE p IS NULL; -- ok +DELETE FROM t1p_ones WHERE q IS NULL; -- failed; +DELETE FROM t1p_tens WHERE p IS NULL; -- ok +DELETE FROM t1p_tens WHERE q IS NULL; -- failed +--- + -- -- COPY TO/FROM statements -- @@ -107,6 +200,17 @@ COPY t4 TO '/dev/null'; -- failed COPY t5 TO '/dev/null'; -- failed COPY t5(e,f) TO '/dev/null'; -- ok +--- +-- partitioned table parent +COPY (SELECT * FROM t1p) TO '/dev/null'; -- failed +COPY (SELECT (o,p) FROM t1p) TO '/dev/null'; -- ok +-- partitioned table children +COPY t1p_ones TO '/dev/null'; -- failed +COPY t1p_ones(o,p) TO '/dev/null'; -- ok +COPY t1p_tens TO '/dev/null'; -- failed +COPY t1p_tens(o,p) TO '/dev/null'; -- ok +--- + COPY t1 FROM '/dev/null'; -- ok COPY t2 FROM '/dev/null'; -- failed COPY t3 FROM '/dev/null'; -- ok @@ -115,6 +219,17 @@ COPY t5 FROM '/dev/null'; -- failed COPY t5 (e,f) FROM '/dev/null'; -- failed COPY t5 (e) FROM '/dev/null'; -- ok +--- +-- partitioned table parent +COPY t1p FROM '/dev/null'; -- failed +COPY t1p (o) FROM '/dev/null'; -- ok +-- partitioned table children +COPY t1p_ones FROM '/dev/null'; -- failed +COPY t1p_ones (o) FROM '/dev/null'; -- ok +COPY t1p_tens FROM '/dev/null'; -- failed +COPY t1p_tens (o) FROM '/dev/null'; -- ok +--- + -- -- Schema search path -- @@ -132,6 +247,7 @@ DROP TABLE IF EXISTS t2 CASCADE; DROP TABLE IF EXISTS t3 CASCADE; DROP TABLE IF EXISTS t4 CASCADE; DROP TABLE IF EXISTS t5 CASCADE; +DROP TABLE IF EXISTS t1p CASCADE; DROP TABLE IF EXISTS customer CASCADE; DROP SCHEMA IF EXISTS my_schema_1 CASCADE; DROP SCHEMA IF EXISTS my_schema_2 CASCADE; diff --git a/contrib/sepgsql/sql/label.sql b/contrib/sepgsql/sql/label.sql index 04085e57a4..d19c6edb4c 100644 --- a/contrib/sepgsql/sql/label.sql +++ b/contrib/sepgsql/sql/label.sql @@ -64,6 +64,22 @@ INSERT INTO var_tbl VALUES (2,'xxx'), (3,'yyy'), (4,'zzz'), (5,'xyz'); SECURITY LABEL ON TABLE var_tbl IS 'system_u:object_r:sepgsql_regtest_var_table_t:s0'; +CREATE TABLE foo_ptbl(o int, p text) PARTITION BY RANGE (o); +CREATE TABLE foo_ptbl_ones PARTITION OF foo_ptbl FOR VALUES FROM ('0') TO ('10'); +CREATE TABLE foo_ptbl_tens PARTITION OF foo_ptbl FOR VALUES FROM ('10') TO ('100'); + +INSERT INTO foo_ptbl VALUES (0, 'aaa'), (9,'bbb'), (10,'ccc'), (99,'ddd'); +SECURITY LABEL ON TABLE foo_ptbl + IS 'system_u:object_r:sepgsql_regtest_foo_table_t:s0'; + +CREATE TABLE var_ptbl(q int, r text) PARTITION BY RANGE (q); +CREATE TABLE var_ptbl_ones PARTITION OF var_ptbl FOR VALUES FROM ('0') TO ('10'); +CREATE TABLE var_ptbl_tens PARTITION OF var_ptbl FOR VALUES FROM ('10') TO ('100'); + +INSERT INTO var_ptbl VALUES (0,'xxx'), (9,'yyy'), (10,'zzz'), (99,'xyz'); +SECURITY LABEL ON TABLE var_ptbl + IS 'system_u:object_r:sepgsql_regtest_var_table_t:s0'; + -- -- Tests for default labeling behavior -- @@ -75,10 +91,30 @@ INSERT INTO t3 VALUES (1, 'sss'), (2, 'ttt'), (3, 'uuu'); CREATE TABLE t4 (m int, n text); INSERT INTO t4 VALUES (1,'mmm'), (2,'nnn'), (3,'ooo'); +-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_user_t:s0 +CREATE TABLE tpart (o int, p text) PARTITION BY RANGE (o); + +CREATE TABLE tpart_ones PARTITION OF tpart FOR VALUES FROM ('0') TO ('10'); +-- @SECURITY-CONTEXT=unconfined_u:unconfined_r:sepgsql_regtest_dba_t:s0 +CREATE TABLE tpart_tens PARTITION OF tpart FOR VALUES FROM ('10') TO ('100'); + +INSERT INTO tpart VALUES (0, 'aaa'); +INSERT INTO tpart VALUES (9, 'bbb'); +INSERT INTO tpart VALUES (99, 'ccc'); + SELECT objtype, objname, label FROM pg_seclabels - WHERE provider = 'selinux' AND objtype = 'table' AND objname in ('t1', 't2', 't3'); + WHERE provider = 'selinux' AND objtype = 'table' AND objname in ('t1', 't2', 't3', + 'tpart', + 'tpart_ones', + 'tpart_tens') + ORDER BY objname COLLATE "C" ASC; SELECT objtype, objname, label FROM pg_seclabels - WHERE provider = 'selinux' AND objtype = 'column' AND (objname like 't3.%' OR objname like 't4.%'); + WHERE provider = 'selinux' AND objtype = 'column' AND (objname like 't3.%' + OR objname like 't4.%' + OR objname like 'tpart.%' + OR objname like 'tpart_ones.%' + OR objname like 'tpart_tens.%') + ORDER BY objname COLLATE "C" ASC; -- -- Tests for SECURITY LABEL @@ -92,6 +128,14 @@ SECURITY LABEL ON COLUMN t2 IS 'system_u:object_r:sepgsql_ro_table_t:s0'; -- be failed SECURITY LABEL ON COLUMN t2.b IS 'system_u:object_r:sepgsql_ro_table_t:s0'; -- ok +SECURITY LABEL ON TABLE tpart + IS 'system_u:object_r:sepgsql_ro_table_t:s0'; -- ok +SECURITY LABEL ON TABLE tpart + IS 'invalid security context'; -- failed +SECURITY LABEL ON COLUMN tpart + IS 'system_u:object_r:sepgsql_ro_table_t:s0'; -- failed +SECURITY LABEL ON COLUMN tpart.o + IS 'system_u:object_r:sepgsql_ro_table_t:s0'; -- ok -- -- Tests for Trusted Procedures @@ -198,18 +242,22 @@ SELECT auth_func('foo', 'acbd18db4cc2f85cedef654fccc4a4d8'); SELECT sepgsql_getcon(); SELECT * FROM foo_tbl; -- OK +SELECT * FROM foo_ptbl; -- OK SELECT * FROM var_tbl; -- failed +SELECT * FROM var_ptbl; -- failed SELECT * FROM auth_tbl; -- failed SELECT sepgsql_setcon(NULL); -- end of session SELECT sepgsql_getcon(); --- the pooler cannot touch these tables directry +-- the pooler cannot touch these tables directly SELECT * FROM foo_tbl; -- failed +SELECT * FROM foo_ptbl; -- failed SELECT * FROM var_tbl; -- failed +SELECT * FROM var_ptbl; -- failed -- switch to "var" SELECT auth_func('var', 'b2145aac704ce76dbe1ac7adac535b23'); @@ -217,8 +265,10 @@ SELECT auth_func('var', 'b2145aac704ce76dbe1ac7adac535b23'); SELECT sepgsql_getcon(); SELECT * FROM foo_tbl; -- failed +SELECT * FROM foo_ptbl; -- failed SELECT * FROM var_tbl; -- OK +SELECT * FROM var_ptbl; -- OK SELECT * FROM auth_tbl; -- failed @@ -236,6 +286,7 @@ DROP TABLE IF EXISTS t1 CASCADE; DROP TABLE IF EXISTS t2 CASCADE; DROP TABLE IF EXISTS t3 CASCADE; DROP TABLE IF EXISTS t4 CASCADE; +DROP TABLE IF EXISTS tpart CASCADE; DROP FUNCTION IF EXISTS f1() CASCADE; DROP FUNCTION IF EXISTS f2() CASCADE; DROP FUNCTION IF EXISTS f3() CASCADE; diff --git a/contrib/sepgsql/sql/misc.sql b/contrib/sepgsql/sql/misc.sql index c277711781..bd5b6e27c2 100644 --- a/contrib/sepgsql/sql/misc.sql +++ b/contrib/sepgsql/sql/misc.sql @@ -10,17 +10,31 @@ LOAD '$libdir/sepgsql'; -- failed CREATE TABLE t1 (x int, y text); INSERT INTO t1 (SELECT x, md5(x::text) FROM generate_series(1,100) x); +CREATE TABLE t1p (o int, p text) PARTITION BY RANGE (o); +CREATE TABLE t1p_ones PARTITION OF t1p FOR VALUES FROM ('0') TO ('10'); +CREATE TABLE t1p_tens PARTITION OF t1p FOR VALUES FROM ('10') TO ('100'); +INSERT INTO t1p (SELECT x, md5(x::text) FROM generate_series(0,99) x); + SET sepgsql.debug_audit = on; SET client_min_messages = log; -- regular function and operators SELECT * FROM t1 WHERE x > 50 AND y like '%64%'; +SELECT * FROM t1p WHERE o > 50 AND p like '%64%'; +SELECT * FROM t1p_ones WHERE o > 50 AND p like '%64%'; +SELECT * FROM t1p_tens WHERE o > 50 AND p like '%64%'; -- aggregate function SELECT MIN(x), AVG(x) FROM t1; +SELECT MIN(o), AVG(o) FROM t1p; +SELECT MIN(o), AVG(o) FROM t1p_ones; +SELECT MIN(o), AVG(o) FROM t1p_tens; -- window function SELECT row_number() OVER (order by x), * FROM t1 WHERE y like '%86%'; +SELECT row_number() OVER (order by o), * FROM t1p WHERE p like '%86%'; +SELECT row_number() OVER (order by o), * FROM t1p_ones WHERE p like '%86%'; +SELECT row_number() OVER (order by o), * FROM t1p_tens WHERE p like '%86%'; RESET sepgsql.debug_audit; RESET client_min_messages; @@ -28,3 +42,4 @@ RESET client_min_messages; -- Cleanup -- DROP TABLE IF EXISTS t1 CASCADE; +DROP TABLE IF EXISTS t1p CASCADE; diff --git a/contrib/sepgsql/uavc.c b/contrib/sepgsql/uavc.c index 10fa9a0b0b..6fd58c7e42 100644 --- a/contrib/sepgsql/uavc.c +++ b/contrib/sepgsql/uavc.c @@ -6,7 +6,7 @@ * access control decisions recently used, and reduce number of kernel * invocations to avoid unnecessary performance hit. * - * Copyright (c) 2011-2016, PostgreSQL Global Development Group + * Copyright (c) 2011-2017, PostgreSQL Global Development Group * * ------------------------------------------------------------------------- */ @@ -498,13 +498,11 @@ sepgsql_avc_init(void) int rc; /* - * All the avc stuff shall be allocated on avc_mem_cxt + * All the avc stuff shall be allocated in avc_mem_cxt */ avc_mem_cxt = AllocSetContextCreate(TopMemoryContext, "userspace access vector cache", - ALLOCSET_DEFAULT_MINSIZE, - ALLOCSET_DEFAULT_INITSIZE, - ALLOCSET_DEFAULT_MAXSIZE); + ALLOCSET_DEFAULT_SIZES); memset(avc_slots, 0, sizeof(avc_slots)); avc_num_caches = 0; avc_lru_hint = 0; |