author | Robert Haas | 2013-03-28 19:38:35 +0000 |
---|---|---|
committer | Robert Haas | 2013-03-28 19:41:38 +0000 |
commit | 0f05840bf4c256b838eca8f1be9d7b5be82ccd0e (patch) | |
tree | 33f506bd41aad831419e63885a63a2200706344a /contrib/sepgsql/selinux.c | |
parent | ae7f1c3ef2eef9584e3c9a42c395eb0c0e59a5ed (diff) |
Allow sepgsql labels to depend on object name.
The main change here is to call security_compute_create_name_raw()
rather than security_compute_create_raw(). This ups the minimum
requirement for libselinux from 2.0.99 to 2.1.10, but it looks
like most distributions will have picked that up before 9.3 is out.
KaiGai Kohei
Diffstat (limited to 'contrib/sepgsql/selinux.c')
-rw-r--r-- | contrib/sepgsql/selinux.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/contrib/sepgsql/selinux.c b/contrib/sepgsql/selinux.c
index f70254f2a74..863f0c143ff 100644
--- a/contrib/sepgsql/selinux.c
+++ b/contrib/sepgsql/selinux.c
@@ -836,7 +836,8 @@ sepgsql_compute_avd(const char *scontext,
 char *
 sepgsql_compute_create(const char *scontext,
 const char *tcontext,
- uint16 tclass)
+ uint16 tclass,
+ const char *objname)
 {
 security_context_t ncontext;
 security_class_t tclass_ex;
@@ -853,9 +854,11 @@ sepgsql_compute_create(const char *scontext,
 * Ask SELinux what is the default context for the given object class on a
 * pair of security contexts
 */
- if (security_compute_create_raw((security_context_t) scontext,
- (security_context_t) tcontext,
- tclass_ex, &ncontext) < 0)
+ if (security_compute_create_name_raw((security_context_t) scontext,
+ (security_context_t) tcontext,
+ tclass_ex,
+ objname,
+ &ncontext) < 0)
 ereport(ERROR,
 (errcode(ERRCODE_INTERNAL_ERROR),
 errmsg("SELinux could not compute a new context: " |
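Review bot: The new `objname` parameter of `sepgsql_compute_create` in the first hunk has no stated contract. The visible lines do not say whether NULL is a valid value for objects without a name, or whether callers must pass the name as stored in the catalog rather than as the user typed it. The function's header comment sits above the hunk, so I cannot tell whether it was updated. I would add a line there such as `objname: name of the object being created, matched by SELinux against name-based type_transition rules; NULL when no name applies`, once NULL is confirmed to be accepted by libselinux. The name is chosen by the SQL user and now feeds a labelling decision, so the comment should also say that it is untrusted input interpreted only by the loaded policy.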
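Review bot: In the second hunk, the `ereport(ERROR, ...)` after `security_compute_create_name_raw()` still appears to carry the pre-change message, so a failure would not be logged with the object name that now takes part in the decision. Only the opening of the `errmsg` is visible, since the call runs past the end of the hunk, so this needs checking against the full function. If the message lists scontext, tcontext and tclass, I would append the name as well, guarded for the unnamed case, for example passing `objname ? objname : "(none)"` to an added `name=%s` field. That lets an administrator match a failed label computation in the server log to the policy rule involved.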