/*
* sepgsql_avc_unlabeled
*
* Returns an alternative label to be applied when no label or an invalid
* label would otherwise be assigned.
*/
static char *
sepgsql_avc_unlabeled(void)
{
if (!avc_unlabeled)
{
security_context_t unlabeled;
if (security_get_initial_context_raw("unlabeled", &unlabeled) < 0)
ereport(ERROR,
(errcode(ERRCODE_INTERNAL_ERROR),
errmsg("SELinux: failed to get initial security label: %m")));
PG_TRY();
{
avc_unlabeled = MemoryContextStrdup(avc_mem_cxt, unlabeled);
}
PG_CATCH();
{
freecon(unlabeled);
PG_RE_THROW();
}
PG_END_TRY();
freecon(unlabeled);
}
return avc_unlabeled;
}
/*
* sepgsql_get_label
*
* It returns a security context of the specified database object.
* If unlabeled or incorrectly labeled, the system "unlabeled" label
* shall be returned.
*/
char *
sepgsql_get_label(Oid classId, Oid objectId, int32 subId)
{
ObjectAddress object;
char *label;
object.classId = classId;
object.objectId = objectId;
object.objectSubId = subId;
label = GetSecurityLabel(&object, SEPGSQL_LABEL_TAG);
if (!label || security_check_context_raw((security_context_t)label))
{
security_context_t unlabeled;
if (security_get_initial_context_raw("unlabeled", &unlabeled) < 0)
ereport(ERROR,
(errcode(ERRCODE_INTERNAL_ERROR),
errmsg("SELinux: failed to get initial security label: %m")));
PG_TRY();
{
label = pstrdup(unlabeled);
}
PG_CATCH();
{
freecon(unlabeled);
PG_RE_THROW();
}
PG_END_TRY();
freecon(unlabeled);
}
return label;
}
int security_get_initial_context(const char * name, char ** con)
{
int ret;
char * rcon;
ret = security_get_initial_context_raw(name, &rcon);
if (!ret) {
ret = selinux_raw_to_trans_context(rcon, con);
freecon(rcon);
}
return ret;
}
