selinux_8c_source.html

 /* -------------------------------------------------------------------------

  *

  * contrib/sepgsql/selinux.c

  *

  * Interactions between userspace and selinux in kernelspace,

  * using libselinux api.

  *

  * Copyright (c) 2010-2023, PostgreSQL Global Development Group

  *

  * -------------------------------------------------------------------------

  */

 #include "postgres.h"


 #include "lib/stringinfo.h"


 #include "sepgsql.h"


 /*

  * selinux_catalog

  *

  * This mapping table enables to translate the name of object classes and

  * access vectors to/from their own codes.

  * When we ask SELinux whether the required privileges are allowed or not,

  * we use security_compute_av(3). It needs us to represent object classes

  * and access vectors using 'external' codes defined in the security policy.

  * It is determined in the runtime, not build time. So, it needs an internal

  * service to translate object class/access vectors which we want to check

  * into the code which kernel want to be given.

  */

 static struct

 {

     const char *class_name;

     uint16      class_code;

     struct

     {

         const char *av_name;

         uint32      av_code;

     }           av[32];

 }           selinux_catalog[] =


 {

     {

         "process", SEPG_CLASS_PROCESS,

         {

             {

                 "transition", SEPG_PROCESS__TRANSITION

             },

             {

                 "dyntransition", SEPG_PROCESS__DYNTRANSITION

             },

             {

                 "setcurrent", SEPG_PROCESS__SETCURRENT

             },

             {

                 NULL, 0UL

             }

         }

     },

     {

         "file", SEPG_CLASS_FILE,

         {

             {

                 "read", SEPG_FILE__READ

             },

             {

                 "write", SEPG_FILE__WRITE

             },

             {

                 "create", SEPG_FILE__CREATE

             },

             {

                 "getattr", SEPG_FILE__GETATTR

             },

             {

                 "unlink", SEPG_FILE__UNLINK

             },

             {

                 "rename", SEPG_FILE__RENAME

             },

             {

                 "append", SEPG_FILE__APPEND

             },

             {

                 NULL, 0UL

             }

         }

     },

     {

         "dir", SEPG_CLASS_DIR,

         {

             {

                 "read", SEPG_DIR__READ

             },

             {

                 "write", SEPG_DIR__WRITE

             },

             {

                 "create", SEPG_DIR__CREATE

             },

             {

                 "getattr", SEPG_DIR__GETATTR

             },

             {

                 "unlink", SEPG_DIR__UNLINK

             },

             {

                 "rename", SEPG_DIR__RENAME

             },

             {

                 "search", SEPG_DIR__SEARCH

             },

             {

                 "add_name", SEPG_DIR__ADD_NAME

             },

             {

                 "remove_name", SEPG_DIR__REMOVE_NAME

             },

             {

                 "rmdir", SEPG_DIR__RMDIR

             },

             {

                 "reparent", SEPG_DIR__REPARENT

             },

             {

                 NULL, 0UL

             }

         }

     },

     {

         "lnk_file", SEPG_CLASS_LNK_FILE,

         {

             {

                 "read", SEPG_LNK_FILE__READ

             },

             {

                 "write", SEPG_LNK_FILE__WRITE

             },

             {

                 "create", SEPG_LNK_FILE__CREATE

             },

             {

                 "getattr", SEPG_LNK_FILE__GETATTR

             },

             {

                 "unlink", SEPG_LNK_FILE__UNLINK

             },

             {

                 "rename", SEPG_LNK_FILE__RENAME

             },

             {

                 NULL, 0UL

             }

         }

     },

     {

         "chr_file", SEPG_CLASS_CHR_FILE,

         {

             {

                 "read", SEPG_CHR_FILE__READ

             },

             {

                 "write", SEPG_CHR_FILE__WRITE

             },

             {

                 "create", SEPG_CHR_FILE__CREATE

             },

             {

                 "getattr", SEPG_CHR_FILE__GETATTR

             },

             {

                 "unlink", SEPG_CHR_FILE__UNLINK

             },

             {

                 "rename", SEPG_CHR_FILE__RENAME

             },

             {

                 NULL, 0UL

             }

         }

     },

     {

         "blk_file", SEPG_CLASS_BLK_FILE,

         {

             {

                 "read", SEPG_BLK_FILE__READ

             },

             {

                 "write", SEPG_BLK_FILE__WRITE

             },

             {

                 "create", SEPG_BLK_FILE__CREATE

             },

             {

                 "getattr", SEPG_BLK_FILE__GETATTR

             },

             {

                 "unlink", SEPG_BLK_FILE__UNLINK

             },

             {

                 "rename", SEPG_BLK_FILE__RENAME

             },

             {

                 NULL, 0UL

             }

         }

     },

     {

         "sock_file", SEPG_CLASS_SOCK_FILE,

         {

             {

                 "read", SEPG_SOCK_FILE__READ

             },

             {

                 "write", SEPG_SOCK_FILE__WRITE

             },

             {

                 "create", SEPG_SOCK_FILE__CREATE

             },

             {

                 "getattr", SEPG_SOCK_FILE__GETATTR

             },

             {

                 "unlink", SEPG_SOCK_FILE__UNLINK

             },

             {

                 "rename", SEPG_SOCK_FILE__RENAME

             },

             {

                 NULL, 0UL

             }

         }

     },

     {

         "fifo_file", SEPG_CLASS_FIFO_FILE,

         {

             {

                 "read", SEPG_FIFO_FILE__READ

             },

             {

                 "write", SEPG_FIFO_FILE__WRITE

             },

             {

                 "create", SEPG_FIFO_FILE__CREATE

             },

             {

                 "getattr", SEPG_FIFO_FILE__GETATTR

             },

             {

                 "unlink", SEPG_FIFO_FILE__UNLINK

             },

             {

                 "rename", SEPG_FIFO_FILE__RENAME

             },

             {

                 NULL, 0UL

             }

         }

     },

     {

         "db_database", SEPG_CLASS_DB_DATABASE,

         {

             {

                 "create", SEPG_DB_DATABASE__CREATE

             },

             {

                 "drop", SEPG_DB_DATABASE__DROP

             },

             {

                 "getattr", SEPG_DB_DATABASE__GETATTR

             },

             {

                 "setattr", SEPG_DB_DATABASE__SETATTR

             },

             {

                 "relabelfrom", SEPG_DB_DATABASE__RELABELFROM

             },

             {

                 "relabelto", SEPG_DB_DATABASE__RELABELTO

             },

             {

                 "access", SEPG_DB_DATABASE__ACCESS

             },

             {

                 "load_module", SEPG_DB_DATABASE__LOAD_MODULE

             },

             {

                 NULL, 0UL

             },

         }

     },

     {

         "db_schema", SEPG_CLASS_DB_SCHEMA,

         {

             {

                 "create", SEPG_DB_SCHEMA__CREATE

             },

             {

                 "drop", SEPG_DB_SCHEMA__DROP

             },

             {

                 "getattr", SEPG_DB_SCHEMA__GETATTR

             },

             {

                 "setattr", SEPG_DB_SCHEMA__SETATTR

             },

             {

                 "relabelfrom", SEPG_DB_SCHEMA__RELABELFROM

             },

             {

                 "relabelto", SEPG_DB_SCHEMA__RELABELTO

             },

             {

                 "search", SEPG_DB_SCHEMA__SEARCH

             },

             {

                 "add_name", SEPG_DB_SCHEMA__ADD_NAME

             },

             {

                 "remove_name", SEPG_DB_SCHEMA__REMOVE_NAME

             },

             {

                 NULL, 0UL

             },

         }

     },

     {

         "db_table", SEPG_CLASS_DB_TABLE,

         {

             {

                 "create", SEPG_DB_TABLE__CREATE

             },

             {

                 "drop", SEPG_DB_TABLE__DROP

             },

             {

                 "getattr", SEPG_DB_TABLE__GETATTR

             },

             {

                 "setattr", SEPG_DB_TABLE__SETATTR

             },

             {

                 "relabelfrom", SEPG_DB_TABLE__RELABELFROM

             },

             {

                 "relabelto", SEPG_DB_TABLE__RELABELTO

             },

             {

                 "select", SEPG_DB_TABLE__SELECT

             },

             {

                 "update", SEPG_DB_TABLE__UPDATE

             },

             {

                 "insert", SEPG_DB_TABLE__INSERT

             },

             {

                 "delete", SEPG_DB_TABLE__DELETE

             },

             {

                 "lock", SEPG_DB_TABLE__LOCK

             },

             {

                 "truncate", SEPG_DB_TABLE__TRUNCATE

             },

             {

                 NULL, 0UL

             },

         }

     },

     {

         "db_sequence", SEPG_CLASS_DB_SEQUENCE,

         {

             {

                 "create", SEPG_DB_SEQUENCE__CREATE

             },

             {

                 "drop", SEPG_DB_SEQUENCE__DROP

             },

             {

                 "getattr", SEPG_DB_SEQUENCE__GETATTR

             },

             {

                 "setattr", SEPG_DB_SEQUENCE__SETATTR

             },

             {

                 "relabelfrom", SEPG_DB_SEQUENCE__RELABELFROM

             },

             {

                 "relabelto", SEPG_DB_SEQUENCE__RELABELTO

             },

             {

                 "get_value", SEPG_DB_SEQUENCE__GET_VALUE

             },

             {

                 "next_value", SEPG_DB_SEQUENCE__NEXT_VALUE

             },

             {

                 "set_value", SEPG_DB_SEQUENCE__SET_VALUE

             },

             {

                 NULL, 0UL

             },

         }

     },

     {

         "db_procedure", SEPG_CLASS_DB_PROCEDURE,

         {

             {

                 "create", SEPG_DB_PROCEDURE__CREATE

             },

             {

                 "drop", SEPG_DB_PROCEDURE__DROP

             },

             {

                 "getattr", SEPG_DB_PROCEDURE__GETATTR

             },

             {

                 "setattr", SEPG_DB_PROCEDURE__SETATTR

             },

             {

                 "relabelfrom", SEPG_DB_PROCEDURE__RELABELFROM

             },

             {

                 "relabelto", SEPG_DB_PROCEDURE__RELABELTO

             },

             {

                 "execute", SEPG_DB_PROCEDURE__EXECUTE

             },

             {

                 "entrypoint", SEPG_DB_PROCEDURE__ENTRYPOINT

             },

             {

                 "install", SEPG_DB_PROCEDURE__INSTALL

             },

             {

                 NULL, 0UL

             },

         }

     },

     {

         "db_column", SEPG_CLASS_DB_COLUMN,

         {

             {

                 "create", SEPG_DB_COLUMN__CREATE

             },

             {

                 "drop", SEPG_DB_COLUMN__DROP

             },

             {

                 "getattr", SEPG_DB_COLUMN__GETATTR

             },

             {

                 "setattr", SEPG_DB_COLUMN__SETATTR

             },

             {

                 "relabelfrom", SEPG_DB_COLUMN__RELABELFROM

             },

             {

                 "relabelto", SEPG_DB_COLUMN__RELABELTO

             },

             {

                 "select", SEPG_DB_COLUMN__SELECT

             },

             {

                 "update", SEPG_DB_COLUMN__UPDATE

             },

             {

                 "insert", SEPG_DB_COLUMN__INSERT

             },

             {

                 NULL, 0UL

             },

         }

     },

     {

         "db_tuple", SEPG_CLASS_DB_TUPLE,

         {

             {

                 "relabelfrom", SEPG_DB_TUPLE__RELABELFROM

             },

             {

                 "relabelto", SEPG_DB_TUPLE__RELABELTO

             },

             {

                 "select", SEPG_DB_TUPLE__SELECT

             },

             {

                 "update", SEPG_DB_TUPLE__UPDATE

             },

             {

                 "insert", SEPG_DB_TUPLE__INSERT

             },

             {

                 "delete", SEPG_DB_TUPLE__DELETE

             },

             {

                 NULL, 0UL

             },

         }

     },

     {

         "db_blob", SEPG_CLASS_DB_BLOB,

         {

             {

                 "create", SEPG_DB_BLOB__CREATE

             },

             {

                 "drop", SEPG_DB_BLOB__DROP

             },

             {

                 "getattr", SEPG_DB_BLOB__GETATTR

             },

             {

                 "setattr", SEPG_DB_BLOB__SETATTR

             },

             {

                 "relabelfrom", SEPG_DB_BLOB__RELABELFROM

             },

             {

                 "relabelto", SEPG_DB_BLOB__RELABELTO

             },

             {

                 "read", SEPG_DB_BLOB__READ

             },

             {

                 "write", SEPG_DB_BLOB__WRITE

             },

             {

                 "import", SEPG_DB_BLOB__IMPORT

             },

             {

                 "export", SEPG_DB_BLOB__EXPORT

             },

             {

                 NULL, 0UL

             },

         }

     },

     {

         "db_language", SEPG_CLASS_DB_LANGUAGE,

         {

             {

                 "create", SEPG_DB_LANGUAGE__CREATE

             },

             {

                 "drop", SEPG_DB_LANGUAGE__DROP

             },

             {

                 "getattr", SEPG_DB_LANGUAGE__GETATTR

             },

             {

                 "setattr", SEPG_DB_LANGUAGE__SETATTR

             },

             {

                 "relabelfrom", SEPG_DB_LANGUAGE__RELABELFROM

             },

             {

                 "relabelto", SEPG_DB_LANGUAGE__RELABELTO

             },

             {

                 "implement", SEPG_DB_LANGUAGE__IMPLEMENT

             },

             {

                 "execute", SEPG_DB_LANGUAGE__EXECUTE

             },

             {

                 NULL, 0UL

             },

         }

     },

     {

         "db_view", SEPG_CLASS_DB_VIEW,

         {

             {

                 "create", SEPG_DB_VIEW__CREATE

             },

             {

                 "drop", SEPG_DB_VIEW__DROP

             },

             {

                 "getattr", SEPG_DB_VIEW__GETATTR

             },

             {

                 "setattr", SEPG_DB_VIEW__SETATTR

             },

             {

                 "relabelfrom", SEPG_DB_VIEW__RELABELFROM

             },

             {

                 "relabelto", SEPG_DB_VIEW__RELABELTO

             },

             {

                 "expand", SEPG_DB_VIEW__EXPAND

             },

             {

                 NULL, 0UL

             },

         }

     },

 };


 /*

  * sepgsql_mode

  *

  * SEPGSQL_MODE_DISABLED: Disabled on runtime

  * SEPGSQL_MODE_DEFAULT: Same as system settings

  * SEPGSQL_MODE_PERMISSIVE: Always permissive mode

  * SEPGSQL_MODE_INTERNAL: Same as permissive, except for no audit logs

  */

 static int  sepgsql_mode = SEPGSQL_MODE_INTERNAL;


 /*

  * sepgsql_is_enabled

  */

 bool

 sepgsql_is_enabled(void)

 {

     return (sepgsql_mode != SEPGSQL_MODE_DISABLED);

 }


 /*

  * sepgsql_get_mode

  */

 int

 sepgsql_get_mode(void)

 {

     return sepgsql_mode;

 }


 /*

  * sepgsql_set_mode

  */

 int

 sepgsql_set_mode(int new_mode)

 {

     int         old_mode = sepgsql_mode;


     sepgsql_mode = new_mode;


     return old_mode;

 }


 /*

  * sepgsql_getenforce

  *

  * It returns whether the current working mode tries to enforce access

  * control decision, or not. It shall be enforced when sepgsql_mode is

  * SEPGSQL_MODE_DEFAULT and system is running in enforcing mode.

  */

 bool

 sepgsql_getenforce(void)

 {

     if (sepgsql_mode == SEPGSQL_MODE_DEFAULT &&

         selinux_status_getenforce() > 0)

         return true;


     return false;

 }


 /*

  * sepgsql_audit_log

  *

  * It generates a security audit record. It writes out audit records

  * into standard PG's logfile.

  *

  * SELinux can control what should be audited and should not using

  * "auditdeny" and "auditallow" rules in the security policy. In the

  * default, all the access violations are audited, and all the access

  * allowed are not audited. But we can set up the security policy, so

  * we can have exceptions. So, it is necessary to follow the suggestion

  * come from the security policy. (av_decision.auditallow and auditdeny)

  *

  * Security audit is an important feature, because it enables us to check

  * what was happen if we have a security incident. In fact, ISO/IEC15408

  * defines several security functionalities for audit features.

  */

 void

 sepgsql_audit_log(bool denied,

                   bool enforcing,

                   const char *scontext,

                   const char *tcontext,

                   uint16 tclass,

                   uint32 audited,

                   const char *audit_name)

 {

     StringInfoData buf;

     const char *class_name;

     const char *av_name;

     int         i;


     /* lookup name of the object class */

     Assert(tclass < SEPG_CLASS_MAX);

     class_name = selinux_catalog[tclass].class_name;


     /* lookup name of the permissions */

     initStringInfo(&buf);

     appendStringInfo(&buf, "%s {",

                      (denied ? "denied" : "allowed"));

     for (i = 0; selinux_catalog[tclass].av[i].av_name; i++)

     {

         if (audited & (1UL << i))

         {

             av_name = selinux_catalog[tclass].av[i].av_name;

             appendStringInfo(&buf, " %s", av_name);

         }

     }

     appendStringInfoString(&buf, " }");


     /*

      * Call external audit module, if loaded

      */

     appendStringInfo(&buf, " scontext=%s tcontext=%s tclass=%s",

                      scontext, tcontext, class_name);

     if (audit_name)

         appendStringInfo(&buf, " name=\"%s\"", audit_name);


     if (enforcing)

         appendStringInfoString(&buf, " permissive=0");

     else

         appendStringInfoString(&buf, " permissive=1");


     ereport(LOG, (errmsg("SELinux: %s", buf.data)));

 }


 /*

  * sepgsql_compute_avd

  *

  * It actually asks SELinux what permissions are allowed on a pair of

  * the security contexts and object class. It also returns what permissions

  * should be audited on access violation or allowed.

  * In most cases, subject's security context (scontext) is a client, and

  * target security context (tcontext) is a database object.

  *

  * The access control decision shall be set on the given av_decision.

  * The av_decision.allowed has a bitmask of SEPG_<class>__<perms>

  * to suggest a set of allowed actions in this object class.

  */

 void

 sepgsql_compute_avd(const char *scontext,

                     const char *tcontext,

                     uint16 tclass,

                     struct av_decision *avd)

 {

     const char *tclass_name;

     security_class_t tclass_ex;

     struct av_decision avd_ex;

     int         i,

                 deny_unknown = security_deny_unknown();


     /* Get external code of the object class */

     Assert(tclass < SEPG_CLASS_MAX);

     Assert(tclass == selinux_catalog[tclass].class_code);


     tclass_name = selinux_catalog[tclass].class_name;

     tclass_ex = string_to_security_class(tclass_name);


     if (tclass_ex == 0)

     {

         /*

          * If the current security policy does not support permissions

          * corresponding to database objects, we fill up them with dummy data.

          * If security_deny_unknown() returns positive value, undefined

          * permissions should be denied. Otherwise, allowed

          */

         avd->allowed = (security_deny_unknown() > 0 ? 0 : ~0);

         avd->auditallow = 0U;

         avd->auditdeny = ~0U;

         avd->flags = 0;


         return;

     }


     /*

      * Ask SELinux what is allowed set of permissions on a pair of the

      * security contexts and the given object class.

      */

     if (security_compute_av_flags_raw(scontext,

                                       tcontext,

                                       tclass_ex, 0, &avd_ex) < 0)

         ereport(ERROR,

                 (errcode(ERRCODE_INTERNAL_ERROR),

                  errmsg("SELinux could not compute av_decision: "

                         "scontext=%s tcontext=%s tclass=%s: %m",

                         scontext, tcontext, tclass_name)));


     /*

      * SELinux returns its access control decision as a set of permissions

      * represented in external code which depends on run-time environment. So,

      * we need to translate it to the internal representation before returning

      * results for the caller.

      */

     memset(avd, 0, sizeof(struct av_decision));


     for (i = 0; selinux_catalog[tclass].av[i].av_name; i++)

     {

         access_vector_t av_code_ex;

         const char *av_name = selinux_catalog[tclass].av[i].av_name;

         uint32      av_code = selinux_catalog[tclass].av[i].av_code;


         av_code_ex = string_to_av_perm(tclass_ex, av_name);

         if (av_code_ex == 0)

         {

             /* fill up undefined permissions */

             if (!deny_unknown)

                 avd->allowed |= av_code;

             avd->auditdeny |= av_code;


             continue;

         }


         if (avd_ex.allowed & av_code_ex)

             avd->allowed |= av_code;

         if (avd_ex.auditallow & av_code_ex)

             avd->auditallow |= av_code;

         if (avd_ex.auditdeny & av_code_ex)

             avd->auditdeny |= av_code;

     }

 }


 /*

  * sepgsql_compute_create

  *

  * It returns a default security context to be assigned on a new database

  * object. SELinux compute it based on a combination of client, upper object

  * which owns the new object and object class.

  *

  * For example, when a client (staff_u:staff_r:staff_t:s0) tries to create

  * a new table within a schema (system_u:object_r:sepgsql_schema_t:s0),

  * SELinux looks-up its security policy. If it has a special rule on the

  * combination of these security contexts and object class (db_table),

  * it returns the security context suggested by the special rule.

  * Otherwise, it returns the security context of schema, as is.

  *

  * We expect the caller already applies sanity/validation checks on the

  * given security context.

  *

  * scontext: security context of the subject (mostly, peer process).

  * tcontext: security context of the upper database object.

  * tclass: class code (SEPG_CLASS_*) of the new object in creation

  */

 char *

 sepgsql_compute_create(const char *scontext,

                        const char *tcontext,

                        uint16 tclass,

                        const char *objname)

 {

     char       *ncontext;

     security_class_t tclass_ex;

     const char *tclass_name;

     char       *result;


     /* Get external code of the object class */

     Assert(tclass < SEPG_CLASS_MAX);


     tclass_name = selinux_catalog[tclass].class_name;

     tclass_ex = string_to_security_class(tclass_name);


     /*

      * Ask SELinux what is the default context for the given object class on a

      * pair of security contexts

      */

     if (security_compute_create_name_raw(scontext,

                                          tcontext,

                                          tclass_ex,

                                          objname,

                                          &ncontext) < 0)

         ereport(ERROR,

                 (errcode(ERRCODE_INTERNAL_ERROR),

                  errmsg("SELinux could not compute a new context: "

                         "scontext=%s tcontext=%s tclass=%s: %m",

                         scontext, tcontext, tclass_name)));


     /*

      * libselinux returns malloc()'ed string, so we need to copy it on the

      * palloc()'ed region.

      */

     PG_TRY();

     {

         result = pstrdup(ncontext);

     }

     PG_FINALLY();

     {

         freecon(ncontext);

     }

     PG_END_TRY();


     return result;

 }

uint16
unsigned short uint16
Definition: c.h:489

uint32
unsigned int uint32
Definition: c.h:490

errcode
int errcode(int sqlerrcode)
Definition: elog.c:858

errmsg
int errmsg(const char *fmt,...)
Definition: elog.c:1069

LOG
#define LOG
Definition: elog.h:31

PG_TRY
#define PG_TRY(...)
Definition: elog.h:370

PG_END_TRY
#define PG_END_TRY(...)
Definition: elog.h:395

ERROR
#define ERROR
Definition: elog.h:39

PG_FINALLY
#define PG_FINALLY(...)
Definition: elog.h:387

ereport
#define ereport(elevel,...)
Definition: elog.h:149

i
int i
Definition: isn.c:73

Assert
Assert(fmt[strlen(fmt) - 1] !='\n')

pstrdup
char * pstrdup(const char *in)
Definition: mcxt.c:1644

buf
static char * buf
Definition: pg_test_fsync.c:67

postgres.h

av
struct @10::@11 av[32]

sepgsql_get_mode
int sepgsql_get_mode(void)
Definition: selinux.c:625

sepgsql_compute_avd
void sepgsql_compute_avd(const char *scontext, const char *tcontext, uint16 tclass, struct av_decision *avd)
Definition: selinux.c:739

sepgsql_mode
static int sepgsql_mode
Definition: selinux.c:610

sepgsql_compute_create
char * sepgsql_compute_create(const char *scontext, const char *tcontext, uint16 tclass, const char *objname)
Definition: selinux.c:842

sepgsql_audit_log
void sepgsql_audit_log(bool denied, bool enforcing, const char *scontext, const char *tcontext, uint16 tclass, uint32 audited, const char *audit_name)
Definition: selinux.c:678

av_name
const char * av_name
Definition: selinux.c:36

class_code
uint16 class_code
Definition: selinux.c:33

class_name
const char * class_name
Definition: selinux.c:32

sepgsql_set_mode
int sepgsql_set_mode(int new_mode)
Definition: selinux.c:634

selinux_catalog
static struct @10 selinux_catalog[]

sepgsql_is_enabled
bool sepgsql_is_enabled(void)
Definition: selinux.c:616

av_code
uint32 av_code
Definition: selinux.c:37

sepgsql_getenforce
bool sepgsql_getenforce(void)
Definition: selinux.c:651

sepgsql.h

SEPG_DIR__RENAME
#define SEPG_DIR__RENAME
Definition: sepgsql.h:76

SEPG_DB_BLOB__WRITE
#define SEPG_DB_BLOB__WRITE
Definition: sepgsql.h:194

SEPG_DB_COLUMN__CREATE
#define SEPG_DB_COLUMN__CREATE
Definition: sepgsql.h:170

SEPG_DB_COLUMN__SETATTR
#define SEPG_DB_COLUMN__SETATTR
Definition: sepgsql.h:173

SEPG_DB_TABLE__GETATTR
#define SEPG_DB_TABLE__GETATTR
Definition: sepgsql.h:139

SEPG_SOCK_FILE__RENAME
#define SEPG_SOCK_FILE__RENAME
Definition: sepgsql.h:109

SEPGSQL_MODE_INTERNAL
#define SEPGSQL_MODE_INTERNAL
Definition: sepgsql.h:30

SEPG_FIFO_FILE__READ
#define SEPG_FIFO_FILE__READ
Definition: sepgsql.h:111

SEPG_DB_SCHEMA__DROP
#define SEPG_DB_SCHEMA__DROP
Definition: sepgsql.h:128

SEPG_CLASS_DB_SCHEMA
#define SEPG_CLASS_DB_SCHEMA
Definition: sepgsql.h:45

SEPG_DB_PROCEDURE__CREATE
#define SEPG_DB_PROCEDURE__CREATE
Definition: sepgsql.h:160

SEPG_DB_LANGUAGE__RELABELTO
#define SEPG_DB_LANGUAGE__RELABELTO
Definition: sepgsql.h:203

SEPG_CLASS_DB_TABLE
#define SEPG_CLASS_DB_TABLE
Definition: sepgsql.h:46

SEPG_FIFO_FILE__WRITE
#define SEPG_FIFO_FILE__WRITE
Definition: sepgsql.h:112

SEPG_DB_SCHEMA__SETATTR
#define SEPG_DB_SCHEMA__SETATTR
Definition: sepgsql.h:130

SEPG_DB_DATABASE__CREATE
#define SEPG_DB_DATABASE__CREATE
Definition: sepgsql.h:118

SEPG_DB_BLOB__EXPORT
#define SEPG_DB_BLOB__EXPORT
Definition: sepgsql.h:196

SEPG_DB_SCHEMA__CREATE
#define SEPG_DB_SCHEMA__CREATE
Definition: sepgsql.h:127

SEPG_BLK_FILE__CREATE
#define SEPG_BLK_FILE__CREATE
Definition: sepgsql.h:99

SEPG_CLASS_DB_DATABASE
#define SEPG_CLASS_DB_DATABASE
Definition: sepgsql.h:44

SEPG_DB_PROCEDURE__RELABELFROM
#define SEPG_DB_PROCEDURE__RELABELFROM
Definition: sepgsql.h:164

SEPG_DB_BLOB__READ
#define SEPG_DB_BLOB__READ
Definition: sepgsql.h:193

SEPG_DB_TABLE__CREATE
#define SEPG_DB_TABLE__CREATE
Definition: sepgsql.h:137

SEPG_DB_SEQUENCE__CREATE
#define SEPG_DB_SEQUENCE__CREATE
Definition: sepgsql.h:150

SEPG_DB_SCHEMA__REMOVE_NAME
#define SEPG_DB_SCHEMA__REMOVE_NAME
Definition: sepgsql.h:135

SEPG_DIR__SEARCH
#define SEPG_DIR__SEARCH
Definition: sepgsql.h:77

SEPG_DB_LANGUAGE__GETATTR
#define SEPG_DB_LANGUAGE__GETATTR
Definition: sepgsql.h:200

SEPG_DB_SEQUENCE__SETATTR
#define SEPG_DB_SEQUENCE__SETATTR
Definition: sepgsql.h:153

SEPG_DB_TABLE__DELETE
#define SEPG_DB_TABLE__DELETE
Definition: sepgsql.h:146

SEPG_CLASS_BLK_FILE
#define SEPG_CLASS_BLK_FILE
Definition: sepgsql.h:41

SEPG_DB_TABLE__LOCK
#define SEPG_DB_TABLE__LOCK
Definition: sepgsql.h:147

SEPG_CLASS_FIFO_FILE
#define SEPG_CLASS_FIFO_FILE
Definition: sepgsql.h:43

SEPG_CLASS_DIR
#define SEPG_CLASS_DIR
Definition: sepgsql.h:38

SEPG_DB_LANGUAGE__DROP
#define SEPG_DB_LANGUAGE__DROP
Definition: sepgsql.h:199

SEPG_DB_SEQUENCE__RELABELFROM
#define SEPG_DB_SEQUENCE__RELABELFROM
Definition: sepgsql.h:154

SEPG_CLASS_CHR_FILE
#define SEPG_CLASS_CHR_FILE
Definition: sepgsql.h:40

SEPG_CHR_FILE__READ
#define SEPG_CHR_FILE__READ
Definition: sepgsql.h:90

SEPG_DB_TABLE__SETATTR
#define SEPG_DB_TABLE__SETATTR
Definition: sepgsql.h:140

SEPG_DB_VIEW__RELABELTO
#define SEPG_DB_VIEW__RELABELTO
Definition: sepgsql.h:212

SEPG_DB_TABLE__TRUNCATE
#define SEPG_DB_TABLE__TRUNCATE
Definition: sepgsql.h:148

SEPG_FILE__UNLINK
#define SEPG_FILE__UNLINK
Definition: sepgsql.h:67

SEPG_DB_COLUMN__DROP
#define SEPG_DB_COLUMN__DROP
Definition: sepgsql.h:171

SEPG_DB_BLOB__SETATTR
#define SEPG_DB_BLOB__SETATTR
Definition: sepgsql.h:190

SEPG_DB_TABLE__RELABELFROM
#define SEPG_DB_TABLE__RELABELFROM
Definition: sepgsql.h:141

SEPG_DB_PROCEDURE__INSTALL
#define SEPG_DB_PROCEDURE__INSTALL
Definition: sepgsql.h:168

SEPG_CLASS_LNK_FILE
#define SEPG_CLASS_LNK_FILE
Definition: sepgsql.h:39

SEPG_CLASS_FILE
#define SEPG_CLASS_FILE
Definition: sepgsql.h:37

SEPG_FILE__CREATE
#define SEPG_FILE__CREATE
Definition: sepgsql.h:65

SEPG_LNK_FILE__CREATE
#define SEPG_LNK_FILE__CREATE
Definition: sepgsql.h:85

SEPG_CHR_FILE__WRITE
#define SEPG_CHR_FILE__WRITE
Definition: sepgsql.h:91

SEPG_DB_TUPLE__RELABELTO
#define SEPG_DB_TUPLE__RELABELTO
Definition: sepgsql.h:181

SEPG_DB_DATABASE__ACCESS
#define SEPG_DB_DATABASE__ACCESS
Definition: sepgsql.h:124

SEPG_FILE__RENAME
#define SEPG_FILE__RENAME
Definition: sepgsql.h:68

SEPG_FILE__READ
#define SEPG_FILE__READ
Definition: sepgsql.h:63

SEPG_CHR_FILE__UNLINK
#define SEPG_CHR_FILE__UNLINK
Definition: sepgsql.h:94

SEPG_CHR_FILE__CREATE
#define SEPG_CHR_FILE__CREATE
Definition: sepgsql.h:92

SEPG_DB_VIEW__CREATE
#define SEPG_DB_VIEW__CREATE
Definition: sepgsql.h:207

SEPG_DB_PROCEDURE__GETATTR
#define SEPG_DB_PROCEDURE__GETATTR
Definition: sepgsql.h:162

SEPG_DB_TABLE__INSERT
#define SEPG_DB_TABLE__INSERT
Definition: sepgsql.h:145

SEPG_CLASS_SOCK_FILE
#define SEPG_CLASS_SOCK_FILE
Definition: sepgsql.h:42

SEPG_SOCK_FILE__GETATTR
#define SEPG_SOCK_FILE__GETATTR
Definition: sepgsql.h:107

SEPG_FILE__APPEND
#define SEPG_FILE__APPEND
Definition: sepgsql.h:69

SEPG_DB_COLUMN__RELABELTO
#define SEPG_DB_COLUMN__RELABELTO
Definition: sepgsql.h:175

SEPG_BLK_FILE__UNLINK
#define SEPG_BLK_FILE__UNLINK
Definition: sepgsql.h:101

SEPG_DB_PROCEDURE__DROP
#define SEPG_DB_PROCEDURE__DROP
Definition: sepgsql.h:161

SEPG_DB_SCHEMA__ADD_NAME
#define SEPG_DB_SCHEMA__ADD_NAME
Definition: sepgsql.h:134

SEPG_DB_PROCEDURE__EXECUTE
#define SEPG_DB_PROCEDURE__EXECUTE
Definition: sepgsql.h:166

SEPG_DB_SEQUENCE__RELABELTO
#define SEPG_DB_SEQUENCE__RELABELTO
Definition: sepgsql.h:155

SEPG_BLK_FILE__RENAME
#define SEPG_BLK_FILE__RENAME
Definition: sepgsql.h:102

SEPG_BLK_FILE__WRITE
#define SEPG_BLK_FILE__WRITE
Definition: sepgsql.h:98

SEPG_DB_LANGUAGE__RELABELFROM
#define SEPG_DB_LANGUAGE__RELABELFROM
Definition: sepgsql.h:202

SEPG_DB_LANGUAGE__EXECUTE
#define SEPG_DB_LANGUAGE__EXECUTE
Definition: sepgsql.h:205

SEPG_DB_SEQUENCE__GETATTR
#define SEPG_DB_SEQUENCE__GETATTR
Definition: sepgsql.h:152

SEPG_DB_DATABASE__SETATTR
#define SEPG_DB_DATABASE__SETATTR
Definition: sepgsql.h:121

SEPG_DB_BLOB__IMPORT
#define SEPG_DB_BLOB__IMPORT
Definition: sepgsql.h:195

SEPG_FILE__GETATTR
#define SEPG_FILE__GETATTR
Definition: sepgsql.h:66

SEPG_DB_VIEW__RELABELFROM
#define SEPG_DB_VIEW__RELABELFROM
Definition: sepgsql.h:211

SEPG_DIR__ADD_NAME
#define SEPG_DIR__ADD_NAME
Definition: sepgsql.h:78

SEPG_PROCESS__SETCURRENT
#define SEPG_PROCESS__SETCURRENT
Definition: sepgsql.h:61

SEPG_DB_TABLE__RELABELTO
#define SEPG_DB_TABLE__RELABELTO
Definition: sepgsql.h:142

SEPG_DIR__WRITE
#define SEPG_DIR__WRITE
Definition: sepgsql.h:72

SEPG_DB_LANGUAGE__IMPLEMENT
#define SEPG_DB_LANGUAGE__IMPLEMENT
Definition: sepgsql.h:204

SEPG_DB_TUPLE__SELECT
#define SEPG_DB_TUPLE__SELECT
Definition: sepgsql.h:182

SEPG_FILE__WRITE
#define SEPG_FILE__WRITE
Definition: sepgsql.h:64

SEPG_DB_TUPLE__INSERT
#define SEPG_DB_TUPLE__INSERT
Definition: sepgsql.h:184

SEPG_CLASS_MAX
#define SEPG_CLASS_MAX
Definition: sepgsql.h:54

SEPG_DB_TABLE__UPDATE
#define SEPG_DB_TABLE__UPDATE
Definition: sepgsql.h:144

SEPG_LNK_FILE__WRITE
#define SEPG_LNK_FILE__WRITE
Definition: sepgsql.h:84

SEPG_CHR_FILE__GETATTR
#define SEPG_CHR_FILE__GETATTR
Definition: sepgsql.h:93

SEPG_DB_BLOB__RELABELTO
#define SEPG_DB_BLOB__RELABELTO
Definition: sepgsql.h:192

SEPG_DB_VIEW__EXPAND
#define SEPG_DB_VIEW__EXPAND
Definition: sepgsql.h:213

SEPG_PROCESS__TRANSITION
#define SEPG_PROCESS__TRANSITION
Definition: sepgsql.h:59

SEPG_DB_SEQUENCE__NEXT_VALUE
#define SEPG_DB_SEQUENCE__NEXT_VALUE
Definition: sepgsql.h:157

SEPG_DB_BLOB__GETATTR
#define SEPG_DB_BLOB__GETATTR
Definition: sepgsql.h:189

SEPG_DB_COLUMN__RELABELFROM
#define SEPG_DB_COLUMN__RELABELFROM
Definition: sepgsql.h:174

SEPG_DB_PROCEDURE__RELABELTO
#define SEPG_DB_PROCEDURE__RELABELTO
Definition: sepgsql.h:165

SEPG_DB_COLUMN__GETATTR
#define SEPG_DB_COLUMN__GETATTR
Definition: sepgsql.h:172

SEPG_DB_DATABASE__RELABELTO
#define SEPG_DB_DATABASE__RELABELTO
Definition: sepgsql.h:123

SEPG_DB_TUPLE__UPDATE
#define SEPG_DB_TUPLE__UPDATE
Definition: sepgsql.h:183

SEPG_CLASS_DB_COLUMN
#define SEPG_CLASS_DB_COLUMN
Definition: sepgsql.h:49

SEPG_DB_BLOB__CREATE
#define SEPG_DB_BLOB__CREATE
Definition: sepgsql.h:187

SEPG_DIR__RMDIR
#define SEPG_DIR__RMDIR
Definition: sepgsql.h:80

SEPG_SOCK_FILE__READ
#define SEPG_SOCK_FILE__READ
Definition: sepgsql.h:104

SEPG_DB_SCHEMA__RELABELFROM
#define SEPG_DB_SCHEMA__RELABELFROM
Definition: sepgsql.h:131

SEPG_PROCESS__DYNTRANSITION
#define SEPG_PROCESS__DYNTRANSITION
Definition: sepgsql.h:60

SEPG_DB_TUPLE__RELABELFROM
#define SEPG_DB_TUPLE__RELABELFROM
Definition: sepgsql.h:180

SEPG_DB_PROCEDURE__ENTRYPOINT
#define SEPG_DB_PROCEDURE__ENTRYPOINT
Definition: sepgsql.h:167

SEPG_DIR__READ
#define SEPG_DIR__READ
Definition: sepgsql.h:71

SEPG_DB_PROCEDURE__SETATTR
#define SEPG_DB_PROCEDURE__SETATTR
Definition: sepgsql.h:163

SEPG_DIR__UNLINK
#define SEPG_DIR__UNLINK
Definition: sepgsql.h:75

SEPG_DB_LANGUAGE__CREATE
#define SEPG_DB_LANGUAGE__CREATE
Definition: sepgsql.h:198

SEPG_SOCK_FILE__WRITE
#define SEPG_SOCK_FILE__WRITE
Definition: sepgsql.h:105

SEPG_LNK_FILE__UNLINK
#define SEPG_LNK_FILE__UNLINK
Definition: sepgsql.h:87

SEPG_BLK_FILE__GETATTR
#define SEPG_BLK_FILE__GETATTR
Definition: sepgsql.h:100

SEPG_DB_TUPLE__DELETE
#define SEPG_DB_TUPLE__DELETE
Definition: sepgsql.h:185

SEPG_CLASS_DB_LANGUAGE
#define SEPG_CLASS_DB_LANGUAGE
Definition: sepgsql.h:52

SEPG_LNK_FILE__READ
#define SEPG_LNK_FILE__READ
Definition: sepgsql.h:83

SEPG_DB_DATABASE__DROP
#define SEPG_DB_DATABASE__DROP
Definition: sepgsql.h:119

SEPG_LNK_FILE__RENAME
#define SEPG_LNK_FILE__RENAME
Definition: sepgsql.h:88

SEPG_DIR__GETATTR
#define SEPG_DIR__GETATTR
Definition: sepgsql.h:74

SEPG_DB_DATABASE__GETATTR
#define SEPG_DB_DATABASE__GETATTR
Definition: sepgsql.h:120

SEPG_DIR__REMOVE_NAME
#define SEPG_DIR__REMOVE_NAME
Definition: sepgsql.h:79

SEPG_DB_DATABASE__LOAD_MODULE
#define SEPG_DB_DATABASE__LOAD_MODULE
Definition: sepgsql.h:125

SEPG_CLASS_DB_PROCEDURE
#define SEPG_CLASS_DB_PROCEDURE
Definition: sepgsql.h:48

SEPG_DB_TABLE__DROP
#define SEPG_DB_TABLE__DROP
Definition: sepgsql.h:138

SEPG_DB_SCHEMA__GETATTR
#define SEPG_DB_SCHEMA__GETATTR
Definition: sepgsql.h:129

SEPG_LNK_FILE__GETATTR
#define SEPG_LNK_FILE__GETATTR
Definition: sepgsql.h:86

SEPG_DB_VIEW__GETATTR
#define SEPG_DB_VIEW__GETATTR
Definition: sepgsql.h:209

SEPG_DB_COLUMN__INSERT
#define SEPG_DB_COLUMN__INSERT
Definition: sepgsql.h:178

SEPG_DIR__REPARENT
#define SEPG_DIR__REPARENT
Definition: sepgsql.h:81

SEPG_DB_SCHEMA__SEARCH
#define SEPG_DB_SCHEMA__SEARCH
Definition: sepgsql.h:133

SEPG_SOCK_FILE__CREATE
#define SEPG_SOCK_FILE__CREATE
Definition: sepgsql.h:106

SEPG_DB_COLUMN__SELECT
#define SEPG_DB_COLUMN__SELECT
Definition: sepgsql.h:176

SEPG_DB_TABLE__SELECT
#define SEPG_DB_TABLE__SELECT
Definition: sepgsql.h:143

SEPG_DB_COLUMN__UPDATE
#define SEPG_DB_COLUMN__UPDATE
Definition: sepgsql.h:177

SEPG_CHR_FILE__RENAME
#define SEPG_CHR_FILE__RENAME
Definition: sepgsql.h:95

SEPG_DB_VIEW__SETATTR
#define SEPG_DB_VIEW__SETATTR
Definition: sepgsql.h:210

SEPG_FIFO_FILE__CREATE
#define SEPG_FIFO_FILE__CREATE
Definition: sepgsql.h:113

SEPG_DB_BLOB__RELABELFROM
#define SEPG_DB_BLOB__RELABELFROM
Definition: sepgsql.h:191

SEPG_FIFO_FILE__GETATTR
#define SEPG_FIFO_FILE__GETATTR
Definition: sepgsql.h:114

SEPG_DIR__CREATE
#define SEPG_DIR__CREATE
Definition: sepgsql.h:73

SEPGSQL_MODE_DEFAULT
#define SEPGSQL_MODE_DEFAULT
Definition: sepgsql.h:28

SEPG_DB_LANGUAGE__SETATTR
#define SEPG_DB_LANGUAGE__SETATTR
Definition: sepgsql.h:201

SEPG_DB_SCHEMA__RELABELTO
#define SEPG_DB_SCHEMA__RELABELTO
Definition: sepgsql.h:132

SEPG_DB_SEQUENCE__SET_VALUE
#define SEPG_DB_SEQUENCE__SET_VALUE
Definition: sepgsql.h:158

SEPG_CLASS_PROCESS
#define SEPG_CLASS_PROCESS
Definition: sepgsql.h:36

SEPG_CLASS_DB_VIEW
#define SEPG_CLASS_DB_VIEW
Definition: sepgsql.h:53

SEPG_DB_BLOB__DROP
#define SEPG_DB_BLOB__DROP
Definition: sepgsql.h:188

SEPG_CLASS_DB_SEQUENCE
#define SEPG_CLASS_DB_SEQUENCE
Definition: sepgsql.h:47

SEPG_BLK_FILE__READ
#define SEPG_BLK_FILE__READ
Definition: sepgsql.h:97

SEPG_CLASS_DB_TUPLE
#define SEPG_CLASS_DB_TUPLE
Definition: sepgsql.h:50

SEPG_DB_SEQUENCE__DROP
#define SEPG_DB_SEQUENCE__DROP
Definition: sepgsql.h:151

SEPGSQL_MODE_DISABLED
#define SEPGSQL_MODE_DISABLED
Definition: sepgsql.h:31

SEPG_DB_DATABASE__RELABELFROM
#define SEPG_DB_DATABASE__RELABELFROM
Definition: sepgsql.h:122

SEPG_CLASS_DB_BLOB
#define SEPG_CLASS_DB_BLOB
Definition: sepgsql.h:51

SEPG_FIFO_FILE__UNLINK
#define SEPG_FIFO_FILE__UNLINK
Definition: sepgsql.h:115

SEPG_DB_VIEW__DROP
#define SEPG_DB_VIEW__DROP
Definition: sepgsql.h:208

SEPG_DB_SEQUENCE__GET_VALUE
#define SEPG_DB_SEQUENCE__GET_VALUE
Definition: sepgsql.h:156

SEPG_SOCK_FILE__UNLINK
#define SEPG_SOCK_FILE__UNLINK
Definition: sepgsql.h:108

SEPG_FIFO_FILE__RENAME
#define SEPG_FIFO_FILE__RENAME
Definition: sepgsql.h:116

appendStringInfo
void appendStringInfo(StringInfo str, const char *fmt,...)
Definition: stringinfo.c:91

appendStringInfoString
void appendStringInfoString(StringInfo str, const char *s)
Definition: stringinfo.c:176

initStringInfo
void initStringInfo(StringInfo str)
Definition: stringinfo.c:59

stringinfo.h

StringInfoData
Definition: stringinfo.h:37