selinux/libselinux/man/man3/selinux_binary_policy_path.3
Eamon Walsh 70aeeb918a This patch allows selabel_*() interfaces to provide an expected security context
for the given database object identified by its name and object class.
It is necessary to implement a feature something like restorecon on databases.

The specfile shall be described as follows:
  ------------------------
  #
  # The specfile for database objects
  # (for SE-PostgreSQL)
  #
  # <object class> <object name> <security context>
  #
  db_database     *               system_u:object_r:sepgsql_db_t:s0

  db_schema       *.pg_catalog    system_u:object_r:sepgsql_sys_schema_t:s0
  db_schema       *.*             system_u:object_r:sepgsql_schema_t:s0

  db_table        *.pg_catalog.*  system_u:object_r:sepgsql_sysobj_t:s0
  db_table        *.*.*           system_u:object_r:sepgsql_table_t:s0
  ------------------------

- All the characters after the '#' are ignored.
- Wildcards ('*' and '?') are available.
- It returns the first matching security context.

Note that the hierarchy of the namespace of database objects depends on the RDBMS.
So, the author of the specfile needs to write correct patterns which are suitable
for the target RDBMS. The patched selabel_*() interfaces don't have any
heuristics for the namespace hierarchy to be suitable for widespread RDBMSs.
In the case of SE-PgSQL, when we look up an expected security context for the
'my_table' table in the 'public' schema and 'postgres' database, the caller
shall provide 'postgres.public.my_table' as a key.

By default, it tries to read a specfile which maps database objects to security
contexts from /etc/selinux/$POLICYTYPE/contexts/sepgsql_contexts.
Note that when another RDBMS uses this interface, it needs to give an explicit
SELABEL_OPT_PATH option to selabel_open().

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
2010-03-15 19:01:30 -04:00
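The lookup semantics the commit message describes (comments stripped after '#', '*' and '?' wildcards, first match wins, class plus dotted object name as the key) can be reproduced stand-alone. The following C program is an added illustration, not libselinux code: it re-implements the matching over an in-memory copy of the sample specfile, using POSIX fnmatch(3) for the wildcards (an assumption about how the patterns are matched), so it runs without libselinux.

```c
#define _POSIX_C_SOURCE 200809L
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Constructed specfile, laid out like the sepgsql_contexts sample in the commit.
 * Columns: <object class> <object name pattern> <security context>. */
static const char *spec_lines[] = {
    "# <object class> <object name> <security context>",
    "db_database     *               system_u:object_r:sepgsql_db_t:s0",
    "",
    "db_schema       *.pg_catalog    system_u:object_r:sepgsql_sys_schema_t:s0",
    "db_schema       *.*             system_u:object_r:sepgsql_schema_t:s0",
    "db_table        *.pg_catalog.*  system_u:object_r:sepgsql_sysobj_t:s0 # system catalog",
    "db_table        *.*.*           system_u:object_r:sepgsql_table_t:s0",
    NULL
};

/* Return the context of the first spec whose class equals cls and whose
 * wildcard pattern matches key (e.g. "postgres.public.my_table"), copied
 * into out. Returns NULL when no spec matches. */
const char *db_lookup(const char *cls, const char *key, char *out, size_t outlen)
{
    char line[256];
    for (int i = 0; spec_lines[i] != NULL; i++) {
        snprintf(line, sizeof line, "%s", spec_lines[i]);
        char *hash = strchr(line, '#');
        if (hash)
            *hash = '\0';                 /* everything after '#' is ignored */
        char *save = NULL;
        char *c   = strtok_r(line, " \t", &save);
        char *pat = c   ? strtok_r(NULL, " \t", &save) : NULL;
        char *ctx = pat ? strtok_r(NULL, " \t", &save) : NULL;
        if (ctx == NULL)
            continue;                     /* blank or comment-only line */
        if (strcmp(c, cls) != 0)
            continue;                     /* wrong object class */
        if (fnmatch(pat, key, 0) != 0)
            continue;                     /* '*' and '?' wildcards, '.' is ordinary */
        snprintf(out, outlen, "%s", ctx);
        return out;                       /* first match wins */
    }
    return NULL;
}
```

Because the specfile is consulted top to bottom, the more specific `*.pg_catalog` and `*.pg_catalog.*` entries must precede the catch-all patterns, exactly as in the sample.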


.TH "selinux_binary_policy_path" "3" "15 November 2004" "dwalsh@redhat.com" "SELinux API Documentation"
.SH "NAME"
selinux_path, selinux_policy_root, selinux_binary_policy_path,
selinux_default_type_path, selinux_failsafe_context_path, selinux_removable_context_path,
selinux_default_context_path, selinux_user_contexts_path, selinux_usersconf_path,
selinux_x_context_path, selinux_sepgsql_context_path, selinux_netfilter_context_path,
selinux_file_context_path, selinux_file_context_local_path, selinux_file_context_homedir_path,
selinux_media_context_path, selinux_securetty_types_path,
selinux_contexts_path, selinux_booleans_path \- These functions return the paths to the active SELinux policy configuration
directories and files.
.SH "SYNOPSIS"
.B #include <selinux/selinux.h>
.sp
extern const char *selinux_path(void);
extern const char *selinux_policy_root(void);
extern const char *selinux_binary_policy_path(void);
extern const char *selinux_default_type_path(void);
extern const char *selinux_failsafe_context_path(void);
extern const char *selinux_removable_context_path(void);
extern const char *selinux_default_context_path(void);
extern const char *selinux_user_contexts_path(void);
extern const char *selinux_usersconf_path(void);
extern const char *selinux_x_context_path(void);
extern const char *selinux_sepgsql_context_path(void);
extern const char *selinux_netfilter_context_path(void);
extern const char *selinux_file_context_path(void);
extern const char *selinux_file_context_local_path(void);
extern const char *selinux_file_context_homedir_path(void);
extern const char *selinux_media_context_path(void);
extern const char *selinux_securetty_types_path(void);
extern const char *selinux_contexts_path(void);
extern const char *selinux_booleans_path(void);
.SH "DESCRIPTION"
These functions return the paths to the active policy configuration
directories and files based on the settings in /etc/selinux/config.
.sp
selinux_path() - top-level SELinux configuration directory
.sp
selinux_policy_root() - top-level policy directory
.sp
selinux_binary_policy_path() - binary policy file loaded into kernel
.sp
selinux_default_type_path() - context file mapping roles to default types
.sp
selinux_failsafe_context_path() - failsafe context for emergency logins
.sp
selinux_removable_context_path() - filesystem context for removable media
.sp
selinux_default_context_path() - system-wide default contexts for user sessions
.sp
selinux_user_contexts_path() - directory containing per-user default contexts
.sp
selinux_usersconf_path() - file containing the mapping between Linux users and SELinux users
.sp
selinux_x_context_path() - file containing configuration for XSELinux extension
.sp
selinux_sepgsql_context_path() - file containing configuration for SE-PostgreSQL
.sp
selinux_netfilter_context_path() - default netfilter context
.sp
selinux_file_context_path() - default system file contexts configuration
.sp
selinux_file_context_local_path() - local customization file contexts configuration
.sp
selinux_file_context_homedir_path() - home directory file contexts configuration
.sp
selinux_media_context_path() - file contexts for media device nodes
.sp
selinux_contexts_path() - directory containing all of the context configuration files
.sp
selinux_securetty_types_path() - defines tty types for newrole securettys
.sp
selinux_booleans_path() - initial policy boolean settings
.SH AUTHOR
This manual page was written by Dan Walsh <dwalsh@redhat.com>.
.SH "SEE ALSO"
.BR selinux "(8)"