Author: KaiGai Kohei <kaigai@ak.jp.nec.com> 2009
"const char *" object_name ", int " object_type ");" "int selabel_lookup_raw(struct selabel_handle *" hnd , "char **" context ,
"const char *" object_name ", int " object_type ");" .
DESCRIPTION
       selabel_lookup(3) describes the function with its return and error codes. The object_name should be a fully qualified name using the hierarchy of database objects. For example, the pg_class table in the pg_catalog schema of the postgres database should be qualified as:

              postgres.pg_catalog.pg_class

       The object_type argument takes one of the following values:
       SELABEL_DB_DATABASE
              The object_name argument specifies the name of a database itself, such as "postgres".

       SELABEL_DB_SCHEMA
              The object_name argument specifies the name of a schema object, such as "postgres.public".

       SELABEL_DB_TABLE
              The object_name argument specifies the name of a table object, such as "postgres.public.my_table".

       SELABEL_DB_COLUMN
              The object_name argument specifies the name of a column object, such as "postgres.public.my_table.user_id".

       SELABEL_DB_TUPLE
              The object_name argument specifies the name of the table object that contains the tuples to be relabeled, such as "postgresql.public.my_table". Note that individual tuples have no name, so there is no way to identify one other than by the WHERE clause of a DML statement.

       SELABEL_DB_PROCEDURE
              The object_name argument specifies the name of a procedure object, such as "postgres.public.my_func". Note that overloaded procedures (same name, different argument lists) cannot be looked up individually; lookup is by name only.

       SELABEL_DB_SEQUENCE
              The object_name argument specifies the name of a sequence object, such as "postgres.public.my_seq".

       SELABEL_DB_BLOB
              The object_name argument specifies the name of a large object, such as "postgres.16308". Note that a large object has no name, so it is identified by its numeric identifier.

       SELABEL_DB_VIEW
              The object_name argument specifies the name of a view object, such as "postgres.public.my_view".

       SELABEL_DB_LANGUAGE
              The object_name argument specifies the name of a language object, such as "postgres.public.tcl".

       SELABEL_DB_EXCEPTION
              The object_name argument specifies the name of an exception object.

       SELABEL_DB_DATATYPE
              The object_name argument specifies the name of a type or domain object, such as "postgres.public.my_type".
OPTIONS
       SELABEL_OPT_PATH
              A non-null value for this option specifies a path to a file that will be opened in lieu of the standard DB contexts file. By default the specfile designed for SE-PostgreSQL is opened, so another RDBMS using this interface must supply an explicit specfile designed for that RDBMS (see the FILES section for details).

FILES
       /etc/selinux/{SELINUXTYPE}/contexts/sepgsql_context
OBJECT NAME STRING VALUES
       The object_type values correspond to the following text names in the contexts file:

       object_type              Text Name
       SELABEL_DB_DATABASE      db_database
       SELABEL_DB_SCHEMA        db_schema
       SELABEL_DB_VIEW          db_view
       SELABEL_DB_LANGUAGE      db_language
       SELABEL_DB_TABLE         db_table
       SELABEL_DB_COLUMN        db_column
       SELABEL_DB_TUPLE         db_tuple
       SELABEL_DB_PROCEDURE     db_procedure
       SELABEL_DB_SEQUENCE      db_sequence
       SELABEL_DB_BLOB          db_blob
       SELABEL_DB_EXCEPTION     db_exception
       SELABEL_DB_DATATYPE      db_datatype
FILE FORMAT
       Each line of the database contexts file has the form:

              object_type object_name context

       Where:

       object_type
              The string representation of the object type, as shown in the OBJECT NAME STRING VALUES section.

       object_name
              The key used to obtain the context for the given object_type. The entry can contain '*' for wildcard matching or '?' for single-character substitution. Entries are matched in file order, so when '*' is used the order of entries is important. A '*' on its own assigns a default fallback context and should be the last entry in the object_type block, since any entry of that type placed after it can never be reached.

       context
              The security context that will be applied to the object.
EXAMPLE
       # object_type  object_name  context
       db_database    my_database  system_u:object_r:sepgsql_db_t:s0
       db_database    *            system_u:object_r:sepgsql_db_t:s0
       db_schema      *.*          system_u:object_r:sepgsql_schema_t:s0
       db_tuple       row_low      system_u:object_r:sepgsql_table_t:s0
       db_tuple       row_high     system_u:object_r:sepgsql_table_t:s0:c1023
       db_tuple       *.*.*        system_u:object_r:sepgsql_table_t:s0
       If a security context is required for the "my_table" table in the "public" schema of the "postgres" database, the selabel_lookup(3) arguments would be object_type SELABEL_DB_TABLE and object_name "postgres.public.my_table"; the security context, if one is available, is returned in context.
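       As an added illustration of the file format and first-match lookup semantics described above (not code from libselinux or this manual page), the following Python models the specfile parser and lookup over a constructed specfile; the "postgres.public.payroll" entry and the shadowed_entries ordering check are assumptions made for the illustration.

```python
from __future__ import annotations
import fnmatch

# Constructed sample specfile in the documented "object_type object_name context" format.
SAMPLE_SPECFILE = """\
# object_type  object_name              context
db_database    my_database              system_u:object_r:sepgsql_db_t:s0
db_database    *                        system_u:object_r:sepgsql_db_t:s0
db_schema      *.*                      system_u:object_r:sepgsql_schema_t:s0
db_table       postgres.public.payroll  system_u:object_r:sepgsql_table_t:s0:c1023
db_table       *.*.*                    system_u:object_r:sepgsql_table_t:s0
db_tuple       row_low                  system_u:object_r:sepgsql_table_t:s0
db_tuple       row_high                 system_u:object_r:sepgsql_table_t:s0:c1023
db_tuple       *.*.*                    system_u:object_r:sepgsql_table_t:s0
"""

def parse_db_contexts(text: str) -> list[tuple[str, str, str]]:
    """Parse specfile lines into (object_type, object_name, context), keeping file order."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'object_type object_name context'")
        entries.append((fields[0], fields[1], fields[2]))
    return entries

def db_lookup(entries, object_type: str, object_name: str) -> str | None:
    """Return the context of the first entry whose type matches and whose key
    glob-matches the fully qualified name ('*' any run, '?' one character).
    Because the first match wins, a bare '*' placed early shadows later entries."""
    for otype, key, context in entries:
        if otype == object_type and fnmatch.fnmatchcase(object_name, key):
            return context
    return None

def shadowed_entries(entries) -> list[tuple[str, str]]:
    """Sanity check for specfile authors: entries of a type that follow that type's
    bare '*' default can never be reached and should be moved above it."""
    defaulted = set()
    shadowed = []
    for otype, key, _ in entries:
        if otype in defaulted:
            shadowed.append((otype, key))
        if key == "*":
            defaulted.add(otype)
    return shadowed
```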