selabel_db(5)              SELinux API documentation             selabel_db(5)

NAME

       selabel_db - userspace SELinux labeling interface and configuration
       file format for the RDBMS objects context backend


SYNOPSIS

       #include <selinux/label.h>

       int selabel_lookup(struct selabel_handle *hnd,
                          char **context,
                          const char *object_name, int object_type);

       int selabel_lookup_raw(struct selabel_handle *hnd,
                          char **context,
                          const char *object_name, int object_type);


DESCRIPTION

       The DB contexts backend maps a pair of object name and object class to
       a security context. It is used to find the appropriate context for
       database objects when relabeling a database. The returned context must
       be freed using freecon(3).
       selabel_lookup(3) describes the function with its return and error
       codes.

       The object_name should be a fully qualified name using the hierarchy of
       database objects. For example, the pg_class table in the pg_catalog
       schema of the postgres database should be qualified as:
              postgres.pg_catalog.pg_class

       The NOTES section has further information on database support for
       namespace hierarchies.

       The object_type argument should be set to one of the following values:

              SELABEL_DB_DATABASE
                     The object_name argument specifies the name of a database
                     itself, such as "postgres".

              SELABEL_DB_SCHEMA
                     The object_name argument specifies the name of a schema
                     object, such as "postgres.public".

              SELABEL_DB_TABLE
                     The object_name argument specifies the name of a table
                     object, such as "postgres.public.my_table".

              SELABEL_DB_COLUMN
                     The object_name argument specifies the name of a column
                     object, such as "postgres.public.my_table.user_id".

              SELABEL_DB_TUPLE
                     The object_name argument specifies the name of the table
                     object that contains the tuples to be relabeled, such as
                     "postgres.public.my_table". Individual tuples have no
                     name, so this interface cannot identify them; the only
                     way to select particular tuples is a WHERE clause on the
                     DML statement.

              SELABEL_DB_PROCEDURE
                     The object_name argument specifies the name of a
                     procedure object, such as "postgres.public.my_func".
                     Lookup of separate security contexts for procedures that
                     share a name but differ in their argument lists is not
                     supported.

              SELABEL_DB_SEQUENCE
                     The object_name argument specifies the name of a sequence
                     object, such as "postgres.public.my_seq".

              SELABEL_DB_BLOB
                     The object_name argument specifies the name of a large
                     object, such as "postgres.16308". A large object has no
                     name, so it is identified by its numeric identifier.

              SELABEL_DB_VIEW
                     The object_name argument specifies the name of a view
                     object, such as "postgres.public.my_view".

              SELABEL_DB_LANGUAGE
                     The object_name argument specifies the name of a language
                     object, such as "postgres.public.tcl".

              SELABEL_DB_EXCEPTION
                     The object_name argument specifies the name of an
                     exception object.

              SELABEL_DB_DATATYPE
                     The object_name argument specifies the name of a type or
                     domain object, such as "postgres.public.my_type".

       Any messages generated by selabel_lookup(3) are sent to stderr by
       default, although this can be changed by selinux_set_callback(3).

       selabel_lookup_raw(3) behaves identically to selabel_lookup(3) but does
       not perform context translation.

       The FILES section details the configuration files used to determine the
       database object context.


OPTIONS

       In addition to the global options described in selabel_open(3), this
       backend recognizes the following options:

              SELABEL_OPT_PATH
                     A non-null value for this option specifies a path to a
                     file that will be opened in lieu of the standard DB
                     contexts file. By default the backend opens the specfile
                     written for SE-PostgreSQL, so any other RDBMS using this
                     interface must supply an explicit specfile written for
                     that RDBMS through this option (see the FILES section for
                     details).


FILES

       The database contexts file used to retrieve a context depends on the
       SELABEL_OPT_PATH parameter passed to selabel_open(3). If NULL, then the
       SELABEL_OPT_PATH value will default to the active policy database
       contexts location (as returned by selinux_sepgsql_context_path(3)),
       otherwise the actual SELABEL_OPT_PATH value specified is used (this
       option must be used to support databases other than SE-PostgreSQL).

       The default database object contexts file is:
              /etc/selinux/{SELINUXTYPE}/contexts/sepgsql_contexts

       Where {SELINUXTYPE} is the entry from the selinux configuration file
       config (see selinux_config(5)).

       The entries within the database contexts file are shown in the Object
       Name String Values and FILE FORMAT sections.


Object Name String Values

       The string name assigned to each object_type argument, as it appears
       in the database contexts file, is:

                        ┌─────────────────────┬──────────────┐
                        │ object_type         │ Text Name    │
                        ├─────────────────────┼──────────────┤
                        │ SELABEL_DB_DATABASE │ db_database  │
                        ├─────────────────────┼──────────────┤
                        │ SELABEL_DB_SCHEMA   │ db_schema    │
                        ├─────────────────────┼──────────────┤
                        │ SELABEL_DB_VIEW     │ db_view      │
                        ├─────────────────────┼──────────────┤
                        │ SELABEL_DB_LANGUAGE │ db_language  │
                        ├─────────────────────┼──────────────┤
                        │ SELABEL_DB_TABLE    │ db_table     │
                        ├─────────────────────┼──────────────┤
                        │ SELABEL_DB_COLUMN   │ db_column    │
                        ├─────────────────────┼──────────────┤
                        │ SELABEL_DB_TUPLE    │ db_tuple     │
                        ├─────────────────────┼──────────────┤
                        │ SELABEL_DB_PROCEDURE│ db_procedure │
                        ├─────────────────────┼──────────────┤
                        │ SELABEL_DB_SEQUENCE │ db_sequence  │
                        ├─────────────────────┼──────────────┤
                        │ SELABEL_DB_BLOB     │ db_blob      │
                        ├─────────────────────┼──────────────┤
                        │ SELABEL_DB_EXCEPTION│ db_exception │
                        ├─────────────────────┼──────────────┤
                        │ SELABEL_DB_DATATYPE │ db_datatype  │
                        └─────────────────────┴──────────────┘

FILE FORMAT

       Each line within the database contexts file is as follows:
              object_type object_name context

       Where:
              object_type
                     This is the string representation of the object type
                     shown in the Object Name String Values section.
              object_name
                     The key used to obtain the context based on the
                     object_type.

                     The entry can contain '*' to match any sequence of
                     characters or '?' to match any single character.

                     Note that if '*' is used, then the order of entries in
                     the file is important, because the first matching entry
                     for the requested object_type wins. A '*' on its own is
                     used to ensure a default fallback context is assigned;
                     it should be the last entry in the object_type block,
                     since any entry of the same type placed after it can
                     never be reached.
              context
                     The security context that will be applied to the object.

       The following example is for SE-PostgreSQL:

       # ./contexts/sepgsql_contexts file
       # object_type  object_name   context
       db_database    my_database   system_u:object_r:sepgsql_db_t:s0
       db_database    *             system_u:object_r:sepgsql_db_t:s0
       db_schema      *.*           system_u:object_r:sepgsql_schema_t:s0
       db_tuple       row_low       system_u:object_r:sepgsql_table_t:s0
       db_tuple       row_high      system_u:object_r:sepgsql_table_t:s0:c1023
       db_tuple       *.*.*         system_u:object_r:sepgsql_table_t:s0

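       The following resolver is an added example written for this page; it
       is not libselinux code and does not call the selabel_* API. It parses a
       contexts file in the format above, answers lookups the way the text
       describes (match on object_type, then first glob match wins), reports
       entries shadowed by a preceding bare '*' of the same type, and applies
       a syntactic stand-in for the validation of NOTE 3. Assumptions made
       here and not stated on the page: a spec line is exactly three
       whitespace-separated fields, a line whose first non-blank character is
       '#' is a comment, and patterns follow fnmatch(3)-style globbing. The
       sample file is constructed from the page's SE-PostgreSQL example plus
       two db_table lines added to show hierarchy matching; the type
       sepgsql_sysobj_t in those lines is assumed to exist in the policy.

```python
"""Resolver for the selabel_db(5) contexts file format (added example,
not libselinux code).  Matching model assumed here: first entry of the
requested object_type whose glob pattern matches object_name wins."""
import fnmatch
import re
from typing import List, NamedTuple, Optional

# Text names from the "Object Name String Values" table of the man page.
OBJECT_TYPES = {
    "SELABEL_DB_DATABASE": "db_database",
    "SELABEL_DB_SCHEMA": "db_schema",
    "SELABEL_DB_VIEW": "db_view",
    "SELABEL_DB_LANGUAGE": "db_language",
    "SELABEL_DB_TABLE": "db_table",
    "SELABEL_DB_COLUMN": "db_column",
    "SELABEL_DB_TUPLE": "db_tuple",
    "SELABEL_DB_PROCEDURE": "db_procedure",
    "SELABEL_DB_SEQUENCE": "db_sequence",
    "SELABEL_DB_BLOB": "db_blob",
    "SELABEL_DB_EXCEPTION": "db_exception",
    "SELABEL_DB_DATATYPE": "db_datatype",
}

# Constructed sample: the man page's example plus two db_table lines
# (sepgsql_sysobj_t is assumed to be a type defined in the policy).
SAMPLE_SPECFILE = """\
# object_type  object_name      context
db_database    my_database      system_u:object_r:sepgsql_db_t:s0
db_database    *                system_u:object_r:sepgsql_db_t:s0
db_schema      *.*              system_u:object_r:sepgsql_schema_t:s0
db_table       *.pg_catalog.*   system_u:object_r:sepgsql_sysobj_t:s0
db_table       *.*.*            system_u:object_r:sepgsql_table_t:s0
db_tuple       row_low          system_u:object_r:sepgsql_table_t:s0
db_tuple       row_high         system_u:object_r:sepgsql_table_t:s0:c1023
db_tuple       *.*.*            system_u:object_r:sepgsql_table_t:s0
"""


class Spec(NamedTuple):
    lineno: int
    object_type: str  # text name, e.g. "db_table"
    pattern: str
    context: str


# Syntactic stand-in for SELABEL_OPT_VALIDATE: user:role:type[:range].
# The real check consults the loaded policy; this only catches malformed
# strings, not types that do not exist.
CONTEXT_RE = re.compile(r"^[^:\s]+:[^:\s]+:[^:\s]+(?::\S+)?$")


def validate_context(context: str) -> bool:
    return CONTEXT_RE.match(context) is not None


def parse_db_contexts(text: str, validate: bool = True) -> List[Spec]:
    """Parse the contexts file; raise ValueError on a malformed line."""
    specs = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        object_type, pattern, context = fields
        if object_type not in OBJECT_TYPES.values():
            raise ValueError(f"line {lineno}: unknown object_type {object_type!r}")
        if validate and not validate_context(context):
            raise ValueError(f"line {lineno}: malformed context {context!r}")
        specs.append(Spec(lineno, object_type, pattern, context))
    return specs


def lookup(specs: List[Spec], object_type: str, object_name: str) -> Optional[str]:
    """selabel_lookup() analogue: first matching entry wins; None means no entry."""
    text_name = OBJECT_TYPES[object_type]
    for spec in specs:
        if spec.object_type == text_name and fnmatch.fnmatchcase(object_name, spec.pattern):
            return spec.context
    return None


def shadowed_entries(specs: List[Spec]) -> List[int]:
    """Line numbers of entries that can never match because a bare '*' for
    the same object_type precedes them (the ordering caveat in FILE FORMAT)."""
    seen_catchall = set()
    shadowed = []
    for spec in specs:
        if spec.object_type in seen_catchall:
            shadowed.append(spec.lineno)
        elif spec.pattern == "*":
            seen_catchall.add(spec.object_type)
    return shadowed


if __name__ == "__main__":
    specs = parse_db_contexts(SAMPLE_SPECFILE)
    for otype, name in [("SELABEL_DB_TABLE", "postgres.pg_catalog.pg_class"),
                        ("SELABEL_DB_TABLE", "postgres.public.my_table"),
                        ("SELABEL_DB_TUPLE", "row_high"),
                        ("SELABEL_DB_COLUMN", "postgres.public.my_table.user_id")]:
        print(f"{otype:22} {name:36} -> {lookup(specs, otype, name)}")
    print("shadowed entries:", shadowed_entries(specs))
```

       Two points the run makes visible: a column lookup returns None
       because the sample has no db_column block, which is the ENOENT case a
       caller must handle rather than treating as "unlabeled"; and because
       '*' in glob matching also crosses '.', a pattern such as "*.*" for
       db_schema would also match a three-level name, so the object_type
       field, not the number of dots, is what keeps the blocks apart.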

NOTES

       1.  A suitable database contexts file needs to be written for the
           target RDBMS and the SELABEL_OPT_PATH option must be used in
           selabel_open(3) to load it.

       2.  The hierarchy of the namespace for database objects depends on the
           RDBMS; however, the selabel* interfaces do not have any specific
           support for a namespace hierarchy. The hierarchy is expressed only
           through the dotted object_name passed to the lookup.

           SE-PostgreSQL has a namespace hierarchy where a database is the top
           level object with the schema being the next level. Under the schema
           object there can be other types of objects such as tables and
           procedures. This hierarchy is supported as follows:

                  If a security context is required for the "my_table" table
                  in the "public" schema within the "postgres" database, then
                  the selabel_lookup(3) parameters would be object_type
                  SELABEL_DB_TABLE and object_name "postgres.public.my_table";
                  the security context (if available) would be returned in
                  context.

       3.  If contexts are to be validated, then the global option
           SELABEL_OPT_VALIDATE must be set before calling selabel_open(3). If
           this is not set, then it is possible for an invalid context to be
           returned.


SEE ALSO

       selinux(8), selabel_open(3), selabel_lookup(3), selabel_stats(3),
       selabel_close(3), selinux_set_callback(3),
       selinux_sepgsql_context_path(3), freecon(3), selinux_config(5)



Security Enhanced Linux           01 DEC 2011                    selabel_db(5)