Skip to content

Commit 194c8f7

Browse files
robertmhaasrobertmhaas
committed
First round of cleanup of sepgsql code and documentation.
Robert Haas, with a few suggestions from Thom Brown
1 parent 968bc6f commit 194c8f7

File tree

5 files changed

+227
-271
lines changed

5 files changed

+227
-271
lines changed

contrib/sepgsql/.gitignore

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1 +1,5 @@
11
/sepgsql.sql
2+
/sepgsql-regtest.fc
3+
/sepgsql-regtest.if
4+
/sepgsql-regtest.pp
5+
/tmp

contrib/sepgsql/dml.c

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -171,12 +171,12 @@ check_relation_privileges(Oid relOid,
171171
SEPG_DB_TABLE__DELETE)) != 0)
172172
ereport(ERROR,
173173
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
174-
errmsg("selinux: hardwired security policy violation")));
174+
errmsg("SELinux: hardwired security policy violation")));
175175

176176
if (relkind == RELKIND_TOASTVALUE)
177177
ereport(ERROR,
178178
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
179-
errmsg("selinux: hardwired security policy violation")));
179+
errmsg("SELinux: hardwired security policy violation")));
180180
}
181181

182182
/*

contrib/sepgsql/hooks.c

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -91,7 +91,7 @@ sepgsql_client_auth(Port *port, int status)
9191
if (getpeercon_raw(port->sock, &context) < 0)
9292
ereport(FATAL,
9393
(errcode(ERRCODE_INTERNAL_ERROR),
94-
errmsg("selinux: failed to get the peer label")));
94+
errmsg("SELinux: unable to get peer label")));
9595

9696
sepgsql_set_client_label(context);
9797

@@ -318,7 +318,7 @@ sepgsql_utility_command(Node *parsetree,
318318
{
319319
ereport(ERROR,
320320
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
321-
errmsg("SELinux: LOAD is not allowed anyway.")));
321+
errmsg("SELinux: LOAD is not permitted")));
322322
}
323323
break;
324324
default:
@@ -352,8 +352,8 @@ _PG_init(void)
352352
*/
353353
if (IsUnderPostmaster)
354354
ereport(ERROR,
355-
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
356-
errmsg("Not allowed to load SE-PostgreSQL now")));
355+
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
356+
errmsg("sepgsql must be loaded via shared_preload_libraries")));
357357

358358
/*
359359
* Check availability of SELinux on the platform.
@@ -414,7 +414,7 @@ _PG_init(void)
414414
if (getcon_raw(&context) < 0)
415415
ereport(ERROR,
416416
(errcode(ERRCODE_INTERNAL_ERROR),
417-
errmsg("selinux: unable to get security label of server")));
417+
errmsg("SELinux: failed to get server security label")));
418418
sepgsql_set_client_label(context);
419419

420420
/* Security label provider hook */

contrib/sepgsql/label.c

Lines changed: 19 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -81,7 +81,7 @@ sepgsql_get_label(Oid classId, Oid objectId, int32 subId)
8181
if (security_get_initial_context_raw("unlabeled", &unlabeled) < 0)
8282
ereport(ERROR,
8383
(errcode(ERRCODE_INTERNAL_ERROR),
84-
errmsg("selinux: unable to get initial security label")));
84+
errmsg("SELinux: failed to get initial security label")));
8585
PG_TRY();
8686
{
8787
label = pstrdup(unlabeled);
@@ -114,7 +114,7 @@ sepgsql_object_relabel(const ObjectAddress *object, const char *seclabel)
114114
security_check_context_raw((security_context_t) seclabel) < 0)
115115
ereport(ERROR,
116116
(errcode(ERRCODE_INVALID_NAME),
117-
errmsg("invalid security label: \"%s\"", seclabel)));
117+
errmsg("SELinux: invalid security label: \"%s\"", seclabel)));
118118
/*
119119
* Do actual permission checks for each object classes
120120
*/
@@ -154,13 +154,11 @@ sepgsql_getcon(PG_FUNCTION_ARGS)
154154
char *client_label;
155155

156156
if (!sepgsql_is_enabled())
157-
ereport(ERROR,
158-
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
159-
errmsg("SELinux: now disabled")));
157+
PG_RETURN_NULL();
160158

161159
client_label = sepgsql_get_client_label();
162160

163-
PG_RETURN_POINTER(cstring_to_text(client_label));
161+
PG_RETURN_TEXT_P(cstring_to_text(client_label));
164162
}
165163

166164
/*
@@ -179,14 +177,14 @@ sepgsql_mcstrans_in(PG_FUNCTION_ARGS)
179177

180178
if (!sepgsql_is_enabled())
181179
ereport(ERROR,
182-
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
183-
errmsg("SELinux: now disabled")));
180+
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
181+
errmsg("sepgsql is not enabled")));
184182

185183
if (selinux_trans_to_raw_context(text_to_cstring(label),
186184
&raw_label) < 0)
187185
ereport(ERROR,
188186
(errcode(ERRCODE_INTERNAL_ERROR),
189-
errmsg("SELinux: internal error on mcstrans")));
187+
errmsg("SELinux: could not translate security label")));
190188

191189
PG_TRY();
192190
{
@@ -200,7 +198,7 @@ sepgsql_mcstrans_in(PG_FUNCTION_ARGS)
200198
PG_END_TRY();
201199
freecon(raw_label);
202200

203-
PG_RETURN_POINTER(cstring_to_text(result));
201+
PG_RETURN_TEXT_P(cstring_to_text(result));
204202
}
205203

206204
/*
@@ -219,14 +217,14 @@ sepgsql_mcstrans_out(PG_FUNCTION_ARGS)
219217

220218
if (!sepgsql_is_enabled())
221219
ereport(ERROR,
222-
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
223-
errmsg("SELinux: now disabled")));
220+
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
221+
errmsg("sepgsql is not currently enabled")));
224222

225223
if (selinux_raw_to_trans_context(text_to_cstring(label),
226224
&qual_label) < 0)
227225
ereport(ERROR,
228226
(errcode(ERRCODE_INTERNAL_ERROR),
229-
errmsg("SELinux: internal error on mcstrans")));
227+
errmsg("SELinux: could not translate security label")));
230228

231229
PG_TRY();
232230
{
@@ -240,7 +238,7 @@ sepgsql_mcstrans_out(PG_FUNCTION_ARGS)
240238
PG_END_TRY();
241239
freecon(qual_label);
242240

243-
PG_RETURN_POINTER(cstring_to_text(result));
241+
PG_RETURN_TEXT_P(cstring_to_text(result));
244242
}
245243

246244
/*
@@ -360,8 +358,7 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
360358
break;
361359

362360
default:
363-
elog(ERROR, "Bug? %u is not supported to set initial labels",
364-
catalogId);
361+
elog(ERROR, "unexpected catalog id: %u", catalogId);
365362
break;
366363
}
367364

@@ -387,12 +384,12 @@ exec_object_restorecon(struct selabel_handle *sehnd, Oid catalogId)
387384
}
388385
else if (errno == ENOENT)
389386
ereport(WARNING,
390-
(errmsg("no valid initial label on %s (type=%d), skipped",
387+
(errmsg("SELinux: no initial label assigned for %s (type=%d), skipping",
391388
objname, objtype)));
392389
else
393390
ereport(ERROR,
394391
(errcode(ERRCODE_INTERNAL_ERROR),
395-
errmsg("libselinux: internal error")));
392+
errmsg("SELinux: could not determine initial security label for %s (type=%d)", objname, objtype)));
396393
}
397394
systable_endscan(sscan);
398395

@@ -422,16 +419,16 @@ sepgsql_restorecon(PG_FUNCTION_ARGS)
422419
*/
423420
if (!sepgsql_is_enabled())
424421
ereport(ERROR,
425-
(errcode(ERRCODE_FEATURE_NOT_SUPPORTED),
426-
errmsg("SELinux: now disabled")));
422+
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
423+
errmsg("sepgsql is not currently enabled")));
427424
/*
428425
* Check DAC permission. Only superuser can set up initial
429426
* security labels, like root-user in filesystems
430427
*/
431428
if (!superuser())
432429
ereport(ERROR,
433430
(errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
434-
errmsg("must be superuser to restore initial contexts")));
431+
errmsg("SELinux: must be superuser to restore initial contexts")));
435432

436433
/*
437434
* Open selabel_lookup(3) stuff. It provides a set of mapping
@@ -452,7 +449,7 @@ sepgsql_restorecon(PG_FUNCTION_ARGS)
452449
if (!sehnd)
453450
ereport(ERROR,
454451
(errcode(ERRCODE_INTERNAL_ERROR),
455-
errmsg("SELinux internal error")));
452+
errmsg("SELinux: failed to initialize labeling handle")));
456453
PG_TRY();
457454
{
458455
/*

0 commit comments

Comments
 (0)