path: root/contrib/sepgsql/selinux.c
Diffstat (limited to 'contrib/sepgsql/selinux.c')
-rw-r--r--contrib/sepgsql/selinux.c66
1 files changed, 0 insertions, 66 deletions
diff --git a/contrib/sepgsql/selinux.c b/contrib/sepgsql/selinux.c
index 4fe30465d74..d4713e74195 100644
--- a/contrib/sepgsql/selinux.c
+++ b/contrib/sepgsql/selinux.c
@@ -886,69 +886,3 @@ sepgsql_compute_create(const char *scontext,
return result;
}
-
-/*
- * sepgsql_check_perms
- *
- * It makes access control decision without userspace caching mechanism.
- * If SELinux denied the required accesses on the pair of security labels,
- * it raises an error or returns false.
- *
- * scontext: security label of the subject (mostly, peer process)
- * tcontext: security label of the object being referenced
- * tclass: class code (SEPG_CLASS_*) of the object being referenced
- * required: a mask of required permissions (SEPG_<class>__<perm>)
- * audit_name: a human-readable object name for audit logs, or NULL.
- * abort_on_violation: true, if error shall be raised on access violation
- */
-bool
-sepgsql_check_perms(const char *scontext,
- const char *tcontext,
- uint16 tclass,
- uint32 required,
- const char *audit_name,
- bool abort_on_violation)
-{
- struct av_decision avd;
- uint32 denied;
- uint32 audited;
- bool result = true;
- bool enforcing;
-
- sepgsql_compute_avd(scontext, tcontext, tclass, &avd);
-
- denied = required & ~avd.allowed;
-
- if (sepgsql_get_debug_audit())
- audited = (denied ? denied : required);
- else
- audited = (denied ? (denied & avd.auditdeny)
- : (required & avd.auditallow));
-
- enforcing = sepgsql_getenforce() > 0 &&
- (avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE) == 0;
-
- if (denied && enforcing)
- result = false;
-
- /*
- * It records a security audit for the request, if needed. But, when
- * SE-PgSQL performs 'internal' mode, it needs to keep silent.
- */
- if (audited && sepgsql_mode != SEPGSQL_MODE_INTERNAL)
- {
- sepgsql_audit_log(denied,
- enforcing,
- scontext,
- tcontext,
- tclass,
- audited,
- audit_name);
- }
-
- if (!result && abort_on_violation)
- ereport(ERROR,
- (errcode(ERRCODE_INSUFFICIENT_PRIVILEGE),
- errmsg("SELinux: security policy violation")));
- return result;
-}