author Joshua Brindle <method@manicmethod.com> 2010-03-18 16:38:45 -0400
committer Joshua Brindle <method@manicmethod.com> 2010-03-18 16:38:45 -0400
commit e53b2cebf21b5e793642cbc6b12334407756734d
tree ad063046d6b4a0f73f64aad6a8731f29d39c7807 /libselinux/man
parent 5af082709774bd19e7b6836eccc6bfb162a87185
parent 0b2e0bd5d0b05e5f498ba9ea51af8fa7bb8ac788
Merge branch 'master' of oss.tresys.com:/home/git/selinux
Diffstat (limited to 'libselinux/man')
-rw-r--r-- libselinux/man/man3/selabel_open.3 | 10
-rw-r--r-- libselinux/man/man3/selinux_binary_policy_path.3 | 4
-rw-r--r-- libselinux/man/man5/selabel_db.5 | 93
3 files changed, 104 insertions, 3 deletions
diff --git a/libselinux/man/man3/selabel_open.3 b/libselinux/man/man3/selabel_open.3
index 1af2ec02..8674e377 100644
--- a/libselinux/man/man3/selabel_open.3
+++ b/libselinux/man/man3/selabel_open.3
@@ -72,15 +72,19 @@ Note that an invalid context may not be treated as an error unless it is actuall
.TP
.B SELABEL_CTX_FILE
File contexts backend, described in
-.BR selabel_file (3).
+.BR selabel_file (5).
.TP
.B SELABEL_CTX_MEDIA
Media contexts backend, described in
-.BR selabel_media (3).
+.BR selabel_media (5).
.TP
.B SELABEL_CTX_X
X Windows contexts backend, described in
-.BR selabel_x (3).
+.BR selabel_x (5).
+.TP
+.B SELABEL_CTX_DB
+Database objects contexts backend, described in
+.BR selabel_db (5).
.SH "RETURN VALUE"
A non-NULL handle value is returned on success. On error, NULL is returned and
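Review bot: The cross-references for selabel_file, selabel_media and selabel_x move from section 3 to section 5 here, but the diffstat for libselinux/man shows only selabel_db.5 being touched under man5, so please confirm the other three pages are actually installed in section 5 in this tree; otherwise these references point at pages that do not exist. In the new entry, "Database objects contexts backend" would read better as "Database object contexts backend", in line with the "File contexts" and "Media contexts" entries above it.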
diff --git a/libselinux/man/man3/selinux_binary_policy_path.3 b/libselinux/man/man3/selinux_binary_policy_path.3
index 61909576..8ead1a44 100644
--- a/libselinux/man/man3/selinux_binary_policy_path.3
+++ b/libselinux/man/man3/selinux_binary_policy_path.3
@@ -29,6 +29,8 @@ extern const char *selinux_usersconf_path(void);
extern const char *selinux_x_context_path(void);
+extern const char *selinux_sepgsql_context_path(void);
+
extern const char *selinux_file_context_path(void);
extern const char *selinux_media_context_path(void);
@@ -66,6 +68,8 @@ selinux_usersconf_path() - file containing mapping between Linux Users and SELin
.sp
selinux_x_context_path() - file containing configuration for XSELinux extension
.sp
+selinux_sepgsql_context_path() - file containing configuration for SE-PostgreSQL
+.sp
selinux_netfilter_context_path - default netfilter context
.sp
selinux_file_context_path() - default system file contexts configuration
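Review bot: The added description, "file containing configuration for SE-PostgreSQL", does not say what the file is used for or tie it to the labeling backend introduced in the same commit. If this is the specfile the SELABEL_CTX_DB backend opens by default, say so and point the reader to selabel_db(5), so that someone looking for the database object contexts file can find it from this page.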
diff --git a/libselinux/man/man5/selabel_db.5 b/libselinux/man/man5/selabel_db.5
new file mode 100644
index 00000000..b699f399
--- /dev/null
+++ b/libselinux/man/man5/selabel_db.5
@@ -0,0 +1,93 @@
+.\" Hey Emacs! This file is -*- nroff -*- source.
+.\"
+.\" Author: KaiGai Kohei <kaigai@ak.jp.nec.com> 2009
+.TH "selabel_db" "5" "22 Nov 2009" "" "SELinux API documentation"
+.SH "NAME"
+selabel_db \- userspace SELinux labeling interface: DB objects contexts backend.
+.SH "SYNOPSIS"
+.B #include <selinux/selinux.h>
+
+.B #include <selinux/label.h>
+.sp
+.BI "int selabel_lookup(struct selabel_handle *" hnd ,
+.in +\w'int selabel_lookup('u
+.BI "security_context_t *" context ,
+
+.BI "const char *" object_name ", int " object_type ");"
+
+.SH "DESCRIPTION"
+The DB contexts backend maps from a pair of object name and class into security contexts. It is used to find the appropriate context for database objects when relabeling a certain database.
+
+The
+.I object_name
+should be fully qualified name using the hierarchy of database objects.
+For example, the
+.B pg_class
+table in the
+.B postgres
+database and
+.B pg_catalog
+schema should be qualified as
+.B postgres.pg_catalog.pg_class .
+
+The
+.I object_type
+argument should be set to one of the following values:
+.TP
+.B SELABEL_DB_DATABASE
+The
+.I object_name
+argument specifies the name of a database itself, such as "postgres".
+.TP
+.B SELABEL_DB_SCHEMA
+The
+.I object_name
+argument specifies the name of a schema object, such as "postgres.public".
+.TP
+.B SELABEL_DB_TABLE
+The
+.I object_name
+argument specifies the name of a table object, such as "postgres.public.my_table"
+.TP
+.B SELABEL_DB_COLUMN
+The
+.I object_name
+argument specifies the name of a column object, such as "postgres.public.my_table.user_id"
+.TP
+.B SELABEL_DB_TUPLE
+The
+.I object_name
+argument specifies the name of a table object which contains the tuples to be relabeled, such as "postgresql.public.my_table". Note that we have no way to identify individual tuple objects, except for WHERE clause on DML statements, because it has no name.
+.TP
+.B SELABEL_DB_PROCEDURE
+The
+.I object_name
+argument specifies the name of a procedure object, such as "postgres.public.my_func". Note that we don't support to lookup individual security contexts for each procedures which have same name but different arguments.
+.TP
+.B SELABEL_DB_SEQUENCE
+The
+.I object_name
+argument specifies the name of a sequence object, such as "postgres.public.my_seq".
+.TP
+.B SELABEL_DB_BLOB
+The
+.I object_name
+argument specifies the name of a large object, such as "postgres.16308".
+Note that a large object does not have its name, so it is identified by its identifier value.
+
+.SH "OPTIONS"
+In addition to the global options described in
+.BR selabel_open (3),
+this backend recognizes the following options:
+
+.TP
+.B SELABEL_OPT_PATH
+A non-null value for this option specifies a path to a file that will be opened in lieu of the standard DB contexts file.
+It tries to open the specfile designed for SE-PostgreSQL in the default, so if another RDBMS uses this interface, it needs to give an explicit specfile designed for the RDBMS.
+
+.SH "SEE ALSO"
+.BR selabel_open (3),
+.BR selabel_lookup (3),
+.BR selabel_stats (3),
+.BR selinux (8)
+
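Review bot: The SELABEL_DB_TUPLE example uses "postgresql.public.my_table" while every other example on the page qualifies the name with the database "postgres"; since the lookup key is the fully qualified name, the inconsistent prefix is misleading and should be "postgres.public.my_table". The page is filed in section 5 and the OPTIONS text refers to "the standard DB contexts file" and a "specfile designed for SE-PostgreSQL", yet nothing here documents the format of that file or its default location; a short FILE FORMAT section with an example entry would let administrators of another RDBMS write the explicit specfile the SELABEL_OPT_PATH paragraph says they need. Smaller points: ".B postgres.pg_catalog.pg_class ." sets the trailing period in bold with a space before it (use .BR), the SELABEL_DB_TABLE and SELABEL_DB_COLUMN entries lack a final period, and "we don't support to lookup individual security contexts for each procedures" needs rewording.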