-rw-r--r--contrib/sepgsql/expected/label.out8
-rw-r--r--contrib/sepgsql/hooks.c14
-rw-r--r--contrib/sepgsql/sepgsql-regtest.te28
-rw-r--r--contrib/sepgsql/sql/label.sql8
4 files changed, 57 insertions, 1 deletions
diff --git a/contrib/sepgsql/expected/label.out b/contrib/sepgsql/expected/label.out
index daf8d08eb2a..bac169f37bf 100644
--- a/contrib/sepgsql/expected/label.out
+++ b/contrib/sepgsql/expected/label.out
@@ -22,6 +22,11 @@ CREATE FUNCTION f3 () RETURNS text
END;' LANGUAGE plpgsql;
SECURITY LABEL ON FUNCTION f3()
IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
+CREATE FUNCTION f4 () RETURNS text
+ AS 'SELECT sepgsql_getcon()'
+ LANGUAGE sql;
+SECURITY LABEL ON FUNCTION f4()
+ IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
--
-- Tests for default labeling behavior
--
@@ -86,6 +91,8 @@ SELECT f2(); -- trusted procedure
SELECT f3(); -- trusted procedure that raises an error
ERROR: an exception from f3()
+SELECT f4(); -- failed on domain transition
+ERROR: SELinux: security policy violation
SELECT sepgsql_getcon(); -- client's label must be restored
sepgsql_getcon
-----------------------------------------------------
@@ -107,3 +114,4 @@ DROP TABLE IF EXISTS t3 CASCADE;
DROP FUNCTION IF EXISTS f1() CASCADE;
DROP FUNCTION IF EXISTS f2() CASCADE;
DROP FUNCTION IF EXISTS f3() CASCADE;
+DROP FUNCTION IF EXISTS f4() CASCADE;
diff --git a/contrib/sepgsql/hooks.c b/contrib/sepgsql/hooks.c
index 83a505ec18d..27e85d25b1d 100644
--- a/contrib/sepgsql/hooks.c
+++ b/contrib/sepgsql/hooks.c
@@ -251,6 +251,7 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
if (!stack)
{
MemoryContext oldcxt;
+ const char *cur_label = sepgsql_get_client_label();
oldcxt = MemoryContextSwitchTo(flinfo->fn_mcxt);
stack = palloc(sizeof(*stack));
@@ -260,6 +261,19 @@ sepgsql_fmgr_hook(FmgrHookEventType event,
MemoryContextSwitchTo(oldcxt);
+ if (strcmp(cur_label, stack->new_label) != 0)
+ {
+ /*
+ * process:transition permission between old and new
+ * label, when user tries to switch security label of
+ * the client on execution of trusted procedure.
+ */
+ sepgsql_check_perms(cur_label, stack->new_label,
+ SEPG_CLASS_PROCESS,
+ SEPG_PROCESS__TRANSITION,
+ NULL, true);
+ }
+
*private = PointerGetDatum(stack);
}
Assert(!stack->old_label);
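Review bot: The added `strcmp(cur_label, stack->new_label)` dereferences `stack->new_label` without a NULL guard, and the line that assigns it sits between the two hunks and is not visible here. If that assignment can yield NULL when no domain transition applies (for instance when the hook was requested only by a chained hook), the backend would crash instead of skipping the check; `if (stack->new_label && strcmp(cur_label, stack->new_label) != 0)` would make the intent explicit. The check also sits inside the `if (!stack)` setup, so it appears to run once per cached `flinfo` rather than on every call; a comment stating that the client label is assumed not to change during that lifetime would help. The body of sepgsql_fmgr_hook starts and ends outside the hunk.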
diff --git a/contrib/sepgsql/sepgsql-regtest.te b/contrib/sepgsql/sepgsql-regtest.te
index 66666d0c38a..3b1def75a52 100644
--- a/contrib/sepgsql/sepgsql-regtest.te
+++ b/contrib/sepgsql/sepgsql-regtest.te
@@ -1,4 +1,8 @@
-policy_module(sepgsql-regtest, 1.01)
+policy_module(sepgsql-regtest, 1.02)
+
+gen_require(`
+ all_userspace_class_perms
+')
## <desc>
## <p>
@@ -9,6 +13,12 @@ policy_module(sepgsql-regtest, 1.01)
gen_tunable(sepgsql_regression_test_mode, false)
#
+# Type definitions for regression test
+#
+type sepgsql_regtest_trusted_proc_exec_t;
+postgresql_procedure_object(sepgsql_regtest_trusted_proc_exec_t)
+
+#
# Test domains for database administrators
#
role sepgsql_regtest_dba_r;
@@ -57,3 +67,19 @@ optional_policy(`
role unconfined_r types sepgsql_regtest_user_t;
role unconfined_r types sepgsql_trusted_proc_t;
')
+
+#
+# Rule to check
+#
+optional_policy(`
+ # These rules intends sepgsql_regtest_user_t domain to translate
+ # sepgsql_regtest_dba_t on execution of procedures labeled as
+ # sepgsql_regtest_trusted_proc_exec_t, but does not allow transition
+ # permission from sepgsql_regtest_user_t to sepgsql_regtest_dba_t.
+ #
+ gen_require(`
+ attribute sepgsql_client_type;
+ ')
+ allow sepgsql_client_type sepgsql_regtest_trusted_proc_exec_t:db_procedure { getattr execute install };
+ type_transition sepgsql_regtest_user_t sepgsql_regtest_trusted_proc_exec_t:process sepgsql_regtest_dba_t;
+')
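Review bot: The comment in the new optional_policy block says the rules make sepgsql_regtest_user_t "translate" to sepgsql_regtest_dba_t where "transition" is meant, and the header `# Rule to check` does not say what is being checked. Suggested wording: `# Rules to exercise a denied process:transition check`, followed by a comment explaining that the type_transition sends sepgsql_regtest_user_t to sepgsql_regtest_dba_t on execution of a procedure labeled sepgsql_regtest_trusted_proc_exec_t, while no allow rule grants process:transition, so the call must fail. The `allow` line applies to every domain with the sepgsql_client_type attribute rather than only the test domain; that is probably acceptable in a regression-test module, but a comment saying it is test-only would keep it from being copied into a production policy.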
diff --git a/contrib/sepgsql/sql/label.sql b/contrib/sepgsql/sql/label.sql
index 1100fcb35a6..2b1841281c1 100644
--- a/contrib/sepgsql/sql/label.sql
+++ b/contrib/sepgsql/sql/label.sql
@@ -27,6 +27,12 @@ CREATE FUNCTION f3 () RETURNS text
SECURITY LABEL ON FUNCTION f3()
IS 'system_u:object_r:sepgsql_trusted_proc_exec_t:s0';
+CREATE FUNCTION f4 () RETURNS text
+ AS 'SELECT sepgsql_getcon()'
+ LANGUAGE sql;
+SECURITY LABEL ON FUNCTION f4()
+ IS 'system_u:object_r:sepgsql_regtest_trusted_proc_exec_t:s0';
+
--
-- Tests for default labeling behavior
--
@@ -59,6 +65,7 @@ SECURITY LABEL ON COLUMN t2.b
SELECT f1(); -- normal procedure
SELECT f2(); -- trusted procedure
SELECT f3(); -- trusted procedure that raises an error
+SELECT f4(); -- failed on domain transition
SELECT sepgsql_getcon(); -- client's label must be restored
--
@@ -71,3 +78,4 @@ DROP TABLE IF EXISTS t3 CASCADE;
DROP FUNCTION IF EXISTS f1() CASCADE;
DROP FUNCTION IF EXISTS f2() CASCADE;
DROP FUNCTION IF EXISTS f3() CASCADE;
+DROP FUNCTION IF EXISTS f4() CASCADE;