Re: One question about security label command

From: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
To: Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Kouhei Kaigai <kaigai(at)ak(dot)jp(dot)nec(dot)com>, 张元超 <zhangyuanchao(at)highgo(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: One question about security label command
Date: 2015-03-16 13:40:56
Message-ID: 20150316134056.GB3636@alvh.no-ip.org
Lists: pgsql-hackers

Kohei KaiGai wrote:

> This regression test failure comes from the base security policy of selinux.
> In the recent selinux-policy package, the "unconfined" domain was changed
> to literally have unrestricted permission. So, this test case relies on the
> multi-category policy restricting the unconfined domain, but that assumption
> is not correct now.

Makes sense.

> The attached patch fixes the policy module of regression test.

What branches need this patch? Do we need a modified patch for
earlier branches?

Could you provide a buildfarm animal that runs the sepgsql test in all
branches on a regular basis?

> However, I also think we may stop relying on the permission set of pre-defined
> selinux domains. Instead of a pre-defined one, sepgsql-regtest.te perhaps
> ought to define its own domain with an appropriate permission set independent
> of the base selinux-policy version.

Is this something we would backpatch?

--
Álvaro Herrera http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
