
Re: [v9.2] Add GUC sepgsql.client_label

From: Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
To: Yeb Havinga <yebhavinga(at)gmail(dot)com>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, PgHacker <pgsql-hackers(at)postgresql(dot)org>, Joshua Brindle <jbrindle(at)tresys(dot)com>
Subject: Re: [v9.2] Add GUC sepgsql.client_label
Date: 2012-02-28 16:33:38
Message-ID: CADyhKSUg+SYL6mNz18ib45pk6uS5PBgCAnrNZOd00astgY0uPQ@mail.gmail.com
Lists: pgsql-hackers
2012/2/24 Yeb Havinga <yebhavinga(at)gmail(dot)com>:
> On 2012-02-24 15:17, Yeb Havinga wrote:
>>
>> I don't know what's fishy about the mgrid user and root that causes
>> c0.c1023 to be absent.
>
>
> more info:
>
> In shells started in an X environment under Xvnc, id -Z shows the system_u
> and c0.c1023 absent.
>
> In shells started from the ssh daemon, the id -Z matches what it should be
> according to the seusers file: unconfined_u and c0.c1023 present.
>
Here is what seems to me the reason why your security label on bash is
different from the expected default one.
Unlike the sshd daemon, vncserver does not assign a security label to itself
according to /etc/selinux/targeted/seusers; thus it inherits the label
of the system startup script. That is also the reason why you saw "system_u"
at the head of the security context.

I'll report this topic to the SELinux community to discuss the preferable solution.
Anyway, please use an ssh connection for testing purposes.

Thanks,
-- 
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
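
The check discussed in this message, comparing the context that `id -Z` prints with the seusers mapping for a login, is sketched below as an added example that is not part of the original thread. The seusers content and the two contexts are constructed samples, the function names are hypothetical, and `%group` entries are not handled.

```shell
#!/bin/sh
# Constructed sample in the seusers format (login:seuser:mls-range);
# not copied from any host in the thread.
SAMPLE_SEUSERS='# constructed sample
system_u:system_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023'

# expected_mapping LOGIN SEUSERS_TEXT
# Prints "seuser range" for LOGIN, falling back to the __default__ entry.
expected_mapping() {
    printf '%s\n' "$2" | awk -F: -v login="$1" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            range = $3                       # the range itself contains ":"
            for (i = 4; i <= NF; i++) range = range ":" $i
            if ($1 == login)         hit = $2 " " range
            if ($1 == "__default__") def = $2 " " range
        }
        END { if (hit != "") print hit
              else if (def != "") print def
              else exit 1 }'
}

# check_context LOGIN CONTEXT SEUSERS_TEXT
# CONTEXT has the form printed by `id -Z`: user:role:type[:range]
check_context() {
    ctx_user=${2%%:*}
    rest=${2#*:}; rest=${rest#*:}            # drop user and role
    case $rest in
        *:*) ctx_range=${rest#*:} ;;         # drop type, keep the range
        *)   ctx_range= ;;                   # context carries no range
    esac
    exp=$(expected_mapping "$1" "$3") || { echo "no-mapping"; return 2; }
    exp_user=${exp%% *}; exp_range=${exp#* }
    if [ "$ctx_user" = "$exp_user" ] && [ "$ctx_range" = "$exp_range" ]; then
        echo "match"
    else
        echo "mismatch: got $ctx_user $ctx_range, expected $exp_user $exp_range"
        return 1
    fi
}
```

On an SELinux host, pass `"$(id -Z)"` as the context and the contents of /etc/selinux/targeted/seusers as the third argument; a session that inherited its label instead of receiving the seusers mapping reports a mismatch.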
