Re: [v9.2] Add GUC sepgsql.client_label

From: Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
To: Yeb Havinga <yebhavinga(at)gmail(dot)com>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, PgHacker <pgsql-hackers(at)postgresql(dot)org>, Joshua Brindle <jbrindle(at)tresys(dot)com>
Subject: Re: [v9.2] Add GUC sepgsql.client_label
Date: 2012-02-28 16:33:38
Message-ID: CADyhKSUg+SYL6mNz18ib45pk6uS5PBgCAnrNZOd00astgY0uPQ@mail.gmail.com
Lists: pgsql-hackers

2012/2/24 Yeb Havinga <yebhavinga(at)gmail(dot)com>:
> On 2012-02-24 15:17, Yeb Havinga wrote:
>>
>> I don't know what's fishy about the mgrid user and root that causes
>> c0.c1023 to be absent.
>
>
> more info:
>
> In shells started in an X environment under Xvnc, id -Z shows the system_u
> and c0.c1023 absent.
>
> In shells started from the ssh daemon, the id -Z matches what it should be
> according to the seusers file: unconfined_u and c0.c1023 present.
>
It seems to me this is the reason why your security label on bash is different from
the expected default one.
Unlike the sshd daemon, vncserver does not assign a security label to itself
according to /etc/selinux/targeted/seusers, thus it inherits the label
of the system startup script. It is also the reason why you saw "system_u"
at the head of the security context.

I'll report this topic to the SELinux community to discuss the preferable solution.
Anyway, please use an ssh connection for testing purposes.

Thanks,
--
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
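
The comparison discussed in the message above, as an added example that is not part of the original message or of sepgsql: a shell sketch that checks the SELinux user and MLS range of a context (as printed by `id -Z`) against what seusers maps the login to. The seusers lines and both context strings are constructed samples (the role and type fields in particular are assumptions), and `sample_seusers`, `expected_mapping` and `check_context` are hypothetical helper names.

```sh
#!/bin/sh
# Constructed sample in seusers format (login:seuser:mls-range), not taken from the thread.
sample_seusers() {
    cat <<'EOF'
# login:seuser:range
__default__:unconfined_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
system_u:system_u:s0-s0:c0.c1023
EOF
}

# expected_mapping LOGIN SEUSERS_FILE: prints "seuser range" for LOGIN,
# falling back to __default__. %group entries are not resolved in this sketch.
expected_mapping() {
    awk -F: -v login="$1" '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
        {
            range = $3                               # the range may itself contain ":"
            for (i = 4; i <= NF; i++) range = range ":" $i
            if ($1 == login)         hit = $2 " " range
            if ($1 == "__default__") def = $2 " " range
        }
        END { if (hit != "") print hit; else if (def != "") print def; else exit 1 }
    ' "$2"
}

# check_context LOGIN CONTEXT SEUSERS_FILE (CONTEXT is user:role:type:range, as from `id -Z`).
# Prints "match" and returns 0; returns 1 on mismatch, 2 if no mapping exists.
check_context() {
    mapping=$(expected_mapping "$1" "$3") || { echo "no mapping for $1"; return 2; }
    want_user=${mapping%% *}
    want_range=${mapping#* }
    have_user=$(printf '%s\n' "$2" | cut -d: -f1)
    have_range=$(printf '%s\n' "$2" | cut -d: -f4-)
    if [ "$have_user" = "$want_user" ] && [ "$have_range" = "$want_range" ]; then
        echo "match"
    else
        echo "mismatch: have $have_user/$have_range, expected $want_user/$want_range"
        return 1
    fi
}

# Demo on constructed contexts; on a live system pass "$(id -un)" "$(id -Z)" and the real seusers file.
seusers=$(mktemp)
sample_seusers > "$seusers"
check_context mgrid 'unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023' "$seusers" || true
check_context mgrid 'system_u:system_r:initrc_t:s0' "$seusers" || true
rm -f "$seusers"
```

A mismatch on both the user field and the range is the pattern described for the Xvnc-started shell: the session kept an inherited label instead of receiving the one seusers assigns at login.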
