Re: One question about security label command

From: Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>
To: Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Kouhei Kaigai <kaigai(at)ak(dot)jp(dot)nec(dot)com>, 张元超 <zhangyuanchao(at)highgo(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: One question about security label command
Date: 2015-03-11 23:54:17
Message-ID: CADyhKSXBokUYwz3=1JdiGNQHbqt1r3iAfNhZv=ZdRDtuqZxq9Q@mail.gmail.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

2015-03-12 1:27 GMT+09:00 Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>:
> Robert Haas wrote:
>> On Tue, Mar 10, 2015 at 6:58 PM, Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> wrote:
>> > ERRCODE_FEATURE_NOT_SUPPORTED is suitable error code here.
>> > Please see the attached one.
>>
>> Committed. I did not bother back-patching this, but I can do that if
>> people think it's important.
>
> I don't really care myself.
>
>> The sepgsql regression tests don't seem
>> to pass for me any more; I wonder if some expected-output changes are
>> needed as a result of core changes.
>> I'm guessing these tests are not running in an automated fashion anywhere?
>
> Oops, that's bad. I vaguely recall asking someone for a buildfarm
> animal running these tests, but I guess that didn't happen.
>
This regression test fail come from the base security policy of selinux.
In the recent selinux-policy package, "unconfined" domain was changed
to have unrestricted permission as literal. So, this test case relies multi-
category policy restricts unconfined domain, but its assumption is not
correct now.
The attached patch fixes the policy module of regression test.
However, I also think we may stop to rely permission set of pre-defined
selinux domains. Instead of pre-defined one, sepgsql-regtest.te may be
ought to define own domain with appropriate permission set independent
from the base selinux-policy version.
Please give me time to investigate.

Thanks,
--
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>

Attachment Content-Type Size
sepgsql-fixup-regtest-policy.patch application/octet-stream 17.7 KB

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Michael Paquier 2015-03-12 00:21:32 Re: moving from contrib to bin
Previous Message Peter Eisentraut 2015-03-11 23:50:26 Re: moving from contrib to bin