From: | Jacob Champion <pchampion(at)vmware(dot)com> |
---|---|
To: | "robertmhaas(at)gmail(dot)com" <robertmhaas(at)gmail(dot)com>, "dpage(at)pgadmin(dot)org" <dpage(at)pgadmin(dot)org> |
Cc: | "andrew(at)dunslane(dot)net" <andrew(at)dunslane(dot)net>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, "tgl(at)sss(dot)pgh(dot)pa(dot)us" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Subject: | Re: sepgsql logging |
Date: | 2022-01-11 00:04:32 |
Message-ID: | 24b9c56a21860955933afc0bfd11106e5b292b37.camel@vmware.com |
Lists: | pgsql-hackers |
On Wed, Apr 14, 2021 at 8:42 AM Dave Page <dpage(at)pgadmin(dot)org> wrote:
> Attached is a patch to clean this up. It will log denials as such
> regardless of whether or not either selinux or sepgsql is in
> permissive mode. When either is in permissive mode, it'll add
> "permissive=1" to the end of the log messages. e.g.
Dave,
Just to clarify -- it looks like this patch *only* adds the
"permissive=1" part, right? I don't see any changes around
denied-vs-allowed.
I read the previous posts to mean that you were seeing "allowed" when
you should have been seeing "denied". I don't see that behavior --
without this patch, I see the correct "denied" entries even when
running in permissive mode. (It's been a while since the patch was
posted, so I checked to make sure there hadn't been any relevant
changes in the meantime, and none jumped out at me.)
That said, the patch looks good as-is and seems to be working for me on
a Rocky 8 VM. (You weren't kidding about the setup difficulty.) Having
permissive mode show up in the logs seems very useful.
As an aside, I don't see the "allowed" verbiage that sepgsql uses in
any of the SELinux documentation. I do see third-party references to
"granted", though, as in e.g.
avc: granted { execute } for ...
That's not something that I think this patch should touch, but it
seemed tangentially relevant for future convergence work.
On Wed, 2021-04-14 at 09:49 -0400, Robert Haas wrote:
> Looks superficially reasonable on first glance, but I think we should
> try to get an opinion from someone who knows more about SELinux.
I am not that someone, but this looks straightforward, it's been
stalled for a while, and I think it should probably go in.
--Jacob
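The point of the patch under discussion is that a denial logged while SELinux or sepgsql is permissive is an access that actually went ahead, and only the trailing "permissive=1" tells you so. The following script, added here as an illustration and not part of the thread or of the sepgsql patch, triages audit lines into the three cases a reviewer cares about: denied and blocked, denied but permitted (the policy gap permissive mode hides), and allowed. The line layout is an assumption modelled on the "denied"/"allowed" wording and the "permissive=1" suffix the thread mentions; the sample lines and the field names (scontext, tcontext, tclass, name) are constructed for the example.

```python
"""Triage sepgsql-style audit lines by verdict and enforcement mode.

Added example; the line format below is assumed, not taken from the
sepgsql source. Only the words "denied"/"allowed" and the trailing
"permissive=1" come from the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines (assumed format), two of them in permissive mode.
SAMPLE_LOG = """\
LOG:  SELinux: denied { select } scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:sepgsql_secret_table_t:s0 tclass=db_table name="public.secret"
LOG:  SELinux: denied { select } scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:sepgsql_secret_table_t:s0 tclass=db_table name="public.secret" permissive=1
LOG:  SELinux: allowed { select } scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.customers"
LOG:  SELinux: allowed { insert } scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.orders" permissive=1
"""

# verdict, the permission set in braces, then key=value fields to end of line
LINE_RE = re.compile(
    r"SELinux:\s+(?P<verdict>denied|allowed)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s*(?P<rest>.*)$"
)
# key=value where the value is either "quoted" or a run of non-blank characters
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class AuditEvent:
    verdict: str        # "denied" or "allowed"
    perms: tuple        # e.g. ("select",)
    fields: dict        # scontext, tcontext, tclass, name, ... (assumed names)
    permissive: bool    # True when the line carried permissive=1


def parse_line(line):
    """Return an AuditEvent for an audit line, or None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, raw, quoted in KV_RE.findall(m.group("rest")):
        fields[key] = quoted if raw.startswith('"') else raw
    # The flag is metadata about the mode, not an attribute of the object.
    permissive = fields.pop("permissive", "0") == "1"
    return AuditEvent(m.group("verdict"), tuple(m.group("perms").split()), fields, permissive)


def classify(event):
    """Map an event to what actually happened.

    blocked      denied while enforcing: the access did not take place
    would_block  denied with permissive=1: the access went ahead anyway, which
                 is exactly what the permissive flag in the log makes visible
    allowed      policy granted the access, enforcing or not
    """
    if event.verdict == "denied":
        return "would_block" if event.permissive else "blocked"
    return "allowed"


def triage(log_text):
    """Bucket every parsable line of log_text by classify()."""
    buckets = {"blocked": [], "would_block": [], "allowed": []}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None:
            buckets[classify(event)].append(event)
    return buckets


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket, events in result.items():
        print(f"{bucket}: {len(events)}")
    # The would_block list is the review queue before switching to enforcing.
    for ev in result["would_block"]:
        print("  would block:", " ".join(ev.perms), "on",
              ev.fields.get("tclass"), ev.fields.get("name"))
```

Running it on the constructed sample gives one blocked denial, one denial that only permissive mode let through, and two allowed accesses; the `would_block` list is what you would want to review before turning enforcement back on, and without the trailing flag that line would be indistinguishable from the blocked one.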