Re: add a MAC check for TRUNCATE

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Yuli Khodorkovskiy <yuli(dot)khodorkovskiy(at)crunchydata(dot)com>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Kohei KaiGai <kaigai(at)heterodb(dot)com>, pgsql-hackers(at)lists(dot)postgresql(dot)org, Joshua Brindle <joshua(dot)brindle(at)crunchydata(dot)com>, Mike P <mike(dot)palmiotto(at)crunchydata(dot)com>
Subject: Re: add a MAC check for TRUNCATE
Date: 2019-09-06 18:18:13
Message-ID: 4913.1567793893@sss.pgh.pa.us
Lists: pgsql-hackers

Yuli Khodorkovskiy <yuli(dot)khodorkovskiy(at)crunchydata(dot)com> writes:
> On Fri, Sep 6, 2019 at 11:57 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Well, the larger question, independent of the regression tests, is
>> will the new policy work at all on older SELinux? If not, that
>> doesn't seem very acceptable.

> The default SELinux policy on Fedora ships with deny_unknown set to 0.
> Deny_unknown was added to the kernel in 2.6.24, so unless someone is
> using RHEL 5.x, which is in ELS, they will have the ability to
> override the default behavior on CentOS/RHEL.

OK, that sounds like it will work.

> On RHEL 6, which goes into ELS in 2020, it's a bit more complicated
> and requires rebuilding the base SELinux module from source.

sepgsql hasn't worked on RHEL6 in a long time, if ever; it requires
a newer version of libselinux than what ships in RHEL6. So I'm not
concerned about that. We do need to worry about RHEL7, and whatever
is the oldest version of Fedora that is running the sepgsql tests
in the buildfarm.

regards, tom lane
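A preflight check for the situation discussed above, added here as an example (not code from the thread or from sepgsql): it reads selinuxfs to report whether the loaded policy defines a given class/permission and, when it does not, whether deny_unknown would let the access through or deny it. The db_table:truncate naming is an assumption about how the new permission would be called, and the selinuxfs root can be pointed at a constructed directory tree for testing.

```shell
#!/bin/sh
# Preflight: will a permission the loaded policy does not define (such as a
# newly added sepgsql permission) be allowed or denied on this host?
# Reads selinuxfs directly; the root defaults to /sys/fs/selinux but can be
# overridden so the check can be exercised against a constructed tree.

# policy_knows_perm CLASS PERM [SELINUXFS]
# Returns 0 if the loaded policy defines CLASS:PERM, 1 otherwise.
policy_knows_perm() {
    fs="${3:-/sys/fs/selinux}"
    [ -e "$fs/class/$1/perms/$2" ]
}

# deny_unknown_mode [SELINUXFS]
# Prints "deny" or "allow" according to the policy's deny_unknown flag,
# or "unknown" if selinuxfs is not mounted / not readable.
deny_unknown_mode() {
    fs="${1:-/sys/fs/selinux}"
    [ -r "$fs/deny_unknown" ] || { echo unknown; return 0; }
    case "$(cat "$fs/deny_unknown")" in
        1) echo deny ;;
        0) echo allow ;;
        *) echo unknown ;;
    esac
}

# unknown_perm_outcome CLASS PERM [SELINUXFS]
# Prints: known (policy defines it, the normal AVC decision applies),
# allowed-by-default, denied-by-default, or unknown.
unknown_perm_outcome() {
    fs="${3:-/sys/fs/selinux}"
    if policy_knows_perm "$1" "$2" "$fs"; then
        echo known
        return 0
    fi
    case "$(deny_unknown_mode "$fs")" in
        allow) echo allowed-by-default ;;
        deny)  echo denied-by-default ;;
        *)     echo unknown ;;
    esac
}

# Usage: check_deny_unknown.sh CLASS PERM [SELINUXFS]
# e.g. "db_table truncate" (assumed name of the new sepgsql permission).
if [ $# -ge 2 ]; then
    unknown_perm_outcome "$1" "$2" "${3:-}"
fi
```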
