From: | Ted Toth <txtoth(at)gmail(dot)com> |
---|---|
To: | Joe Conway <mail(at)joeconway(dot)com> |
Cc: | pgsql-hackers(at)lists(dot)postgresql(dot)org |
Subject: | Re: [PATCH] Add <<none>> support to sepgsql_restorecon |
Date: | 2023-01-16 14:55:07 |
Message-ID: | CAFPpqQEK50Y65oivgwSTXTBg5AWf1twnsxJ8WXhWQd1SY-e_dQ@mail.gmail.com |
Lists: | pgsql-hackers |
On Sun, Jan 15, 2023 at 1:11 PM Joe Conway <mail(at)joeconway(dot)com> wrote:
> On 11/21/22 17:35, Joe Conway wrote:
> > On 11/21/22 15:57, Ted Toth wrote:
> >> In SELinux file context files you can specify <<none>> for a file
> >> meaning you don't want restorecon to relabel it. <<none>> is
> >> especially useful in an SELinux MLS environment when objects are
> >> created at a specific security level and you don't want restorecon to
> >> relabel them to the wrong security level.
> >
> > +1
> >
> > Please add to the next commitfest here:
> > https://commitfest.postgresql.org/41/
>
>
> Comments:
>
> 1. It seems like the check for a "<<none>>" context should go into
> sepgsql_object_relabel() directly rather than exec_object_restorecon().
> The former gets registered as a hook in _PG_init(), so with the
> current location we would fail to skip the relabel when that gets called.
>
The intent is not to stop all relabeling, only to stop sepgsql_restorecon
from doing a bulk relabel. I believe sepgsql_object_relabel is called by
the 'SECURITY LABEL' statement, which I'm using to set the label of db
objects to a specific context which I would not want altered later by a
restorecon.
> 2. Please provide one or more test case (likely in label.sql)
>
> 3. An example, or at least a note, mentioning "<<none>>" context and the
> implications would be appropriate.
>
> --
> Joe Conway
> PostgreSQL Contributors Team
> RDS Open Source Databases
> Amazon Web Services: https://aws.amazon.com
>
>
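The behaviour under discussion, as an added illustration that is not part of this thread, the patch, or sepgsql itself: a small Python model of a restorecon-style bulk relabel in which a spec of `<<none>>` means "leave this object's current label alone". The spec-file layout (`class pattern context` lines), glob matching on the object name, and last-match-wins precedence are assumptions made for the model; libselinux's real selabel_lookup() rules and sepgsql's actual spec format differ. The sample spec file and database objects are constructed for the example.

```python
"""Toy model of how a restorecon-style bulk relabel treats a <<none>> spec.

Constructed example; not sepgsql code and not libselinux's matching rules.
Assumptions: spec lines are "class pattern context", patterns are shell globs
over the qualified object name, and when several lines match, the last wins.
"""
from fnmatch import fnmatchcase
from typing import List, NamedTuple, Optional, Tuple

NONE_CONTEXT = "<<none>>"   # spec meaning "do not relabel this object"


class Spec(NamedTuple):
    obj_class: str   # e.g. "db_schema"
    pattern: str     # glob over the qualified object name
    context: str     # target security context, or NONE_CONTEXT


def parse_specfile(text: str) -> List[Spec]:
    """Parse 'class pattern context' lines; '#' starts a comment."""
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed spec line: {raw!r}")
        specs.append(Spec(*parts))
    return specs


def lookup(specs: List[Spec], obj_class: str, name: str) -> Optional[str]:
    """Return the context of the last matching spec, or None if none match."""
    hit = None
    for spec in specs:
        if spec.obj_class == obj_class and fnmatchcase(name, spec.pattern):
            hit = spec.context
    return hit


def restorecon(specs, objects):
    """Bulk relabel.  objects is a list of (class, name, current_context).

    Returns (labels_after, skipped, unmatched).  Objects whose winning spec
    is <<none>> keep their current label; so do objects no spec matches.
    """
    after, skipped, unmatched = {}, [], []
    for obj_class, name, current in objects:
        target = lookup(specs, obj_class, name)
        if target is None:
            unmatched.append(name)
            after[name] = current
        elif target == NONE_CONTEXT:
            skipped.append(name)
            after[name] = current
        else:
            after[name] = target
    return after, skipped, unmatched


# Constructed spec file: everything goes to level s0 except the "secret"
# schema, whose label was set explicitly (e.g. with SECURITY LABEL) and must
# not be touched.  Deliberately, there is no <<none>> line for its tables.
SPECFILE = """
db_database  *        system_u:object_r:sepgsql_db_t:s0
db_schema    *.*      system_u:object_r:sepgsql_schema_t:s0
db_schema    *.secret <<none>>
db_table     *.*.*    system_u:object_r:sepgsql_table_t:s0
"""

# Constructed current state: the secret schema and its table live at s1.
OBJECTS = [
    ("db_database", "mydb", "system_u:object_r:sepgsql_db_t:s0"),
    ("db_schema", "mydb.public", "unconfined_u:object_r:sepgsql_schema_t:s0"),
    ("db_schema", "mydb.secret", "system_u:object_r:sepgsql_schema_t:s1"),
    ("db_table", "mydb.secret.t1", "system_u:object_r:sepgsql_table_t:s1"),
    ("db_sequence", "mydb.public.seq", "system_u:object_r:sepgsql_seq_t:s0"),
]


def run_demo() -> Tuple[dict, List[str], List[str]]:
    return restorecon(parse_specfile(SPECFILE), OBJECTS)


if __name__ == "__main__":
    after, skipped, unmatched = run_demo()
    for name, ctx in after.items():
        print(f"{name:18} {ctx}")
    print("skipped by <<none>>:", skipped)
    print("no matching spec:   ", unmatched)
```

Running it shows the point of the patch and its main caveat in one pass: `mydb.secret` keeps its s1 label because the `<<none>>` entry wins, but `mydb.secret.t1` is pulled down to s0 because `<<none>>` applies only to the entries that name it, so in an MLS deployment every object created at a level needs its own `<<none>>` entry (or the catch-all patterns need to be narrowed) before running a bulk restorecon.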