Re: One question about security label command

Kohei KaiGai wrote:

> This regression test fail come from the base security policy of selinux.
> In the recent selinux-policy package, "unconfined" domain was changed
> to have unrestricted permission as literal. So, this test case relies multi-
> category policy restricts unconfined domain, but its assumption is not
> correct now.

Makes sense.

> The attached patch fixes the policy module of regression test.

What branches need this patch?  Do we need a modified patch for
earlier branches?

Could you provide a buildfarm animal that runs the sepgsql test in all
branches on a regular basis?

> However, I also think we may stop to rely permission set of pre-defined
> selinux domains. Instead of pre-defined one, sepgsql-regtest.te may be
> ought to define own domain with appropriate permission set independent
> from the base selinux-policy version.

Is this something we would backpatch?

-- 
Álvaro Herrera                http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services