Re: [v9.2] Add GUC sepgsql.client_label
From | Yeb Havinga |
---|---|
Subject | Re: [v9.2] Add GUC sepgsql.client_label |
Date | |
Msg-id | 4F479BE8.1040809@gmail.com |
In response to | Re: [v9.2] Add GUC sepgsql.client_label (Kohei KaiGai <kaigai@kaigai.gr.jp>) |
Responses | Re: [v9.2] Add GUC sepgsql.client_label |
List | pgsql-hackers |
On 2012-02-24 14:20, Kohei KaiGai wrote:
>
> It seems to me you try to expand categories of the client.
> The log says sepgsql_setcon() tries to switch to "...:s0:c0.c15" from "...:s0".
> It is not an admitted operation because of the increase in categories.

Yes I had my eye on the missing c0.c1023 before but couldn't remember changing it, so wrongfully assumed that it would be semantically equivalent to c0.c1023.

>> LOG: SELinux: denied { dyntransition }
>> scontext=unconfined_u:unconfined_r:unconfined_t:s0
>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 tclass=process
> May I see your /etc/selinux/targeted/seusers ?
>
> I think "__default__" entry is configured to "unconfined_u:s0", instead of
> "unconfined_u:s0:c0.c1023" as default.
>
> In my environment, it is configured as follows:
>
> [root@iwashi ~]# cat /etc/selinux/targeted/seusers
> # This file is auto-generated by libsemanage
> # Do not edit directly.
>
> system_u:system_u:s0-s0:c0.c1023
> root:unconfined_u:s0-s0:c0.c1023
> __default__:unconfined_u:s0-s0:c0.c1023<=== (*)
>

[mgrid@mgfedora ~]$ cat /etc/selinux/targeted/seusers
# This file is auto-generated by libsemanage
# Do not edit directly.

system_u:system_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023

but still

[mgrid@mgfedora ~]$ id -Z
system_u:unconfined_r:unconfined_t:s0

(I changed bash to run in the unconfined_u context before starting the regression test)

and

[root@mgfedora targeted]# id -Z
system_u:unconfined_r:unconfined_t:s0

When I created a new test user, its selinux context showed the c0.c1023 - I don't know what's fishy about the mgrid user and root that causes c0.c1023 to be absent. Maybe I should reinstall this virtual machine.

After setting the user "mgrid" on s0-s0:c0.c1023 with

semanage login -a -S targeted -s "unconfined_u" -r s0-s0:c0.c1023 mgrid

the regression tests pass :-)

test label ... ok
test dml ... ok
test create ... ok
test misc ... ok

I'll continue reviewing the patch.

--
Yeb Havinga
http://www.mgrid.net/
Mastering Medical Data
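
The category check discussed in this message, as an added example that is not part of the original e-mail or of the sepgsql code: it parses the denial quoted above and lists the categories the target context would add to the client's clearance. It models only MCS level dominance, not the full policy evaluation, and all function names are illustrative.

```python
import re

# The denial quoted in the message, joined onto one line.
DENIAL = ("LOG: SELinux: denied { dyntransition } "
          "scontext=unconfined_u:unconfined_r:unconfined_t:s0 "
          "tcontext=unconfined_u:unconfined_r:unconfined_t:s0:c0.c15 "
          "tclass=process")


def parse_level(level):
    """Split a level such as 's0:c0.c15,c20' into (sensitivity, categories)."""
    sens, _, cats = level.partition(":")
    found = set()
    for part in filter(None, cats.split(",")):
        lo, _, hi = part.partition(".")        # 'c0.c15' is an inclusive run
        first = int(lo[1:])
        last = int(hi[1:]) if hi else first
        found.update(range(first, last + 1))
    return int(sens[1:]), found


def high_level(context):
    """High (clearance) level of a user:role:type:range context."""
    mls_range = context.split(":", 3)[3]
    low, _, high = mls_range.partition("-")    # 's0' alone means 's0-s0'
    return parse_level(high or low)


def dominates(a, b):
    """True when level a has at least b's sensitivity and all of b's categories."""
    return a[0] >= b[0] and a[1] >= b[1]


def added_categories(log_line):
    """Categories in tcontext's high level that scontext's high level lacks."""
    src = re.search(r"scontext=(\S+)", log_line).group(1)
    dst = re.search(r"tcontext=(\S+)", log_line).group(1)
    return sorted(high_level(dst)[1] - high_level(src)[1])


if __name__ == "__main__":
    extra = added_categories(DENIAL)
    print("target adds %d categories: c%d..c%d" % (len(extra), extra[0], extra[-1]))
    # The context the login has after the semanage change in the message:
    fixed = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
    target = "unconfined_u:unconfined_r:unconfined_t:s0:c0.c15"
    print("s0-s0:c0.c1023 dominates target:",
          dominates(high_level(fixed), high_level(target)))
```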