Re: [PATCH] Add <<none>> support to sepgsql_restorecon
From | Joe Conway |
---|---|
Subject | Re: [PATCH] Add <<none>> support to sepgsql_restorecon |
Date | |
Msg-id | 5b241ca1-89ad-c379-ca59-041413b84b90@joeconway.com |
In response to | Re: [PATCH] Add <<none>> support to sepgsql_restorecon |
Responses | Re: [PATCH] Add <<none>> support to sepgsql_restorecon |
List | pgsql-hackers |
On 1/16/23 09:55, Ted Toth wrote:
>
> On Sun, Jan 15, 2023 at 1:11 PM Joe Conway <mail@joeconway.com> wrote:
>
>     On 11/21/22 17:35, Joe Conway wrote:
>     > On 11/21/22 15:57, Ted Toth wrote:
>     >> In SELinux file context files you can specify <<none>> for a file
>     >> meaning you don't want restorecon to relabel it. <<none>> is
>     >> especially useful in an SELinux MLS environment when objects are
>     >> created at a specific security level and you don't want restorecon to
>     >> relabel them to the wrong security level.
>     >
>     > +1
>     >
>     > Please add to the next commitfest here:
>     > https://commitfest.postgresql.org/41/
>
>     Comments:
>
>     1. It seems like the check for a "<<none>>" context should go into
>     sepgsql_object_relabel() directly rather than exec_object_restorecon().
>     The former gets registered as a hook in _PG_init(), so with the
>     current location we would fail to skip the relabel when that gets
>     called.
>
> The intent is not to stop all relabeling, only to stop sepgsql_restorecon
> from doing a bulk relabel. I believe sepgsql_object_relabel is called by
> the 'SECURITY LABEL' statement which I'm using to set the label of db
> objects to a specific context which I would not want altered later by a
> restorecon.

Ok, sounds reasonable. Maybe just add a comment to that effect.

-- 
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
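The skip rule discussed in this thread, as an added example that is not part of the patch or of sepgsql itself: a bulk relabel pass over a constructed set of labelled objects, where an object mapped to `<<none>>` keeps the MLS-specific label it was given via SECURITY LABEL instead of being pulled back to the policy default. The type `db_object`, the functions `should_skip_relabel` and `restorecon_pass`, and the sample objects are all hypothetical names and constructed data.

```c
/* Added example, not sepgsql code: models the <<none>> skip rule on a
 * constructed set of labelled objects. All names here are hypothetical. */
#include <stdbool.h>
#include <string.h>

#define SEPGSQL_NONE_CONTEXT "<<none>>"

typedef struct db_object {
    const char *name;       /* constructed object name */
    const char *current;    /* label the object carries now */
    const char *computed;   /* label the policy mapping would assign */
    bool        relabelled; /* set when the pass actually changed it */
} db_object;

/* A <<none>> mapping means "leave the existing label alone". */
static bool should_skip_relabel(const char *computed)
{
    return computed == NULL || strcmp(computed, SEPGSQL_NONE_CONTEXT) == 0;
}

/* Bulk relabel pass; returns the number of objects actually relabelled. */
static int restorecon_pass(db_object *objs, int n)
{
    int changed = 0;
    for (int i = 0; i < n; i++) {
        if (should_skip_relabel(objs[i].computed))
            continue;       /* keeps the level set explicitly earlier */
        if (strcmp(objs[i].current, objs[i].computed) != 0) {
            objs[i].current = objs[i].computed;
            objs[i].relabelled = true;
            changed++;
        }
    }
    return changed;
}

/* Constructed sample: t_secret was labelled at s2 via SECURITY LABEL and
 * is mapped to <<none>>, so a bulk pass must not move it back to s0.
 * t_stale carries a wrong user part and is the one that should change. */
static db_object sample_objects[] = {
    { "t_public", "system_u:object_r:sepgsql_table_t:s0",
                  "system_u:object_r:sepgsql_table_t:s0", false },
    { "t_secret", "system_u:object_r:sepgsql_table_t:s2",
                  SEPGSQL_NONE_CONTEXT, false },
    { "t_stale",  "unconfined_u:object_r:sepgsql_table_t:s0",
                  "system_u:object_r:sepgsql_table_t:s0", false },
};
#define SAMPLE_COUNT ((int)(sizeof(sample_objects) / sizeof(sample_objects[0])))
```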