Re: [v9.1] sepgsql - userspace access vector cache
From | Robert Haas |
---|---|
Subject | Re: [v9.1] sepgsql - userspace access vector cache |
Date | |
Msg-id | CA+TgmoYFHcKDpYWQMR+xw2+QxvWF8QVM=Zh_hJm_FgHe5x-f3Q@mail.gmail.com |
In reply to | Re: [v9.1] sepgsql - userspace access vector cache (Robert Haas <robertmhaas@gmail.com>) |
Responses |
Re: [v9.1] sepgsql - userspace access vector cache
Re: [v9.1] sepgsql - userspace access vector cache |
List | pgsql-hackers |
On Thu, Aug 18, 2011 at 12:46 PM, Robert Haas <robertmhaas@gmail.com> wrote:
> On Thu, Jul 21, 2011 at 5:29 AM, Kohei Kaigai <Kohei.Kaigai@emea.nec.com> wrote:
>> The attached patch is revised userspace-avc patch.
>>
>> List of updates:
>> - The GUC of sepgsql.avc_threshold was removed.
>> - "char *ucontext" of avc_cache was replaced by "bool tcontext_is_valid".
>> - Comments added onto static variables
>> - Comments of sepgsql_avc_unlabeled() was revised.
>> - Comments of sepgsql_avc_compute() was simplified.
>> - Comments of sepgsql_avc_check_perms_label() also mention about
>> permissive domain, that performs similar to system's permissive mode.
>> - selinux_status_close() become invoked on on_proc_exit() hook.
>
> I tried to give this a test drive today but got stuck. I got sepgsql
> compiled OK, but look what happens when I try to start the server:
>
> [rhaas@f15selinux ~]$ postgres
> FATAL: could not load library
> "/home/rhaas/project/lib/postgresql/sepgsql.so":
> /home/rhaas/project/lib/postgresql/sepgsql.so: undefined symbol:
> getpeercon_raw
>
> This is Fedora 15, with all available updates applied.

Oh. Apparently, this is what happens when you try to build sepgsql
without passing --with-selinux to configure. That's lame. I think we
need to patch contrib/sepgsql so that it fails to build in that case,
rather than building and then not working.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company