Re: One question about security label command
| От | Kohei KaiGai |
|---|---|
| Тема | Re: One question about security label command |
| Дата | |
| Msg-id | CADyhKSXPotbYvexOkAPP-Z2GwpAhBamO3d1FiHUnYjfgtFM_ZA@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: One question about security label command (Kohei KaiGai <kaigai@kaigai.gr.jp>) |
| Ответы |
Re: One question about security label command
Re: One question about security label command |
| Список | pgsql-hackers |
2015-05-01 9:52 GMT+09:00 Kohei KaiGai <kaigai@kaigai.gr.jp>: > 2015-05-01 7:40 GMT+09:00 Alvaro Herrera <alvherre@2ndquadrant.com>: >> Kouhei Kaigai wrote: >>> > * Tom Lane (tgl@sss.pgh.pa.us) wrote: >>> > > The idea of making the regression test entirely independent of the >>> > > system's policy would presumably solve this problem, so I'd kind of >>> > > like to see progress on that front. >>> > >>> > Apologies, I guess it wasn't clear, but that's what I was intending to >>> > advocate. >>> > >>> OK, I'll try to design a new regression test policy that is independent >>> from the system's policy assumption, like unconfined domain. >>> >>> Please give me time for this work. >> >> Any progress here? >> > Not done. > The last version I rebuild had a trouble on user/role transition from > unconfined_u/unconfined_r to the self defined user/role... > So, I'm trying to keep the user/role field (that is not redefined for > several years) but to define self domain/types (that have been > redefined multiple times) for the regression test at this moment. > The second approach above works. I defined a own privileged domain (sepgsql_regtest_superuser_t) instead of system's unconfined_t domain. The reason why regression test gets failed was, definition of unconfined_t in the system default policy was changed to bypass multi-category rules; which our regression test depends on. So, the new sepgsql_regtest_superuser_t domain performs almost like as unconfined_t, but restricted by multi-category policy as traditional unconfined_t did. It is self defined domain, so will not affected by system policy change. Even though the sepgsql-regtest.te still uses unconfined_u and unconfined_r pair for selinux-user and role, it requires users to define additional selinux-user by hand if we try to define own one. In addition, its definition has not been changed for several years. So, I thought it has less risk to rely on unconfined_u/unconfined_r field unlike unconfined_t domain. Thanks, -- KaiGai Kohei <kaigai@kaigai.gr.jp>
Вложения
В списке pgsql-hackers по дате отправления: