Re: add a MAC check for TRUNCATE
From | Yuli Khodorkovskiy |
---|---|
Subject | Re: add a MAC check for TRUNCATE |
Date | |
Msg-id | CAFL5wJeKNV3h-fSJR502eSiSm_aOjAa9oNicQEnBquoB1qsZ1g@mail.gmail.com |
In response to | Re: add a MAC check for TRUNCATE (Joe Conway <mail@joeconway.com>) |
List | pgsql-hackers |

On Fri, Sep 6, 2019 at 4:31 PM Joe Conway <mail@joeconway.com> wrote:
>
> On 9/6/19 2:13 PM, Yuli Khodorkovskiy wrote:
> > As Joe Conway pointed out to me out of band, the build animal for RHEL
> > 7 has handle_unknown set to `0`. Are there any other concerns with
> > this approach?
> >
> You mean deny_unknown I believe.

I do, thanks. Not sure where I pulled handle_unknown from.

>
> "Allow unknown object class / permissions. This will set the returned AV
> with all 1's."
>
> As I understand it, this would make the sepgsql behavior unchanged from
> before if the policy does not support the new permission.
>
> Joe
>
> > On Fri, Sep 6, 2019 at 1:00 PM Yuli Khodorkovskiy wrote:
> >> The default SELinux policy on Fedora ships with deny_unknown set to 0.
> >> Deny_unknown was added to the kernel in 2.6.24, so unless someone is
> >> using RHEL 5.x, which is in ELS, they will have the ability to
> >> override the default behavior on CentOS/RHEL.
> >
>
> --
> Crunchy Data - http://crunchydata.com
> PostgreSQL Support for Secure Enterprises
> Consulting, Training, & Open Source Development