Re: contrib/sepgsql fails on Fedora 28
From | Mike Palmiotto |
---|---|
Subject | Re: contrib/sepgsql fails on Fedora 28 |
Date | |
Msg-id | a6ad52b1-2995-bb3e-cce8-854ec615f8d9@crunchydata.com |
In response to | contrib/sepgsql fails on Fedora 28 (Tom Lane <tgl@sss.pgh.pa.us>) |
Responses | Re: contrib/sepgsql fails on Fedora 28 |
List | pgsql-hackers |
On 05/24/2018 03:30 PM, Tom Lane wrote:
> I tried to run the regression test for sepgsql on F28 (so I could
> fix the now-obsolete expected-file therein). It fails at this
> preparatory step:
>
> $ sudo semodule -u sepgsql-regtest.pp
> The --upgrade option is deprecated. Use --install instead.
> neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:4703
> (neverallow base_typeattr_6 base_typeattr_7 (process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
> <root>
> allow at /var/lib/selinux/targeted/tmp/modules/100/postgresql/cil:769
> (allow sepgsql_client_type sepgsql_ranged_proc_t (process (transition)))
> <root>
> ... lots more ...
> optional at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1617
> optional at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1676
> allow at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1679
> (allow sepgsql_regtest_superuser_t sepgsql_client_type (process (dyntransition)))
>
> Failed to generate binary
> semodule: Failed
>
> For the moment I'll try an older Fedora release, but it seems
> we have some work to do here.

For a bit of background on the issue, `neverallow` is intended to prevent policy that would violate certain information flow security models. This error appears to be due to an update to the userspace install tools, which do the proper `neverallow` check that was previously not happening.

It appears that at least part of this fix needs to take place in the upstream policy repo, but in the meantime I've attached a patch that should stop the build errors. This has not yet been tested on F27 and earlier.

Since the error you were seeing is a policy-install error and the policy updates are using interfaces that were available pre-F28, it should not affect the outcome of the build. I have also not yet run the regression tests with the change, but likewise, this patch should not affect that.

I will go ahead and test the fix on other platforms and make sure the regtest is passing, but this should solve the problem for now. Let me know if anything else catches fire.

Thanks,
--
Mike Palmiotto
Software Engineer
Crunchy Data Solutions
https://crunchydata.com
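A small parser for the `semodule` failure output quoted in the message above: it pairs the violated `neverallow` rule with each `allow` rule reported against it, the policy module and priority that rule comes from, and the permissions that collide. This is an added example, not part of the original message or of any PostgreSQL or SELinux tooling; the name `parse_neverallow_failures` is hypothetical, and the parser assumes each location line is followed by its rule line, as in the quoted output.

```python
import re

# Sample input: the semodule output quoted in the message above, unquoted and
# without its elided middle ("... lots more ..."). Indentation is constructed.
SAMPLE = """\
neverallow check failed at /var/lib/selinux/targeted/tmp/modules/100/base/cil:4703
  (neverallow base_typeattr_6 base_typeattr_7 (process (fork transition sigchld sigkill sigstop signull signal ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setcurrent execmem execstack execheap setkeycreate setsockcreate getrlimit)))
    <root>
    allow at /var/lib/selinux/targeted/tmp/modules/100/postgresql/cil:769
      (allow sepgsql_client_type sepgsql_ranged_proc_t (process (transition)))
    optional at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1617
    optional at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1676
    allow at /var/lib/selinux/targeted/tmp/modules/400/sepgsql-regtest/cil:1679
      (allow sepgsql_regtest_superuser_t sepgsql_client_type (process (dyntransition)))
Failed to generate binary
"""

# "<what> at .../modules/<priority>/<module>/cil:<line>"
LOC = re.compile(r"^(?:neverallow check failed|allow) at \S*/modules/(\d+)/([^/]+)/cil:(\d+)$")
# "(allow|neverallow <source> <target> (<class> (<perm> ...)))"
RULE = re.compile(r"^\((neverallow|allow) (\S+) (\S+) \((\S+) \(([^)]*)\)\)\)$")


def parse_neverallow_failures(text):
    """Pair each failed neverallow rule with the allow rules reported under it."""
    failures, where = [], None
    for line in map(str.strip, text.splitlines()):
        loc, rule = LOC.match(line), RULE.match(line)
        if loc:
            where = {"priority": int(loc[1]), "module": loc[2], "line": int(loc[3])}
        elif rule and where:
            kind, source, target, tclass, perms = rule.groups()
            entry = dict(where, source=source, target=target, tclass=tclass,
                         perms=set(perms.split()))
            where = None
            if kind == "neverallow":
                failures.append({"neverallow": entry, "violations": []})
            elif failures:
                banned = failures[-1]["neverallow"]
                # Permissions of this allow rule that the neverallow forbids.
                entry["forbidden"] = sorted(
                    entry["perms"] & banned["perms"]) if tclass == banned["tclass"] else []
                failures[-1]["violations"].append(entry)
    return failures


if __name__ == "__main__":
    for failure in parse_neverallow_failures(SAMPLE):
        for v in failure["violations"]:
            print(f'{v["module"]} (priority {v["priority"]}) cil:{v["line"]}: '
                  f'{v["source"]} -> {v["target"]} {v["tclass"]} {v["forbidden"]}')
```

On the quoted output this reports one rule from the `postgresql` module at priority 100 and one from `sepgsql-regtest` at priority 400, which shows where in the installed modules the conflicting rules live.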