Re: [PATCH] Add <> support to sepgsql_restorecon
From | Joe Conway |
---|---|
Subject | Re: [PATCH] Add < |
Date | |
Msg-id | d74c5087-fa63-4dbd-f684-df58395201ec@joeconway.com |
In response to |
Re: [PATCH] Add < |
Responses |
Re: [PATCH] Add < |
List | pgsql-hackers |

On 11/21/22 17:35, Joe Conway wrote:
> On 11/21/22 15:57, Ted Toth wrote:
>> In SELinux file context files you can specify <<none>> for a file
>> meaning you don't want restorecon to relabel it. <<none>> is
>> especially useful in an SELinux MLS environment when objects are
>> created at a specific security level and you don't want restorecon to
>> relabel them to the wrong security level.
>
> +1
>
> Please add to the next commitfest here:
> https://commitfest.postgresql.org/41/

Comments:

1. It seems like the check for a "<<none>>" context should go into sepgsql_object_relabel() directly rather than exec_object_restorecon(). The former gets registered as a hook in _PG_init(), so with the current location we would fail to skip the relabel when that gets called.

2. Please provide one or more test cases (likely in label.sql)

3. An example, or at least a note, mentioning "<<none>>" context and the implications would be appropriate.

--
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com