Re: add a MAC check for TRUNCATE
Joe Conway <mail@joeconway.com>
From: Joe Conway <mail@joeconway.com>
To: Tom Lane <tgl@sss.pgh.pa.us>,
Yuli Khodorkovskiy <yuli.khodorkovskiy@crunchydata.com>
Cc: Stephen Frost <sfrost@snowman.net>, Kohei KaiGai <kaigai@heterodb.com>,
pgsql-hackers@lists.postgresql.org,
Joshua Brindle <joshua.brindle@crunchydata.com>,
Mike P <mike.palmiotto@crunchydata.com>
Date: 2019-09-06T19:50:09Z
Lists: pgsql-hackers
On 9/6/19 2:18 PM, Tom Lane wrote: > Yuli Khodorkovskiy <yuli.khodorkovskiy@crunchydata.com> writes: >> On Fri, Sep 6, 2019 at 11:57 AM Tom Lane <tgl@sss.pgh.pa.us> wrote: >>> Well, the larger question, independent of the regression tests, is >>> will the new policy work at all on older SELinux? If not, that >>> doesn't seem very acceptable. > >> The default SELinux policy on Fedora ships with deny_unknown set to 0. >> Deny_unknown was added to the kernel in 2.6.24, so unless someone is >> using RHEL 5.x, which is in ELS, they will have the ability to >> override the default behavior on CentOS/RHEL. > > OK, that sounds like it will work. > >> On RHEL 6, which goes into ELS in 2020, it's a bit more complicated >> and requires rebuilding the base SELinux module from source. > > sepgsql hasn't worked on RHEL6 in a long time, if ever; it requires > a newer version of libselinux than what ships in RHEL6. So I'm not > concerned about that. We do need to worry about RHEL7, and whatever > is the oldest version of Fedora that is running the sepgsql tests > in the buildfarm. I could be wrong, but as far as I know rhinoceros is the only buildfarm animal running sepgsql tests. Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises Consulting, Training, & Open Source Development
Commits
-
Update sepgsql to add mandatory access control for TRUNCATE
- 4f66c93f6143 13.0 landed
-
Add object TRUNCATE hook
- f7a2002e82cf 13.0 landed
-
postgres_fdw: Fix error message for PREPARE TRANSACTION.
- 879c11761571 13.0 cited