Re: add a MAC check for TRUNCATE

Joe Conway <mail@joeconway.com>

From: Joe Conway <mail@joeconway.com>
To: Tom Lane <tgl@sss.pgh.pa.us>, Yuli Khodorkovskiy <yuli.khodorkovskiy@crunchydata.com>
Cc: Stephen Frost <sfrost@snowman.net>, Kohei KaiGai <kaigai@heterodb.com>, pgsql-hackers@lists.postgresql.org, Joshua Brindle <joshua.brindle@crunchydata.com>, Mike P <mike.palmiotto@crunchydata.com>
Date: 2019-09-06T19:50:09Z
Lists: pgsql-hackers
On 9/6/19 2:18 PM, Tom Lane wrote:
> Yuli Khodorkovskiy <yuli.khodorkovskiy@crunchydata.com> writes:
>> On Fri, Sep 6, 2019 at 11:57 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
>>> Well, the larger question, independent of the regression tests, is
>>> will the new policy work at all on older SELinux?  If not, that
>>> doesn't seem very acceptable.
> 
>> The default SELinux policy on Fedora ships with deny_unknown set to 0.
>> Deny_unknown was added to the kernel in 2.6.24, so unless someone is
>> using RHEL 5.x, which is in ELS, they will have the ability to
>> override the default behavior on CentOS/RHEL.
> 
> OK, that sounds like it will work.
> 
>> On RHEL 6, which goes into ELS in 2020, it's a bit more complicated
>> and requires rebuilding the base SELinux module from source.
> 
> sepgsql hasn't worked on RHEL6 in a long time, if ever; it requires
> a newer version of libselinux than what ships in RHEL6.  So I'm not
> concerned about that.  We do need to worry about RHEL7, and whatever
> is the oldest version of Fedora that is running the sepgsql tests
> in the buildfarm.


I could be wrong, but as far as I know rhinoceros is the only buildfarm
animal running sepgsql tests.

Joe

-- 
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development



Commits

  1. Update sepgsql to add mandatory access control for TRUNCATE

  2. Add object TRUNCATE hook

  3. postgres_fdw: Fix error message for PREPARE TRANSACTION.