From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | John R Pierce <pierce(at)hogranch(dot)com> |
Cc: | pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: BUG #11365: denied apache cgi connect |
Date: | 2014-09-08 06:24:26 |
Message-ID: | 11376.1410157466@sss.pgh.pa.us |
Lists: | pgsql-bugs |

John R Pierce <pierce(at)hogranch(dot)com> writes:
> On 9/7/2014 10:02 PM, Jan Wieck wrote:
>> So please be more precise in what exactly that special RPM should set
>> or enable.

> this RPM would be called something like
> postgresqlXY-apache-selinuxpolicy, and if installed, it would add the
> selinux policy that allows apache to connect to postgres version X.Y as
> installed from the same repository. if uninstalled, it would remove
> that policy.

Hm ... would that not be in direct conflict with existing policy
variables?

I don't actually know a lot about what the standard Red Hat selinux
policy does in this area. If it were seriously broken, I'd probably
have heard more about it during the years I worked there. Not that
that's much of an argument, but it's some evidence for "there's no
fire here, only smoke". Anyway, I remain of the opinion that it'd
be best to press Red Hat's selinux people to fix/clarify/document
their policy's behavior for apache-to-database connections. Trying
to override the system policy with drive-by updates seems like a recipe
for disaster.

regards, tom lane