From: Joe Conway <mail(at)joeconway(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Yuli Khodorkovskiy <yuli(dot)khodorkovskiy(at)crunchydata(dot)com>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Kohei KaiGai <kaigai(at)heterodb(dot)com>, pgsql-hackers(at)lists(dot)postgresql(dot)org, Joshua Brindle <joshua(dot)brindle(at)crunchydata(dot)com>, Mike P <mike(dot)palmiotto(at)crunchydata(dot)com>
Subject: Re: add a MAC check for TRUNCATE
Date: 2019-09-06 19:50:09
Message-ID: d816d74a-000b-2efd-4fe8-530176ea79f9@joeconway.com
Lists: pgsql-hackers
On 9/6/19 2:18 PM, Tom Lane wrote:
> Yuli Khodorkovskiy <yuli(dot)khodorkovskiy(at)crunchydata(dot)com> writes:
>> On Fri, Sep 6, 2019 at 11:57 AM Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>>> Well, the larger question, independent of the regression tests, is
>>> will the new policy work at all on older SELinux? If not, that
>>> doesn't seem very acceptable.
>
>> The default SELinux policy on Fedora ships with deny_unknown set to 0.
>> Deny_unknown was added to the kernel in 2.6.24, so unless someone is
>> using RHEL 5.x, which is in ELS, they will have the ability to
>> override the default behavior on CentOS/RHEL.
>
> OK, that sounds like it will work.
>
>> On RHEL 6, which goes into ELS in 2020, it's a bit more complicated
>> and requires rebuilding the base SELinux module from source.
>
> sepgsql hasn't worked on RHEL6 in a long time, if ever; it requires
> a newer version of libselinux than what ships in RHEL6. So I'm not
> concerned about that. We do need to worry about RHEL7, and whatever
> is the oldest version of Fedora that is running the sepgsql tests
> in the buildfarm.
I could be wrong, but as far as I know rhinoceros is the only buildfarm
animal running sepgsql tests.
Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development