On Wed, Apr 14, 2021 at 8:42 AM Dave Page <dp...@pgadmin.org> wrote:
> Attached is a patch to clean this up. It will log denials as such
> regardless of whether or not either selinux or sepgsql is in
> permissive mode. When either is in permissive mode, it'll add "
> permissive=1" to the end of the log messages. e.g.

Dave,

Just to clarify -- it looks like this patch *only* adds the "permissive=1" part, right? I don't see any changes around denied-vs-allowed. I read the previous posts to mean that you were seeing "allowed" when you should have been seeing "denied". I don't see that behavior -- without this patch, I see the correct "denied" entries even when running in permissive mode. (It's been a while since the patch was posted, so I checked to make sure there hadn't been any relevant changes in the meantime, and none jumped out at me.)

That said, the patch looks good as-is and seems to be working for me on a Rocky 8 VM. (You weren't kidding about the setup difficulty.) Having permissive mode show up in the logs seems very useful.

As an aside, I don't see the "allowed" verbiage that sepgsql uses in any of the SELinux documentation. I do see third-party references to "granted", though, as in e.g. avc: granted { execute } for ... That's not something that I think this patch should touch, but it seemed tangentially relevant for future convergence work.

On Wed, 2021-04-14 at 09:49 -0400, Robert Haas wrote:
> Looks superficially reasonable on first glance, but I think we should
> try to get an opinion from someone who knows more about SELinux.

I am not that someone, but this looks straightforward, it's been stalled for a while, and I think it should probably go in.

--Jacob
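As an added illustration of why the trailing "permissive=1" marker matters to whoever reads these logs, the following Python script is not code from this thread, from the patch, or from sepgsql itself. It parses constructed sample lines whose layout is an assumption modelled on the thread's description (a "denied"/"allowed" verb, the permission set in braces, key=value fields, and an optional trailing permissive=1), and separates denials that were actually enforced from denials that were only logged because the system was permissive, which is the set a defender wants to resolve before switching to enforcing mode.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample log lines (not captured from a real system). The layout is
# an assumption following the thread: verb, permissions in braces, key=value
# fields, and, per the patch under discussion, an optional trailing permissive=1.
SAMPLE_LOG = """\
LOG:  SELinux: denied { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_secret_table_t:s0 tclass=db_table name="public.t1" permissive=1
LOG:  SELinux: denied { update } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t2"
LOG:  SELinux: allowed { select } scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:sepgsql_table_t:s0 tclass=db_table name="public.t3"
LOG:  checkpoint starting: time
"""

# Verb and brace-delimited permission list; everything after the braces is
# parsed separately as key=value fields.
AVC_RE = re.compile(
    r'SELinux:\s+(?P<verb>denied|allowed)\s+\{\s*(?P<perms>[^}]*?)\s*\}'
    r'(?P<rest>.*)$'
)
# Values are either a double-quoted string (object names) or a bare token.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcEvent:
    verb: str
    perms: tuple
    fields: dict
    permissive: bool

    @property
    def enforced(self) -> bool:
        # A denial actually blocked the operation only outside permissive mode.
        return self.verb == "denied" and not self.permissive


def parse_line(line: str) -> Optional[AvcEvent]:
    """Return an AvcEvent for an access-control log line, or None for others."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    permissive = fields.pop("permissive", "0") == "1"
    perms = tuple(m.group("perms").split())
    return AvcEvent(m.group("verb"), perms, fields, permissive)


def triage(text: str) -> dict:
    """Count events by outcome. 'would_deny' are denials recorded while
    permissive: operations that succeeded now but will fail once enforcing."""
    counts = {"enforced_denials": 0, "would_deny": 0, "allowed": 0, "other": 0}
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            counts["other"] += 1
        elif ev.verb == "allowed":
            counts["allowed"] += 1
        elif ev.enforced:
            counts["enforced_denials"] += 1
        else:
            counts["would_deny"] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        ev = parse_line(line)
        if ev and ev.verb == "denied" and not ev.enforced:
            print("permissive-mode denial:", ev.perms, ev.fields.get("name"))
    print(triage(SAMPLE_LOG))
```

Without the marker, the first two sample lines are indistinguishable, which is exactly the ambiguity the patch removes; with it, a log reviewer can treat "would_deny" as a policy to-do list rather than as evidence that something was blocked.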