All, > The second approach above works. > I defined a own privileged domain (sepgsql_regtest_superuser_t) > instead of system's unconfined_t domain. > The reason why regression test gets failed was, definition of > unconfined_t in the system default policy was changed to bypass > multi-category rules; which our regression test depends on. > So, the new sepgsql_regtest_superuser_t domain performs almost > like as unconfined_t, but restricted by multi-category policy as > traditional unconfined_t did. > It is self defined domain, so will not affected by system policy > change. > Even though the sepgsql-regtest.te still uses unconfined_u and > unconfined_r pair for selinux-user and role, it requires users to > define additional selinux-user by hand if we try to define own one. > In addition, its definition has not been changed for several years. > So, I thought it has less risk to rely on unconfined_u/unconfined_r > field unlike unconfined_t domain.
I have reviewed and tested this patch against 'master' at 781ed2b. The patch applies without issue and all tests pass on EL7. -Adam -- Adam Brightwell - adam.brightw...@crunchydatasolutions.com Database Engineer - www.crunchydatasolutions.com -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
