Re: BUG #11365: denied apache cgi connect - Mailing list pgsql-bugs

From Tom Lane
Subject Re: BUG #11365: denied apache cgi connect
Date
Msg-id 11376.1410157466@sss.pgh.pa.us
In response to Re: BUG #11365: denied apache cgi connect  (John R Pierce <pierce@hogranch.com>)
Responses Re: BUG #11365: denied apache cgi connect
List pgsql-bugs
John R Pierce <pierce@hogranch.com> writes:
> On 9/7/2014 10:02 PM, Jan Wieck wrote:
>> So please be more precise in what exactly that special RPM should set
>> or enable.

> this RPM would be called something like
> postgresqlXY-apache-selinuxpolicy, and if installed, it would add the
> selinux policy that allows apache to connect to postgres version X.Y as
> installed from the same repository.  if uninstalled, it would remove
> that policy.

Hm ... would that not be in direct conflict with existing policy
variables?

I don't actually know a lot about what the standard Red Hat selinux
policy does in this area.  If it were seriously broken, I'd probably
have heard more about it during the years I worked there.  Not that
that's much of an argument, but it's some evidence for "there's no
fire here, only smoke".  Anyway, I remain of the opinion that it'd
be best to press Red Hat's selinux people to fix/clarify/document
their policy's behavior for apache-to-database connections.  Trying
to override the system policy with drive-by updates seems like a recipe
for disaster.

            regards, tom lane
