Re: [v9.1] sepgsql - userspace access vector cache - Mailing list pgsql-hackers

From Robert Haas
Subject Re: [v9.1] sepgsql - userspace access vector cache
Msg-id CA+Tgmobj9kWv4qOQHBnUQj-GC3R8dd3Z0-nVSoPxK1ExyKq_xQ@mail.gmail.com
In response to Re: [v9.1] sepgsql - userspace access vector cache  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: [v9.1] sepgsql - userspace access vector cache
List pgsql-hackers
On Thu, Aug 18, 2011 at 12:52 PM, Robert Haas <robertmhaas@gmail.com> wrote:
> On Thu, Aug 18, 2011 at 12:46 PM, Robert Haas <robertmhaas@gmail.com> wrote:
>> On Thu, Jul 21, 2011 at 5:29 AM, Kohei Kaigai <Kohei.Kaigai@emea.nec.com> wrote:
>>> The attached patch is the revised userspace-avc patch.
>>>
>>> List of updates:
>>> - The GUC of sepgsql.avc_threshold was removed.
>>> - "char *ucontext" of avc_cache was replaced by "bool tcontext_is_valid".
>>> - Comments added onto static variables
>>> - Comments of sepgsql_avc_unlabeled() were revised.
>>> - Comments of sepgsql_avc_compute() was simplified.
>>> - Comments of sepgsql_avc_check_perms_label() also mention the
>>>  permissive domain, which behaves similarly to the system's permissive mode.
>>> - selinux_status_close() is now invoked from an on_proc_exit() hook.
>>
>> I tried to give this a test drive today but got stuck.  I got sepgsql
>> compiled OK, but look what happens when I try to start the server:
>>
>> [rhaas@f15selinux ~]$ postgres
>> FATAL:  could not load library
>> "/home/rhaas/project/lib/postgresql/sepgsql.so":
>> /home/rhaas/project/lib/postgresql/sepgsql.so: undefined symbol:
>> getpeercon_raw
>>
>> This is Fedora 15, with all available updates applied.
>
> Oh.  Apparently, this is what happens when you try to build sepgsql
> without passing --with-selinux to configure.
>
> That's lame.  I think we need to patch contrib/sepgsql so that it
> fails to build in that case, rather than building and then not
> working.

Also, I get these warnings:

/etc/selinux/targeted/contexts/sepgsql_contexts:  line 33 has invalid object type db_blobs
/etc/selinux/targeted/contexts/sepgsql_contexts:  line 36 has invalid object type db_language
/etc/selinux/targeted/contexts/sepgsql_contexts:  line 37 has invalid object type db_language
/etc/selinux/targeted/contexts/sepgsql_contexts:  line 38 has invalid object type db_language
/etc/selinux/targeted/contexts/sepgsql_contexts:  line 39 has invalid object type db_language
/etc/selinux/targeted/contexts/sepgsql_contexts:  line 40 has invalid object type db_language
1: sepgsql_restorecon = "t"    (typeid = 16, len = 1, typmod = -1, byval = t)

The first is mentioned in the latest documentation, but the rest are not.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
