Re: [v9.2] Add GUC sepgsql.client_label - Mailing list pgsql-hackers

From Kohei KaiGai
Subject Re: [v9.2] Add GUC sepgsql.client_label
Date
Msg-id CADyhKSUg+SYL6mNz18ib45pk6uS5PBgCAnrNZOd00astgY0uPQ@mail.gmail.com
In response to Re: [v9.2] Add GUC sepgsql.client_label  (Yeb Havinga <yebhavinga@gmail.com>)
List pgsql-hackers
2012/2/24 Yeb Havinga <yebhavinga@gmail.com>:
> On 2012-02-24 15:17, Yeb Havinga wrote:
>>
>> I don't know what's fishy about the mgrid user and root that causes
>> c0.c1023 to be absent.
>
>
> more info:
>
> In shells started in an X environment under Xvnc, id -Z shows the system_u
> and c0.c1023 absent.
>
> In shells started from the ssh daemon, the id -Z matches what it should be
> according to the seusers file: unconfined_u and c0.c1023 present.
>
This seems to me to be the reason why your security label on bash is different
from the expected default one.
Unlike the sshd daemon, vncserver does not assign a security label to itself
according to /etc/selinux/targeted/seusers; thus it inherits the label
of the system startup script. It is also the reason why you saw "system_u"
at the head of the security context.

I'll report this topic to the SELinux community to discuss the preferable solution.
Anyway, please use an ssh connection for testing purposes.

Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>
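
Added example, not part of the original message or of sepgsql: a check that compares a session context, as printed by `id -Z`, with the seusers mapping discussed above. The seusers lines, both context strings and the helper names are constructed for illustration; the login name mgrid is taken from the thread, and `%group` entries are not resolved.

```python
# Constructed sample in seusers format: login:seuser[:mls_range]
SAMPLE_SEUSERS = """\
# comment lines and blank lines are ignored
root:unconfined_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023
"""

def parse_seusers(text):
    """Return {login: (seuser, mls_range)}; mls_range is '' when absent."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.count(":") < 1:
            continue
        login, seuser, *rest = line.split(":", 2)  # the range may contain ':'
        mapping[login] = (seuser, rest[0] if rest else "")
    return mapping

def expected_for(login, mapping):
    """Entry for this login, falling back to __default__ (no %group lookup)."""
    return mapping.get(login) or mapping.get("__default__")

def parse_context(context):
    """Split user:role:type[:range]; only the first three ':' are separators."""
    user, role, setype, *rest = context.strip().split(":", 3)
    return {"user": user, "role": role, "type": setype,
            "range": rest[0] if rest else ""}

def check_session(login, context, mapping):
    """Return a list of mismatches between the session context and seusers."""
    exp = expected_for(login, mapping)
    if exp is None:
        return ["no seusers entry and no __default__"]
    ctx = parse_context(context)
    problems = []
    if ctx["user"] != exp[0]:
        problems.append(f"SELinux user {ctx['user']} != expected {exp[0]}")
    if exp[1] and ctx["range"] != exp[1]:
        problems.append(f"range {ctx['range'] or '(none)'} != expected {exp[1]}")
    return problems

if __name__ == "__main__":
    m = parse_seusers(SAMPLE_SEUSERS)
    # Constructed contexts: one as an ssh login would get from seusers,
    # one inherited from a system startup script.
    for ctx in ("unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023",
                "system_u:system_r:initrc_t:s0"):
        print(ctx, "->", check_session("mgrid", ctx, m) or "matches seusers")
```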

