All,
> The second approach above works.
> I defined a own privileged domain (sepgsql_regtest_superuser_t)
> instead of system's unconfined_t domain.
> The reason why regression test gets failed was, definition of
> unconfined_t in the system default policy was changed to bypass
> multi-category rules; which our regression test depends on.
> So, the new sepgsql_regtest_superuser_t domain performs almost
> like as unconfined_t, but restricted by multi-category policy as
> traditional unconfined_t did.
> It is self defined domain, so will not affected by system policy
> change.
> Even though the sepgsql-regtest.te still uses unconfined_u and
> unconfined_r pair for selinux-user and role, it requires users to
> define additional selinux-user by hand if we try to define own one.
> In addition, its definition has not been changed for several years.
> So, I thought it has less risk to rely on unconfined_u/unconfined_r
> field unlike unconfined_t domain.
I have reviewed and tested this patch against 'master' at 781ed2b.
The patch applies without issue and all tests pass on EL7.
-Adam
--
Adam Brightwell - adam.brightwell@crunchydatasolutions.com
Database Engineer - www.crunchydatasolutions.com
