Re: [PATCH] Add <> support to sepgsql_restorecon - Mailing list pgsql-hackers

From Joe Conway
Subject Re: [PATCH] Add <> support to sepgsql_restorecon
Date
Msg-id d74c5087-fa63-4dbd-f684-df58395201ec@joeconway.com
In response to Re: [PATCH] Add <> support to sepgsql_restorecon  (Joe Conway <mail@joeconway.com>)
Responses Re: [PATCH] Add <> support to sepgsql_restorecon  (Ted Toth <txtoth@gmail.com>)
List pgsql-hackers
On 11/21/22 17:35, Joe Conway wrote:
> On 11/21/22 15:57, Ted Toth wrote:
>> In SELinux file context files you can specify <<none>> for a file
>> meaning you don't want restorecon to relabel it. <<none>> is
>> especially useful in an SELinux MLS environment when objects are
>> created at a specific security level and you don't want restorecon to
>> relabel them to the wrong security level.
> 
> +1
> 
> Please add to the next commitfest here:
> https://commitfest.postgresql.org/41/


Comments:

1. It seems like the check for a "<<none>>" context should go into 
sepgsql_object_relabel() directly rather than exec_object_restorecon(). 
The former gets registered as a hook in _PG_init(), so with the 
current location we would fail to skip the relabel when that gets called.

2. Please provide one or more test cases (likely in label.sql)

3. An example, or at least a note, mentioning "<<none>>" context and the 
implications would be appropriate.

-- 
Joe Conway
PostgreSQL Contributors Team
RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
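The two points under discussion above, the "<<none>>" meaning in a file_contexts-style table and the reviewer's argument that the skip belongs inside the relabel hook rather than in its caller, as an added stand-alone illustration. This is not the patch under review and not sepgsql or libselinux code: the table, the regex-based lookup, the last-match-wins rule, and the functions decide_relabel(), relabel_hook() and restorecon_path() are all constructed here for the example.

```c
#include <regex.h>
#include <stdio.h>
#include <string.h>

/* Sentinel that a file_contexts-style spec uses to say "do not relabel". */
#define NONE_CONTEXT "<<none>>"

enum relabel_action {
    RELABEL_NO_MATCH = 0,  /* no spec matched; the object is left alone   */
    RELABEL_SKIP     = 1,  /* matched a <<none>> spec; keep current label */
    RELABEL_APPLY    = 2   /* matched a real context; relabel to it       */
};

struct fc_entry {
    const char *regex;    /* anchored POSIX extended regex over the path */
    const char *context;  /* target security context, or "<<none>>"      */
};

/* Constructed sample table in the spirit of a file_contexts file.
 * Not taken from any real policy; paths and types are illustrative. */
static const struct fc_entry sample_table[] = {
    { "^/etc/passwd$",                  "system_u:object_r:passwd_file_t:s0" },
    { "^/var/lib/pgsql(/.*)?$",         "system_u:object_r:postgresql_db_t:s0" },
    { "^/var/lib/pgsql/secret(/.*)?$",  NONE_CONTEXT },
};
#define SAMPLE_TABLE_LEN (sizeof sample_table / sizeof sample_table[0])

/* Returns 1 when the spec's regex matches the path, 0 otherwise. */
static int spec_matches(const char *pattern, const char *path)
{
    regex_t re;
    int rc;

    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return 0;
    rc = regexec(&re, path, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Resolve a path against the table. Last match wins (an assumption made
 * for this toy, not a claim about libselinux ordering). On RELABEL_APPLY
 * the target context is copied into out. */
enum relabel_action decide_relabel(const struct fc_entry *table, size_t n,
                                   const char *path, char *out, size_t outlen)
{
    const char *ctx = NULL;

    for (size_t i = 0; i < n; i++)
        if (spec_matches(table[i].regex, path))
            ctx = table[i].context;

    if (ctx == NULL)
        return RELABEL_NO_MATCH;
    if (strcmp(ctx, NONE_CONTEXT) == 0)
        return RELABEL_SKIP;
    snprintf(out, outlen, "%s", ctx);
    return RELABEL_APPLY;
}

/* Stand-in for the relabel hook. The <<none>> check lives here so that
 * every caller of the hook honours it, not only the restorecon path.
 * Returns the label the object ends up with. */
const char *relabel_hook(const char *current_label, const char *new_label,
                         char *out, size_t outlen)
{
    if (strcmp(new_label, NONE_CONTEXT) == 0)
        snprintf(out, outlen, "%s", current_label);  /* leave untouched */
    else
        snprintf(out, outlen, "%s", new_label);
    return out;
}

/* Restorecon-style driver: what label does path end up with? */
const char *restorecon_path(const char *path, const char *current_label,
                            char *out, size_t outlen)
{
    char target[256];
    enum relabel_action a = decide_relabel(sample_table, SAMPLE_TABLE_LEN,
                                           path, target, sizeof target);

    if (a == RELABEL_APPLY)
        return relabel_hook(current_label, target, out, outlen);
    if (a == RELABEL_SKIP)
        return relabel_hook(current_label, NONE_CONTEXT, out, outlen);
    snprintf(out, outlen, "%s", current_label);
    return out;
}

int main(void)
{
    char buf[256];
    /* An MLS-labelled object under a <<none>> spec keeps its level. */
    printf("%s\n", restorecon_path("/var/lib/pgsql/secret/key",
                                   "system_u:object_r:postgresql_db_t:s2",
                                   buf, sizeof buf));
    printf("%s\n", restorecon_path("/var/lib/pgsql/data",
                                   "unconfined_u:object_r:var_lib_t:s0",
                                   buf, sizeof buf));
    return 0;
}
```

The second call shows the ordinary case (a matching spec relabels the object); the first shows why "<<none>>" matters in an MLS setup: the object created at s2 is left at s2 instead of being pulled down to the table's s0 default. Because the comparison sits in relabel_hook() rather than in restorecon_path(), any other caller of the hook gets the same behaviour for free.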