On Fri, Sep 6, 2019 at 4:31 PM Joe Conway <m...@joeconway.com> wrote: > > On 9/6/19 2:13 PM, Yuli Khodorkovskiy wrote: > > As Joe Conway pointed out to me out of band, the build animal for RHEL > > 7 has handle_unknown set to `0`. Are there any other concerns with > > this approach? > > > You mean deny_unknown I believe.
I do, thanks. Not sure where I pulled handle_unknown from. > > "Allow unknown object class / permissions. This will set the returned AV > with all 1's." > > As I understand it, this would make the sepgsql behavior unchanged from > before if the policy does not support the new permission. > > Joe > > > On Fri, Sep 6, 2019 at 1:00 PM Yuli Khodorkovskiy wrote: > >> The default SELinux policy on Fedora ships with deny_unknown set to 0. > >> Deny_unknown was added to the kernel in 2.6.24, so unless someone is > >> using RHEL 5.x, which is in ELS, they will have the ability to > >> override the default behavior on CentOS/RHEL. > > > > -- > Crunchy Data - http://crunchydata.com > PostgreSQL Support for Secure Enterprises > Consulting, Training, & Open Source Development
