> So if I label a table with an SELinux context and the type of my
> client connection does not have policy to be able to access the table
> type will an AVC be generated and the access denied?
>
Of course, it depends on the policy of the system.

If the client connection comes from a non-SELinux system, use netlabelctl to configure a default fallback security context. It gives getpeercon(3) the client label that shall be applied when netlabel is not configured on the connection.

Thanks,
--
NEC Business Creation Division / PG-Strom Project
KaiGai Kohei <kai...@ak.jp.nec.com>

> -----Original Message-----
> From: pgsql-hackers-ow...@postgresql.org
> [mailto:pgsql-hackers-ow...@postgresql.org] On Behalf Of Ted Toth
> Sent: Wednesday, July 15, 2015 2:59 AM
> To: Kohei KaiGai
> Cc: Robert Haas; Adam Brightwell; Andres Freund; pgsql-hackers@postgresql.org; Alvaro Herrera
> Subject: Re: [HACKERS] security labels on databases are bad for dump & restore
>
> So if I label a table with an SELinux context and the type of my
> client connection does not have policy to be able to access the table
> type will an AVC be generated and the access denied?
>
> Ted
>
> On Tue, Jul 14, 2015 at 12:53 PM, Kohei KaiGai <kai...@kaigai.gr.jp> wrote:
> > 2015-07-15 2:39 GMT+09:00 Ted Toth <txt...@gmail.com>:
> >> That's exactly what I'm talking about. Like I said, KaiGai's branch was
> >> never merged into the mainline, so I do not believe that it is used at
> >> all.
> >>
> > It depends on the definition of "integrated".
> > The PostgreSQL core offers an infrastructure for label based security
> > mechanism, not only selinux. Also, one extension module that is
> > usually distributed with PostgreSQL bridges the world of database and
> > the world of selinux (even though all the features I initially designed
> > are not yet implemented). I like to say it is integrated.
> >
> >> On Tue, Jul 14, 2015 at 12:28 PM, Robert Haas <robertmh...@gmail.com> wrote:
> >>> On Tue, Jul 14, 2015 at 1:22 PM, Ted Toth <txt...@gmail.com> wrote:
> >>>> I'm sort of new to this so maybe I'm missing something, but since the
> >>>> sepgsql SELinux userspace object manager was never integrated into
> >>>> postgresql (AFAIK KaiGai's branch was never merged into the mainline),
> >>>> who uses these labels? What use are they?
> >>>
> >>> See contrib/sepgsql
> >>>
> >>> --
> >>> Robert Haas
> >>> EnterpriseDB: http://www.enterprisedb.com
> >>> The Enterprise PostgreSQL Company
> >
> > --
> > KaiGai Kohei <kai...@kaigai.gr.jp>
>
> --
> Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-hackers
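The exchange above leaves the mechanics implicit: how a table gets its SELinux label, where PostgreSQL records it, and how to see which client context sepgsql will check against it. The following is an added example, not code from the thread or from contrib/sepgsql itself. It assumes a server started with shared_preload_libraries = 'sepgsql' and the sepgsql.sql script installed, on a host running SELinux; the table name and the type sepgsql_secret_table_t are assumed for illustration, and whether a given client type may read such a table is decided by the loaded policy, exactly as KaiGai says.

```sql
-- Added example (assumptions: sepgsql loaded, SELinux host,
-- table name and policy type chosen for illustration).

CREATE TABLE secret_notes (id serial PRIMARY KEY, body text);

-- Attach an SELinux label to the table. The provider name must be
-- 'selinux' for sepgsql; the type is an assumed policy type.
SECURITY LABEL FOR selinux ON TABLE secret_notes
    IS 'system_u:object_r:sepgsql_secret_table_t:s0';

-- Labels live in the shared catalog and are visible through the
-- pg_seclabels view (this is what pg_dump has to carry along).
SELECT objtype, objname, provider, label
  FROM pg_seclabels
 WHERE objname = 'secret_notes';

-- The client context sepgsql will use as the subject of the check.
-- It comes from getpeercon(3) on the connection socket; for a peer
-- that is not running SELinux it is whatever netlabel's fallback
-- mapping supplies, or the call fails and the connection is refused.
SELECT sepgsql_getcon();

-- Log every permission check for this session, not only denials,
-- so the AVC entries for the access below can be read in the server
-- log regardless of whether policy grants or denies it.
SET sepgsql.debug_audit = on;
SELECT count(*) FROM secret_notes;
```

Run the last SELECT from two clients whose contexts differ (for example a local psql session and a remote one) and compare the server log: the audit lines name the subject context, the table's object context and the permission (db_table:select), which answers the "will an AVC be generated" question for the policy actually loaded. To observe denials without having queries fail, set sepgsql.permissive = on in postgresql.conf (it cannot be changed per session). For the non-SELinux-peer case, the fallback KaiGai refers to is configured with netlabelctl's unlbl subcommand (netlabelctl unlbl add default address:... label:...); consult netlabelctl(8) on the target system for the exact argument form, since that is assumed here rather than taken from the thread.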