Re: [HACKERS] One question about security label command

2015-09-22 Thread Joe Conway
On 09/15/2015 11:36 AM, Joe Conway wrote: > On 09/13/2015 10:29 AM, Kouhei Kaigai wrote: >> The attached one is the regression test fixup in v9.2. >> As we applied to the v9.3 or later, it replaces unconfined_t domain >> by the self defined sepgsql_regtest_superuser_t. > Thanks -- I'll look throug

Re: [HACKERS] One question about security label command

2015-09-15 Thread Joe Conway
On 09/13/2015 10:29 AM, Kouhei Kaigai wrote: > The attached one is the regression test fixup in v9.2. > As we applied to the v9.3 or later, it replaces unconfined_t domain > by the self defined sepgsql_regtest_superuser_t. > > Unfortunately, I found a bug to process SELECT INTO statement. > Becaus

Re: [HACKERS] One question about security label command

2015-09-13 Thread Kouhei Kaigai
.com > Subject: Re: [HACKERS] One question about security label command > > On 09/07/2015 04:46 PM, Kouhei Kaigai wrote: > >>>>> 3.) Rework patch for 9.2 (Kohei) > >> > > Could you wait for the next Monday? > > I'll try to work this in the nex

Re: [HACKERS] One question about security label command

2015-09-07 Thread Joe Conway
On 09/07/2015 04:46 PM, Kouhei Kaigai wrote: > 3.) Rework patch for 9.2 (Kohei) >> > Could you wait for the next Monday? > I'll try to work this in the next weekend. Sure, that would be great. Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises Consulting,

Re: [HACKERS] One question about security label command

2015-09-07 Thread Kouhei Kaigai
onway.com] > Sent: Tuesday, September 08, 2015 6:54 AM > To: Adam Brightwell > Cc: Stephen Frost; Alvaro Herrera; Kohei KaiGai; Kaigai Kouhei(海外 浩平); Tom > Lane; Robert Haas; 张元超; pgsql-hackers@postgresql.org; > adam.brightw...@crunchydata.com > Subject: Re: [HACKERS] One question about sec

Re: [HACKERS] One question about security label command

2015-09-07 Thread Joe Conway
On 08/30/2015 11:17 AM, Joe Conway wrote: >>> 3.) Rework patch for 9.2 (Kohei) >>> 4.) Finish standing up the RHEL/CentOS 7.x buildfarm member to >>> test sepgsql on 9.2 and up. The animal (rhinoceros) is running >>> already, but still needs some custom scripting. (Joe, Andrew) >>> 5.) Additional

Re: [HACKERS] One question about security label command

2015-08-30 Thread Joe Conway
On 08/28/2015 07:21 PM, Adam Brightwell wrote: > On 08/28/2015 08:37 AM, Joe Conway wrote: >> So given all that, here is what I propose we do: >> >> 1.) Commit Kouhei's patch against HEAD and 9.5 (Joe) 2.) Commit >> my modified patch against 9.4 and 9

Re: [HACKERS] One question about security label command

2015-08-28 Thread Adam Brightwell
> * It is really the version of libselinux.so that matters here. RHEL > 7.x has libselinux 2.2.x whereas RHEL 6.x has 2.0.x. The latter lacks > functionality required by sepgsql starting with PG 9.2. Yes, that has been my observation as well. > So given all that, here is what I propose we do: > >

Re: [HACKERS] One question about security label command

2015-08-28 Thread Joe Conway
On 08/25/2015 06:54 PM, Joe Conway wrote: > On 08/25/2015 06:03 PM, Joe Conway wrote: >> I'm arriving late to this party, so maybe everyone else already >> knows this, but apparently sepgsql is not compatible with the >> version of selinux available

Re: [HACKERS] One question about security label command

2015-08-25 Thread Joe Conway
On 08/25/2015 06:03 PM, Joe Conway wrote: > I'm arriving late to this party, so maybe everyone else already > knows this, but apparently sepgsql is not compatible with the > version of selinux available on RHEL 6.x. So there doesn't seem to > be much r

Re: [HACKERS] One question about security label command

2015-08-25 Thread Joe Conway
On 08/25/2015 02:27 PM, Joe Conway wrote: > On 08/25/2015 01:02 PM, Stephen Frost wrote: >> * Adam Brightwell (adam.brightw...@crunchydatasolutions.com) >> wrote: So what about the buildfarm animal that was offered for this? We still have th

Re: [HACKERS] One question about security label command

2015-08-25 Thread Joe Conway
On 08/25/2015 01:02 PM, Stephen Frost wrote: > * Adam Brightwell (adam.brightw...@crunchydatasolutions.com) > wrote: >>> So what about the buildfarm animal that was offered for this? >>> We still have this module completely uncovered in the buildfarm >

Re: [HACKERS] One question about security label command

2015-08-25 Thread Stephen Frost
* Adam Brightwell (adam.brightw...@crunchydatasolutions.com) wrote: > > So what about the buildfarm animal that was offered for this? We still > > have this module completely uncovered in the buildfarm ... > > I believe that is in the works and should be made available soon. Right, Joe commented

Re: [HACKERS] One question about security label command

2015-08-25 Thread Adam Brightwell
> So what about the buildfarm animal that was offered for this? We still > have this module completely uncovered in the buildfarm ... I believe that is in the works and should be made available soon. -Adam -- Adam Brightwell - adam.brightw...@crunchydatasolutions.com Database Engineer - www.cr

Re: [HACKERS] One question about security label command

2015-08-25 Thread Alvaro Herrera
So what about the buildfarm animal that was offered for this? We still have this module completely uncovered in the buildfarm ... -- Álvaro Herrera http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services -- Sent via pgsql-hackers mailin

Re: [HACKERS] One question about security label command

2015-08-25 Thread Adam Brightwell
All, > The second approach above works. > I defined a own privileged domain (sepgsql_regtest_superuser_t) > instead of system's unconfined_t domain. > The reason why regression test gets failed was, definition of > unconfined_t in the system default policy was changed to bypass > multi-category ru

Re: [HACKERS] One question about security label command

2015-07-12 Thread Adam Brightwell
Stephen, > Stephen, would you have the time to review this patch, and commit if > appropriate, please? And if you could set up the buildfarm animal to run > this, even better. I gave this a quick review/test against master (0a0fe2f). Everything builds and installs as would be expected. All of t

Re: [HACKERS] One question about security label command

2015-07-10 Thread Heikki Linnakangas
On 05/13/2015 03:49 PM, Kohei KaiGai wrote: 2015-05-13 21:45 GMT+09:00 Robert Haas : Can you add this to the next CommitFest? OK, done https://commitfest.postgresql.org/5/249/ Aaand the commitfest has begun.. Stephen, would you have the time to review this patch, and commit if appropriate

Re: [HACKERS] One question about security label command

2015-05-13 Thread Kohei KaiGai
2015-05-13 21:45 GMT+09:00 Robert Haas : > On Sun, May 10, 2015 at 3:15 AM, Kohei KaiGai wrote: >> 2015-05-01 9:52 GMT+09:00 Kohei KaiGai : >>> 2015-05-01 7:40 GMT+09:00 Alvaro Herrera : Kouhei Kaigai wrote: > > * Tom Lane (t...@sss.pgh.pa.us) wrote: > > > The idea of making the regre

Re: [HACKERS] One question about security label command

2015-05-13 Thread Robert Haas
On Sun, May 10, 2015 at 3:15 AM, Kohei KaiGai wrote: > 2015-05-01 9:52 GMT+09:00 Kohei KaiGai : >> 2015-05-01 7:40 GMT+09:00 Alvaro Herrera : >>> Kouhei Kaigai wrote: > * Tom Lane (t...@sss.pgh.pa.us) wrote: > > The idea of making the regression test entirely independent of the > >

Re: [HACKERS] One question about security label command

2015-05-01 Thread Stephen Frost
Alvaro, * Alvaro Herrera (alvhe...@2ndquadrant.com) wrote: > Stephen Frost wrote: > > * Alvaro Herrera (alvhe...@2ndquadrant.com) wrote: > > > > Could you provide a buildfarm animal that runs the sepgsql test in all > > > branches on a regular basis? > > > > Would be great if KaiGai can, of cour

Re: [HACKERS] One question about security label command

2015-04-30 Thread Kohei KaiGai
2015-05-01 7:40 GMT+09:00 Alvaro Herrera : > Kouhei Kaigai wrote: >> > * Tom Lane (t...@sss.pgh.pa.us) wrote: >> > > The idea of making the regression test entirely independent of the >> > > system's policy would presumably solve this problem, so I'd kind of >> > > like to see progress on that fron

Re: [HACKERS] One question about security label command

2015-04-30 Thread Alvaro Herrera
Stephen Frost wrote: Hi, > * Alvaro Herrera (alvhe...@2ndquadrant.com) wrote: > > Could you provide a buildfarm animal that runs the sepgsql test in all > > branches on a regular basis? > > Would be great if KaiGai can, of course, but I'm planning to stand one > up here soon in any case. I don

Re: [HACKERS] One question about security label command

2015-04-30 Thread Alvaro Herrera
Kouhei Kaigai wrote: > > * Tom Lane (t...@sss.pgh.pa.us) wrote: > > > The idea of making the regression test entirely independent of the > > > system's policy would presumably solve this problem, so I'd kind of > > > like to see progress on that front. > > > > Apologies, I guess it wasn't clear, b

Re: [HACKERS] One question about security label command

2015-03-17 Thread Adam Brightwell
> > The attached patch fixes the policy module of regression test. > However, I also think we may stop to rely permission set of pre-defined > selinux domains. Instead of pre-defined one, sepgsql-regtest.te may be > ought to define own domain with appropriate permission set independent > from the b

Re: [HACKERS] One question about security label command

2015-03-16 Thread Kouhei Kaigai
rom Project KaiGai Kohei > -Original Message- > From: Stephen Frost [mailto:sfr...@snowman.net] > Sent: Monday, March 16, 2015 7:16 AM > To: Tom Lane > Cc: Alvaro Herrera; Kohei KaiGai; Robert Haas; Kaigai Kouhei(海外 浩平); 张元 > 超; pgsql-hackers@postgresql.org > Subject:

Re: [HACKERS] One question about security label command

2015-03-16 Thread Stephen Frost
Tom, * Tom Lane (t...@sss.pgh.pa.us) wrote: > The idea of making the regression test entirely independent of the > system's policy would presumably solve this problem, so I'd kind of > like to see progress on that front. Apologies, I guess it wasn't clear, but that's what I was intending to advoc

Re: [HACKERS] One question about security label command

2015-03-16 Thread Tom Lane
Stephen Frost writes: > * Alvaro Herrera (alvhe...@2ndquadrant.com) wrote: >> Kohei KaiGai wrote: >>> The attached patch fixes the policy module of regression test. >> Is this something we would backpatch? > As it's just a change to the regression tests, it seems like it'd be a > good idea to ba

Re: [HACKERS] One question about security label command

2015-03-16 Thread Stephen Frost
Alvaro, KaiGai, * Alvaro Herrera (alvhe...@2ndquadrant.com) wrote: > Kohei KaiGai wrote: > > > This regression test fail come from the base security policy of selinux. > > In the recent selinux-policy package, "unconfined" domain was changed > > to have unrestricted permission as literal. So, thi

Re: [HACKERS] One question about security label command

2015-03-16 Thread Alvaro Herrera
Kohei KaiGai wrote: > This regression test fail come from the base security policy of selinux. > In the recent selinux-policy package, "unconfined" domain was changed > to have unrestricted permission as literal. So, this test case relies multi- > category policy restricts unconfined domain, but i

Re: [HACKERS] One question about security label command

2015-03-12 Thread Robert Haas
On Tue, Mar 10, 2015 at 6:58 PM, Kohei KaiGai wrote: > ERRCODE_FEATURE_NOT_SUPPORTED is suitable error code here. > Please see the attached one. Committed. I did not bother back-patching this, but I can do that if people think it's important. The sepgsql regression tests don't seem to pass for

Re: [HACKERS] One question about security label command

2015-03-11 Thread Kohei KaiGai
2015-03-12 1:27 GMT+09:00 Alvaro Herrera : > Robert Haas wrote: >> On Tue, Mar 10, 2015 at 6:58 PM, Kohei KaiGai wrote: >> > ERRCODE_FEATURE_NOT_SUPPORTED is suitable error code here. >> > Please see the attached one. >> >> Committed. I did not bother back-patching this, but I can do that if >> p

Re: [HACKERS] One question about security label command

2015-03-11 Thread Alvaro Herrera
Robert Haas wrote: > On Tue, Mar 10, 2015 at 6:58 PM, Kohei KaiGai wrote: > > ERRCODE_FEATURE_NOT_SUPPORTED is suitable error code here. > > Please see the attached one. > > Committed. I did not bother back-patching this, but I can do that if > people think it's important. I don't really care m

Re: [HACKERS] One question about security label command

2015-03-10 Thread Kohei KaiGai
ERRCODE_FEATURE_NOT_SUPPORTED is suitable error code here. Please see the attached one. Thanks, 2015-03-11 4:34 GMT+09:00 Robert Haas : > On Tue, Mar 10, 2015 at 9:41 AM, Alvaro Herrera > wrote: >> And perhaps make it an ereport also, with errcode etc. > > Yeah, definitely. > > -- > Robert Haas

Re: [HACKERS] One question about security label command

2015-03-10 Thread Robert Haas
On Tue, Mar 10, 2015 at 9:41 AM, Alvaro Herrera wrote: > And perhaps make it an ereport also, with errcode etc. Yeah, definitely. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) T

Re: [HACKERS] One question about security label command

2015-03-10 Thread Alvaro Herrera
Kohei KaiGai wrote: > The attached patch revises error message when security label > is specified on unsupported object. > getObjectTypeDescription() may be better than oid of catalog. Agreed. > postgres=# SECURITY LABEL FOR selinux ON ROLE kaigai > postgres-# IS 'system_u:object_r:unlabeled_t:

Re: [HACKERS] One question about security label command

2015-03-10 Thread Kohei KaiGai
The attached patch revises error message when security label is specified on unsupported object. getObjectTypeDescription() may be better than oid of catalog. postgres=# SECURITY LABEL FOR selinux ON ROLE kaigai postgres-# IS 'system_u:object_r:unlabeled_t:s0'; ERROR: sepgsql provider does not

Re: [HACKERS] One question about security label command

2015-03-09 Thread Robert Haas
On Tue, Mar 3, 2015 at 5:01 AM, Kouhei Kaigai wrote: > From standpoint of SQL syntax, yep, SECURITY LABEL command support > the object types below, however, it fully depends on security label > provider; sepgsql.so in this case. > At this moment, it supports database, schema, function, tables and

Re: [HACKERS] One question about security label command

2015-03-03 Thread Kouhei Kaigai
> To: pgsql-hackers@postgresql.org > Subject: [HACKERS] One question about security label command > > Greetings, > I got a problem when I used the 'security label on role ...' command to > make > a label for a database role. > It shows me an error like "E

[HACKERS] One question about security label command

2015-03-03 Thread 张元超
Greetings, I got a problem when I used the 'security label on role ...' command to make a label for a database role. It shows me an error like "ERROR: unsupported object type: 1260". So I read the document about the 'security label' command, and it shows me this: SECURITY LABEL [ FOR provider ]