Joshua Brindle wrote:
> KaiGai Kohei wrote:
>> By the way, I'm seeking sponsors who can review SE-PostgreSQL package.
>>
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249522
>>
>> If you can volunteer the reviewing process, please contact me.
>>
>
> So, I tried grabbing the sepostgres srpm and building it (you didn't
> provide an x86_64 rpm) and I get these compilation errors:
>
> gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wall
> -Wmissing-prototypes -Wpointer-arith -Winline
> -Wdeclaration-after-statement -Wendif-labels -fno-strict-aliasing -g -D
> SECCLASS_DATABASE= -I../../../src/include -D_GNU_SOURCE -c -o
> sepgsqlCore.o sepgsqlCore.c
> sepgsqlCore.c: In function 'sepgsqlGetDatabaseContext':
> sepgsqlCore.c:792: error: expected expression before ')' token
> sepgsqlCore.c: In function 'sepgsqlInitialize':
> sepgsqlCore.c:836: error: expected expression before ',' token
> sepgsqlCore.c:854: error: expected expression before ',' token
> make[3]: *** [sepgsqlCore.o] Error 1
> make[3]: Leaving directory
> `/usr/src/redhat/BUILD/postgresql-8.2.4/src/backend/security'
> make[2]: *** [security-recursive] Error 2

Joshua,

It seems to me that SECCLASS_DATABASE is defined as empty.
It is normally computed in the %build section of the specfile as follows:

    SECCLASS_DATABASE=`grep ^define %{_datadir}/selinux/devel/include/support/all_perms.spt \
        | cat -n | grep all_database_perms | awk '{print $1}'`
    make CUSTOM_COPT=" -D SECCLASS_DATABASE=${SECCLASS_DATABASE}" %{?_smp_mflags}

Thus, selinux-policy-devel-xxx-sepgsql has to be installed to build.

If SECCLASS_DATABASE is not defined, it is defined as 61, the number next to
SECCLASS_DCCP_SOCKET. That is correct on Fedora 6, but incorrect on the
latest Fedora 7 and Rawhide.

As you mentioned, I also think this trick is not a good idea.
However, the number of object classes is not constant between policy
versions, so I had to handle the difference and follow version upgrades.
I modified it by hand at first, but a conditional definition for
SECCLASS_DATABASE became necessary, because the number of object classes
differs between Fedora Core 6 and Fedora 7.

I think integration of these definitions into the base policy is the best
way to avoid such an ugly implementation. :)

Thanks,

> As an aside to this, I notice that you tried to integrate policy
> management into the RPM, and I had to modify my spec file to not do this
> because I have my own custom policies on the system. I don't think this
> is the best way, long term, to handle policy integration, though,
> unfortunately, I don't have any better suggestions. This is something I
> intend to look into soon though so I'll provide some feedback on the
> previous thread when I have something useful to say :)

-- 
KaiGai Kohei <kaigai@xxxxxxxxxxxx>
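
The failure in this thread, as an added example that is not part of the original message or the SE-PostgreSQL spec file: the same grep/cat -n/awk numbering, wrapped so that a missing all_perms.spt or a policy without the database class stops the build instead of handing gcc an empty -D SECCLASS_DATABASE=. The function names secclass_index and write_sample_spt are hypothetical, and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example; not from the SE-PostgreSQL spec file.

# Print the 1-based position of MACRO among the ^define lines of SPT,
# numbered the same way as the pipeline quoted in the message.
# Returns non-zero instead of printing an empty string.
secclass_index() {
    spt=$1
    macro=$2
    if [ ! -r "$spt" ]; then
        echo "error: cannot read $spt (policy devel package missing?)" >&2
        return 1
    fi
    idx=$(grep '^define' "$spt" | cat -n | grep -w -- "$macro" \
          | awk 'NR == 1 { print $1 }')
    case $idx in
        '' | *[!0-9]*)
            echo "error: $macro not defined in $spt" >&2
            return 1
            ;;
    esac
    printf '%s\n' "$idx"
}

# Constructed stand-in for all_perms.spt; real files are much longer.
write_sample_spt() {
    cat > "$1" <<'EOF'
# comment line, not counted
define(`all_security_perms',`{ perm_a perm_b }')
define(`all_process_perms',`{ perm_a perm_b }')
define(`all_database_perms',`{ perm_a perm_b }')
EOF
}

demo_dir=$(mktemp -d)
write_sample_spt "$demo_dir/with_class.spt"
grep -v all_database_perms "$demo_dir/with_class.spt" > "$demo_dir/without_class.spt"

if n=$(secclass_index "$demo_dir/with_class.spt" all_database_perms); then
    echo "would build with: -D SECCLASS_DATABASE=$n"
fi
# A policy without the class must stop the build, not yield an empty -D value.
secclass_index "$demo_dir/without_class.spt" all_database_perms \
    || echo "build stopped: database class not in installed policy"
rm -rf "$demo_dir"
```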