On Tue, 2008-06-03 at 19:25 +0900, KaiGai Kohei wrote:
> Christopher J. PeBenito wrote:
> > I'm out of arguments; clearly I'm in the minority on this issue. I
> > already said I wouldn't block the policy over this, so KaiGai, if you
> > would send a last patch based on the revisions I made [1], let's see if we
> > can finally get this merged.
> >
> > [1] http://marc.info/?l=selinux&m=120999566809541&w=2
>
> I'll submit a revised version later.
> (Right now we cannot update the SVN repository, due to server maintenance.)
>
> Before this, I want to modify the following points:
>
> - The neverallow rule should be removed, as you suggested before.
>
> - The type_transition rule for a newly created database should be
>   described with "self" as its target, like:
>       type_transition sepgsql_client_type self : db_database sepgsql_db_t;
>   The purpose is to make clear its meaning: that this type_transition
>   has no appropriate parent as socket creation.

Unfortunately self doesn't work in type_transitions.

> - The postgresql_unconfined() interface should also associate a domain
>   with sepgsql_client_type, not only sepgsql_unconfined_type.
>   dontaudit rules on row-level logs are not disabled for unconfined
>   clients. And it's not useful to write an additional policy module.

I don't understand what you mean about the dontaudits. Otherwise, you
should recheck the unconfined rules. I'm fairly sure I copied anything
relevant from the client rules into unconfined so I didn't have to add
both attributes in postgresql_unconfined().

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
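The point Chris raises above, that `self` is only meaningful in access-vector rules (allow, auditallow, dontaudit, neverallow) and is rejected by checkpolicy in type rules (type_transition, type_change, type_member), is easy to catch before a module is compiled. The following is an added example, not code from this thread or from the reference policy: a small lint that parses te-style rules and flags type rules whose target is `self`. The sample policy text is constructed for the example; in particular `postgresql_t` as the explicit target type and `sepgsql_table_t` / `db_tuple` are assumed names used only to give the linter something to parse, not a statement of what the merged policy contains.

```python
import re

# Constructed sample modelled on the rules discussed in the thread.
# The 'self' type_transition is the one checkpolicy would reject;
# the explicit-target variant below it is the shape that compiles.
SAMPLE_POLICY = """\
allow sepgsql_client_type sepgsql_db_t : db_database { access getattr };
dontaudit sepgsql_client_type sepgsql_table_t : db_tuple { select };
type_transition sepgsql_client_type self : db_database sepgsql_db_t;
type_transition sepgsql_client_type postgresql_t : db_database sepgsql_db_t;
"""

# One rule per line: <kind> <source> <target> : <class> <perms-or-default-type> ;
RULE_RE = re.compile(
    r"^\s*(?P<kind>allow|auditallow|dontaudit|neverallow|"
    r"type_transition|type_change|type_member)\s+"
    r"(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+(?P<rest>[^;]+);"
)

AV_KINDS = {"allow", "auditallow", "dontaudit", "neverallow"}
TYPE_KINDS = {"type_transition", "type_change", "type_member"}


def parse_rules(text):
    """Return a list of dicts, one per recognised rule, with line numbers."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(line)
        if m:
            rule = m.groupdict()
            rule["line"] = lineno
            rules.append(rule)
    return rules


def lint_self_targets(text):
    """Flag type rules that use 'self' as the target.

    'self' is legal in AV rules (it means "same type as the source") but
    type rules need a concrete target type, so these lines will not build.
    Returns a list of (line_number, rule_text).
    """
    problems = []
    for rule in parse_rules(text):
        if rule["kind"] in TYPE_KINDS and rule["tgt"] == "self":
            src_line = text.splitlines()[rule["line"] - 1].strip()
            problems.append((rule["line"], src_line))
    return problems


if __name__ == "__main__":
    for lineno, rule in lint_self_targets(SAMPLE_POLICY):
        print(f"line {lineno}: 'self' is not valid as a type-rule target: {rule}")
```

Run against the sample it reports only the third rule; the same `type_transition` with an explicit target type passes, which is the change the reply above is asking for.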