mirror of
https://github.com/zebrajr/postgres.git
synced 2025-12-07 12:20:31 +01:00
The regression tests for sepgsql were broken by changes in the
base distro as-shipped policies. Specifically, the definition of
unconfined_t in the system default policy was changed to bypass
multi-category rules, which the regression test depended on.

Fix that by defining a custom privileged domain
(sepgsql_regtest_superuser_t) and using it instead of the system's
unconfined_t domain. The new sepgsql_regtest_superuser_t domain
performs almost like the current unconfined_t, but is restricted by
multi-category policy as the traditional unconfined_t was.

The custom policy module is a self-defined domain, and so should not
be affected by related future system policy changes. However, it still
uses the unconfined_u:unconfined_r pair for selinux-user and role.
Those definitions have not been changed for several years and seem
less risky to rely on than the unconfined_t domain. Additionally, if
we define custom user/role, they would need to be manually defined
at the operating system level, adding more complexity to an already
non-standard and complex regression test.

Applies only to 9.2. Unlike the previous similar patch, commit

| | | |
|---|---|---|
| expected | ||
| sql | ||
| .gitignore | ||
| database.c | ||
| dml.c | ||
| hooks.c | ||
| label.c | ||
| launcher | ||
| Makefile | ||
| proc.c | ||
| relation.c | ||
| schema.c | ||
| selinux.c | ||
| sepgsql-regtest.te | ||
| sepgsql.h | ||
| sepgsql.sql.in | ||
| test_sepgsql | ||
| uavc.c | ||