On 9/6/19 2:18 PM, Tom Lane wrote:
> Yuli Khodorkovskiy <yuli.khodorkovs...@crunchydata.com> writes:
>> On Fri, Sep 6, 2019 at 11:57 AM Tom Lane <t...@sss.pgh.pa.us> wrote:
>>> Well, the larger question, independent of the regression tests, is
>>> will the new policy work at all on older SELinux? If not, that
>>> doesn't seem very acceptable.
>
>> The default SELinux policy on Fedora ships with deny_unknown set to 0.
>> Deny_unknown was added to the kernel in 2.6.24, so unless someone is
>> using RHEL 5.x, which is in ELS, they will have the ability to
>> override the default behavior on CentOS/RHEL.
>
> OK, that sounds like it will work.
>
>> On RHEL 6, which goes into ELS in 2020, it's a bit more complicated
>> and requires rebuilding the base SELinux module from source.
>
> sepgsql hasn't worked on RHEL6 in a long time, if ever; it requires
> a newer version of libselinux than what ships in RHEL6. So I'm not
> concerned about that. We do need to worry about RHEL7, and whatever
> is the oldest version of Fedora that is running the sepgsql tests
> in the buildfarm.

I could be wrong, but as far as I know rhinoceros is the only buildfarm
animal running sepgsql tests.

Joe

-- 
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development