On 9/6/19 2:13 PM, Yuli Khodorkovskiy wrote:
> As Joe Conway pointed out to me out of band, the build animal for RHEL
> 7 has handle_unknown set to `0`. Are there any other concerns with
> this approach?

You mean deny_unknown I believe. "Allow unknown object class / permissions. This will set the returned AV with all 1's."

As I understand it, this would make the sepgsql behavior unchanged from before if the policy does not support the new permission.

Joe

> On Fri, Sep 6, 2019 at 1:00 PM Yuli Khodorkovskiy wrote:
>> The default SELinux policy on Fedora ships with deny_unknown set to 0.
>> Deny_unknown was added to the kernel in 2.6.24, so unless someone is
>> using RHEL 5.x, which is in ELS, they will have the ability to
>> override the default behavior on CentOS/RHEL.

--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development