Re: [HACKERS] One question about security label command

2015-09-22 Thread Joe Conway
On 09/15/2015 11:36 AM, Joe Conway wrote: > On 09/13/2015 10:29 AM, Kouhei Kaigai wrote: >> The attached one is the regression test fixup in v9.2. >> As we applied to the v9.3 or later, it replaces unconfined_t domain >> by the self defined sepgsql_regtest_superuser_t. > Thanks -- I'll look

Re: [HACKERS] One question about security label command

2015-09-15 Thread Joe Conway
On 09/13/2015 10:29 AM, Kouhei Kaigai wrote: > The attached one is the regression test fixup in v9.2. > As we applied to the v9.3 or later, it replaces unconfined_t domain > by the self defined sepgsql_regtest_superuser_t. > > Unfortunately, I found a bug to process SELECT INTO statement. >

Re: [HACKERS] One question about security label command

2015-09-13 Thread Kouhei Kaigai
ightw...@crunchydata.com > Subject: Re: [HACKERS] One question about security label command > > On 09/07/2015 04:46 PM, Kouhei Kaigai wrote: > >>>>> 3.) Rework patch for 9.2 (Kohei) > >> > > Could you wait for the next Monday? > > I'll try to

Re: [HACKERS] One question about security label command

2015-09-07 Thread Joe Conway
On 08/30/2015 11:17 AM, Joe Conway wrote: >>> 3.) Rework patch for 9.2 (Kohei) >>> 4.) Finish standing up the RHEL/CentOS 7.x buildfarm member to >>> test sepgsql on 9.2 and up. The animal (rhinoceros) is running >>> already, but still needs some custom scripting. (Joe, Andrew) >>> 5.)

Re: [HACKERS] One question about security label command

2015-09-07 Thread Joe Conway
On 09/07/2015 04:46 PM, Kouhei Kaigai wrote: > 3.) Rework patch for 9.2 (Kohei) >> > Could you wait for the next Monday? > I'll try to work this in the next weekend. Sure, that would be great. Joe -- Crunchy Data - http://crunchydata.com PostgreSQL Support for Secure Enterprises

Re: [HACKERS] One question about security label command

2015-09-07 Thread Kouhei Kaigai
[mailto:m...@joeconway.com] > Sent: Tuesday, September 08, 2015 6:54 AM > To: Adam Brightwell > Cc: Stephen Frost; Alvaro Herrera; Kohei KaiGai; Kaigai Kouhei(海外 浩平); Tom > Lane; Robert Haas; 张元超; pgsql-hackers@postgresql.org; > adam.brightw...@crunchydata.com > Subject: Re: [HACKE

Re: [HACKERS] One question about security label command

2015-08-30 Thread Joe Conway
On 08/28/2015 07:21 PM, Adam Brightwell wrote: On 08/28/2015 08:37 AM, Joe Conway wrote: So given all that, here is what I propose we do: 1.) Commit Kouhei's patch against HEAD and 9.5 (Joe) 2.) Commit my modified patch against 9.4 and 9.3 (Joe)

Re: [HACKERS] One question about security label command

2015-08-28 Thread Joe Conway
On 08/25/2015 06:54 PM, Joe Conway wrote: On 08/25/2015 06:03 PM, Joe Conway wrote: I'm arriving late to this party, so maybe everyone else already knows this, but apparently sepgsql is not compatible with the version of selinux available on

Re: [HACKERS] One question about security label command

2015-08-28 Thread Adam Brightwell
* It is really the version of libselinux.so that matters here. RHEL 7.x has libselinux 2.2.x whereas RHEL 6.x has 2.0.x. The latter lacks functionality required by sepgsql starting with PG 9.2. Yes, that has been my observation as well. So given all that, here is what I propose we do: 1.)

Re: [HACKERS] One question about security label command

2015-08-25 Thread Adam Brightwell
All, The second approach above works. I defined a own privileged domain (sepgsql_regtest_superuser_t) instead of system's unconfined_t domain. The reason why regression test gets failed was, definition of unconfined_t in the system default policy was changed to bypass multi-category rules;

Re: [HACKERS] One question about security label command

2015-08-25 Thread Alvaro Herrera
So what about the buildfarm animal that was offered for this? We still have this module completely uncovered in the buildfarm ... -- Álvaro Herrera http://www.2ndQuadrant.com/ PostgreSQL Development, 24x7 Support, Remote DBA, Training Services

Re: [HACKERS] One question about security label command

2015-08-25 Thread Stephen Frost
* Adam Brightwell (adam.brightw...@crunchydatasolutions.com) wrote: So what about the buildfarm animal that was offered for this? We still have this module completely uncovered in the buildfarm ... I believe that is in the works and should be made available soon. Right, Joe commented on

Re: [HACKERS] One question about security label command

2015-08-25 Thread Adam Brightwell
So what about the buildfarm animal that was offered for this? We still have this module completely uncovered in the buildfarm ... I believe that is in the works and should be made available soon. -Adam -- Adam Brightwell - adam.brightw...@crunchydatasolutions.com Database Engineer -

Re: [HACKERS] One question about security label command

2015-08-25 Thread Joe Conway
On 08/25/2015 01:02 PM, Stephen Frost wrote: * Adam Brightwell (adam.brightw...@crunchydatasolutions.com) wrote: So what about the buildfarm animal that was offered for this? We still have this module completely uncovered in the buildfarm ...

Re: [HACKERS] One question about security label command

2015-08-25 Thread Joe Conway
On 08/25/2015 02:27 PM, Joe Conway wrote: On 08/25/2015 01:02 PM, Stephen Frost wrote: * Adam Brightwell (adam.brightw...@crunchydatasolutions.com) wrote: So what about the buildfarm animal that was offered for this? We still have this module

Re: [HACKERS] One question about security label command

2015-08-25 Thread Joe Conway
On 08/25/2015 06:03 PM, Joe Conway wrote: I'm arriving late to this party, so maybe everyone else already knows this, but apparently sepgsql is not compatible with the version of selinux available on RHEL 6.x. So there doesn't seem to be much

Re: [HACKERS] One question about security label command

2015-07-12 Thread Adam Brightwell
Stephen, Stephen, would you have the time to review this patch, and commit if appropriate, please? And if you could set up the buildfarm animal to run this, even better. I gave this a quick review/test against master (0a0fe2f). Everything builds and installs as would be expected. All of the

Re: [HACKERS] One question about security label command

2015-05-13 Thread Kohei KaiGai
2015-05-13 21:45 GMT+09:00 Robert Haas robertmh...@gmail.com: On Sun, May 10, 2015 at 3:15 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote: 2015-05-01 9:52 GMT+09:00 Kohei KaiGai kai...@kaigai.gr.jp: 2015-05-01 7:40 GMT+09:00 Alvaro Herrera alvhe...@2ndquadrant.com: Kouhei Kaigai wrote: * Tom

Re: [HACKERS] One question about security label command

2015-05-13 Thread Robert Haas
On Sun, May 10, 2015 at 3:15 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote: 2015-05-01 9:52 GMT+09:00 Kohei KaiGai kai...@kaigai.gr.jp: 2015-05-01 7:40 GMT+09:00 Alvaro Herrera alvhe...@2ndquadrant.com: Kouhei Kaigai wrote: * Tom Lane (t...@sss.pgh.pa.us) wrote: The idea of making the

Re: [HACKERS] One question about security label command

2015-05-01 Thread Stephen Frost
Alvaro, * Alvaro Herrera (alvhe...@2ndquadrant.com) wrote: Stephen Frost wrote: * Alvaro Herrera (alvhe...@2ndquadrant.com) wrote: Could you provide a buildfarm animal that runs the sepgsql test in all branches on a regular basis? Would be great if KaiGai can, of course, but I'm

Re: [HACKERS] One question about security label command

2015-04-30 Thread Kohei KaiGai
2015-05-01 7:40 GMT+09:00 Alvaro Herrera alvhe...@2ndquadrant.com: Kouhei Kaigai wrote: * Tom Lane (t...@sss.pgh.pa.us) wrote: The idea of making the regression test entirely independent of the system's policy would presumably solve this problem, so I'd kind of like to see progress on

Re: [HACKERS] One question about security label command

2015-04-30 Thread Alvaro Herrera
Kouhei Kaigai wrote: * Tom Lane (t...@sss.pgh.pa.us) wrote: The idea of making the regression test entirely independent of the system's policy would presumably solve this problem, so I'd kind of like to see progress on that front. Apologies, I guess it wasn't clear, but that's what

Re: [HACKERS] One question about security label command

2015-04-30 Thread Alvaro Herrera
Stephen Frost wrote: Hi, * Alvaro Herrera (alvhe...@2ndquadrant.com) wrote: Could you provide a buildfarm animal that runs the sepgsql test in all branches on a regular basis? Would be great if KaiGai can, of course, but I'm planning to stand one up here soon in any case. I don't

Re: [HACKERS] One question about security label command

2015-03-17 Thread Adam Brightwell
The attached patch fixes the policy module of regression test. However, I also think we may stop to rely permission set of pre-defined selinux domains. Instead of pre-defined one, sepgsql-regtest.te may be ought to define own domain with appropriate permission set independent from the base

Re: [HACKERS] One question about security label command

2015-03-16 Thread Alvaro Herrera
Kohei KaiGai wrote: This regression test fail come from the base security policy of selinux. In the recent selinux-policy package, unconfined domain was changed to have unrestricted permission as literal. So, this test case relies multi-category policy restricts unconfined domain, but its

Re: [HACKERS] One question about security label command

2015-03-16 Thread Stephen Frost
Alvaro, KaiGai, * Alvaro Herrera (alvhe...@2ndquadrant.com) wrote: Kohei KaiGai wrote: This regression test fail come from the base security policy of selinux. In the recent selinux-policy package, unconfined domain was changed to have unrestricted permission as literal. So, this test

Re: [HACKERS] One question about security label command

2015-03-16 Thread Stephen Frost
Tom, * Tom Lane (t...@sss.pgh.pa.us) wrote: The idea of making the regression test entirely independent of the system's policy would presumably solve this problem, so I'd kind of like to see progress on that front. Apologies, I guess it wasn't clear, but that's what I was intending to

Re: [HACKERS] One question about security label command

2015-03-16 Thread Tom Lane
Stephen Frost sfr...@snowman.net writes: * Alvaro Herrera (alvhe...@2ndquadrant.com) wrote: Kohei KaiGai wrote: The attached patch fixes the policy module of regression test. Is this something we would backpatch? As it's just a change to the regression tests, it seems like it'd be a good

Re: [HACKERS] One question about security label command

2015-03-16 Thread Kouhei Kaigai
: Stephen Frost [mailto:sfr...@snowman.net] Sent: Monday, March 16, 2015 7:16 AM To: Tom Lane Cc: Alvaro Herrera; Kohei KaiGai; Robert Haas; Kaigai Kouhei(海外 浩平); 张元超; pgsql-hackers@postgresql.org Subject: Re: [HACKERS] One question about security label command Tom, * Tom Lane (t

Re: [HACKERS] One question about security label command

2015-03-12 Thread Robert Haas
On Tue, Mar 10, 2015 at 6:58 PM, Kohei KaiGai kai...@kaigai.gr.jp wrote: ERRCODE_FEATURE_NOT_SUPPORTED is suitable error code here. Please see the attached one. Committed. I did not bother back-patching this, but I can do that if people think it's important. The sepgsql regression tests don't

Re: [HACKERS] One question about security label command

2015-03-11 Thread Kohei KaiGai
2015-03-12 1:27 GMT+09:00 Alvaro Herrera alvhe...@2ndquadrant.com: Robert Haas wrote: On Tue, Mar 10, 2015 at 6:58 PM, Kohei KaiGai kai...@kaigai.gr.jp wrote: ERRCODE_FEATURE_NOT_SUPPORTED is suitable error code here. Please see the attached one. Committed. I did not bother back-patching

Re: [HACKERS] One question about security label command

2015-03-10 Thread Alvaro Herrera
Kohei KaiGai wrote: The attached patch revises error message when security label is specified on unsupported object. getObjectTypeDescription() may be better than oid of catalog. Agreed. postgres=# SECURITY LABEL FOR selinux ON ROLE kaigai postgres-# IS 'system_u:object_r:unlabeled_t:s0';

Re: [HACKERS] One question about security label command

2015-03-10 Thread Kohei KaiGai
The attached patch revises error message when security label is specified on unsupported object. getObjectTypeDescription() may be better than oid of catalog. postgres=# SECURITY LABEL FOR selinux ON ROLE kaigai postgres-# IS 'system_u:object_r:unlabeled_t:s0'; ERROR: sepgsql provider does not

Re: [HACKERS] One question about security label command

2015-03-10 Thread Robert Haas
On Tue, Mar 10, 2015 at 9:41 AM, Alvaro Herrera alvhe...@2ndquadrant.com wrote: And perhaps make it an ereport also, with errcode etc. Yeah, definitely. -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company

Re: [HACKERS] One question about security label command

2015-03-10 Thread Kohei KaiGai
ERRCODE_FEATURE_NOT_SUPPORTED is suitable error code here. Please see the attached one. Thanks, 2015-03-11 4:34 GMT+09:00 Robert Haas robertmh...@gmail.com: On Tue, Mar 10, 2015 at 9:41 AM, Alvaro Herrera alvhe...@2ndquadrant.com wrote: And perhaps make it an ereport also, with errcode etc.

Re: [HACKERS] One question about security label command

2015-03-09 Thread Robert Haas
On Tue, Mar 3, 2015 at 5:01 AM, Kouhei Kaigai kai...@ak.jp.nec.com wrote: From standpoint of SQL syntax, yep, SECURITY LABEL command support the object types below, however, it fully depends on security label provider; sepgsql.so in this case. At this moment, it supports database, schema,

Re: [HACKERS] One question about security label command

2015-03-03 Thread Kouhei Kaigai
PM To: pgsql-hackers@postgresql.org Subject: [HACKERS] One question about security label command Greetings, I got a problem when I used the 'security label on role ...' command to make a label for a database role. It shows me an error like ERROR: unsupported object type: 1260. So I

[HACKERS] One question about security label command

2015-03-03 Thread 张元超
Greetings, I got a problem when I used the 'security label on role ...' command to make a label for a database role. It shows me an error like ERROR: unsupported object type: 1260. So I read the document about the 'security label' command, it shows me like this: SECURITY LABEL [ FOR provider ]