From: dwalsh@redhat.com (Daniel J Walsh)
Date: Mon, 18 Nov 2013 15:07:37 -0500
Subject: [refpolicy] [PATCH] Only label administrative postgres commands as postgresql_exec_t
In-Reply-To: <20131118174649.1c833f67@gentp.lnet>
References: <1384692777-9505-1-git-send-email-aranea@aixah.de> <528A1FAD.4000809@redhat.com> <20131118174649.1c833f67@gentp.lnet>
Message-ID: <528A7389.6090806@redhat.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 11/18/2013 11:46 AM, Luis Ressel wrote:
> On Mon, 18 Nov 2013 09:09:49 -0500 Daniel J Walsh wrote:
>
>> I hate adding ifdef code to fc files, it is usually just clutter. If I
>> have an init script named /etc/init\.d/postgresql-.* I would figure all
>> distributions would want this labeled this way.
>>
>> If this labeling makes sense for other distributions, then we should
>> remove the ifdef.
>>
>> Also bin_t should never be listed in an fc file other than
>> corecommands.fc
>
> Sorry, the ifdefs were there in the original Gentoo patch, but it makes
> sense to me to drop them. But how else should I label these files, if not
> bin_t? Yet another separate type like "postgresql_user_exec_t"?
>
>
> Regards, Luis Ressel
>
I believe by default they should be bin_t unless they match some other regex.