| Summary: | postgresql-9.0 init script not SELinux-compatible with current policies | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Sven Vermeulen <sven.vermeulen> |
| Component: | [OLD] Server | Assignee: | SE Linux Bugs <selinux> |
| Status: | VERIFIED FIXED | | |
| Severity: | normal | | |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | AMD64 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
Sven Vermeulen
2011-06-13 14:43:20 UTC
Should be fixed in hardened-dev overlay now. Fix also includes allowing any failure to be shown on the screen ;)

(In reply to comment #1)
> Should be fixed in hardened-dev overlay now. Fix also includes allowing any
> failure to be shown on the screen ;)

Care to share? (^_^)

Certainly. When the init script calls pg_ctl, its output is treated by "su" which runs in the initrc_su_t domain. However, the user's terminal at that point is in the initrc_devpts_t domain, to which initrc_su_t has no read/write access. The new policies allow initrc_su_t to read/write to initrc_devpts_t (in case of character files). Without this issue, any error message shown by pg_ctl wouldn't be noticed - we would just trap the return code and say it failed.

Is in portage tree: sec-policy/selinux-base-policy-2.20101213-r18 (~arch for now)
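
The denial described in this thread (su in initrc_su_t unable to read/write a terminal labelled initrc_devpts_t) can be confirmed from audit records. The following is an added example, not part of the bug report or of the Gentoo policy: it parses AVC denials, groups them by source type, target type and class, and prints audit2allow-style candidate rules. The audit lines are constructed samples, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not taken from the bug report).
# The second record uses an MLS-style context with a fourth field.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1307976200.101:41): avc:  denied  { read write } for  pid=2301 comm="su" path="/dev/pts/0" dev=devpts ino=3 scontext=system_u:system_r:initrc_su_t tcontext=system_u:object_r:initrc_devpts_t tclass=chr_file
type=AVC msg=audit(1307976200.105:42): avc:  denied  { getattr } for  pid=2301 comm="su" path="/dev/pts/0" dev=devpts ino=3 scontext=system_u:system_r:initrc_su_t:s0 tcontext=system_u:object_r:initrc_devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1307976201.000:43): avc:  granted  { read } for  pid=2400 comm="cat" scontext=system_u:system_r:initrc_t tcontext=system_u:object_r:etc_t tclass=file
type=SYSCALL msg=audit(1307976200.101:41): arch=c000003e syscall=2 success=no
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def selinux_type(context):
    """Return the type, the third colon-separated field of user:role:type[:mls]."""
    return context.split(":")[2]

def summarize_denials(log_text):
    """Map (source type, target type, class) to the set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m is None:  # granted records and non-AVC records are skipped
            continue
        key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def terminal_output_blocked(denials, source="initrc_su_t", target="initrc_devpts_t"):
    """True if `source` was denied read or write on a `target` character file."""
    perms = denials.get((source, target, "chr_file"), set())
    return bool(perms & {"read", "write"})

def candidate_rules(denials):
    """Render denials as allow rules for review; not the rule Gentoo shipped."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(denials.items())]

if __name__ == "__main__":
    found = summarize_denials(SAMPLE_AUDIT_LOG)
    print("pg_ctl output blocked:", terminal_output_blocked(found))
    print("\n".join(candidate_rules(found)))
```
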