Re: add a MAC check for TRUNCATE

From Yuli Khodorkovskiy
Subject Re: add a MAC check for TRUNCATE
Msg-id CAFL5wJeKNV3h-fSJR502eSiSm_aOjAa9oNicQEnBquoB1qsZ1g@mail.gmail.com
In reply to Re: add a MAC check for TRUNCATE  (Joe Conway <mail@joeconway.com>)
List pgsql-hackers
On Fri, Sep 6, 2019 at 4:31 PM Joe Conway <mail@joeconway.com> wrote:
>
> On 9/6/19 2:13 PM, Yuli Khodorkovskiy wrote:
> > As Joe Conway pointed out to me out of band, the build animal for RHEL
> > 7 has handle_unknown set to `0`. Are there any other concerns with
> > this approach?
>
>
> You mean deny_unknown I believe.

I do, thanks. Not sure where I pulled handle_unknown from.

>
> "Allow unknown object class / permissions. This will set the returned AV
>   with all 1's."
>
> As I understand it, this would make the sepgsql behavior unchanged from
> before if the policy does not support the new permission.
>
> Joe
>
> > On Fri, Sep 6, 2019 at 1:00 PM Yuli Khodorkovskiy wrote:
> >> The default SELinux policy on Fedora ships with deny_unknown set to 0.
> >> Deny_unknown was added to the kernel in 2.6.24, so unless someone is
> >> using RHEL 5.x, which is in ELS, they will have the ability to
> >> override the default behavior on CentOS/RHEL.
>
>
>
> --
> Crunchy Data - http://crunchydata.com
> PostgreSQL Support for Secure Enterprises
> Consulting, Training, & Open Source Development


