(2010/08/17 11:37), Robert Haas wrote:
>> I might have a reason why the script need to launch in single-user
>> mode, but it is not clear right now, sorry.
>
> Another point here is that I wonder if we really need to label system
> objects at all. Are you applying the same label to all of them? If
> so, perhaps it might be feasible to set up the code so that it simply
> assumes that label for every object in the pg_catalog namespace.
>
No, SELinux provides APIs to suggest what database object should have
what security label on initialization time.
(selabel_open(3), selabel_lookup(3) and selabel_close(3))
It depends on configurations by system admin, so we cannot assume
a certain label for every object in a certain namespace.
> And if you're NOT setting the label the same way on all of them, then
> there's a maintenance issue to think about.
>
Right, I don't want to have multiple way to label them.
Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>