Bug 249522 - Review Request: sepostgresql - Security-Enhanced PostgreSQL
Review Request: sepostgresql - Security-Enhanced PostgreSQL
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
low Severity medium
: ---
: ---
Assigned To: Mamoru TASAKA
Fedora Extras Quality Assurance
:
Depends On: 250494
Blocks:
  Show dependency treegraph
 
Reported: 2007-07-25 08:01 EDT by KaiGai Kohei
Modified: 2007-11-30 17:12 EST (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-09-01 11:00:03 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
mtasaka: fedora‑review+
kevin: fedora‑cvs+


Attachments (Terms of Use)
spec file patch (2.28 KB, patch)
2007-08-01 19:25 EDT, rob
no flags Details | Diff
mock build log of 8.2.4-0.409.beta on rawhide i386 (34.57 KB, text/plain)
2007-08-05 03:47 EDT, Mamoru TASAKA
no flags Details
specfile diff 0.409 to 0.410 (6.09 KB, text/plain)
2007-08-07 11:35 EDT, KaiGai Kohei
no flags Details
mock build log of 410 (478.14 KB, text/plain)
2007-08-07 12:46 EDT, Mamoru TASAKA
no flags Details
init script of sepostgresql-8.2.4-0.418.beta.fc8 (5.52 KB, text/plain)
2007-08-10 02:44 EDT, KaiGai Kohei
no flags Details

  None (edit)
Description KaiGai Kohei 2007-07-25 08:01:21 EDT
Spec URL: http://sepgsql.googlecode.com/files/sepostgresql.spec
SRPM URL: http://sepgsql.googlecode.com/files/sepostgresql-8.2.4-0.403.beta.fc7.src.rpm
Description:
Security-Enhanced PostgreSQL (SE-PostgreSQL) is an extension built-in
PostgreSQL. It applies fine grained mandatory access control to database
objects based on the security policy of SELinux.
This enables consistent application of access controls, as the kernel
and SE-PostgreSQL share a unified security policy scheme.

These features allow the implementation of consistent information flow
control schemes integrated at both the operating system and database
levels. This significantly enhances the security capabilities of the
system, to more robustly protect against security threats such as
information leaking, unauthorized manipulation and destruction of
information.
Comment 1 Yuichi Nakamura 2007-07-30 04:16:42 EDT
Hi, I am not a sponsor, but I saw you spec file.

1)
>Buildrequires: checkpolicy libselinux-devel >= 2.0.13 selinux-policy-devel =
2.6.4-26.sepgsql.fc7
>Requires: policycoreutils >= 2.0.16 libselinux >= 2.0.13 selinux-policy =
2.6.4-26.sepgsql.fc7
I could not build your package.
What is selinux-policy-devel = "2.6.4-26.sepgsql.fc7"?
It it included in fedora?

2)
You have to use more macros throughout spec file.
Such as:
sepostgresql -> %{name}
/usr/share/selinux/devel/Makefile -> %{__datadir}/selinux/devel/Makefile
and also /usr/sbin etc, you can replace them with macros.
See: http://fedoraproject.org/wiki/Packaging/RPMMacros

3)
Your package does not include documentation.
http://fedoraproject.org/wiki/Packaging/Guidelines#head-9bbfa57478f0460c6160947a6bf795249488182b
http://fedoraproject.org/wiki/Packaging/ReviewGuidelines
> - MUST: If (and only if) the source package includes the text of the
license(s) in its own file, then that file, containing the text of the
license(s) for the package must be included in %doc.

4)
Are you using $RPM_OPT_FLAGS/%{optflags}?
http://fedoraproject.org/wiki/Packaging/Guidelines#head-8b14098227aebff1cf6188939e9d0877295ac448
Comment 2 Yuichi Nakamura 2007-07-30 04:32:17 EDT
One more comment,
I can not find download url for source files.

This may be useful:
http://fedoraproject.org/wiki/Packaging/SourceURL

Comment 3 KaiGai Kohei 2007-07-31 12:12:35 EDT
Thanks for your reviewing. The packages are updated based on them.
http://code.google.com/p/sepgsql/downloads/list
Spec URL: http://sepgsql.googlecode.com/files/sepostgresql.spec
SRPM URL: http://sepgsql.googlecode.com/files/sepostgresql-8.2.4-
0.407.beta.fc8.src.rpm

> (1).
> I could not build your package.
> What is selinux-policy-devel = "2.6.4-26.sepgsql.fc7"?
> It it included in fedora?
It is a modified selinux-policy package.
Several Definitions for database related object classes and access vectores are 
added. Because these definitons are currently included in the default selinux-
policy package, we also have to submit the additional definitions into the 
default selinux-policy package.

You can obtain the additional definitions from here:
http://sepgsql.googlecode.com/svn/policy/refpolicy-add-sepgsql-
definitions.fedora8.patch

> (2)
> You have to use more macros throughout spec file.
> Such as:
> sepostgresql -> %{name}
> /usr/share/selinux/devel/Makefile -> %{__datadir}/selinux/devel/Makefile
> and also /usr/sbin etc, you can replace them with macros.

Several standard paths are replaced by the macros.
/etc/rc.d/init.d -> %{_initrddir}
/usr/share -> %{_datadir}
However, I kept a part using /usr/sbin as a path of commands, like semodule,
because these are not changed when %{_prefix} of sepostgresql is over-written.
In addition, this manner follows the "Packaging SELinux Policy Modules (draft)".
  http://fedoraproject.org/wiki/PackagingDrafts/SELinux/PolicyModules

> (3)
> Your package does not include documentation.
The following line was added.
  %doc COPYRIGHT README HISTORY

SE-PostgreSQL is distributed under BSD license, as PostgreSQL.

> (4)
> I can not find download url for source files.

"Source0" got a full location to indicate full location, as follows:
Source0: ftp://ftp.postgresql.org/pub/source/v%{version}/postgresql-%
{version}.tar.gz

Thanks,
Comment 4 KaiGai Kohei 2007-07-31 21:40:25 EDT
Oops, some fix in my comments:

OLD:(1)  Because these definitons are currently included in ...
NEW:(1)' Because these definitons are NOT currently included in ...

OLD:(4)  "Source0" got a full location to indicate full location, as follows:
NEW:(4)' "Source0" got a full location to indicate, as follows:

(In reply to comment #3)
Comment 5 rob 2007-08-01 19:25:59 EDT
Created attachment 160476 [details]
spec file patch

- removes a duplicate Group entry
- changes the buildroot to comply with fedora packaging guidelines
- uses the useradd scriptlet recipe from:
  http://fedoraproject.org/wiki/PackagingDrafts/UsersAndGroups
- does not delete users and groups in postun, per the same guidelines
Comment 6 rob 2007-08-01 19:26:49 EDT
did you successfully build this in mock?  there seem to be missing buildrequires
when i attempt it.

current rpmlint output:
E: sepostgresql non-standard-uid /var/lib/sepgsql sepgsql
E: sepostgresql non-standard-gid /var/lib/sepgsql sepgsql
E: sepostgresql non-standard-dir-perm /var/lib/sepgsql 0700
E: sepostgresql non-standard-uid /var/lib/sepgsql/data sepgsql
E: sepostgresql non-standard-gid /var/lib/sepgsql/data sepgsql
E: sepostgresql non-standard-dir-perm /var/lib/sepgsql/data 0700
E: sepostgresql non-standard-uid /var/lib/sepgsql/backups sepgsql
E: sepostgresql non-standard-gid /var/lib/sepgsql/backups sepgsql
E: sepostgresql non-standard-dir-perm /var/lib/sepgsql/backups 0700
W: sepostgresql incoherent-version-in-changelog 8.2.4-0.407 8.2.4-0.407.beta.fc8
W: sepostgresql dangerous-command-in-%postun userdel
E: sepostgresql subsys-not-used /etc/rc.d/init.d/sepostgresql
Comment 7 KaiGai Kohei 2007-08-01 23:56:53 EDT
Thanks for your comments.

(In reply to comment #5)
> Created an attachment (id=160476) [edit]
> spec file patch
> - removes a duplicate Group entry
> - changes the buildroot to comply with fedora packaging guidelines
> - uses the useradd scriptlet recipe from:
>   http://fedoraproject.org/wiki/PackagingDrafts/UsersAndGroups
I applied these fixes.

> - does not delete users and groups in postun, per the same guidelines
I commented out the userdel and groupdel commands, not removed, because the 
postgresql-server package contains the same commands.
I want to keep it for a while, if no matter.
Comment 8 KaiGai Kohei 2007-08-02 00:08:00 EDT
(In reply to comment #6)
> did you successfully build this in mock?  there seem to be missing 
buildrequires
> when i attempt it.

Your patch intended to add "Requires(pre): shadow-utils", but it is not 
necessary because we can assume some fundamental packages are installed.
See, http://fedoraproject.org/wiki/Packaging/FullExceptionList
The shadow-utils is also contained the list.

> current rpmlint output:
> E: sepostgresql non-standard-uid /var/lib/sepgsql sepgsql
> E: sepostgresql non-standard-gid /var/lib/sepgsql sepgsql
> E: sepostgresql non-standard-dir-perm /var/lib/sepgsql 0700
> E: sepostgresql non-standard-uid /var/lib/sepgsql/data sepgsql
> E: sepostgresql non-standard-gid /var/lib/sepgsql/data sepgsql
> E: sepostgresql non-standard-dir-perm /var/lib/sepgsql/data 0700
> E: sepostgresql non-standard-uid /var/lib/sepgsql/backups sepgsql
> E: sepostgresql non-standard-gid /var/lib/sepgsql/backups sepgsql
> E: sepostgresql non-standard-dir-perm /var/lib/sepgsql/backups 0700

The rpmlint generate same errors, except for paths, for the postgresql-server 
package.
I don't think it's a problem.

> W: sepostgresql incoherent-version-in-changelog 8.2.4-0.407 8.2.4-
0.407.beta.fc8

> W: sepostgresql dangerous-command-in-%postun userdel
As I mentioned above, it's commented out.

> E: sepostgresql subsys-not-used /etc/rc.d/init.d/sepostgresql
/etc/rc.d/init.d/sepostgresql uses pg_ctl to start/stop SE-PostgreSQL server 
process, and it creates lock file under the /var/lib/sepgsql.
Should it be fixed?
Comment 9 rob 2007-08-02 11:41:10 EDT
(In reply to comment #8)
> (In reply to comment #6)
> > did you successfully build this in mock?  there seem to be missing 
> buildrequires
> > when i attempt it.
> 
> Your patch intended to add "Requires(pre): shadow-utils", but it is not 
> necessary because we can assume some fundamental packages are installed.
> See, http://fedoraproject.org/wiki/Packaging/FullExceptionList
> The shadow-utils is also contained the list.

My patch was not meant to address missing BuildRequires.  It was intended to
follow the recipe from the newly ratified users and groups guidelines.

As far as I can tell, the following BuildRequires are missing:
autoconf readline-devel zlib-devel bison

This is a problem because once #250494 is resolved, and the appropriate object
classes are in the selinux policy, sepostgresql will still not build in the
Fedora buildsystem.

> > E: sepostgresql subsys-not-used /etc/rc.d/init.d/sepostgresql
> /etc/rc.d/init.d/sepostgresql uses pg_ctl to start/stop SE-PostgreSQL server 
> process, and it creates lock file under the /var/lib/sepgsql.
> Should it be fixed?

Good question- I am not sure.
Comment 10 Mamoru TASAKA 2007-08-03 01:29:33 EDT
Well, I will read this thread later.
Comment 11 Mamoru TASAKA 2007-08-03 12:04:57 EDT
Umm.. actually I am not familiar with SELinux and I don't know
how to deal with SELinux policy, so I may be missing a lot, however:

* What is the difference between that you ask dwalsh@redhat.com
  to include your SELinux policy of PostgreSQL and that we don't
  modify the default policy of PostgreSQL and release the different
  variant of PostgreSQL as SE-PostgreSQL? (Again I may be missing
  a lot, so please explain....)

  Putting several variants of the same package is generally unwilling.
  For example, once bugs (especially security issues) against
  one variants are reported, we have to ping all variants and check
  if all variants fixed the issues.
  
Comment 12 KaiGai Kohei 2007-08-03 13:36:08 EDT
(In reply to comment #11)

Tasaka-san, Thanks for your comments.

SELinux is a feature implemented in the kernel. It hooks any system call to 
make a decision based on the security policy, whether it should be allowed, or 
not. It enables to control accesses onto resources managed by the kernel, like 
file, socket and so on.
However, the kernel cannot identify user space objects like a window of X, or a 
table of database. It means bare-SELinux cannot control accesses onto user 
space objects.

* What is differences between PostgreSQL with SELinux and SE-PostgreSQL
Both PostgreSQL and SE-PostgreSQL execute system calls to operate something. 
SELinux hooks them as mentioned above. In addition, SE-PostgreSQL hooks any SQL 
query to make a decision based on the policy, whether it should be allowed, or 
not. It means that the security policy enables to control accesses onto 
userspace objects including tables, columns and so on. PostgreSQL does not have 
such a mechanism, so any operation are out of scope of the security policy.
It is the most fundamental difference.

* The reason why I submit a patch for selinux-policy
SELinux has a feature of loadable policy package. It enables to plug/unplug a 
set of security policy without modification of policy source. But some kinds of 
policy are exception.
The definitions of object classes and access vectors are one of exception. It 
defines permissions related to a specific object type.
No need to say, object classes related to database is a new concept for 
SELinux, so these permissions are currently undefined.
The patch I posted complement these lacking definitions.
If these definitions are integrated into the base security policy, we can pack 
the rest of policy within RPM of SE-PostgreSQL. Thus, it is necessary the patch 
to be merged.
Comment 13 Mamoru TASAKA 2007-08-05 03:47:19 EDT
Created attachment 160709 [details]
mock build log of 8.2.4-0.409.beta on rawhide i386

Just from packaging issue:

* Patch0
--------------------------------------------------
Patch0: sepostgresql-%{version}-%{release}.patch
--------------------------------------------------
  - Please don't write in this way. This surely
    fails on F-7 FC-6 (i.e. except for rawhide) because
    release is defined as:
--------------------------------------------------
Release: 0.409%{?sepgextension}%{?dist}
--------------------------------------------------

* BuildRequires
  - rebuild fails at least on rawhide i386. At least 
    autoconf is missing for BuildRequires.

    Even after adding autoconf to BuildRequiers, rebuild
    still fails (build log attached). 
    I cannot proceed review without making srpm rebuilt..

* AutoProv: no
  - Why is this needed?

* CFLAGS
--------------------------------------------------
CFLAGS=`echo $CFLAGS|xargs -n 1|grep -v ffast-math|xargs -n 100`
--------------------------------------------------
  - This is redundant because Fedora's CFLAGS does not contain
    -ffast-math

* Macros
  - Please use macros correctly.
    /var -> %_localstatedir
    /usr/sbin -> %_sbindir

* Install usage
  - Please make sure that "install" "cp" commands keep timestamp.
    i.e. Use "-p" option when using "install" or "cp".

* For group/user adding scripts:
  (from http://fedoraproject.org/wiki/PackagingDrafts/UsersAndGroups :
   this is ratified and now this is not a draft)

(In reply to comment #8)
> Your patch intended to add "Requires(pre): shadow-utils", but it is not 
> necessary because we can assume some fundamental packages are installed.
> See, http://fedoraproject.org/wiki/Packaging/FullExceptionList
> The shadow-utils is also contained the list.
  - FullExceptionList is for BuildRequires, not for Requires.
    So adding "Requires(pre): shadow-utils" is still needed

* Initscripts Conventions
  (check the section "Services"
   http://fedoraproject.org/wiki/Packaging/ScriptletSnippets )
  - Add some Requires(pre) or so on according to the description
    written on above.

* Directory ownership
  - Please make it sure that all the directories newly creted
    by installing this package are surely owned by this package.
    Currently the following directories are not owned.
-----------------------------------------------------------
%{_datadir}/sepgsql/
%{_libdir}/sepgsql/
------------------------------------------------------------

* From the brief check of sepostgresql.init:
  - Usually the commands which are not within normal users' paths
    must be specified with full path (otherwith this will cause
    problems when invoked with sudo rpm -Fvh , for example)
Comment 14 Mamoru TASAKA 2007-08-05 03:49:00 EDT
BTW now rawhide has selinux-policy-3.0.5-1.fc8
Comment 15 KaiGai Kohei 2007-08-05 11:20:10 EDT
(In reply to comment #13)

> * Patch0
> --------------------------------------------------
> Patch0: sepostgresql-%{version}-%{release}.patch
> --------------------------------------------------
>   - Please don't write in this way. This surely
>     fails on F-7 FC-6 (i.e. except for rawhide) because
>     release is defined as:
> --------------------------------------------------
> Release: 0.409%{?sepgextension}%{?dist}
> --------------------------------------------------

Is it possible to use an immediate version identifier instead of "${version}-%
{release}", like "Patch0: sepostgresql-0.409.patch" ?
If not so, we cannot identify differenct patches.

> * AutoProv: no
>   - Why is this needed?

It got unnecessary in the current version.
I'll remove it.

> * CFLAGS
> --------------------------------------------------
> CFLAGS=`echo $CFLAGS|xargs -n 1|grep -v ffast-math|xargs -n 100`
> --------------------------------------------------
>   - This is redundant because Fedora's CFLAGS does not contain
>     -ffast-math

It's just a copy from postgresql.spec.
I'll remove it.

> * Macros
>   - Please use macros correctly.
>     /var -> %_localstatedir
>     /usr/sbin -> %_sbindir

The translation of "/usr/sbin -> %_sbindir" also targets /usr/sbin/semodule?
In my understanding, the location of external commands don't have any 
relationship with %_prefix of sepostgresql.

I don't have any specific note for the rest of your comments.
I'll fix them. Please wait for updating the specfile.

Thanks,
Comment 16 Mamoru TASAKA 2007-08-05 13:16:01 EDT
(In reply to comment #15)
> The translation of "/usr/sbin -> %_sbindir" also targets /usr/sbin/semodule?
  Yes.
> In my understanding, the location of external commands don't have any 
> relationship with %_prefix of sepostgresql.
 - Actually policycoreutils spec file uses %_sbindir . Using proper
   macros is necessary because we have to make it sure that spec files in
   Fedora follow FHS. So we expect that semodule is under %_sbindir.
   Let's say %_prefix changes, then if macros are used properly, all the
   affected commands will change the location properly. If you still
   use /usr/sbin, it surely fails.
Comment 17 KaiGai Kohei 2007-08-07 11:35:43 EDT
Created attachment 160820 [details]
specfile diff 0.409 to 0.410
Comment 18 Mamoru TASAKA 2007-08-07 11:42:34 EDT
Please upload full spec/srpm so that we can check them
easily :)
Comment 19 KaiGai Kohei 2007-08-07 11:46:48 EDT
Comment on attachment 160820 [details]
specfile diff 0.409 to 0.410

I updated sepostgresql.spec as the attachment.
* Macros are removed from Patch0: line.
* "AutoProv: no" is removed.
* Several needed packages are added into BuildRequires. These are imported from
the postgresql package's description.
* Several needed packages are added into Requires(xxx).
* add '-p' option into cp and install command.
* Redundant script to strip -ffast-math is removed.
* unnecessary '/' is removed.
* '/var' -> %{_localstatedir}
* '/usr/sbin' -> %{_sbindir}
* using /sbin/service instead of /etc/init.d/%{name}
* %dir %{_datadir}/sepgsql and %dir %{_libdir}/sepgsql are added, for owning
directories.
Comment 20 KaiGai Kohei 2007-08-07 11:48:59 EDT
(In reply to comment #18)
> Please upload full spec/srpm so that we can check them
> easily :)

SpecUrl: http://sepgsql.googlecode.com/files/sepostgresql.spec
SrpmUrl: http://sepgsql.googlecode.com/files/sepostgresql-8.2.4-
0.410.beta.fc8.src.rpm
Comment 21 KaiGai Kohei 2007-08-07 11:55:42 EDT
(In reply to comment #14)
> BTW now rawhide has selinux-policy-3.0.5-1.fc8

I found a problem with the selinux-policy-devel-3.0.5-1.fc8 as I reported to 
fedora-selinux list as follows:
http://marc.info/?l=fedora-selinux-list&m=118645893208232&w=2

Thus, the base policy of SE-PostgreSQL is still selinux-policy-3.0.4-1.fc8 for 
the rawhide.
Comment 22 Mamoru TASAKA 2007-08-07 12:46:02 EDT
Created attachment 160828 [details]
mock build log of 410

This time many files are installed but not listed.
Comment 23 KaiGai Kohei 2007-08-08 00:04:08 EDT
(In reply to comment #22)
> mock build log of 410
> This time many files are installed but not listed.

These unpacked files are not necessary for the sepostgresql package.

SE-PostgreSQL provides several features as a database server, like as 
postgresql-server package provides, so we don't need to pack all of files 
installed, such as frontend utilities, HTML documentation and header and 
library files.

In the native postgresql case, these are also unpacked in postgresql-server 
package. Rest of subpackages contain them.

Removing them makes harder to maintain the package, so I 
applied "_unpackaged_files_terminate_build" configuration.

Thanks,
Comment 24 Mamoru TASAKA 2007-08-08 13:26:36 EDT
Well, actually unless bug 250494 is resolved, it seems that
I cannot go further on this review request??

However for initscripts:
* lock file and pid file
  - Usually when daemon is running, there should be two files
    - /var/run/<daemon name>.pid - contains the info of the pid
                                   number
    - /var/lock/subsys/<daemon name>
    (Please refer to
     http://fedoraproject.org/wiki/FCNewInit/Initscripts 
     Although I am not sure to what degree we should follow
     these guidelines... and "Init Script Functions" seems to
     be supported only partially)

* status
  - and what does "service sepostgresql status" return?
    Usually the format is:
----------------------------------------------------
[root@localhost ~]# LANG=C service xfs status
xfs (pid 2343) is running...
----------------------------------------------------
Comment 25 KaiGai Kohei 2007-08-10 02:44:38 EDT
Created attachment 161040 [details]
init script of sepostgresql-8.2.4-0.418.beta.fc8

Here is the new version of SE-PostgreSQL
SpecURL: http://sepgsql.googlecode.com/files/sepostgresql.spec
SrpmURL:
http://sepgsql.googlecode.com/files/sepostgresql-8.2.4-0.418.beta.fc8.src.rpm

(In reply to comment #24)
> Well, actually unless bug 250494 is resolved, it seems that
> I cannot go further on this review request??

Yes, it depends on selinux-package with object classes definition for
SE-PostgreSQL, so it has to be resolved.
Fortunatelly, these new object classes are merged into the upstreamed reference
policy yesterday.
I think it will be integrated within the selinux-policy package soon.
  http://marc.info/?l=selinux&m=118666527208126&w=2

The new version of SE-PostgreSQL contains some modifications of the init
script.
> However for initscripts:
> * lock file and pid file
>   - Usually when daemon is running, there should be two files
>     - /var/run/<daemon name>.pid - contains the info of the pid
>				     number
>     - /var/lock/subsys/<daemon name>
I added a code to create lock file and pid file on startup, and to remove them
on shutdown. rpmlint got a silent.

I uses "/var/lock/subsys/${NAME}.lock" as a pathname of the lock file.
It is same manner with postgresql's one, but rpmlint made warnings.
Should it be replaced by an immediate value?

> * status
>   - and what does "service sepostgresql status" return?
>     Usually the format is:
> ----------------------------------------------------
> [root@localhost ~]# LANG=C service xfs status
> xfs (pid 2343) is running...
> ----------------------------------------------------

It displays the following message.
------------------------------------------
[root@masu ~]# service sepostgresql status
sepostgresql: server is running (PID: 11726)
[root@masu ~]# service sepostgresql stop
Stopping sepostgresql service:				   [  OK  ]
[root@masu ~]# service sepostgresql status
sepostgresql: no server running
[root@masu ~]# echo $?
3
[root@masu ~]#
------------------------------------------

In addition, I updated the path of the commands run by /sbin/runuser as
follows:
| cd ${SEPGSQL_BIN}
| /sbin/runuser sepgsql -- -c "./pg_ctl -D ${SEPGSQL_DATA} status"

When /sbin/runuser is run with CWD sepgsql cannot access, typically /root, a
noisy warnning message will be generated.
"cd ${SEPGSQL_BIN}" ensure that sepgsql can be placed on his accesable CWD.
Comment 26 KaiGai Kohei 2007-08-18 14:54:25 EDT
SpecURL: http://sepgsql.googlecode.com/files/sepostgresql.spec
SrpmURL: http://sepgsql.googlecode.com/files/sepostgresql-8.2.4-
0.427.beta.fc8.src.rpm

The SE-PostgreSQL package is updated.
It contains the following fixes.

1. A bug in the sepostgresql security policy module was fixed.
  An administration domain could execute a function with sepgsql_user_proc_t.
  The policy developer intend to deny it.

2. A script in the specfile was fixed.
  The name of the SELinux object classes are changed.
  We appanded "db_" prefix onto any object classed related to SE-PostgreSQL 
  while we have a discussion in the selinux-list.
  Therefore, "SECCLASS_DATABASE" is also renamed to "SECCLASS_DB_DATABSE",
  and a script to calculate its value in %build section is changed.

3. sepostgresql-pg_dump-renaming.patch is added
  pg_dumpall calls pg_dump internally, however, SE-PostgreSQL package installs
  an enhanced pg_dump(all) as sepg_dump(all) to avoid confliction with the
  native postgresql package.
  This small patch enables sepg_dumpall to use sepg_dump.
Comment 27 KaiGai Kohei 2007-08-18 15:00:46 EDT
FYI:

dwalsh has a plan to merge the upstreamed reference policy into the selinux-
policy package on the next Monday.
It contains the required definitions of object classes/permission, so we will 
restart the reviewing process soon. :)
Comment 28 Mamoru TASAKA 2007-08-18 20:23:10 EDT
(In reply to comment #27)
> FYI:
> 
> dwalsh has a plan to merge the upstreamed reference policy into the selinux-
> policy package on the next Monday.

Good news!
Then I will recheck this package again.
Comment 29 Mamoru TASAKA 2007-08-18 20:32:26 EDT
(When new selinux-policy is published, please update your
 spec/srpm.
 And you are splitting writing srpm URL into two lines? Please
 write srpm URL in one line (even if it is long) so that we can
 download it easily)
Comment 30 KaiGai Kohei 2007-08-22 13:18:27 EDT
SpecURL: http://sepgsql.googlecode.com/files/sepostgresql.spec
SrpmURL: http://sepgsql.googlecode.com/files/sepostgresql-8.2.4-
0.428.beta.fc8.src.rpm

The SE-PostgreSQL package is updated.
It depends on selinux-policy-3.0.6 or latest, not a SE-PostgreSQL specific one.

(In reply to comment #29)
>  And you are splitting writing srpm URL into two lines?
Unfortunatelly, it is splitted into two lines implicitly. :(
Comment 31 KaiGai Kohei 2007-08-22 22:17:29 EDT
[Spec URL]
http://sepgsql.googlecode.com/files/sepostgresql.spec
[SRPM URL]
http://sepgsql.googlecode.com/files/sepostgresql-8.2.4-0.428.beta.fc8.src.rpm

# just a test to avoid splitting, please ignore.
Comment 32 Mamoru TASAKA 2007-08-24 02:26:37 EDT
Now selinux-policy 3.0.6-1.fc8 is rebuilt.
I am checking comment 31 now, however:
-------------------------------------------------------------
NOTE: Before being sponsored:

This package may be accepted with another few (or some) work. 
But before I accept this package, someone (I am a candidate) 
must sponsor you.

Once you are sponsored, you have the right to review other 
submitters' review requests and approve the packages formally. 
For this reason, the person who want to be sponsored (like you) 
are required to "show that you have an understanding 
of the process and of the packaging guidelines" as is described
on :
http://fedoraproject.org/wiki/PackageMaintainers/HowToGetSponsored

Usually there are two ways to show this.
A. submit other review requests with enough quality.
B. Do a "pre-review" of other person's review request
   (at the time you are not sponsored, you cannot do
   a formal review)

When you have submitted a new review request or have pre-reviewed other 
person's review request, please write the bug number on this bug report 
so that I can check your comments or review request.

Fedora package collection review requests which are waiting for someone to
review can be checked on:
http://fedoraproject.org/PackageReviewStatus/NEW.html
(NOTE: please don't choose "Merge Review")


Review guidelines are described mainly on:
http://fedoraproject.org/wiki/Packaging/ReviewGuidelines
http://fedoraproject.org/wiki/Packaging/Guidelines
http://fedoraproject.org/wiki/Packaging/ScriptletSnippets
------------------------------------------------------------
Comment 33 Mamoru TASAKA 2007-08-24 03:58:22 EDT
Well, for 428:

= rebuild
  - rebuild seems okay on all archs (i386 x86_64 ppc ppc64)
    http://koji.fedoraproject.org/koji/taskinfo?taskID=123684

* Scriptlets requirement
  - As %post and %postun calls commands in policycoreutils,
    "Requires(post)" and "Requires(postun)" should also have
    policycoreutils.

* macros in %changelog
  - Please don't use macros in changelog. If you want to
    write .fc8 in %changelog, please write it explicitly
    (normally, we simply omit %dist part)
    https://www.redhat.com/archives/fedora-devel-list/2007-August/msg01580.html

Other things are okay. Also check my comment 32.
Comment 34 KaiGai Kohei 2007-08-24 07:48:13 EDT
I updated the packeges as follows:
[Spec URL]
http://sepgsql.googlecode.com/files/sepostgresql.spec
[SRPM Url]
http://sepgsql.googlecode.com/files/sepostgresql-8.2.4-0.429.beta.fc8.src.rpm

- "policycoreutils" is added into Requires(post) and Requires(postun)
- Any macro are simply removed from %changelog

(In reply to comment #32)
> Once you are sponsored, you have the right to review other 
> submitters' review requests and approve the packages formally. 

OK, I'll join the reviewing for several packages.
Comment 35 Mamoru TASAKA 2007-08-24 11:09:22 EDT
(In reply to comment #34)
> (In reply to comment #32)
> > Once you are sponsored, you have the right to review other 
> > submitters' review requests and approve the packages formally. 
> 
> OK, I'll join the reviewing for several packages.

Well, just to confirm that I want to see your pre-review or your another
review request _before_ I approve this package.
Comment 36 KaiGai Kohei 2007-08-24 11:25:37 EDT
At first, I posted my reviews for two PostgreSQL related packages.

Bug #251805: postgresql-orafce - Implementation of some Oracle functions into 
PostgreSQL
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=251805

Bug #246782: postgresql-plr - Procedural language interface between PostgreSQL 
and R
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=246782

(In reply to comment #35)
> Well, just to confirm that I want to see your pre-review or your another
> review request _before_ I approve this package.

Is it correct for your intention?
Comment 37 Mamoru TASAKA 2007-08-24 12:30:53 EDT
(In reply to comment #36)
> (In reply to comment #35)
> > Well, just to confirm that I want to see your pre-review or your another
> > review request _before_ I approve this package.
> 
> Is it correct for your intention?

Actually "before".

Okay.
* spec/srpm good
* rebuilds properly
  http://koji.fedoraproject.org/koji/taskinfo?taskID=125954
* can be installed properly, seems to work well
* from very quick check your pre-review seems good

-------------------------------------------------------------
   This package (sepostgresql) is APPROVED by me
-------------------------------------------------------------

Please follow the procedure according to:
http://fedoraproject.org/wiki/PackageMaintainers/Join
from "Get a Fedora Account".
At a point a mail should be sent to sponsor members which notifies
that you need a sponsor (at the stage, please also write on
this bug for confirmation that you requested for sponsorship)
Then I will sponsor you.

If you want to import this package into Fedora 7, you also have
to look at
http://fedoraproject.org/wiki/Infrastructure/UpdatesSystem/Bodhi-info-DRAFT
(after once you rebuilt this package on Fedora rebuilding system).

If you have questions, please ask me.

Comment 38 Mamoru TASAKA 2007-08-24 13:43:07 EDT
Now I am sponsoring you.
Comment 39 KaiGai Kohei 2007-08-24 13:50:27 EDT
(In reply to comment #37)
> Okay.
> * spec/srpm good
> * rebuilds properly
>   http://koji.fedoraproject.org/koji/taskinfo?taskID=125954
> * can be installed properly, seems to work well
> * from very quick check your pre-review seems good
> -------------------------------------------------------------
>    This package (sepostgresql) is APPROVED by me
> -------------------------------------------------------------

Thanks,

> Please follow the procedure according to:
> http://fedoraproject.org/wiki/PackageMaintainers/Join
> from "Get a Fedora Account".
> At a point a mail should be sent to sponsor members which notifies
> that you need a sponsor (at the stage, please also write on
> this bug for confirmation that you requested for sponsorship)
> Then I will sponsor you.

I got a Fedora account as "kaigai", and made a request to belong to
"cvsextras" and "fedoradebugs" group.
(And it was approved during I'm writing this comment.)

I have to set up the Build-System Client Tools next, don't you?

> If you want to import this package into Fedora 7, you also have
> to look at
> http://fedoraproject.org/wiki/Infrastructure/UpdatesSystem/Bodhi-info-DRAFT
> (after once you rebuilt this package on Fedora rebuilding system).
> If you have questions, please ask me.

Unfortunatelly, it is not possible, because the selinux-policy package in 
Fedora 7 does not contains the definitions of object classes and permissions, 
as mentioned in Bug #250494 .
Comment 40 Mamoru TASAKA 2007-08-24 13:57:15 EDT
(In reply to comment #39)
> I got a Fedora account as "kaigai", and made a request to belong to
> "cvsextras" and "fedoradebugs" group.
> (And it was approved during I'm writing this comment.)
> 
> I have to set up the Build-System Client Tools next, don't you?
Yes, please go on.

> > If you want to import this package into Fedora 7, you also have
> > to look at
> > http://fedoraproject.org/wiki/Infrastructure/UpdatesSystem/Bodhi-info-DRAFT
> > (after once you rebuilt this package on Fedora rebuilding system).
> > If you have questions, please ask me.
> 
> Unfortunatelly, it is not possible, because the selinux-policy package in 
> Fedora 7 does not contains the definitions of object classes and permissions, 
> as mentioned in Bug #250494 .
Okay.

Comment 41 KaiGai Kohei 2007-08-25 09:25:57 EDT
New Package CVS Request
=======================
Package Name: sepostgresql
Short Description: Security-Enhanced PostgreSQL
Owners: kaigai
Branches:
InitialCC:
Cvsextras Commits: no
Comment 42 KaiGai Kohei 2007-08-25 21:07:31 EDT
New Package CVS Request
=======================
Package Name: sepostgresql
Short Description: Security-Enhanced PostgreSQL
Owners: kaigai
Branches:
InitialCC:
Cvsextras Commits: no

----
I'm wondering whether the New Package CVS Request is delivered correctly, 
because the Comment #41 has not appeared on the fedora-package-review list for 
half of a day.
(Is there something related to yesterday's maintenance of the Bugzilla?)
Comment 43 Kevin Fenzi 2007-08-26 17:41:28 EDT
I see that this package "Conflicts: postgresql-server". Why? 
Can't you simply add a 'se' prefix on to conflicting filenames from that package? 
See: http://fedoraproject.org/wiki/Packaging/Conflicts

In particular: "There are many types of files which can conflict between
multiple packages. Fedora strongly discourages using Conflicts: to resolve these
cases."
Comment 44 KaiGai Kohei 2007-08-26 18:59:57 EDT
It is not possible obviously.
The PostgreSQL implimentation which SE-PostgreSQL is based on uses its program 
name internally, so it is hard to prove the renaming gives us no degrading.

In addition, SE-PostgreSQL has to work for the database clients as if native 
PostgreSQL works on. Therefore, SE-PostgreSQL provides its service using the 
same network port (5432) to avoid client side modifications, but we cannot use 
both packages in same time.
It is a "implicit conflicts" with postgresql-server package.

Thanks,
Comment 45 Mamoru TASAKA 2007-08-27 00:49:42 EDT
So Kevin, what prevents this from getting imported?
Comment 46 Toshio Ernie Kuratomi 2007-08-27 13:35:32 EDT
Rereading the Conflicts Guidelines with your comments in mind I think I see a
point of confusion.  The "Implicit Conflicts" section highlights the fact that
implicit conflicts are never acceptable.  It says that all conflicts must be
explicit (marked with Conflicts: PKG).  If I understand, your reading of that
section is what leads you to mark the package Conflicts: postgresql-server.

However, that section, taken in context with the preceding paragraph is meant
only to convey that implicit conflicts are disallowed.  To use "Conflicts: PKG"
you still need to fit under one of the other categories (presently "Other
Functionality" or "Compat Packages") which this package does not.

This package comes closest to the "Binary Name Conflicts" section.  In that
section, two alternatives are given: Rename the files (in this case you would
also have to use a different port) or use alternatives to manage the dual install.

This package is a prime candidate for alternatives as it creates binaries that
are commandline compatible with postgresql-server and needs to use the same
port.  You'll need to talk to Tom Lane (tgl redhat.com; now CC'd), the
postgresql maintainer about how he feels about doing that with the main postgres
package.  He might also have a different idea on how to make the packages co-exist.

If you and tgl decide that Conflicts really is the best way to go, present your
reasoning to the Packaging Committee (fedora-packaging redhat.com) so they can
consider adding another case where "Conflicts: PKG" is allowed. 

As a side note: I think that using rm to clean up files that you don't want to
include in the package is much cleaner than using
  %define _unpackaged_files_terminate_build 0
Turning off the check is using a bigger stick than necessary.  Turning off the
check means that you won't be warned of cases where the build changes and starts
creating differently named binaries or new files that you actually want to
install.  Using rm will target specific files so it's more future proof.
Comment 47 KaiGai Kohei 2007-08-27 14:49:06 EDT
(In reply to comment #46)
> Rereading the Conflicts Guidelines with your comments in mind I think I see a
> point of confusion.  The "Implicit Conflicts" section highlights the fact that
> implicit conflicts are never acceptable.  It says that all conflicts must be
> explicit (marked with Conflicts: PKG).
I might have a bit misunderstandings.

> This package comes closest to the "Binary Name Conflicts" section.  In that
> section, two alternatives are given: Rename the files (in this case you would
> also have to use a different port) or use alternatives to manage the dual 
install.

If possible, I want to avoid to apply the renaming approach, because it requires
us unnecessary differences from the native PostgreSQL, and the difference may
degrade the quality of package.

However, it seems to me that using alternatives is also overdoing approach,
because SE-PostgreSQL is a software to provide an advanced experimental feature
and has much less users than the native PostgreSQL.

> This package is a prime candidate for alternatives as it creates binaries that
> are commandline compatible with postgresql-server and needs to use the same
> port.  You'll need to talk to Tom Lane (tgl redhat.com; now CC'd), the
> postgresql maintainer about how he feels about doing that with the main 
postgres
> package.  He might also have a different idea on how to make the packages co-
exist.
> If you and tgl decide that Conflicts really is the best way to go, present 
your
> reasoning to the Packaging Committee (fedora-packaging redhat.com) so they can
> consider adding another case where "Conflicts: PKG" is allowed. 

I also want to hear his opinion.

In my opinion, we should add the third case to apply Conflicts: tag.
When the package provides an experimental feature based on existing package,
it can use Conflicts: tag to separate from the native package.

It may correspond with the filename conflicts cases, but applying alternatives
between the experimental package and the native package is like as comparison
between a giant and an ant. It's not a realistic way.

> As a side note: I think that using rm to clean up files that you don't want to
> include in the package is much cleaner than using
>   %define _unpackaged_files_terminate_build 0
> Turning off the check is using a bigger stick than necessary.  Turning off the
> check means that you won't be warned of cases where the build changes and 
starts
> creating differently named binaries or new files that you actually want to
> install.  Using rm will target specific files so it's more future proof.

At the first, I didn't use "_unpackaged_files_terminate_build", but I had to put
massive 'rm' commands.
I can remove it and remove unnecessary files, but I don't know whether it is
simple, or not.

Thanks,
Comment 48 Tom Lane 2007-08-27 15:04:31 EDT
Trying to conflict with just one subpackage of the postgresql group seems like a pretty bad idea.  For 
example, the PL and -test subpackages Require: postgresql-server, which would mean you'd have to 
duplicate those as se-specific versions.  (Which maybe you have to do anyway, for the PLs ... are they 
going to be binary-compatible?  What about postgresql-contrib?)

Using alternatives is a possibility, but I'm not real excited about it because of its invasive effects on the 
regular postgresql package.  I've also been reminded the hard way recently that RPM is not good about 
package upgrades that involve replacing files/directories with symlinks or vice versa; I'm afraid we'd hit 
one of those gotchas while trying to upgrade a postgresql installation into an alternatives-based setup.

I don't see the reason why you can't make it install parallel files with different names (sepostgres etc).
The argument that some error messages include the program name seems a bit silly, and it's been 
awhile since there were any hard dependencies on the executable name.

Rather than Conflicts: postgresql-server, I wonder whether you shouldn't be trying to Require: 
postgresql-server = %{version} so that you can share whichever files are in common, instead of 
shipping duplicates.
Comment 49 KaiGai Kohei 2007-08-27 18:43:58 EDT
(In reply to comment #48)
> For example, the PL and -test subpackages Require: postgresql-server, which
> would mean you'd have to duplicate those as se-specific versions.

Indeed, you are correct. It's a demerit of using Conflict: tag.

> I don't see the reason why you can't make it install parallel files with
> different names (sepostgres etc).
> The argument that some error messages include the program name seems a bit
> silly, and it's been awhile since there were any hard dependencies on the
> executable name.

I don't say it is not possible, but I was anxious about this change may
invoke unexpected problems.

pg_ctl and initdb invoke the hardcoded "postgres", so we have to patch them
in the sepostgresql package at least.

Just I confirmed the /usr/bin/postgres source. Several codes seems invoke
the hardcoded "postgres", but most of them are enclosed by "#ifdef 
EXEC_BACKEND",
so it seems to me the binary name does not give us any significant affect.

OK, I try to rename the binary, and confirm its works.

> Rather than Conflicts: postgresql-server, I wonder whether you shouldn't be
> trying to Require: postgresql-server = %{version} so that you can share
> whichever files are in common, instead of shipping duplicates.

Maybe, we can omit any libraries (like utf8_and_euc_jp.so) and timezone data.

Thanks,
Comment 50 KaiGai Kohei 2007-08-27 23:20:13 EDT
[SpecURL]
http://sepgsql.googlecode.com/files/sepostgresql.spec
[SrpmURL]
http://sepgsql.googlecode.com/files/sepostgresql-8.2.4-0.432.beta.fc8.src.rpm

I updated the sepostgresql package as follows:
- several binary files are renamed
 * /usr/bin/initdb     -> /usr/bin/initdb.sepgsql
 * /usr/bin/pg_ctl     -> /usr/bin/sepg_ctl
 * /usr/bin/postgres   -> /usr/bin/sepostgres
 * /usr/bin/postmaster -> /usr/bin/postmaster
 * /usr/bin/pg_dump    -> /usr/bin/sepg_dump
 * /usr/bin/pg_dumpall -> /usr/bin/sepg_dumpall
   (pg_dump and pg_dumpall also have "se" prefix in older version)
- add Requires: postgresql-server, instead of Conflicts: postgresql-server
- several duplicate files with postgresql-server are removed,
  such as /usr/bin/ipcclean, /usr/lib/sepgsql/*.so and manpages in section 1.
- shared loadable modules are deployed on /usr/lib/pgsql to share them.
- "%define _unpackaged_files_terminate_build 0" is removed

In my simple test, it seems to work fine.

Could you review and check the specfile again?
I modified it a bit drastically.

Thanks,
Comment 51 KaiGai Kohei 2007-08-27 23:23:34 EDT
(In reply to comment #50)
> - several binary files are renamed
>  * /usr/bin/postmaster -> /usr/bin/postmaster
                            ^^^^^^^^^^^^^^^^^^^
                            /usr/bin/sepostmaster
Sorry, it's a typo.
Comment 52 Tom Lane 2007-08-27 23:54:13 EDT
FWIW, you could probably drop sepostmaster altogether --- that symlink is only kept around for 
compatibilty with pre-8.2 startup scripts.  If you're going to teach a launch script to start sepostmaster, 
you might as well teach it to start sepostgres, and not bother with the extra symlink.
Comment 53 Kevin Fenzi 2007-08-28 00:44:26 EDT
I'm going to unset the fedora-cvs flag on here. 
Once everything is hashed out, please reset it for the cvs request. 
Comment 54 Mamoru TASAKA 2007-08-28 01:17:30 EDT
Also I reset fedora review flag to question.
Comment 55 KaiGai Kohei 2007-08-28 02:09:08 EDT
[SpecURL]
http://sepgsql.googlecode.com/files/sepostgresql.spec
[SrpmURL]
http://sepgsql.googlecode.com/files/sepostgresql-8.2.4-0.433.beta.fc8.src.rpm

(In reply to comment #52)
> FWIW, you could probably drop sepostmaster altogether --- that symlink
> is only kept around for compatibilty with pre-8.2 startup scripts.

Your pointed out is fair enough.
I dropped "/usr/bin/sepostgresql" in the updated package.
Comment 56 KaiGai Kohei 2007-08-28 04:29:18 EDT
(In reply to comment #55)
> I dropped "/usr/bin/sepostgresql" in the updated package.

Oops, it was "/usr/bin/sepostmaster", no need to say.
Comment 57 KaiGai Kohei 2007-08-28 18:20:18 EDT
[SpecURL]
http://sepgsql.googlecode.com/files/sepostgresql.spec
[SrpmURL]
http://sepgsql.googlecode.com/files/sepostgresql-8.2.4-0.434.beta.fc8.src.rpm

(In reply to comment #48)
> For example, the PL and -test subpackages Require: postgresql-server,
> which would mean you'd have to duplicate those as se-specific versions.
> (Which maybe you have to do anyway, for the PLs ... are they going to
> be binary-compatible?  What about postgresql-contrib?)

The binary-compatibilities strongly depends on the internal implementation.
Because SE-PostgreSQL modifies several data structure like HeapTupleHeader
to store its security attribute, we cannot share *.so files in binary-
compatible.
Therefore, these are deployed on "/usr/lib/sepgsql" in the updated version,
as the previous one.
This manner follows "Library Name Conflicts" in the Conflicts Guidelines.

As you mentioned, when we use any other PL- or contrib modules, these also
have to be built for SE-PostgreSQL. However, these are not duplicate ones.

I want the latest one to be reviewed and be put on the next phase again.
Thanks,
Comment 58 Tom Lane 2007-08-29 00:49:26 EDT
Hmm ... if you changed HeapTupleHeader then it is pretty much completely unsafe to load *any* standard 
extension module into sepostgres; we have no way to tell which ones depend on that data structure.  But I 
think all the PLs do, and many contrib modules do, so none of those RPMs are compatible and you need to 
supply substitutes.

I wonder if it'd be feasible to hide the sepostgres add-on data into the t_hoff padding, the way OIDs have 
been handled the last few releases?  It's a bit of a long shot, but otherwise we're going to have a real hard 
time with binary dependencies.
Comment 59 KaiGai Kohei 2007-08-29 01:49:35 EDT
(In reply to comment #58)
> I wonder if it'd be feasible to hide the sepostgres add-on data into
> the t_hoff padding, the way OIDs have been handled the last few releases?
> It's a bit of a long shot, but otherwise we're going to have a real hard 
> time with binary dependencies.

In SE-PostgreSQL, all tuples have a its security attribute without any 
exception,
and I made a decision it's not necessary this field with flexible length.
It is the reason why I didn't use t_hoff padding to store security attribtue.

Your suggestion seems to me fine enough. However, I hesitate to apply it onto
the 8.2.x based SE-PostgreSQL now, because this change affects so wide range.
I want this change to be queued for 8.3.x based SE-PostgreSQL.

In the current version, I believe that installing se- version module into
"/usr/lib/sepgsql" is the best way to enhance its functionality.

Thanks,
Comment 60 Devrim GUNDUZ 2007-08-29 05:35:44 EDT
Personally, I'm against pushing this package to Fedora. SEPostgreSQL is not
tested widely yet -- and it is thought as a replacement of original PostgreSQL.
If people, who are already running their databases on PostgreSQL, wants to
switch to SEPostgreSQL and if it is broken somewhere, it will harm the good
reputation of PostgreSQL in terms of stability.

If someone calls for a vote, I strongly object to adding this package to Fedora
/ EPEL.

0.02 cents.

Regards, Devrim
Comment 61 KaiGai Kohei 2007-08-29 06:58:49 EDT
(In reply to comment #60)
I can admit that any software contains bugs more or less.
However, I cannot understand your opinion.
In generally, if people who are already running their database on PostgreSQL,
switch to SE-PostgreSQL and if it is broken somewhere, they will switch back
it to the original PostgreSQL.
No need to say, it will be a reputation of SE-PostgreSQL, not original one.

In addition, getting merged into Fedora encourage widely test of SE-PostgreSQL.
I think it should be merged to resolve your concern also.
Comment 62 Devrim GUNDUZ 2007-08-29 08:14:58 EDT
Hi,

(In reply to comment #61)
> (In reply to comment #60)
> In generally, if people who are already running their database on PostgreSQL,
> switch to SE-PostgreSQL and if it is broken somewhere, they will switch back
> it to the original PostgreSQL.

Ouch! So you don't care about the downtime? :(

> In addition, getting merged into Fedora encourage widely test of 
> SE-PostgreSQL. I think it should be merged to resolve your concern also.

Fedora is *not* for testing packages, IMHO. 

Regards, Devrim

Comment 63 rob 2007-08-29 08:21:40 EDT
(In reply to comment #60)
> Personally, I'm against pushing this package to Fedora. SEPostgreSQL is not
> tested widely yet -- and it is thought as a replacement of original PostgreSQL.

i disagree that SE-PostgreSQL is thought of as a replacement of PostgreSQL. 
furthermore, that concern could be addressed with adding sufficient warning to
SE-PostgreSQL's %description.

> If people, who are already running their databases on PostgreSQL, wants to
> switch to SEPostgreSQL and if it is broken somewhere, it will harm the good
> reputation of PostgreSQL in terms of stability.

i think the reasonable conclusion is that SE-PostgreSQL is broken somewhere and
to switch back to PostgreSQL.

Fedora is on the leading edge of SELinux development, and thus is a perfect
place to test this extension of PostgreSQL.
Comment 64 KaiGai Kohei 2007-08-29 09:04:46 EDT
(In reply to comment #63)
Rob, thanks for your comment.
I also think your opinions are correct.

Comment 65 Yuichi Nakamura 2007-08-29 09:29:11 EDT
(In reply to comment #63)
I agree with rob.

People will think postgreSQL and SE-PostgreSQL is different.
People who want postgreSQL usally installs usual postgreSQL.
People who install SE-PostgreSQL will know SE-PostgreSQL have different feature.

>furthermore, that concern could be addressed with adding sufficient warning to
>SE-PostgreSQL's %description.
I agree this too, to avoid misunderstanding.



Comment 66 Devrim GUNDUZ 2007-08-29 09:44:43 EDT
Hi,

(In reply to comment #63)
> i disagree that SE-PostgreSQL is thought of as a replacement of PostgreSQL. 
> furthermore, that concern could be addressed with adding sufficient warning to
> SE-PostgreSQL's %description.

How many people read the %description parts, guys?

> i think the reasonable conclusion is that SE-PostgreSQL is broken somewhere 
> and to switch back to PostgreSQL.

As I wrote before, this means a downtime , and usually There Is No Time For
Downtime.

> Fedora is on the leading edge of SELinux development, and thus is a perfect
> place to test this extension of PostgreSQL.

Fedora is not the place to test a replacement for PostgreSQL. 

We are talking about a database server guys, not a browser, or text editor, or such.

Regards, Devrim
Comment 67 KaiGai Kohei 2007-08-29 10:18:53 EDT
(In reply to comment #66)
It is not a generic situation to replace a significant working system
by an unknown package, without enough evaluation and verification.
Especially, if it is required to minimize its downtime.

In addition, we are understanding that Fedora project positively fetch
many advanced and experimental features. These experimences are leveraged
in Red Hat Enterprise Linux and feedbacked to the later versions of Fedora.
Comment 68 manuel wolfshant 2007-08-29 10:39:06 EDT
No production server should be using rawhide. Whoever uses rawhide knows that
there is an experimental part over there. Therefore I think that rawhide is a
very food test place for SE-PostgreSQL. But the package should not be pushed to
stable without performing extensive testing first.
Comment 69 KaiGai Kohei 2007-08-29 11:19:26 EDT
I like to return the topic about package reviewing.

At the point of Comment #57, I added Requires: tag with postgresql-server
instead of Conflicts: tag, and several binaries are renamed with "se" prefix
or ".sepgsql" postfix.
"%define _unpackaged_files_terminate_build 0" is removed, and all unnecessary
files became to be removed during %install section.

These fixes are reflecting to the above comments.

Thanks,
Comment 70 Toshio Ernie Kuratomi 2007-08-29 18:39:55 EDT
Looks pretty good.  What about the port?  Is that still the same as postgresql
server?
Comment 71 KaiGai Kohei 2007-08-29 19:44:03 EDT
(In reply to comment #70)
> Looks pretty good.  What about the port?
> Is that still the same as postgresql server?

Yes. We have to stop postgresql server before running sepostgresql,
and vice versa.

I think it should be same in default, because we have to update widespread
database applications to connect sepostgresql if it use an alternative port.
In addition, it can be overwritten with "/etc/sysconfig/sepostgresql", if 
necessary.

Thanks,
Comment 72 Toshio Ernie Kuratomi 2007-08-30 02:23:25 EDT
Well, there's precedent for having two packages with the same port in things
like httpd/lighttpd packages I suppose.  All of the issues I raised have been
addressed.  Thanks!  I'm not running rawhide so I don't have a machine to test
that the packages still function after these changes.

mtasaka, would you like to make sure the packages still run and do the honors of
finishing off the review?
Comment 73 Mamoru TASAKA 2007-08-30 04:31:15 EDT
(In reply to comment #72)
> Well, there's precedent for having two packages with the same port in things
> like httpd/lighttpd packages I suppose.  All of the issues I raised have been
> addressed.  Thanks!  

Okay, thank you, Kuratomi-san.
I will then recheck the recent srpm, mainly for packaging issue (if
any).
Comment 74 Mamoru TASAKA 2007-08-31 08:06:18 EDT
Okay for me.

Again I APPROVE this package.
Comment 75 KaiGai Kohei 2007-08-31 10:08:00 EDT
Thanks for your reviewing again.

New Package CVS Request
=======================
Package Name: sepostgresql
Short Description: Security-Enhanced PostgreSQL
Owners: kaigai
Branches:
InitialCC:
Cvsextras Commits: no
Comment 76 Kevin Fenzi 2007-08-31 22:10:46 EDT
cvs done. Thank you for addressing the Conflicts. I think this is a much nicer
package now. :) 
Comment 77 Mamoru TASAKA 2007-09-01 10:53:42 EDT
Please close this bug as NEXTRELEASE when rebuild is done.

Note You need to log in before you can comment on or make changes to this bug.