
A way to fall back when getpeercon() fails

OSS/Linux

When getpeercon() fails, the current version of SE-PostgreSQL cannot handle the situation well, so it closes the connection immediately.
But an RDBMS can be connected to from clients without any labeled networking configuration, such as MS-Windows hosts.
I think some kind of fallback rules are necessary to handle them. For example, a domain transition using the security context of the source network address or network interface as an entrypoint.
This idea makes it possible to separate security domains by the network addresses that clients belong to. If it can be configured via SECMARK, that would be good for administration.
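
A sketch of the fallback rule described above, added here as an example and not taken from SE-PostgreSQL or from the original post: when no peer label is available, the client's source address is matched against a rule table (longest prefix wins) to pick a context, and the connection is still refused when nothing matches. The function name, the rule table and the context strings are all assumptions made up for illustration, and only IPv4 is handled.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical fallback rule: clients inside net/prefix_len get this context. */
struct fallback_rule {
    const char *net;
    int prefix_len;
    const char *context;
};

/* Constructed sample rules; the type names are not from any real policy. */
static const struct fallback_rule fallback_rules[] = {
    { "192.168.1.0",  24, "system_u:system_r:sepgsql_intranet_client_t:s0" },
    { "192.168.1.64", 26, "system_u:system_r:sepgsql_legacy_client_t:s0" },
    { "10.0.0.0",      8, "system_u:system_r:sepgsql_dmz_client_t:s0" },
};

/* Return 1 if addr (host byte order) lies inside net/prefix_len. */
static int in_network(uint32_t addr, const char *net, int prefix_len)
{
    struct in_addr n;
    if (prefix_len < 0 || prefix_len > 32 || inet_pton(AF_INET, net, &n) != 1)
        return 0;
    uint32_t mask = prefix_len == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix_len);
    return (addr & mask) == (ntohl(n.s_addr) & mask);
}

/*
 * peer_context: the label getpeercon() returned, or NULL when it failed.
 * client_ip:    dotted-quad source address of the connection.
 * Returns the context to run the session under, or NULL to close the connection.
 */
const char *resolve_client_context(const char *peer_context, const char *client_ip)
{
    struct in_addr a;
    const char *best = NULL;
    int best_len = -1;

    if (peer_context != NULL)
        return peer_context;               /* labeled networking worked */
    if (inet_pton(AF_INET, client_ip, &a) != 1)
        return NULL;                       /* unparsable address: fail closed */
    for (size_t i = 0; i < sizeof(fallback_rules) / sizeof(fallback_rules[0]); i++) {
        const struct fallback_rule *r = &fallback_rules[i];
        if (r->prefix_len > best_len &&
            in_network(ntohl(a.s_addr), r->net, r->prefix_len)) {
            best = r->context;             /* more specific rule wins */
            best_len = r->prefix_len;
        }
    }
    return best;                           /* NULL: no rule, keep current behaviour */
}
```

Because a source address is not authenticated the way a peer label is, the fallback contexts in such a table should map to domains with fewer privileges than any labeled client would get.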