I think I speak for the average Linux user when I say: What are you talking about? Label? Context? These are not Unix concepts. SELinux has secretly replaced my Unix system with Folger's Crystals. Let's see if anyone notices.

You say "You can probably imagine several ways that symlinks can be used to trick postgres into doing something that wasn't intended." Actually, I cannot think of any such thing. Can you perhaps explain to me how an adversarial symlink would have magically appeared in /var/lib/pgsql under the traditional Unix security model? Keep in mind that this directory is owned drwx------ postgres postgres.

The question posed in the article was whether SELinux should be enabled by default. If your comment is any indication, SELinux is from another galaxy, and definitely should not be enabled by default for people who were under the impression that they were using Linux. If there are customers who are insisting on this foreign access control system, then they are probably smart enough to turn it on.