Re: Updates of SE-PostgreSQL 8.4devel patches (r1197)

On Tue, 2008-11-18 at 15:02 +0900, KaiGai Kohei wrote:

> If we focus on the CreateTemplateTupleDesc(), 5 of call points give
> possibile "hasoid" argument, and rest of them always give "false".
> I guess it will be same in the security context cases.
> However, we have to change all the call points when the declaration
> is changed.

Looks promising.

> > Another way would be to include a security context in all newly
> created
> > tuples, but remove it during heap_update, heap_insert etc if it is
> > unused by the relation. That seems more straightforward.
>
> It is not a reasonable option.
>
> The length of HeapTupleData is determined during heap_form_tuple(),
> and it is unchanged later. Thus, we have to interpose here, as object
> identifier doing.

Currently yes. Is there a reason not to? Do we rely on the tuple length
staying same after those operations?

Just considering multiple ways of making the context optional.

> >> Some of distributions now provides SELinux option, but not a
> default.
> >> I know Debian, Ubuntu, Gentoo and SuSE are doing.
> >
> > SUSE?
>
> The "u" might be a large-letter.

Sorry, I wasn't correcting your spelling! :-)
I was asking whether Su/USE are definitely supporting SELinux now? I
have not heard that.

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support