| From: | Bruce Momjian <bruce(at)momjian(dot)us> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, pgsql-hackers(at)postgresql(dot)org, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp> |
| Subject: | Re: Updates of SE-PostgreSQL 8.4devel patches (r1268) |
| Date: | 2008-12-10 11:13:43 |
| Message-ID: | 200812101113.mBABDht01771@momjian.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Tom Lane wrote:
> KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com> writes:
> > Bruce Momjian wrote:
> >> I assume that could just be always enabled.
>
> > It is not "always" enabled. When we build it with SE-PostgreSQL feature,
> > rest of enhanced security features (includes the row-level ACL) are
> > disabled automatically, as we discussed before.
>
> It seems like a pretty awful idea to have enabling sepostgres take away
> a feature that exists in the default build.
Agreed. The problem is that the security column used for SQL-level row
security is reused to hold the SE-Linux ACL when SE-Linux is enabled. I
suppose the only way to enable them both in an SE-Linux build would be
to use a new optional column for SE-Linux and keep the SQL-level row
security optional column unchanged.
--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2008-12-10 11:35:17 | Re: cvs head initdb hangs on unixware |
| Previous Message | Bruce Momjian | 2008-12-10 11:10:45 | Re: Updates of SE-PostgreSQL 8.4devel patches (r1268) |