From: | KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com> |
---|---|
To: | Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Simon Riggs <simon(at)2ndQuadrant(dot)com>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, Robert Haas <robertmhaas(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Updates of SE-PostgreSQL 8.4devel patches (r1197) |
Date: | 2008-11-21 01:53:28 |
Message-ID: | 49261498.2070105@ak.jp.nec.com |
Lists: | pgsql-hackers |
Bruce Momjian wrote:
> Bruce Momjian wrote:
>>> However, the toggle of row-level security feature should be controlled
>>> via a GUC option, not a discretionary option.
>>> I'll add a "sepostgresql_row_level" option defined as bool to control
>>> it on start up time.
>> This sounds similar to BSD capability where certain security settings can
>> only be changed in single-user mode.
>
> Actually, an interesting idea would be to allow "sepostgresql_row_level"
> to be turned on, but not off. That means if it was turned on in
> postgresql.conf, it could not be turned off, but if it is off in
> postgresql.conf, it could be turned on via SET or via ALTER
> USER/DATABASE; I think that would be a nice capability.

I think the "sepostgresql_mode" and "sepostgresql_row_level" should not
be toggled frequently.

Please consider that SELinux/SE-PostgreSQL requires various kinds of objects
(including database objects) to be labeled properly at the initial state.
If it allows clients to turn on the row-level security feature, it means many
"unlabeled" tuples appear suddenly. In general, these have to be labeled
before the system becomes available.

> On a related note, KaiGai, you are now starting the long road of getting
> feedback with the ultimate goal of getting your patch into CVS. I will
> warn you that there is often much work during this stage, and it might
> stretch into January as we request adjustments, but ultimately your
> feature and Postgres will be better for it. Thanks for sticking with
> it.

Don't worry, I'll be available for the work, and will give a lot for inclusion
of the feature in v8.4.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>