Re: Adding support for SE-Linux security

From: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Bruce Momjian <bruce(at)momjian(dot)us>, Josh Berkus <josh(at)agliodbs(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, jd(at)commandprompt(dot)com, David Fetter <david(at)fetter(dot)org>, Itagaki Takahiro <itagaki(dot)takahiro(at)oss(dot)ntt(dot)co(dot)jp>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Adding support for SE-Linux security
Date: 2009-12-08 01:42:53
Message-ID: 4B1DAF1D.7040409@ak.jp.nec.com
Lists: pgsql-hackers

Robert Haas wrote:
> On Mon, Dec 7, 2009 at 1:00 PM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
>> As Alvaro mentioned, the original patch used ACE but it added too much
>> code so the community requested its removal from the patch. It could be
>> re-added if we have a need.
>
> Well, there's no point in putting that framework back in unless we can
> make it sufficiently general that it could be used to serve the needs
> of more than one security model. And so far, the signs have not been
> promising. David Quigley suggests downthread that making a truly
> general model isn't really possible, and he may be right, or not. I
> was just mentioning that it's an angle I have been thinking about
> investigating, but it may be a dead end.

I also agree that the common framework just increases the complexity of
the patch at the moment.

> The real issue is making the code committable, and then maintaining
> it, as Tom rightly says, forever. We've got to make sure that we're
> willing to take that on before we do it, and I don't think it's a
> small task. It isn't so much whether we want the feature as whether
> the level of effort is proportionate to the benefit.

Needless to say, we can provide development resources to maintain this
feature. If we escape to anywhere just after committing it, it will be removed,
as Bruce pointed out. But it shall be incorrect.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
