[PATCH][v8.5] SE-PostgreSQL Patch Updates (r2016) - Mailing list pgsql-hackers
From | KaiGai Kohei |
---|---|
Subject | [PATCH][v8.5] SE-PostgreSQL Patch Updates (r2016) |
Date | |
Msg-id | 4A309ECA.8000606@ak.jp.nec.com |
In response to | [PATCH] SE-PostgreSQL for v8.5 development (r1891) (KaiGai Kohei <kaigai@ak.jp.nec.com>) |
Responses | Re: [PATCH][v8.5] SE-PostgreSQL Patch Updates (r2016); [PATCH] SE-PostgreSQL Updates rev.2096 |
List | pgsql-hackers |

The SE-PostgreSQL patches are updated as follows:

1) http://sepgsql.googlecode.com/files/sepgsql-01-sysatt-8.4beta2-r2016.patch
2) http://sepgsql.googlecode.com/files/sepgsql-02-core-8.4beta2-r2016.patch
3) http://sepgsql.googlecode.com/files/sepgsql-03-writable-8.4beta2-r2016.patch
4) http://sepgsql.googlecode.com/files/sepgsql-04-rowlevel-8.4beta2-r2016.patch
5) http://sepgsql.googlecode.com/files/sepgsql-05-perms-8.4beta2-r2016.patch
6) http://sepgsql.googlecode.com/files/sepgsql-06-utils-8.4beta2-r2016.patch
7) http://sepgsql.googlecode.com/files/sepgsql-07-tests-8.4beta2-r2016.patch
8) http://sepgsql.googlecode.com/files/sepgsql-08-docs-8.4beta2-r2016.patch
9) http://sepgsql.googlecode.com/files/sepgsql-09-extra-8.4beta2-r2016.patch

The SE-PostgreSQL online documentation:
http://wiki.postgresql.org/wiki/SEPostgreSQL

List of updates:

* Its base version was updated to the latest CVS HEAD.
* Add a feature to reclaim orphan pg_security entries.
  - See below.
* Add a new guc parameter: sepostgresql_mcstrans
  - It turns on/off mcstrans support when we import/export security context.
* Some bugfixes
* Code cleanups
* Documentation updates
  - The wiki article was updated corresponding to the latest design.

A significant change is a feature to reclaim orphan pg_security entries. The definition of pg_security was changed, and a 'relid' field was added to indicate the table referring to the entry. An administrative purpose function, security_reclaim_label(), removes entries within pg_security which are not referred to by the table identified by pg_security.relid.

We assume the frequency to be reclaimed is low enough, so it is not done automatically like autovacuum. If necessary, a cron script can invoke a script to reclaim orphan entries once per month or bimonth. On DROP TABLE, orphan entries are also reclaimed automatically.

-- Example ------------------------------------------

```
postgres=# CREATE TABLE t1 (a int, b text);
CREATE TABLE
postgres=# INSERT INTO t1 VALUES (1, 'aaa'), (2, 'bbb'), (3, 'ccc');
INSERT 0 3
postgres=# UPDATE t1 SET security_label = sepgsql_set_range(security_label, 's0:c' || a);
UPDATE 3
postgres=# UPDATE t1 SET security_label = sepgsql_set_user(security_label, 'system_u');
UPDATE 3
postgres=# SELECT security_label, * FROM t1;
             security_label              | a |  b
-----------------------------------------+---+-----
 system_u:object_r:sepgsql_table_t:s0:c1 | 1 | aaa
 system_u:object_r:sepgsql_table_t:s0:c2 | 2 | bbb
 system_u:object_r:sepgsql_table_t:s0:c3 | 3 | ccc
(3 rows)

postgres=# SELECT security_reclaim_label('t1');
NOTICE: secattr="unconfined_u:object_r:sepgsql_table_t:s0", secid=16433 on public.t1 was reclaimed
NOTICE: secattr="unconfined_u:object_r:sepgsql_table_t:s0:c1", secid=16434 on public.t1 was reclaimed
NOTICE: secattr="unconfined_u:object_r:sepgsql_table_t:s0:c2", secid=16435 on public.t1 was reclaimed
NOTICE: secattr="unconfined_u:object_r:sepgsql_table_t:s0:c3", secid=16436 on public.t1 was reclaimed
 security_reclaim_label
------------------------
                      4
(1 row)
```

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
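
The session in the message above, replayed against a simplified Python model of the label dictionary to show why exactly four entries end up orphaned; this is an added example, not code from the patch. It assumes pg_security holds one entry per (relid, label) pair and that secids are handed out sequentially from 16433 as in the NOTICE lines; `LabelStore`, `intern`, `reclaim` and `replay_session` are hypothetical names, and the secids given to the system_u labels are constructed.

```python
# Simplified model of the pg_security label dictionary described in the message.
# Assumption: one entry per (relid, secattr); names here are hypothetical.
from itertools import count

PREFIX = "unconfined_u:object_r:sepgsql_table_t:"

class LabelStore:
    def __init__(self, first_secid=16433):  # start value mirrors the NOTICE lines
        self.pg_security = {}               # (relid, secattr) -> secid
        self._next = count(first_secid)

    def intern(self, relid, secattr):
        """Return the secid for secattr on relid, adding an entry if missing."""
        key = (relid, secattr)
        if key not in self.pg_security:
            self.pg_security[key] = next(self._next)
        return self.pg_security[key]

    def reclaim(self, relid, rows):
        """Drop entries tagged with relid that no row of that table references."""
        live = {row["secid"] for row in rows}
        orphans = sorted((secid, attr)
                         for (rel, attr), secid in self.pg_security.items()
                         if rel == relid and secid not in live)
        for _, attr in orphans:
            del self.pg_security[(relid, attr)]
        return orphans

def replay_session():
    store, rel = LabelStore(), "public.t1"
    # INSERT: all three rows share the default label, so one entry is created.
    rows = [{"a": a, "label": PREFIX + "s0"} for a in (1, 2, 3)]
    for r in rows:
        r["secid"] = store.intern(rel, r["label"])
    # UPDATE 1: sepgsql_set_range(security_label, 's0:c' || a)
    for r in rows:
        r["label"] = f"{PREFIX}s0:c{r['a']}"
        r["secid"] = store.intern(rel, r["label"])
    # UPDATE 2: sepgsql_set_user(security_label, 'system_u')
    for r in rows:
        r["label"] = r["label"].replace("unconfined_u", "system_u", 1)
        r["secid"] = store.intern(rel, r["label"])
    # Old entries stay in the dictionary until reclaimed explicitly.
    return store, store.reclaim(rel, rows)

if __name__ == "__main__":
    store, reclaimed = replay_session()
    for secid, attr in reclaimed:
        print(f'secattr="{attr}", secid={secid} on public.t1 was reclaimed')
    print(len(reclaimed), "reclaimed;", len(store.pg_security), "entries remain")
```
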