Greg Stark wrote:
> 2009/10/16 KaiGai Kohei <kaigai@ak.jp.nec.com>:
>> . In addition, I already tried to put SE-PG hooks
>> within pg_xxx_aclchecks() in this CF, but it was failed due to the
>> differences in the security models.
>
> I thought the last discussion ended with a pretty strong conclusion
> that we didn't want differences in the security models.
It is not a fact. Because the SE-PG patch is a bit large to review,
I got a suggestion to implement a part of permissions checks which
can be invoked from the pg_xxx_aclcheck() without any breaks for
SELinux's security model, at the first step.
In other word, I tried to implement only union part of the security
models.
> The first step is to add hooks which don't change the security model
> at all, just allow people to control the existing checks from their SE
> configuration. Only as a second step we would look into making
> incremental changes to the postgres security model to add support for
> privileges SE users might expect to find, eventually possibly
> including per-row permissions.
I already did it on the first CF...
However, most of permission checks had gone at the first step.
It was commented it is same as checks nothing.
Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
