Skip site navigation (1) Skip section navigation (2)

Re: How to get SE-PostgreSQL acceptable

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>,PG Hackers <pgsql-hackers(at)postgresql(dot)org>,Joshua Brindle <method(at)manicmethod(dot)com>
Subject: Re: How to get SE-PostgreSQL acceptable
Date: 2009-01-28 14:30:55
Message-ID: 20090128143055.GY8123@tamriel.snowman.net (view raw or flat)
Thread:
Lists: pgsql-hackers
* KaiGai Kohei (kaigai(at)kaigai(dot)gr(dot)jp) wrote:
> So, I cannot believe refactoring pg_xxx_aclcheck() is not acceptable.
> If vanilla PostgreSQL become to check ACLs on tables, independent
> from views, do you think it is acceptable?

Well, just to be clear, ACLs are checked on tables under views, but
they're checked using the privileges of the view owner rather than
the privileges of the current user.  I've run into that empirically
because I've gotten 'permission denied' errors when using a view that
I've clearly got full rights on but was owned by someone else (who
didn't have rights on the table underneath).

That being said, I'd think that if we do need different semantics from
that for SE-PostgreSQL, we could implement it using a GUC or similar to
keep the current behavior as well allow the SE-PostgreSQL behavior.

> However, we have to make clear whether the PGACE architecture
> is incorrect, or not, at first.

It really bothers me that it seems like these kinds of reviews of the
larger patches don't happen until it's time to decide about the next
release.  Perhaps these issues were all brought up seperately in prior
threads, or they weren't articulated as requirements or show-stoppers,
and if so then I apologize for not following those more closely.

If the approach Peter outlined is what core wants to see and is willing
to go along with to get SE-PostgreSQL included then let's please decide
that now and agree that unless some serious problem comes up we'll stick
to it and not require the whole thing be rewritten again later.

I'm not sure about KaiGai's feelings on this, but it strikes me that
adding SELinux support for the existing levels of access control in PG
might be straight-forward and small enough to include for 8.4 and would
show some commitment to this approach of "do it for PG, add SELinux
checks for it".  Alternatively, maybe a progression-towards-SE-PostgreSQL
wiki/webpage that outlines the plan, current work, what's been
committed, etc, that everyone reviews and agrees to?

As a side-note, I've gotten some extremely positive feedback about
SE-PostgreSQL from folks in my organization who run systems where it
would be used.  I'm going to be having a more detailed discussion later
today.

	Thanks,

		Stephen

In response to

Responses

pgsql-hackers by date

Next:From: Robert HaasDate: 2009-01-28 14:36:12
Subject: Re: How to get SE-PostgreSQL acceptable
Previous:From: Andrew SullivanDate: 2009-01-28 14:27:29
Subject: Re: 8.4 release planning

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group