Re: Updates of SE-PostgreSQL 8.4devel patches (r1268)

From: Peter Eisentraut <peter_e(at)gmx(dot)net>
To: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
Subject: Re: Updates of SE-PostgreSQL 8.4devel patches (r1268)
Date: 2008-12-12 07:40:02
Message-ID: 49421552.2080109@gmx.net
Lists: pgsql-hackers

KaiGai Kohei wrote:
> Peter Eisentraut wrote:
>> On Thursday 11 December 2008 18:32:50 Tom Lane wrote:
>>>> How can we stick all of these in the same column at the same time?
>>> Why would we want to?
>>
>> Because we want to use SQL-based row access control and SELinux-based
>> row access control at the same time. Isn't this exactly one of the
>> objections upthread? Both must be available at the same time.
>
> Please make clear the meaning of "use".
> As you said, if your concern is based on a packaging/distributing issue,
> I suggested an alternative proposal which allows compiling multiple
> security mechanisms and choosing one of them at runtime.

I would like to be able to assign SQL-level ACLs and SELinux labels to
the same row at the same time in the same build, and have the system
enforce both on top of each other.

In my mind, this is completely analogous to being able to assign
SQL-level ACLs and SELinux labels to the same
table/function/tablespace/etc. at the same time, and I think that
behavior is undisputed.

>> We can debate the merits of having, say, SELinux plus Solaris TX at
>> the same time, but if we can have two as per previous paragraph, we
>> should design for several.
>
> What platform is available for both SELinux and Solaris TX?

Well, Solaris, if you believe various rumours. I agree the case for
this might be weak, though.
