From: | KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, PgSQL-Hackers <pgsql-hackers(at)postgresql(dot)org>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp> |
Subject: | Re: modular se-pgsql as proof-of-concept |
Date: | 2010-06-18 00:23:39 |
Message-ID: | 4C1ABC8B.4070402@ak.jp.nec.com |
Lists: | pgsql-hackers |
(2010/06/17 21:59), Robert Haas wrote:
> 2010/6/17 KaiGai Kohei<kaigai(at)ak(dot)jp(dot)nec(dot)com>:
>> I tried to implement a modular se-pgsql as proof-of-concept, using the DML
>> permission check hook which was proposed by Robert Haas.
>>
>> At first, please build and install the latest PostgreSQL with this
>> patch to add a hook on DML permission checks.
>> http://archives.postgresql.org/pgsql-hackers/2010-05/msg01095.php
>>
>> Then, check out the modular se-pgsql, as follows:
>> % svn co http://sepgsql.googlecode.com/svn/trunk/ sepgsql
>
> This is a good start - I think with some cleanup this could be
> committable, though probably it makes sense to wait until after we get
> the security label infrastructure in. I suspect some code cleanup
> will be needed; one thing I noticed off the top of my head was that
> you didn't follow the usual style for installing hook functions in a
> way that can accommodate multiple hooks. See contrib/auto_explain for
> an example.
>
Thanks for your comments. I'll fix it later.
BTW, I have a question: which community (PostgreSQL or SELinux) shall
eventually maintain the module, although PostgreSQL provides a set of
interfaces for access control modules?
I thought the SELinux side (mainly me and NEC) would maintain the sepgsql
module, keeping it suitable for the interfaces.
If we need another proof-of-concept module independent from SELinux
for regression tests, at least, it is not tough work.
Thanks,
--
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
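The review comment quoted above concerns installing a hook so that several modules can coexist. The following is an added example, not code from the sepgsql module or from PostgreSQL: a self-contained C model of the save-previous-and-chain idiom, next to an overwriting install that silently drops an earlier module's permission check. The hook variable, its signature, and both modules' policies are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a server hook variable; name and signature are hypothetical. */
typedef bool (*dml_check_hook_type)(const char *table, const char *role);
dml_check_hook_type dml_check_hook = NULL;

/* Core call site: no hook installed means no extra restriction. */
bool check_dml(const char *table, const char *role)
{
    return dml_check_hook ? dml_check_hook(table, role) : true;
}

/* Module A (constructed policy): role "guest" may not touch table "secret". */
static dml_check_hook_type a_prev = NULL;
static bool a_check(const char *table, const char *role)
{
    if (a_prev && !a_prev(table, role))
        return false;                 /* an earlier module already denied */
    return !(strcmp(table, "secret") == 0 && strcmp(role, "guest") == 0);
}
void module_a_init(void) { a_prev = dml_check_hook; dml_check_hook = a_check; }

/* Module B (constructed policy): only role "auditor" may touch "audit_log". */
static dml_check_hook_type b_prev = NULL;
static bool b_check(const char *table, const char *role)
{
    if (b_prev && !b_prev(table, role))
        return false;                 /* keep the earlier module's decision */
    return strcmp(table, "audit_log") != 0 || strcmp(role, "auditor") == 0;
}
void module_b_init(void) { b_prev = dml_check_hook; dml_check_hook = b_check; }

/* Overwriting variant: forgets whatever was installed before it. */
void module_b_init_overwrite(void) { b_prev = NULL; dml_check_hook = b_check; }

void reset_hooks(void) { dml_check_hook = NULL; a_prev = NULL; b_prev = NULL; }

int main(void)
{
    reset_hooks(); module_a_init(); module_b_init();
    printf("chained:   guest on secret -> %d\n", check_dml("secret", "guest"));
    reset_hooks(); module_a_init(); module_b_init_overwrite();
    printf("overwrite: guest on secret -> %d\n", check_dml("secret", "guest"));
    return 0;
}
```

With the overwriting install, module A's denial is never consulted, so for an access control module the chaining style is a correctness requirement rather than a cosmetic one.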