Quick Links

Re: Updates of SE-PostgreSQL 8.4devel patches (r1710)

From:	Gregory Stark <stark(at)enterprisedb(dot)com>
To:	Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com>
Cc:	KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, Stephen Frost <sfrost(at)snowman(dot)net>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, Bruce Momjian <bruce(at)momjian(dot)us>, Joshua Brindle <method(at)manicmethod(dot)com>, Robert Haas <robertmhaas(at)gmail(dot)com>, Andrew Dunstan <andrew(at)dunslane(dot)net>, Josh Berkus <josh(at)agliodbs(dot)com>, PG Hackers <pgsql-hackers(at)postgresql(dot)org>, Jaime Casanova <jcasanov(at)systemguards(dot)com(dot)ec>
Subject:	Re: Updates of SE-PostgreSQL 8.4devel patches (r1710)
Date:	2009-03-11 10:39:19
Message-ID:	87sklk5oo8.fsf@oxford.xeocode.com
Views:	Raw Message \| Whole Thread \| Download mbox \| Resend email
Thread:
Lists:	pgsql-hackers

Heikki Linnakangas <heikki(dot)linnakangas(at)enterprisedb(dot)com> writes:

> KaiGai Kohei wrote:
>> * ACL_SELECT_FOR_UPDATE has same value with ACL_UPDATE, so SE-PostgreSQL
>> checks db_table:{update} permission on SELECT ... FOR SHARE OF,
>> instead of db_table:{lock} permission.
>
> This again falls into the category of trying to have more fine-grained
> permissions than vanilla PostgreSQL has. Just give up on the lock permission,
> and let it check update permission instead. Yes, it can be annoying that you
> need update-permission to do SELECT FOR SHARE, but that's an existing problem
> and not in scope for this patch.

Would it make sense to instead of removing and deferring pieces bit by bit to
instead work the other way around? Extract just the part of the patch that
maps SELinux capabilities to Postgres privileges as a first patch? Then
discuss any other parts individually at a later date?

That might relieve critics of the sneaking suspicion that there may be some
semantic change that hasn't been identified and discussed and snuck through?
Some of them are probably good ideas but if they are they're probably good
ideas even for non-SE semantics too.

--
Gregory Stark
EnterpriseDB http://www.enterprisedb.com
Ask me about EnterpriseDB's PostGIS support!

In response to

Re: Updates of SE-PostgreSQL 8.4devel patches (r1710) at 2009-03-11 08:44:10 from Heikki Linnakangas

Responses

Re: Updates of SE-PostgreSQL 8.4devel patches (r1710) at 2009-03-11 13:54:13 from Alvaro Herrera

Browse pgsql-hackers by date

	From	Date	Subject
Next Message	Jacky Leng	2009-03-11 11:12:35	Has anybody think about changing BLCKSZ to an option of initdb?
Previous Message	Pavel Stehule	2009-03-11 10:09:55	idea, proposal: only preloadable libraries (conditional load)