Re: sepgsql contrib module

2011/1/5 KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>:
> The attached patch is the modular version of SE-PostgreSQL (take.2).

I'm reading through the documentation and so far it looks pretty
reasonable. But I have some questions and suggested changes, of
course. :-)

1. Why is sepgsql the right name for this module, as opposed to, say,
selinux? We don't call the cube module cubepgsql, or the hstore
module hstorepgsql. Maybe there's a reason why this case is
different, but I'm not sure.

2. The docs contains some references to /usr/local/pgsql/share.. Does
this really mean "whatever sharedir you established when you ran
configure", i.e. the output of pg_config --sharedir? I hope so.

3. The language for the sepgsql.permissive GUC suggests that it's
PGC_POSTMASTER, but I'd think PGC_SIGHUP ought to be sufficient.
Either way, please copy the appropriate language from some existing
GUC of the same type instead of inventing a new way to say it. I also
have no idea what "because it invalidates all the inefficient stuff"
means.

4. Please remove the upcoming features section of the documentation.
This material is appropriate for a page on the wiki, but shouldn't be
part of the official documentation. Instead, you might want to have a
*short* "Limitations" section.

5. I'm not too sure about this one, but I think it might be good to
elaborate on what we mean by respecting the system SE-Linux policy.
What kinds of objects do we support checks on? What sorts of checks?
What kind of access can we allow/deny?

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company