From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com> |
Cc: | KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, PgHacker <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: sepgsql contrib module |
Date: | 2011-01-06 05:28:13 |
Message-ID: | AANLkTinsfHoXOgxSJxb0YHikGMHzvBNRcz+jaz+rJ9AO@mail.gmail.com |
Lists: | pgsql-hackers |

2011/1/5 KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>:
> The attached patch is the modular version of SE-PostgreSQL (take.2).

I'm reading through the documentation and so far it looks pretty
reasonable. But I have some questions and suggested changes, of
course. :-)

1. Why is sepgsql the right name for this module, as opposed to, say,
selinux? We don't call the cube module cubepgsql, or the hstore
module hstorepgsql. Maybe there's a reason why this case is
different, but I'm not sure.

2. The docs contain some references to /usr/local/pgsql/share.. Does
this really mean "whatever sharedir you established when you ran
configure", i.e. the output of pg_config --sharedir? I hope so.

3. The language for the sepgsql.permissive GUC suggests that it's
PGC_POSTMASTER, but I'd think PGC_SIGHUP ought to be sufficient.
Either way, please copy the appropriate language from some existing
GUC of the same type instead of inventing a new way to say it. I also
have no idea what "because it invalidates all the inefficient stuff"
means.

4. Please remove the upcoming features section of the documentation.
This material is appropriate for a page on the wiki, but shouldn't be
part of the official documentation. Instead, you might want to have a
*short* "Limitations" section.

5. I'm not too sure about this one, but I think it might be good to
elaborate on what we mean by respecting the system SE-Linux policy.
What kinds of objects do we support checks on? What sorts of checks?
What kind of access can we allow/deny?

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company