| From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
|---|---|
| To: | Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> |
| Cc: | PgHacker <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: [v9.2] Object access hooks with arguments support (v1) |
| Date: | 2011-11-01 17:44:13 |
| Message-ID: | CA+TgmoZAK+RjTJZuZJOoLq1N=Zr+WVmpShSGjuwJ84e4+-GGXw@mail.gmail.com |
| Lists: | pgsql-hackers |

On Tue, Nov 1, 2011 at 1:32 PM, Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> wrote:
> I tried to summarize permission checks of DAC/MAC on several object classes
> that are allowed to assign security label right now.
> http://wiki.postgresql.org/index.php?title=SEPostgreSQL/Permissions
>
> In most of checks, required contextual information by SELinux are commonly
> used to DAC also, as listed.

What's up with this:

"a flag to inform whether CASCADE or RESTRICT"

That doesn't seem like it should be needed.

We should consider whether CREATE TABLE should be considered to
consist of creating a table and then n attributes, rather than trying
to shove the attribute information wholesale into the create table
check.

> I guess DROP or some of ALTER code reworking should be done prior to
> deploy object_access_hook around their permission checks, to minimize
> maintain efforts.

+1.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company