Skip site navigation (1)
Skip section navigation (2)
Peripheral Links
Re: [sepgsql 2/3] Add db_schema:search permission checks
2013/1/29 Simon Riggs <simon(at)2ndquadrant(dot)com>: > On 29 January 2013 13:30, Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp> wrote: > >> It makes unavailable to control execution of >> functions from viewpoint of selinux, and here is no way selinux >> to prevent to execute functions defined by other domains, or >> others being not permitted. >> Also, what we want to do is almost same as existing permission >> checks, except for its criteria to make access control decision. > > Do you have a roadmap of all the things this relates to? > > If selinux has a viewpoint, I'd like to be able to see a list of > capabilities and then which ones are currently missing. I guess I'm > looking for external assurance that someone somewhere needs this and > that it fits into a complete overall plan of what we should do. Just > like we are able to use SQLStandard as a guide as to what we need to > implement, we would like something to refer back to. Does this have a > request id, specification document page number or whatever? > I previously made several wiki pages for reference of permissions to be checked, but it needs maintenance works towards the latest state, such as newly added permissions. http://wiki.postgresql.org/wiki/SEPostgreSQL_References Even though selinuxproject.org hosts permission list, it is more rough than what I described at wiki.postgresql.org. http://www.selinuxproject.org/page/ObjectClassesPerms#Database_Object_Classes Unlike SQL standard, we have less resource to document its spec being validated by third persons. However, it is a reasonable solution to write up which permission shall be checked on which timing. Let me revise the above wikipage to show my overall plan. Thanks, -- KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
In response to
- Re: [sepgsql 2/3] Add db_schema:search permission checks at 2013-01-29 14:10:35 from Simon Riggs
Responses
- Re: [sepgsql 2/3] Add db_schema:search permission checks at 2013-01-29 14:55:25 from Simon Riggs
pgsql-hackers by date
Next: From: Tom Lane Date: 2013-01-29 14:54:04 Subject: Re: BUG #7493: Postmaster messages unreadable in a Windows console Previous: From: Peter Eisentraut Date: 2013-01-29 14:20:34 Subject: Re: enhanced error fields