Re: Proposal of SE-PostgreSQL patches (for CommitFest:Sep)

From: Joshua Drake <jd(at)commandprompt(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Peter Eisentraut <peter_e(at)gmx(dot)net>, Aidan Van Dyk <aidan(at)highrise(dot)ca>, Robert Haas <robertmhaas(at)gmail(dot)com>, josh(at)agliodbs(dot)com, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Proposal of SE-PostgreSQL patches (for CommitFest:Sep)
Date: 2008-09-24 16:20:23
Message-ID: 20080924092023.043f3a1e@jd-laptop
Lists: pgsql-hackers

On Wed, 24 Sep 2008 11:58:58 -0400
Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:

> The objection comes down to this: it's an extremely large, invasive,
> and probably performance-losing patch, which apparently will be of use
> to only a rather small set of people. It's not unreasonable to
> discuss just how large that set might be while we debate whether to
> accept the patch.

I know of no one that really uses SELinux because it is a nightmare. On
the other hand, this type of security is required to get into certain
scary tin foil hat producing institutions.

Do we want to target those respective types of installs? If so,
then we have no choice but to try and make this patch (or similar)
work. If not, then I believe it is entirely too large of a change to
even bother with.

Now and this I think would be a first for PostgreSQL and something that
may cause more trouble than it is worth but we could do:

./configure --enable-selinux # Experimental

And if we find it doesn't work out, we rip it out. Yes, it is a lot of
work. A great many of our community will not participate on this list
and thus will not speak up to the (perceived) considerable demand for
this type of feature. The fact that the gentlemen who wrote the patch
kept it up to date and improved it over two release cycles suggests
that there is significant interest in this somewhere.

Joshua Drake

--
The PostgreSQL Company since 1997: http://www.commandprompt.com/
PostgreSQL Community Conference: http://www.postgresqlconference.org/
United States PostgreSQL Association: http://www.postgresql.us/
