From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, Bruce Momjian <bruce(at)momjian(dot)us>, Chad Sellers <csellers(at)tresys(dot)com>, "David P(dot) Quigley" <dpquigl(at)tycho(dot)nsa(dot)gov>, Josh Berkus <josh(at)agliodbs(dot)com>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, jd <jd(at)commandprompt(dot)com>, David Fetter <david(at)fetter(dot)org>, Itagaki Takahiro <itagaki(dot)takahiro(at)oss(dot)ntt(dot)co(dot)jp>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Adding support for SE-Linux security |
Date: | 2009-12-11 15:24:52 |
Message-ID: | 20091211152452.GS17756@tamriel.snowman.net |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
Magnus,
* Magnus Hagander (magnus(at)hagander(dot)net) wrote:
> On Fri, Dec 11, 2009 at 05:45, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > It's been perfectly clear since day one, and was reiterated as recently
> > as today
> > http://archives.postgresql.org/message-id/4B21757E.7090806@2ndquadrant.com
> > that what the security community wants is row-level security. The
>
> If that is true, then shouldn't we have an implementation of row level
> security *first*, and then an implementation of selinux hooks that
> work with this row level security feature? Rather than first doing
> selinux hooks, then row level security, which will likely need new
> and/or changed hooks...
The proposal we're currently grappling with is to pull all the various
checks which are sprinkled through our code into a single area.
Clearly, if that work is done before we implement row-level security,
then the patch for row-level security will just add it's checks in the
security/ area and it'd be then easily picked up by SELinux, etc.
> I'm not convinced that row level security is actually that necessary
> (though it's a nice feature, with or without selinux), but if it is,
> it seems we are approaching the problem from the wrong direction.
It has to be implemented independent of the security/SELinux/etc changes
in any case, based on what was said previously.. So I don't
particularly understand why it matters a great deal which one happens
first. They're independently useful features, though both are not
nearly as good on their own as when they are combined. Sorry, I just
don't see this as a "cart-before-the-horse" case.
Thanks,
Stephen
From | Date | Subject | |
---|---|---|---|
Next Message | Bruce Momjian | 2009-12-11 15:39:22 | Re: Largeobject Access Controls (r2460) |
Previous Message | Marko Kreen | 2009-12-11 15:20:23 | Re: thread safety on clients |