Re: partitioned tables and contrib/sepgsql

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Mike Palmiotto <mike(dot)palmiotto(at)crunchydata(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: partitioned tables and contrib/sepgsql
Date: 2017-03-09 15:05:00
Message-ID: 20170309150500.GF9812@tamriel.snowman.net
Lists: pgsql-hackers

Mike,

* Mike Palmiotto (mike(dot)palmiotto(at)crunchydata(dot)com) wrote:
> On Thu, Mar 9, 2017 at 9:47 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > While going over the contrib modules, I noticed that sepgsql was not
> > updated for partitioned tables. What that appears to mean is that it's
> > not possible to define labels on partitioned tables. As I recall,
> > accessing the parent of a table will, similar to the GRANT system, not
> > perform checks against the child tables, meaning that there's no way to
> > have SELinux checks properly enforced when partitioned tables are being
> > used.
>
> I'll start taking a look at this. Presumably we'd just extend existing
> object_access_hooks to cover partitioned tables?

At least on first blush that seems like the right approach. We'll need
to make sure that the SECURITY LABEL system will properly work with
partitioned tables too, of course, and that the checks are called when a
user queries a partitioned table. Then we'll need regression tests to
make sure we get it all correct and don't screw it up in the future. ;)

> > This is an issue which should be resolved for PG10, so I'll add it to
> > the open items list.
>
> I'll grab it. Thanks.

Excellent, thanks!

Stephen
