Skip site navigation (1) Skip section navigation (2)

Re: How to get SE-PostgreSQL acceptable

From: KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Andrew Dunstan <andrew(at)dunslane(dot)net>, Josh Berkus <josh(at)agliodbs(dot)com>, Joshua Brindle <method(at)manicmethod(dot)com>, PG Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: How to get SE-PostgreSQL acceptable
Date: 2009-01-31 05:09:58
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-hackers
Bruce Momjian wrote:
> KaiGai Kohei wrote:
>>>> Today, I'll debug the modified code...
>>> Wow, that was fast.  Where are you storing the security information for
>>> tables and columns?  Did you add a special column to pg_class, etc?
>> Security information is stored within padding field of HeapTupleHeader
>> as we did. It can be fetched via sepgsql_(table|column|...)_getcon()
>> functions, and can be set via SECURITY_LABEL = 'xxx'.
> Well, we are not using row-level security values so why not store it in
> its own column regular or as part of the existing ACL structure.  I
> think it will be very odd for system tables to have this special column
> but not user rows.

Sorry, my description might easily make confusion.
I read it again myself, indeed, it makes confusion. :(

SECURITY_LABEL = 'xxx' means following sytle:

       a  int,
       b  text SECURITY_LABEL = '...'
   ) SECURITY_LABEL = '...';

I don't provide both of "security_label" and "security_acl"
system columns for system/user tables.
I didn't write it explicitly, it might make you confusing.

User cannot see what security label is assigned to them
due to lack of system column, so new sepgsql_xxx_getcon()
functions are provided an interface to see security label.

In this patch, I don't touch new system columns.

KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>

In response to


pgsql-hackers by date

Next:From: Tom LaneDate: 2009-01-31 05:48:55
Subject: Re: parallel restore
Previous:From: Euler Taveira de OliveiraDate: 2009-01-31 04:47:41
Subject: Re: reloptions with a "namespace"

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group