| From: | KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp> | 
|---|---|
| To: | Bruce Momjian <bruce(at)momjian(dot)us> | 
| Cc: | Andrew Dunstan <andrew(at)dunslane(dot)net>, Josh Berkus <josh(at)agliodbs(dot)com>, Joshua Brindle <method(at)manicmethod(dot)com>, PG Hackers <pgsql-hackers(at)postgresql(dot)org> | 
| Subject: | Re: How to get SE-PostgreSQL acceptable | 
| Date: | 2009-01-31 05:09:58 | 
| Message-ID: | 4983DD26.9020907@kaigai.gr.jp | 
| Lists: | pgsql-hackers | 
Bruce Momjian wrote:
> KaiGai Kohei wrote:
>>>> Today, I'll debug the modified code...
>>> Wow, that was fast.  Where are you storing the security information for
>>> tables and columns?  Did you add a special column to pg_class, etc?
>> Security information is stored within padding field of HeapTupleHeader
>> as we did. It can be fetched via sepgsql_(table|column|...)_getcon()
>> functions, and can be set via SECURITY_LABEL = 'xxx'.
> 
> Well, we are not using row-level security values so why not store it in
> its own column regular or as part of the existing ACL structure.  I
> think it will be very odd for system tables to have this special column
> but not user rows.
Sorry, my description might easily cause confusion.
I read it again myself, and indeed it is confusing. :(
SECURITY_LABEL = 'xxx' means the following style:
   CREATE TABLE t (
       a  int,
       b  text SECURITY_LABEL = '...'
   ) SECURITY_LABEL = '...';
I don't provide either the "security_label" or the "security_acl"
system column for system/user tables.
I didn't write it explicitly, which might have been confusing.
Users cannot see what security label is assigned to them
due to the lack of a system column, so new sepgsql_xxx_getcon()
functions are provided as an interface to see the security label.
In this patch, I don't touch new system columns.
Thanks,
-- 
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>