Re: One question about security label command

From: Kouhei Kaigai <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: Joe Conway <mail(at)joeconway(dot)com>, Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com>
Cc: Stephen Frost <sfrost(at)snowman(dot)net>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, 张元超 <zhangyuanchao(at)highgo(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, "adam(dot)brightwell(at)crunchydata(dot)com" <adam(dot)brightwell(at)crunchydata(dot)com>
Subject: Re: One question about security label command
Date: 2015-09-13 15:29:00
Views: Raw Message | Whole Thread | Download mbox | Resend email
Lists: pgsql-hackers

Hi Joe,

The attached one is the regression test fixup in v9.2.
As we applied to the v9.3 or later, it replaces unconfined_t domain
by the self defined sepgsql_regtest_superuser_t.

Unfortunately, I found a bug to process SELECT INTO statement.
Because v9.2 didn't have ObjectAccessPostCreate to inform the
context when a relation is newly created, thus, sepgsql had
an ugly alternative at sepgsql_executor_start().
It saves kind of statement prior to executor start, then it is
referenced when sepgsql_relation_post_create() is called.
However, T_CreateTableAsStmt was oversight, thus it is considered
as a harmless internal operation, and no label was assigned on
the new relation.
I'm not certain why we oversight at that time, however, this logic
is removed and replaced in v9.3.

NEC Business Creation Division / PG-Strom Project
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>

> -----Original Message-----
> From: Joe Conway [mailto:mail(at)joeconway(dot)com]
> Sent: Tuesday, September 08, 2015 10:15 AM
> To: Kaigai Kouhei(海外 浩平); Adam Brightwell
> Cc: Stephen Frost; Alvaro Herrera; Kohei KaiGai; Tom Lane; Robert Haas; 张元
> 超; pgsql-hackers(at)postgresql(dot)org; adam(dot)brightwell(at)crunchydata(dot)com
> Subject: Re: [HACKERS] One question about security label command
> On 09/07/2015 04:46 PM, Kouhei Kaigai wrote:
> >>>>> 3.) Rework patch for 9.2 (Kohei)
> >>
> > Could you wait for the next Monday?
> > I'll try to work this in the next weekend.
> Sure, that would be great.
> Joe
> --
> Crunchy Data -
> PostgreSQL Support for Secure Enterprises
> Consulting, Training, & Open Source Development

Attachment Content-Type Size
sepgsql-fixup-regtest-policy.v9.2.patch application/octet-stream 62.0 KB

In response to


Browse pgsql-hackers by date

  From Date Subject
Next Message Charles Clavadetscher 2015-09-13 16:35:49 Re: [DOCS] Missing COMMENT ON POLICY
Previous Message Ildus Kurbangaliev 2015-09-13 15:09:02 Re: RFC: replace pg_stat_activity.waiting with something more descriptive