Re: sepgsql and materialized views

Kohei KaiGai <kaigai@kaigai.gr.jp> wrote:

> So, I'd like to review two options.
> 1) we uses db_table object class for materialized-views for
> a while, until selinux-side become ready. Probably, v9.3 will
> use db_table class then switched at v9.4.
> 2) we uses db_materialized_view object class from the
> begining, but its permission checks are ignored because
> installed security policy does not support this class yet.
>
> My preference is 2), even though we cannot apply label
> based permission checks until selinux support it, because
> 1) makes troubles when selinux-side become ready to
> support new db_materialized_view class. Even though
> policy support MV class, working v9.3 will ignore the policy.
>
> Let me ask selinux folks about this topic also.

To make sure I understand, the current patch is consistent with
option 1?  It sounds like I have code from a prior version of the
patch pretty close to what you describe for option 2, so that can
be put back in place if you confirm that as the preferred option.
From what you describe, it sounds like the only thing it doesn't
have is a new hook for REFRESH, but that doesn't sound like it
would take that much to implement.

Thanks for looking at this!

-Kevin