Re: Proposal of SE-PostgreSQL patches (for CommitFest:Sep)

Josh Berkus <josh@agliodbs.com> writes:
> Multilevel frameworks have concepts of data hiding and data substitution 
> based on labels.  That is, if a user doesn't have permissions on data, 
> he's not merely supposed to be denied access to it, he's not even supposed 
> to know that the data exists.  In extreme cases (think military / CIA use) 
> data at a lower security level should be substitited for the higher 
> security level data which the user isn't allowed.  Silently.

Yeah, that's what I keep hearing that the spooks think they want.
I can't imagine how it would play nice with SQL-standard integrity
constraints.  Data that apparently violates a foreign-key constraint,
for example, would give someone a pretty good clue that there's
something there he's not being allowed to see.
        regards, tom lane