Re: Updates of SE-PostgreSQL 8.4devel patches (r1268)

Tom Lane wrote:
> KaiGai Kohei <kaigai@ak.jp.nec.com> writes:
> > Bruce Momjian wrote:
> >> I assume that could just be always enabled.
> 
> > It is not "always" enabled. When we build it with SE-PostgreSQL feature,
> > rest of enhanced security features (includes the row-level ACL) are
> > disabled automatically, as we discussed before.
> 
> It seems like a pretty awful idea to have enabling sepostgres take away
> a feature that exists in the default build.

Agreed.  The problem is that the security column used for SQL-level row
security is reused to hold the SE-Linux ACL when SE-Linux is enabled.  I
suppose the only way to enable them both in an SE-Linux build would be
to use a new optional column for SE-Linux and keep the SQL-level row
security optional column unchanged.

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + If your life is a hard drive, Christ can be your backup. +