Re: How to get SE-PostgreSQL acceptable

Robert Haas wrote:
> >> IANAC, but that's my impression too.  The simplified patch shouldn't
> >> assume that row-level security in its current form is going to end up
> >> getting put back in.  AFAICS, there's no reason why the security ID
> >> for tables can't be a regular attribute in pg_class, or why the
> >> security attribute for columns can't be a regular attribute in
> >> pg_attribute.
> >
> > If it is "identifier", it can be compoundable.
> >
> > I dislike it is held as "text". It fundamentaly breaks SE-PostgreSQL's
> > architecture, and requires to scrap near future.
> 
> I think the column in pg_attribute and pg_class can and should be an
> OID.  The issue is whether it's a regular OID column or a new system
> column.  Stephen and I are saying it should be a regular column.
> pg_security can stick around to map OIDs to text labels.

Why an OID?  We store acl items now without a lookup table;  I think
there will be at most the same number of SE-Linux entries.  Also, by
using text we avoid the problem of cleaning out unreferenced pg_security
rows, improve performance (no lookups), and simplify the code.

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + If your life is a hard drive, Christ can be your backup. +