Re: Adding support for SE-Linux security
From | Bruce Momjian |
---|---|
Subject | Re: Adding support for SE-Linux security |
Date | |
Msg-id | 200912100343.nBA3hNV05382@momjian.us |
In response to | Re: Adding support for SE-Linux security (Robert Haas <robertmhaas@gmail.com>) |
Responses | Re: Adding support for SE-Linux security |
List | pgsql-hackers |

Robert Haas wrote:
> On Wed, Dec 9, 2009 at 5:38 PM, Bruce Momjian <bruce@momjian.us> wrote:
> > If you want to avoid all good reasons for this feature and are looking
> > for reasons why this patch is a bad idea, I am sure you can find them.
>
> You seem to be suggesting that our reactions are pure obstructionism,
> or that they have an ulterior motive.

I am merely stating that this is the same as the Win32 port, and that there are many reasons to believe the SE-PostgreSQL patch will cause all sorts of problems --- this is not a surprise. I am giving a realistic analysis of the patch --- if people want to say that thinking of it as two separate patches that have to be maintained separately is a terrible idea, I have no reply except to say that realistically that is the only possible direction I see for this feature in the short term. Few Postgres people modifying the permissions system are going to understand how to modify SE-Linux support routines to match their changes.

I got a similar reaction when I wanted to do the Win32 port, and the reasons not to do it were similar to the ones I am hearing now. Finally the agreement was that I could attempt the Win32 port as long as I didn't destabilize the rest of the code --- not exactly a resounding endorsement. Looking back I think everyone is glad we did the port, but at the time there wasn't much support.

I got the same reaction to pg_migrator. I am having trouble figuring out when I should heed community concerns, and when the concerns are merely because the task is hard/messy/difficult. Frankly, we don't analyze hard/messy/difficult tasks very well.

Now, I am not saying that the SE-PostgreSQL patch should be pursued, but I am saying that we shouldn't avoid it for these reasons, because sometimes hard/messy/difficult is necessary to accomplish dramatic software advances.

--
Bruce Momjian <bruce@momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +