Re: Updates of SE-PostgreSQL 8.4devel patches (r1268)

Peter Eisentraut wrote:
> KaiGai Kohei wrote:
>> Peter Eisentraut wrote:
>>> On Thursday 11 December 2008 18:32:50 Tom Lane wrote:
>>>>> How can we stick all of these in the same column at the same time?
>>>> Why would we want to?
>>>
>>> Because we want to use SQL-based row access control and SELinux-based 
>>> row access control at the same time.  Isn't this exactly one of the 
>>> objections upthread?  Both must be available at the same time.
>>
>> Please make clear the meaning of "use".
>> As you said, if your concern is based on packaging/distributing issue,
>> I suggested an alternative proposal which allows to compile multiple
>> security mechanism and to choose one of them on runtime.
> 
> I would like to be able to assign SQL-level ACLs and SELinux labels to 
> the same row at the same time in the same build, and have the system 
> enforce both on top of each other.

In my opinion, it makes more pains (user-interface, performance, complexity
of implementation and so on) than its benefit which allows to support MAC
and DAC concurrently.


>>> We can debate the merits of having, say, SELinux plus Solaris TX at 
>>> the same time, but if we can have two as per previous paragraph, we 
>>> should design for several.
>>
>> What platform is available for both of SELinux and Solaris TX?
> 
> Well, Solaris, if you believe various rumours.  I agree the case for 
> this might be weak, though.

Are you saying about Solaris FMAC project?
It is a different platform from Trusted Solaris.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>