Re: 8.4 release planning
| From | Joshua Brindle |
|---|---|
| Subject | Re: 8.4 release planning |
| Date | |
| Msg-id | 497F67E7.908@manicmethod.com |
| In response to | Re: 8.4 release planning (Stephen Frost <sfrost@snowman.net>) |
| Responses | Re: 8.4 release planning |
| List | pgsql-hackers |

Stephen Frost wrote:
> * Joshua Brindle (method@manicmethod.com) wrote:
>> They are separate. If you look at the patches you'll see a pgace part,
>> this is where the core interfaces to the security backends, and you'll
>> see a rowacl backend and an sepgsql backend.
>
> Right, guess it wasn't clear to me that the PGACE bits for row-level
> access control could be used independently of SELinux (and maybe even on
> systems that don't have SELinux..?).
>
Sure, if you look at pgaceHooks.c you'll see:
bool
pgaceExecScan(Scan *scan, Relation rel, TupleTableSlot *slot)
{
	/* Hardwired DAC checks */
	if (!rowaclExecScan(scan, rel, slot))
		return false;

	switch (pgace_feature)
	{
#ifdef HAVE_SELINUX
		case PGACE_FEATURE_SELINUX:
			if (sepgsqlIsEnabled())
				return sepgsqlExecScan(scan, rel, slot);
			break;
#endif
		default:
			break;
	}
	return true;
}
Notice the rowacl call outside of the HAVE_SELINUX ifdefs