Re: 8.4 release planning
| From | KaiGai Kohei |
|---|---|
| Subject | Re: 8.4 release planning |
| Date | |
| Msg-id | 497FCCEE.2000803@ak.jp.nec.com |
| In reply to | Re: 8.4 release planning (Joshua Brindle <method@manicmethod.com>) |
| List | pgsql-hackers |
Joshua Brindle wrote:
> Stephen Frost wrote:
>> * Joshua Brindle (method@manicmethod.com) wrote:
>>> They are separate. If you look at the patches you'll see a pgace
>>> part, this is where the core interfaces to the security backends, and
>>> you'll see a rowacl backend and an sepgsql backend.
>>
>> Right, guess it wasn't clear to me that the PGACE bits for row-level
>> access control could be used independently of SELinux (and maybe even on
>> systems that don't have SELinux..?).
>>
>
> Sure, if you look at pgaceHooks.c you'll see:

It is basically possible to implement something like "PostgreSQL Label
Security" on the PGACE framework. But I don't want to discuss it now,
because it would surely burst SE-PostgreSQL until v8.4 beta.
If desired, I'll queue it on my todo list next to SE-PostgreSQL...

> bool
> pgaceExecScan(Scan *scan, Relation rel, TupleTableSlot *slot)
> {
>     /* Hardwired DAC checks */
>     if (!rowaclExecScan(scan, rel, slot))
>         return false;
>
>     switch (pgace_feature)
>     {
> #ifdef HAVE_SELINUX
>     case PGACE_FEATURE_SELINUX:
>         if (sepgsqlIsEnabled())
>             return sepgsqlExecScan(scan, rel, slot);
>         break;
> #endif
>     default:
>         break;
>     }
>     return true;
> }
>
> Notice the rowacl call outside of the HAVE_SELINUX ifdefs

FYI: In the earlier version, these were mutually exclusive, so we could not
apply SE-PostgreSQL when a binary was built with the RowAcl feature.
However, Bruce Momjian suggested that is not the proper manner in PostgreSQL,
because it intends to wrap all available features into a single binary for
the packaging benefit, and all the available options should be configured
at runtime.

In addition, IIRC, Peter E suggested it is not symmetrical that we cannot
apply both DAC and MAC on tuples simultaneously, although SE-PostgreSQL
applies MAC on tables/columns on which PostgreSQL has DAC features.

So, I added support for simultaneous DAC & MAC.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
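The composed hook discussed above, as an added C example that is not from pgaceHooks.c or the SE-PostgreSQL patches: the DAC check is hardwired and the MAC backend is a runtime choice rather than a compile-time one. The rowacl/sepgsql checks, the tuple and subject types and the sample rows are hypothetical stand-ins for the real ones.

```c
/* Added example, not code from pgaceHooks.c or the SE-PostgreSQL patches: a model
 * of the hook shape discussed above, with the rowacl DAC check hardwired and the
 * MAC backend chosen at runtime. All names are hypothetical; the rows and
 * subjects are constructed sample data. */
#include <stdbool.h>
#include <string.h>

typedef enum { PGACE_FEATURE_NONE = 0, PGACE_FEATURE_SELINUX } pgace_feature_t;
static pgace_feature_t pgace_feature = PGACE_FEATURE_NONE; /* a GUC, not a #ifdef */

typedef struct { const char *owner; int level; } tuple_t;      /* row + its label */
typedef struct { const char *name; int clearance; } subject_t; /* scanning user */

/* DAC (rowacl-like): only the row owner may read the row. Always consulted. */
bool rowacl_exec_scan(const subject_t *s, const tuple_t *t) { return strcmp(s->name, t->owner) == 0; }

/* MAC (sepgsql-like, simplified): clearance must dominate the row's level. */
bool sepgsql_exec_scan(const subject_t *s, const tuple_t *t) { return s->clearance >= t->level; }

void pgace_set_feature(pgace_feature_t f) { pgace_feature = f; }

/* Composite hook: DAC decides first and can deny; MAC, when selected, can only
 * deny further, never grant a row that DAC refused. */
bool pgace_exec_scan(const subject_t *s, const tuple_t *t)
{
    if (!rowacl_exec_scan(s, t))        /* hardwired DAC */
        return false;
    switch (pgace_feature) {
    case PGACE_FEATURE_SELINUX:         /* MAC layered on top of DAC */
        return sepgsql_exec_scan(s, t);
    default:
        break;                          /* no MAC backend selected */
    }
    return true;
}

/* Worked case: decisions for one level-3 row owned by alice, packed as bits. */
int demo_decisions(void)
{
    const tuple_t secret = { "alice", 3 };
    const subject_t alice = { "alice", 1 }, bob = { "bob", 3 };
    int bits = 0;
    pgace_set_feature(PGACE_FEATURE_NONE);
    bits |= pgace_exec_scan(&alice, &secret) ? 1 : 0; /* owner, DAC only: allowed */
    pgace_set_feature(PGACE_FEATURE_SELINUX);
    bits |= pgace_exec_scan(&alice, &secret) ? 2 : 0; /* owner, clearance 1: MAC denies */
    bits |= pgace_exec_scan(&bob, &secret) ? 4 : 0;   /* cleared non-owner: DAC denies */
    return bits;                                      /* 1 */
}
```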