Re: How to get SE-PostgreSQL acceptable

Bruce Momjian wrote:
> KaiGai Kohei wrote:
>>> Hasn't a plan for this already been posted? See 
>>> http://archives.postgresql.org/pgsql-hackers/2009-01/msg02407.php
>> FYI:
>>
>> * previous full-functional SE-PostgreSQL/Row-ACLs
>>
>> [kaigai@fedora10 security]$ wc -l *.c */*.c
>>     729 pgaceCommon.c
>>    1547 pgaceHooks.c
>>     721 rowacl/rowacl.c
>>    1200 sepgsql/avc.c
>>     623 sepgsql/core.c
>>    1019 sepgsql/hooks.c
>>     785 sepgsql/permissions.c
>>    1097 sepgsql/proxy.c
>>    7721 total
>>
>> * A lite SE-PostgreSQL without row-level security,
>>    large object support, writable system column
>>
>> [kaigai@fedora10 sepgsql]$ wc -l *.c
>>     904 checker.c
>>    1181 avc.c
>>     360 core.c
>>      55 dummy.c
>>     683 hooks.c
>>     478 label.c
>>     553 perms.c
>>    4214 total
>>
>> Today, I'll debug the modified code...
> 
> Wow, that was fast.  Where are you storing the security information for
> tables and columns?  Did you add a special column to pg_class, etc?

Security information is stored within padding field of HeapTupleHeader
as we did. It can be fetched via sepgsql_(table|column|...)_getcon()
functions, and can be set via SECURITY_LABEL = 'xxx'.

-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>