Re: [PATCH] SE-PgSQL/lite rev.2163
| От | KaiGai Kohei |
|---|---|
| Тема | Re: [PATCH] SE-PgSQL/lite rev.2163 |
| Дата | |
| Msg-id | 4A5EAB4E.8000003@ak.jp.nec.com обсуждение исходный текст |
| Ответ на | Re: [PATCH] SE-PgSQL/lite rev.2163 (Robert Haas <robertmhaas@gmail.com>) |
| Список | pgsql-hackers |
Robert Haas wrote: > On Jul 15, 2009, at 11:41 PM, KaiGai Kohei <kaigai@ak.jp.nec.com> wrote: > >> Robert Haas wrote: >>> 2009/7/15 KaiGai Kohei <kaigai@ak.jp.nec.com>: >>>> Robert Haas wrote: >>>>> 2009/7/14 KaiGai Kohei <kaigai@ak.jp.nec.com>: >>>>>> On the other hand, db_schema class was designed as an analogy to >>>>>> directoty in filesystems. SELinux defines several permissions on >>>>>> "dir" object class, such as "add_name", "remove_name" and "search". >>>>> I think that's a bad analogy and you need to make the permission names >>>>> match the way PostgreSQL handles schema permissions generally. >>>>> There's only so many times and ways to says this... >>>> OK... >>>> I can replace "search" by "usage". >>>> >>>> Do you have any alternative ideas for "add_name" and "remove_name"? >>> >>> Aack! Come on! Use whatever names those permissions already have! >>> If there are no corresponding names, then rip them out!!! >> >> OK, I'll rip definitions of unused SELinux's permissions from >> the permission table of SE-PgSQL. >> >> Is it correct for what you say? > > So the point we keep repeating here is that SEPostgreSQL should be doing > the same kinds of permissions checks as regular PostgreSQL using the > same names, code paths, etc. I don't know how to say it any more clearly > than that. Thanks, it makes clear for me. > I will read through your latest version soon. > > ...Robert > -- OSS Platform Development Division, NEC KaiGai Kohei <kaigai@ak.jp.nec.com>
В списке pgsql-hackers по дате отправления: