Re: Reworks for Access Control facilities (r2363)
From | KaiGai Kohei |
---|---|
Subject | Re: Reworks for Access Control facilities (r2363) |
Date | |
Msg-id | 4AD94A0E.4010408@kaigai.gr.jp |
In reply to | Re: Reworks for Access Control facilities (r2363) (Greg Stark <gsstark@mit.edu>) |
List | pgsql-hackers |
Greg Stark wrote:
> 2009/10/16 KaiGai Kohei <kaigai@ak.jp.nec.com>:
>> . In addition, I already tried to put SE-PG hooks
>> within pg_xxx_aclchecks() in this CF, but it was failed due to the
>> differences in the security models.
>
> I thought the last discussion ended with a pretty strong conclusion
> that we didn't want differences in the security models.

It is not a fact.
Because the SE-PG patch is a bit large to review, I got a suggestion
to implement a part of permissions checks which can be invoked from
the pg_xxx_aclcheck() without any breaks for SELinux's security model,
at the first step.
In other words, I tried to implement only the union part of the security
models.

> The first step is to add hooks which don't change the security model
> at all, just allow people to control the existing checks from their SE
> configuration. Only as a second step we would look into making
> incremental changes to the postgres security model to add support for
> privileges SE users might expect to find, eventually possibly
> including per-row permissions.

I already did it on the first CF...
However, most of the permission checks had gone at the first step.
It was commented that it is the same as checking nothing.

Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>