Re: Adding support for SE-Linux security

On Wed, Dec 9, 2009 at 1:44 AM, Magnus Hagander <magnus@hagander.net> wrote:
> 2009/12/9 Bruce Momjian <bruce@momjian.us>:
>> I frankly think the patch should be thought of as the SE-Linux-specific
>> directory files, which KaiGai can maintain, and the other parts, which I
>> think I can handle.
>
> I think that's a horribly bad idea.

Me, too.  The ECPG comparison is apt, except that this code is far
more deeply integrated into core.  The idea that the SE-Linux
directory files can be maintained separately from the "other parts"
does not seem realistic to me.  The problems that are going to occur
here are things like: somebody wants to rearrange some part of the
permissions checking for some reason.  So they move a bunch of code
around and break SE-PostgreSQL.  Someone has to review that patch and
understand the danger it causes.  That's going to require
understanding both the SE-PostgreSQL-specific files and the other
parts, and the relationship between the two of them.

...Robert