Re: [0/4] Proposal of SE-PostgreSQL patches
From | Dawid Kuroczko |
---|---|
Subject | Re: [0/4] Proposal of SE-PostgreSQL patches |
Date | |
Msg-id | 758d5e7f0806020309t2028fd90r52826146901813de@mail.gmail.com |
In response to | Re: [0/4] Proposal of SE-PostgreSQL patches (KaiGai Kohei <kaigai@ak.jp.nec.com>) |
List | pgsql-hackers |

On Wed, May 7, 2008 at 7:52 AM, KaiGai Kohei <kaigai@ak.jp.nec.com> wrote:

> Tom, Thanks for your reviewing.

>> The patch hasn't got a mode in which SELinux support is compiled in but
>> not active. This is a good way to ensure that no one will ever ship
>> standard RPMs with the feature compiled in, because they will be entirely
>> nonfunctional for people who aren't interested in setting up SELinux.
>> I think you need an "enable_sepostgres" GUC, or something like that.
>> (Of course, the overhead of the per-row security column would probably
>> discourage anyone from wanting to use such a configuration anyway,
>> so maybe the point is moot.)

> We can turn on/off SELinux globally, not bounded to SE-PostgreSQL.
> The reason why I didn't provide a mode bit like "enable_sepostgresql"
> is to keep consistency in system configuration.

Hmm, I think ACE should be a CREATE DATABASE parameter. If I were to create a SE-database I would wish that disabling it was more difficult than changing a GUC in database. And being able to set it on per-database basis would help get SE/ACE enabled by packagers.

Regards,
Dawid

--
Solving [site load issues] with [more database replication] is a lot like solving your own personal problems with heroin - at first it sorta works, but after a while things just get out of hand.