Re: [v9.1] sepgsql - userspace access vector cache
| От | Kohei KaiGai |
|---|---|
| Тема | Re: [v9.1] sepgsql - userspace access vector cache |
| Дата | |
| Msg-id | BANLkTimdTpYAZW3-LTPDGtQV9tvA3AhEXQ@mail.gmail.com обсуждение исходный текст |
| Ответ на | Re: [v9.1] sepgsql - userspace access vector cache (Stephen Frost <sfrost@snowman.net>) |
| Ответы |
Re: [v9.1] sepgsql - userspace access vector cache
|
| Список | pgsql-hackers |
2011/6/9 Stephen Frost <sfrost@snowman.net>: > * Kohei KaiGai (kaigai@kaigai.gr.jp) wrote: >> The only modification by this patch to the core routine is a new >> syscache for pg_seclabel system catalog. The SECLABELOID enables to >> reference security label of the object using syscache interface. > > Perhaps I'm missing it, but.. why is this necessary to implement such a > cache? Also, I thought the SELinux userspace libraries provided a cache > solution? This issue is hardly unique to SELinux in PostgreSQL... > I'm concerned about its interface, although it might be suitable for X-Windows... Its avc interface identifies security context using a pointer of malloc()'ed cstring. In our case, we need to look up this security context on the hash managed by libselinux using the result of syscache lookup. It is quite nonsense. In addition, avc of libselinux confirms whether the security policy is reloaded for each avc lookup, unless we launch a system state monitoring thread. But, it is not a suitable design to launch a worker thread for each pgsql backend. Thanks, -- KaiGai Kohei <kaigai@kaigai.gr.jp>
В списке pgsql-hackers по дате отправления: