Re: [v9.2] Object access hooks with arguments support (v1)

On Tue, Nov 1, 2011 at 1:32 PM, Kohei KaiGai <kaigai@kaigai.gr.jp> wrote:
> I tried to summarize permission checks of DAC/MAC on several object classes
> that are allowed to assign security label right now.
> http://wiki.postgresql.org/index.php?title=SEPostgreSQL/Permissions
>
> In most of checks, required contextual information by SELinux are commonly
> used to DAC also, as listed.

What's up with this:

"a flag to inform whether CASCADE or RESTRICT"

That doesn't seem like it should be needed.

We should consider whether CREATE TABLE should be considered to
consist of creating a table and then n attributes, rather than trying
to shove the attribute information wholesale into the create table
check.

> I guess DROP or some of ALTER code reworking should be done prior to
> deploy object_access_hook around their permission checks, to minimize
> maintain efforts.

+1.

-- 
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise PostgreSQL Company