From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com> |
Cc: | KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: [PATCH] SE-PgSQL/lite rev.2163 |
Date: | 2009-07-16 04:15:03 |
Message-ID: | 011DCE38-C149-45CF-91EB-E131C0A875BE@gmail.com |
Lists: | pgsql-hackers |
On Jul 15, 2009, at 11:41 PM, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com> wrote:
> Robert Haas wrote:
>> 2009/7/15 KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>:
>>> Robert Haas wrote:
>>>> 2009/7/14 KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>:
>>>>> On the other hand, db_schema class was designed as an analogy to
>>>>> directory in filesystems. SELinux defines several permissions on
>>>>> "dir" object class, such as "add_name", "remove_name" and
>>>>> "search".
>>>> I think that's a bad analogy and you need to make the permission
>>>> names match the way PostgreSQL handles schema permissions generally.
>>>> There's only so many times and ways to say this...
>>> OK...
>>> I can replace "search" by "usage".
>>>
>>> Do you have any alternative ideas for "add_name" and "remove_name"?
>>
>> Aack! Come on! Use whatever names those permissions already have!
>> If there are no corresponding names, then rip them out!!!
>
> OK, I'll rip definitions of unused SELinux's permissions from
> the permission table of SE-PgSQL.
>
> Is it correct for what you say?

So the point we keep repeating here is that SEPostgreSQL should be
doing the same kinds of permissions checks as regular PostgreSQL using
the same names, code paths, etc. I don't know how to say it any more
clearly than that.

I will read through your latest version soon.

...Robert