Updates of SE-PostgreSQL 8.4devel patches (r1324)

From: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: pgsql-hackers(at)postgresql(dot)org
Cc: KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, bruce(at)momjian(dot)us, tgl(at)sss(dot)pgh(dot)pa(dot)us, simon(at)2ndQuadrant(dot)com
Subject: Updates of SE-PostgreSQL 8.4devel patches (r1324)
Date: 2008-12-17 08:22:21
Message-ID: 4948B6BD.1050402@ak.jp.nec.com
Lists: pgsql-hackers

I updated the patch set of SE-PostgreSQL and related ones (r1324).

[1/5] http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r1324.patch
[2/5] http://sepgsql.googlecode.com/files/sepostgresql-utils-8.4devel-3-r1324.patch
[3/5] http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r1324.patch
[4/5] http://sepgsql.googlecode.com/files/sepostgresql-docs-8.4devel-3-r1324.patch
[5/5] http://sepgsql.googlecode.com/files/sepostgresql-tests-8.4devel-3-r1324.patch

Draft of the SE-PostgreSQL documentation is here:
http://wiki.postgresql.org/wiki/SEPostgreSQL

List of updates:
- The patches are rebased to the latest CVS HEAD.

- Now the "sepostgresql-sepgsql-8.4devel-3-r1324.patch" contains
PGACE security framework, SE-PostgreSQL and Row-level ACLs.
So, the 6th patch has gone.

- It enables compiling multiple security features within a single binary.
  The Row-level ACLs feature is always available, and SE-PostgreSQL is
  available when we build it with the "--enable-selinux" option.

- Two new system columns ("security_acl" and "security_label") are added.
  The first one is for the Row-level ACLs, and the other is for the guest
  of the PGACE security framework chosen by the user.

- Some interfaces are changed:
  * initdb got a new option "--pgace-feature" which allows specifying
    one MAC feature, or none, on initialization of $PGDATA.
    e.g.)
    $ initdb --pgace-feature=selinux
  * pg_dump got two new options (--security-acl and --security-label)
    to dump row-level ACLs and security contexts.
  * $PGDATA/postgresql.conf has a new parameter, "pgace_feature".
    It enables users to choose an enhanced security mechanism from the
    candidates. Currently, SE-PostgreSQL is the only candidate.

- Todo item
  * Documentation updates.
    The "sepostgresql-docs-8.4devel-3-r1324.patch" is not up to date,
    because higher priority should be given to providing the patch
    set for reviewers. So, I'll update src/doc/* from now on.

Thanks,

===[ Example ]========================================================
postgres=# CREATE TABLE t1 (a int, b text) WITH (row_level_acl=on);
CREATE TABLE
postgres=# INSERT INTO t1 VALUES (1, 'aaa'), (2, 'bbb'), (3, 'ccc');
INSERT 0 3
postgres=# SELECT security_label, security_acl, * FROM t1;
              security_label              |  security_acl  | a |  b
------------------------------------------+----------------+---+-----
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai} | 1 | aaa
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai} | 2 | bbb
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai} | 3 | ccc
(3 rows)

postgres=# INSERT INTO t1 (security_acl, a, b) VALUES ('{kaigai=rw/kaigai}', 4, 'ddd');
INSERT 0 1
postgres=# INSERT INTO t1 (security_label, security_acl, a, b)
           VALUES ('system_u:object_r:sepgsql_ro_table_t:s0', '{kaigai=rx/kaigai}', 5, 'eee');
INSERT 0 1
postgres=# SELECT security_label, security_acl, * FROM t1;
              security_label              |    security_acl    | a |  b
------------------------------------------+--------------------+---+-----
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai}     | 1 | aaa
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai}     | 2 | bbb
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai}     | 3 | ccc
 unconfined_u:object_r:sepgsql_table_t:s0 | {kaigai=rw/kaigai} | 4 | ddd
 system_u:object_r:sepgsql_ro_table_t:s0  | {kaigai=rx/kaigai} | 5 | eee
(5 rows)

postgres=# UPDATE t1 SET security_label = sepgsql_set_user(security_label, 'system_u'), security_acl = '{kaigai=r/kaigai}';
UPDATE 5
postgres=# SELECT security_label, security_acl, * FROM t1;
             security_label              |   security_acl    | a |  b
-----------------------------------------+-------------------+---+-----
 system_u:object_r:sepgsql_table_t:s0    | {kaigai=r/kaigai} | 1 | aaa
 system_u:object_r:sepgsql_table_t:s0    | {kaigai=r/kaigai} | 2 | bbb
 system_u:object_r:sepgsql_table_t:s0    | {kaigai=r/kaigai} | 3 | ccc
 system_u:object_r:sepgsql_table_t:s0    | {kaigai=r/kaigai} | 4 | ddd
 system_u:object_r:sepgsql_ro_table_t:s0 | {kaigai=r/kaigai} | 5 | eee
(5 rows)

postgres=#

--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
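An added illustration (not part of the patch set or the post) of how the two system columns in the session above can be read: a small Python model that parses security_acl items of the form shown ({grantee=privs/grantor}, empty grantee meaning PUBLIC), decides whether a role may SELECT a row, and mimics the user-field swap that sepgsql_set_user() performed in the UPDATE. It models only the discretionary half; the MAC decision on security_label depends on the loaded SELinux policy and is not evaluated here. Assumed, not taken from the post: the privilege letters follow PostgreSQL's aclitem conventions (r=SELECT, w=UPDATE, a=INSERT, d=DELETE, x=REFERENCES).

```python
import re
from dataclasses import dataclass

# Assumed privilege letters, following PostgreSQL's aclitem conventions
# (r=SELECT, w=UPDATE, a=INSERT, d=DELETE, x=REFERENCES); the post does not spell them out.
PRIV_LETTERS = {"r": "SELECT", "w": "UPDATE", "a": "INSERT", "d": "DELETE", "x": "REFERENCES"}
ACLITEM_RE = re.compile(r"^(?P<grantee>[^=]*)=(?P<privs>[rwadx]*)/(?P<grantor>[^/]+)$")


@dataclass(frozen=True)
class AclItem:
    grantee: str          # "" stands for PUBLIC, as in the default '{=rwdx/kaigai}' above
    privs: frozenset
    grantor: str


def parse_acl(acl_text):
    """Parse a security_acl literal such as '{=rwdx/kaigai,alice=r/kaigai}' into AclItems."""
    body = acl_text.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("security_acl must be a {...} array literal")
    items = []
    for raw in filter(None, (s.strip() for s in body[1:-1].split(","))):
        m = ACLITEM_RE.match(raw)
        if m is None:
            raise ValueError(f"malformed aclitem: {raw!r}")
        items.append(AclItem(m["grantee"], frozenset(PRIV_LETTERS[c] for c in m["privs"]), m["grantor"]))
    return items


def acl_allows(acl_text, role, privilege):
    """True if 'role' holds 'privilege' on the row, directly or through PUBLIC."""
    return any(privilege in it.privs and it.grantee in ("", role) for it in parse_acl(acl_text))


def set_user(context, new_user):
    """Model of sepgsql_set_user(): swap the user field of a 'user:role:type:range' context."""
    parts = context.split(":")
    if len(parts) < 3 or not all(parts):
        raise ValueError(f"not an SELinux context: {context!r}")
    return ":".join([new_user] + parts[1:])


def visible_rows(rows, role):
    """Rows of (security_label, security_acl, a, b) that 'role' may SELECT under the ACL model."""
    return [r for r in rows if acl_allows(r[1], role, "SELECT")]


# Constructed sample: the five rows of t1 from the session above, after the UPDATE.
T1 = [(set_user("unconfined_u:object_r:sepgsql_table_t:s0", "system_u"), "{kaigai=r/kaigai}", i, s)
      for i, s in [(1, "aaa"), (2, "bbb"), (3, "ccc"), (4, "ddd")]]
T1.append(("system_u:object_r:sepgsql_ro_table_t:s0", "{kaigai=r/kaigai}", 5, "eee"))
```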
