| From: | KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp> |
|---|---|
| To: | Stephen Frost <sfrost(at)snowman(dot)net> |
| Cc: | Robert Haas <robertmhaas(at)gmail(dot)com>, pgsql-hackers(at)postgresql(dot)org, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com> |
| Subject: | Re: security label support, part.2 |
| Date: | 2010-08-15 00:34:47 |
| Message-ID: | 4C673627.3090405@kaigai.gr.jp |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
(2010/08/15 9:16), Stephen Frost wrote:
> * KaiGai Kohei (kaigai(at)kaigai(dot)gr(dot)jp) wrote:
>> Yep, rte->requiredPerms of inherited relations are cleared on the
>> expand_inherited_rtentry() since the v9.0, so we cannot know what
>> kind of accesses are required on the individual child relations.
>
> This is really a PG issue and decision, in my view. We're moving more
> and more towards a decision that inherited relations are really just the
> same relation but broken up per tables (ala "true" partitioning). As
> such, PG has chosen to view them as the same wrt permissions checking.
> I don't think we should make a different decision for security labels.
> If you don't want people who have access to the parent to have access to
> the children, then you shouldn't be making them children.
>
No, what I want to do is people have identical access rights on both of
the parent and children. If they have always same label, SE-PgSQL always
makes same access control decision. This behavior is suitable to the
standpoint that inherited relations are really just the same relation
of the parent. For this purpose, I want to enforce a unique label on
a certain inheritance tree.
Thanks,
--
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Robert Haas | 2010-08-15 00:55:24 | Re: security label support, part.2 |
| Previous Message | Stephen Frost | 2010-08-15 00:16:16 | Re: security label support, part.2 |