From: | KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com> |
---|---|
To: | Robert Haas <robertmhaas(at)gmail(dot)com> |
Cc: | KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, PgSQL-Hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: rest of works for security providers in v9.1 |
Date: | 2010-12-14 00:15:45 |
Message-ID: | 4D06B731.3090409@ak.jp.nec.com |
Lists: | pgsql-hackers |

(2010/12/14 1:03), Robert Haas wrote:
> On Mon, Dec 13, 2010 at 8:32 AM, KaiGai Kohei<kaigai(at)kaigai(dot)gr(dot)jp> wrote:
>> (2010/12/13 21:53), Robert Haas wrote:
>>> 2010/12/12 KaiGai Kohei<kaigai(at)ak(dot)jp(dot)nec(dot)com>:
>>>>
>>>> I'd like to see opinions on what facilities should be developed
>>>> in the current v9.1 development cycle.
>>>
>>> It seems to me that the next commit after the label-switcher-function
>>> patch ought to be a contrib module that implements a basic form of
>>> SE-Linux driven permissions checking. I'm pretty unexcited about
>>> continuing to add additional facilities that could be used by a
>>> hypothetical module without actually seeing that module, and I think
>>> that the label-switcher-function patch is the last piece of core
>>> infrastructure that is a hard requirement rather than "nice to have".
>>> I'd rather have a complete feature with limited capabilities than
>>> half a feature with really awesome capabilities.
>>>
>> It is good news for me also, because I didn't imagine the SE-PostgreSQL
>> module getting upstreamed, even as a contrib module.
>>
>> OK, I'll focus on the work to merge the starter version of SE-PostgreSQL
>> as a contrib module in the last commit fest.
>>
>> Probably, I need to provide its test cases and minimum documentation
>> in addition to the code itself. Anything else?
>
> Extremely detailed instructions on how to test it.
>
Indeed, it will be necessary.

Two more questions:

How does the contrib module behave when we try to make all the
contrib modules on a platform that doesn't provide libselinux?
One idea is to add a few checks about the selinux environment in
the configure script.

I counted the number of lines of the sepgsql module that implement
only the currently supported hooks. It has 3.2KL of code now.
How about the scale of the patch to review?

Thanks,
--
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>