Re: sepgsql contrib module

(2011/01/20 13:01), Robert Haas wrote:
> 2011/1/19 KaiGai Kohei<kaigai(at)ak(dot)jp(dot)nec(dot)com>:
>>> And how about adding a
>>> ProcessUtility_hook to trap evil non-DML statements that some
>>> nefarious user might issues?
>>>
>> It seems to me reasonable as long as the number of controlled command
>> are limited. For example, LOAD command may be a candidate being
>> controlled without exceptions.
>> However, it will be a tough work, if the plug-in tries to parse and
>> analyze supplied utility commands by itself.
>
> I think the key is to either accept or reject the command based on
> very simple criteria - decide based only on the command type, and
> ignore its parameters.
>
I can understand this idea, however, it is hard to implement this
criteria, because SELinux describes all the rules as a relationship
between a client and object using their label, so we cannot know
what actions (typically represented in command tag) are allowed or
denied without resolving their object names.

>> I uploaded my draft here.
>> http://wiki.postgresql.org/wiki/SEPostgreSQL_Documentation
>>
>> If reasonable, I'll move them into *.sgml style.
>
> I have yet to review that, but will try to get to it before too much
> more time goes by.
>
OK, I try to translate it into *.sgml format.

>> I may want to simplify the step to installation using an installer
>> script.
>
> OK, but let's get this nailed down as soon as possible. Tempus fugit.
>
I like to give my higher priority on the ProcessUtility_hook, rather
than installation script.

Thanks,
--
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>