From: | Kouhei Kaigai <kaigai(at)ak(dot)jp(dot)nec(dot)com> |
---|---|
To: | Joe Conway <mail(at)joeconway(dot)com>, Adam Brightwell <adam(dot)brightwell(at)crunchydatasolutions(dot)com> |
Cc: | Stephen Frost <sfrost(at)snowman(dot)net>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, Kohei KaiGai <kaigai(at)kaigai(dot)gr(dot)jp>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Robert Haas <robertmhaas(at)gmail(dot)com>, 张元超 <zhangyuanchao(at)highgo(dot)com>, "pgsql-hackers(at)postgresql(dot)org" <pgsql-hackers(at)postgresql(dot)org>, "adam(dot)brightwell(at)crunchydata(dot)com" <adam(dot)brightwell(at)crunchydata(dot)com> |
Subject: | Re: One question about security label command |
Date: | 2015-09-13 15:29:00 |
Message-ID: | 9A28C8860F777E439AA12E8AEA7694F801143583@BPXM15GP.gisp.nec.co.jp |
Lists: | pgsql-hackers |
Hi Joe,
The attached one is the regression test fixup in v9.2.
As we applied to v9.3 or later, it replaces the unconfined_t domain
with the self-defined sepgsql_regtest_superuser_t.
Unfortunately, I found a bug in processing the SELECT INTO statement.
Because v9.2 didn't have ObjectAccessPostCreate to inform the
context when a relation is newly created, sepgsql had
an ugly alternative at sepgsql_executor_start().
It saves the kind of statement prior to executor start, then it is
referenced when sepgsql_relation_post_create() is called.
However, T_CreateTableAsStmt was overlooked, thus it is considered
as a harmless internal operation, and no label was assigned on
the new relation.
I'm not certain why we overlooked it at that time, however, this logic
is removed and replaced in v9.3.
Thanks,
--
NEC Business Creation Division / PG-Strom Project
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
> -----Original Message-----
> From: Joe Conway [mailto:mail(at)joeconway(dot)com]
> Sent: Tuesday, September 08, 2015 10:15 AM
> To: Kaigai Kouhei(海外 浩平); Adam Brightwell
> Cc: Stephen Frost; Alvaro Herrera; Kohei KaiGai; Tom Lane; Robert Haas; 张元
> 超; pgsql-hackers(at)postgresql(dot)org; adam(dot)brightwell(at)crunchydata(dot)com
> Subject: Re: [HACKERS] One question about security label command
>
> On 09/07/2015 04:46 PM, Kouhei Kaigai wrote:
> >>>>> 3.) Rework patch for 9.2 (Kohei)
> >>
> > Could you wait for the next Monday?
> > I'll try to work this in the next weekend.
>
> Sure, that would be great.
>
> Joe
>
> --
> Crunchy Data - http://crunchydata.com
> PostgreSQL Support for Secure Enterprises
> Consulting, Training, & Open Source Development
Attachment | Content-Type | Size |
---|---|---|
sepgsql-fixup-regtest-policy.v9.2.patch | application/octet-stream | 62.0 KB |