Re: security label support, part.2

From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Kevin Grittner <Kevin(dot)Grittner(at)wicourts(dot)gov>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: security label support, part.2
Date: 2010-08-17 18:07:18
Message-ID: AANLkTimMzCagPgVZgve7yD1UK_CapSiXjn=pBFbYiGhQ@mail.gmail.com
Lists: pgsql-hackers

On Tue, Aug 17, 2010 at 1:50 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> No..  and I'm not sure we ever would.  What we *have* done is removed
> all permissions checking on child tables when a parent is being
> queried..

Yeah. I'm not totally sure that is sensible for a MAC environment.
Heck, it's arguably incorrect (though perhaps quite convenient) in a
DAC environment. Anyway, I wonder if it would be sensible to try to
adjust the structure of the DAC permissions checks so enhanced
security providers can make their own decision about how to handle
this case.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise Postgres Company
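
The behaviour discussed in the message above, as an added illustration that is not part of the original thread: querying a parent table checks only the parent's ACL, so a role with no grant on a child table still reads the child's rows through the parent. It assumes PostgreSQL 9.0 or later; the role and table names (reader, parent_t, child_t) are constructed for the example, and the final catalog query is one way to audit for such parent/child privilege mismatches.

```sql
-- Constructed sample objects (names are assumptions, not from the thread).
CREATE ROLE reader;
CREATE TABLE parent_t (id int, note text);
CREATE TABLE child_t () INHERITS (parent_t);

INSERT INTO parent_t VALUES (1, 'row stored in parent_t');
INSERT INTO child_t  VALUES (2, 'row stored in child_t');

-- DAC grant on the parent only; nothing is granted on child_t.
GRANT SELECT ON parent_t TO reader;

SET ROLE reader;

-- Inheritance scan: only parent_t's ACL is checked, so both rows come back,
-- including the one physically stored in child_t.
SELECT id, note FROM parent_t ORDER BY id;

-- ONLY restricts the scan to the parent itself: one row.
SELECT id, note FROM ONLY parent_t;

-- Direct access to the child is still subject to the child's own ACL.
-- A plain "SELECT * FROM child_t" as reader is rejected with a
-- permission-denied error; the privilege functions show the same state:
SELECT has_table_privilege('reader', 'parent_t', 'SELECT') AS parent_ok,
       has_table_privilege('reader', 'child_t',  'SELECT') AS child_ok;

RESET ROLE;

-- Audit: every (role, child) pair where the role can SELECT the parent but
-- not the child, i.e. where child rows are reachable only via the parent.
SELECT r.rolname,
       i.inhparent::regclass AS parent_table,
       i.inhrelid::regclass  AS child_table
FROM pg_inherits AS i
CROSS JOIN pg_roles AS r
WHERE has_table_privilege(r.oid, i.inhparent, 'SELECT')
  AND NOT has_table_privilege(r.oid, i.inhrelid, 'SELECT')
ORDER BY r.rolname, parent_table, child_table;

-- Cleanup of the constructed objects.
DROP TABLE child_t;
DROP TABLE parent_t;
DROP ROLE reader;
```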
