Re: Updates of SE-PostgreSQL 8.4devel patches (r1168)

Поиск
Список
Период
Сортировка
От Bruce Momjian
Тема Re: Updates of SE-PostgreSQL 8.4devel patches (r1168)
Дата
Msg-id 200811012239.mA1MdjR21714@momjian.us
обсуждение исходный текст
Ответ на Updates of SE-PostgreSQL 8.4devel patches (r1168)  (KaiGai Kohei <kaigai@ak.jp.nec.com>)
Ответы Re: Updates of SE-PostgreSQL 8.4devel patches (r1168)  ("Joshua D. Drake" <jd@commandprompt.com>)
Re: Updates of SE-PostgreSQL 8.4devel patches (r1168)  (KaiGai Kohei <kaigai@kaigai.gr.jp>)
Список pgsql-hackers
Дерево обсуждения 
KaiGai Kohei wrote:
> I've updated my patches, it contains a few bugfixes.
> 
> [1/6] http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r1168.patch
> [2/6] http://sepgsql.googlecode.com/files/sepostgresql-pg_dump-8.4devel-3-r1168.patch
> [3/6] http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r1168.patch
> [4/6] http://sepgsql.googlecode.com/files/sepostgresql-docs-8.4devel-3-r1168.patch
> [5/6] http://sepgsql.googlecode.com/files/sepostgresql-tests-8.4devel-3-r1168.patch
> [6/6] http://sepgsql.googlecode.com/files/sepostgresql-row_acl-8.4devel-3-r1168.patch
> 
> The comprehensive documentation for SE-PostgreSQL is here:
>    http://wiki.postgresql.org/wiki/SEPostgreSQL (it is now under reworking.)
> 
> List of updates:
> - Patches are rebased to the latest CVS HEAD.
> - bugfix: permission checks are ignored for per statement trigger functions
> - bugfix: per-statement trigger function ignored trusted function configuration
> - bugfix: not a proper permission check on lo_export(xxx, '/dev/null')
> 
> > Request for Comments:
> > - The 4th patch is actually needed? It can be replaced by wiki page.
> > - Do you think anything remained towards the final CommitFest?
> > - Do you have any reviewing comment? Most of patches are unchanged from
> >   the previous vesion. If you can comment anything, I can fix them without
> >   waiting for the final commit fest.

I just looked over the patch.  This new version with row-level SQL
security has certainly reduced the SE-Linux-specific part, which is
good.

It was interesting how you implemented SQL-level column-level
permissions:
CREATE TABLE customer (    cid     integer primary key,    cname   varchar(32),    credit  varchar(32)
SECURITY_CONTEXT= 'system_u:object_r:sepgsql_secret_table_t');
 

I am unclear how that will behave with the column-level permissions
patch someone is working on.  I am wondering if your approach is clearer
than the other patch because it gives a consistent right policy for rows
and columns.

I was wondering why you mention the NSA (U.S. National Security Agency)
in the patch?
+# NSA SELinux support

The size of the patch is still larger but I don't see any way to reduce it:
   1275 sepostgresql-docs-8.4devel-3-r1168.patch    625 sepostgresql-pg_dump-8.4devel-3-r1168.patch    829
sepostgresql-policy-8.4devel-3-r1168.patch  1736 sepostgresql-row_acl-8.4devel-3-r1168.patch  10847
sepostgresql-sepgsql-8.4devel-3-r1168.patch  1567 sepostgresql-tests-8.4devel-3-r1168.patch  16879 total
 

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + If your life is a hard drive, Christ can be your backup. +

В списке pgsql-hackers по дате отправления:

Предыдущее
От: "Vladimir Sitnikov"
Дата:
Сообщение: Re: contrib/pg_stat_statements v2
Следующее
От: "Joshua Tolley"
Дата:
Сообщение: Re: Proposed Patch to Improve Performance of Multi-Batch Hash Join for Skewed Data Sets