KaiGai Kohei wrote:
> >> If you have anything to comment for the patches, could you disclose it?
> >> It is not necessary to be a comprehensive one. Don't hesitate to submit.
> >
> > I looked over the patch and was wondering why you chose to have a
> > configure option to disable row-level ACLs.
>
> There are no explicit reasons.
> I thought it was natural, as if we can build Linux kernel without any
> enhanced security features (SELinux, SMACK and so on).
>
> I don't oppose to elimination of "--disable-row-acl" options, however,
> it is not clear for me whether it should be unavoidable selection in
> the future, or not.
Look at the existing configure options; we don't remove features via
configure unless it is for some platform-specific reason. Please remove
the configure option and make it always enabled. The way it should work
is that the feature is always enabled, and some SQL-level commands
should throw an appropriate error if SE-Linux is enabled in the build.
> > I assume that could just be always enabled.
>
> It is not "always" enabled. When we build it with SE-PostgreSQL feature,
> rest of enhanced security features (includes the row-level ACL) are
> disabled automatically, as we discussed before.
Oh. Is that because we use SE-Linux row-level security when
SE-PostgreSQL is enabled? I guess that makes sense.
-- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB
http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +