On Mon, Jul 20, 2009 at 10:52:44AM -0400, Joshua Brindle wrote:
>>> Specifically, creating SELinux permissions for CREATE LANGUAGE seems
>>> particularly useless since that's not a data protection issue. The same
>>> with aggregates, operator classes, etc. ISTM the goal of SELinux is not
>>> primarily to restrict DDL but mostly to protect the data.
>
> The reason for comprehensively protecting objects isn't necessarily about
> protecting the data in the database but for limiting information flow
> between clients of differing security levels. Eg., if someone top secret
> can create language and use that to pass information down to someone
> unclassified then postgres could be used as an information downgrader
> illegitimately.
Consider the pl/pgsql language. The creation of the language must be
protected, because it involves loading shared libraries and thus could
be used to bypass the system. However, once loaded the language only
uses the internal SQL interface and thus is subject to the restrictions
imposed by the caller (except for setuid functions ofcourse).
Would you agree if the language is transparent with respect to
permissions that *usage* of the laguage doesn't need to be restricted.
I'm asking because from my position it looks like KaiGai is being
simultaneously told "you patch is too big, make it smaller" and "your
patch is not complete (with respect to some metric), make it bigger"
and we need to define a middle ground if we want to avoid the
appearence of moving goalposts.
Have a nice day,
--
Martijn van Oosterhout <kleptog@svana.org> http://svana.org/kleptog/
> Please line up in a tree and maintain the heap invariant while
> boarding. Thank you for flying nlogn airlines.