On Sat, Jul 25, 2009 at 11:06:37AM -0400, Tom Lane wrote:
> There had better still be superusers. Or do you want the correctness
> of your backups to depend on whether your SELinux policy is correct?
I thought the whole point of MAC was that superusers don't exist any
more--at least not with the power they currently do. Organizations may
well not trust specific parts of their database to certain types of
backups, SE-PG should allow this to be controlled somewhat.
> The first time somebody loses critical data because SELinux suppressed
> it from their pg_dump output, they're going to be on the warpath.
That should be solved by different methods; as "A.M" said pg_dump can
complain if it doesn't see everything it expected to (which should
handle the naive user case) and backdoors can be put in the scheme
that will (by default?) initially allow a "backup" subject unfettered
read-only access to each object. I'm expecting that this access can be
revoked as needed from sensitive tables.
-- Sam http://samason.me.uk/