Re: 8.4 release planning

From: Tom Lane
Subject: Re: 8.4 release planning
Date:
Msg-id: 22847.1233088356@sss.pgh.pa.us
In reply to: Re: 8.4 release planning  (Ron Mayer <rm_pg@cheapcomplexdevices.com>)
List: pgsql-hackers
Ron Mayer <rm_pg@cheapcomplexdevices.com> writes:
> Tom Lane wrote:
>> This seems to me to be exactly parallel to deciding that SELinux should
>> control only table/column permissions within SQL; an approach that would
>> be enormously less controversial, less expensive, and more reliable than
>> what SEPostgres tries to do.

> With the table/column approach, could users who needed some row-level
> capabilities work around this easily by setting table-level access
> control on partitions?

Yeah, the same thing had just occurred to me.  We currently throw an
error if a user doesn't have permissions on every partition (child
table), but perhaps that behavior could be adjusted.  Ignoring
unreadable children would provide behavior pretty similar to that
proposed by SEPostgres.

To some extent that just postpones the semantic pain until the day when
we try to do unique and FK constraints that span partitions.  However,
I think (after only minimal thought) that that will only re-introduce
the covert-channel issue, which Joshua has already stated to be
acceptable.
        regards, tom lane
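
The trade-off discussed in the message above, as an added Python model that is not part of the original post and is not PostgreSQL code: per-partition read permissions give row-level-like filtering when unreadable children are skipped, while a unique constraint spanning partitions lets a duplicate-key error reveal a key the user cannot read. All class, function and table names are hypothetical, the sample data is constructed, and write permission on the target child is assumed.

```python
# Toy model, not PostgreSQL code: a parent table whose partitions
# (child tables) each carry their own set of users allowed to SELECT.
class UniqueViolation(Exception):
    pass

class PartitionedTable:
    def __init__(self):
        self.children = {}  # child name -> {"readers": set, "keys": list}

    def add_child(self, name, readers, keys=()):
        self.children[name] = {"readers": set(readers), "keys": list(keys)}

    def select_strict(self, user):
        """Error out if any child is unreadable (behaviour the message calls current)."""
        for name, child in self.children.items():
            if user not in child["readers"]:
                raise PermissionError(f"permission denied for relation {name}")
        return sorted(k for c in self.children.values() for k in c["keys"])

    def select_filtered(self, user):
        """Silently skip unreadable children (the adjustment being floated)."""
        return sorted(k for c in self.children.values()
                      if user in c["readers"] for k in c["keys"])

    def insert(self, child, key):
        """Insert under a unique constraint spanning every partition."""
        # Uniqueness has to consult all children, readable or not.
        for c in self.children.values():
            if key in c["keys"]:
                raise UniqueViolation(f"duplicate key {key}")
        self.children[child]["keys"].append(key)

def insert_reveals_hidden_key(table, user, child, key):
    """True if a duplicate-key error exposes a key the user cannot SELECT."""
    visible = table.select_filtered(user)
    try:
        table.insert(child, key)  # assumes user may write to `child`
    except UniqueViolation:
        return key not in visible
    return False

def build_sample():
    """Constructed sample: alice reads one partition, bob reads both."""
    t = PartitionedTable()
    t.add_child("orders_public", {"alice", "bob"}, [1, 2])
    t.add_child("orders_secret", {"bob"}, [3])
    return t
```
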

