On 9/6/19 11:26 AM, Yuli Khodorkovskiy wrote:
> On Fri, Sep 6, 2019 at 10:40 AM Stephen Frost <sfrost@snowman.net> wrote:
>> There are actual reasons why the 'DELETE' privilege is *not* the same as
>> 'TRUNCATE' in PostgreSQL and I'm really not convinced that we should
>> just be tossing that distinction out the window for users of SELinux. A
>> pretty obvious one is that DELETE triggers don't get fired for a
>> TRUNCATE command, but TRUNCATE also doesn't follow the same MVCC rules
>> that the rest of the system does.
>
> I do agree with you there should be a distinction between TRUNCATE and
> DELETE in the SELinux perms. I'll wait a few days for more discussion
> and send an updated patch.
+1 - I don't think there is any question about it.
Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development