Simon Riggs wrote:
>>> Another way would be to include a security context in all newly
>> created
>>> tuples, but remove it during heap_update, heap_insert etc if it is
>>> unused by the relation. That seems more straightforward.
>> It is not a reasonable option.
>>
>> The length of HeapTupleData is determined during heap_form_tuple(),
>> and it is unchanged later. Thus, we have to interpose here, as object
>> identifier doing.
>
> Currently yes. Is there a reason not to? Do we rely on the tuple length
> staying same after those operations?
>
> Just considering multiple ways of making the context optional.
Indeed, we can consider several options.
However, I don't want to change existing semantics in the core implementation
as far as possible. If we have to choose one of them, I prefer to add TupleDesc
a bool variable to show necessity of security field, because it requires many
points to be updated, but most of them are obvious.
Anyway, I've started to work with the prior approach.
Now we have less than two weeks remained in the CommitFest:Nov, so we have
no time to be spent uselessly.
>>> SUSE?
>> The "u" might be a large-letter.
>
> Sorry, I wasn't correcting your spelling! :-)
> I was asking whether Su/USE are definitely supporting SELinux now? I
> have not heard that.
It is a recent news.
http://news.opensuse.org/2008/08/20/opensuse-to-add-selinux-basic-enablement-in-111/
The openSUSE pressed they start to support SELinux, not only AppArmor.
However, I don't have enough information for the roadmap of SUSE Enterprise Server
which is a production version of Novell.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>