Stephen Frost wrote:
> * Joshua Brindle (method@manicmethod.com) wrote:
>> They are separate. If you look at the patches you'll see a pgace part,
>> this is where the core interfaces to the security backends, and you'll
>> see a rowacl backend and an sepgsql backend.
>
> Right, guess it wasn't clear to me that the PGACE bits for row-level
> access control could be used independently of SELinux (and maybe even on
> systems that don't have SELinux..?).
>
Sure, if you look at pgaceHooks.c you'll see:

bool
pgaceExecScan(Scan *scan, Relation rel, TupleTableSlot *slot)
{
    /* Hardwired DAC checks */
    if (!rowaclExecScan(scan, rel, slot))
        return false;

    switch (pgace_feature)
    {
#ifdef HAVE_SELINUX
        case PGACE_FEATURE_SELINUX:
            if (sepgsqlIsEnabled())
                return sepgsqlExecScan(scan, rel, slot);
            break;
#endif
        default:
            break;
    }
    return true;
}

Notice the rowacl call outside of the HAVE_SELINUX ifdefs.