Re: security label support, part.2

From KaiGai Kohei
Subject Re: security label support, part.2
Date
Msg-id 4C673627.3090405@kaigai.gr.jp
In reply to Re: security label support, part.2  (Stephen Frost <sfrost@snowman.net>)
Responses Re: security label support, part.2  (Robert Haas <robertmhaas@gmail.com>)
List pgsql-hackers
(2010/08/15 9:16), Stephen Frost wrote:
> * KaiGai Kohei (kaigai@kaigai.gr.jp) wrote:
>> Yep, rte->requiredPerms of inherited relations are cleared on the
>> expand_inherited_rtentry() since the v9.0, so we cannot know what
>> kind of accesses are required on the individual child relations.
> 
> This is really a PG issue and decision, in my view.  We're moving more
> and more towards a decision that inherited relations are really just the
> same relation but broken up per tables (ala "true" partitioning).  As
> such, PG has chosen to view them as the same wrt permissions checking.
> I don't think we should make a different decision for security labels.
> If you don't want people who have access to the parent to have access to
> the children, then you shouldn't be making them children.
> 
No, what I want is for people to have identical access rights on both
the parent and the children. If they always have the same label, SE-PgSQL
always makes the same access control decision. This behavior suits the
standpoint that inherited relations are really just the same relation
as the parent. For this purpose, I want to enforce a unique label on
a certain inheritance tree.

Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>

