Re: add a MAC check for TRUNCATE

From Kohei KaiGai
Subject Re: add a MAC check for TRUNCATE
Date
Msg-id CAOP8fzbfhrbfv-7+N8YvPxEsvKF1oxg8QNaJCmPg=g1NQ6uJTA@mail.gmail.com
discussion source text
In reply to add a MAC check for TRUNCATE  (Yuli Khodorkovskiy <yuli.khodorkovskiy@crunchydata.com>)
Responses Re: add a MAC check for TRUNCATE  (Stephen Frost <sfrost@snowman.net>)
Re: add a MAC check for TRUNCATE  (Yuli Khodorkovskiy <yuli.khodorkovskiy@crunchydata.com>)
List pgsql-hackers
Hello Yuli,

On Thu, Jul 25, 2019 at 3:52, Yuli Khodorkovskiy <yuli.khodorkovskiy@crunchydata.com> wrote:
> Since all DAC checks should have corresponding MAC, this patch adds a
> hook to allow extensions to implement a MAC check on TRUNCATE. I have
> also implemented this access check in the sepgsql extension.
>
> One important thing to note is that refpolicy [1] and Redhat based
> distributions do not have the SELinux permission for db_table {truncate}
> implemented.
>
How is the db_table:{delete} permission different from truncate?
From the standpoint of data access, TRUNCATE is equivalent to DELETE
without WHERE, isn't it?
Of course, there are some differences between them. TRUNCATE takes
exclusive locks and eliminates the underlying data blocks; on the other hand,
DELETE removes rows in an MVCC manner. However, both of them
eventually remove data from the target table.

I would like to recommend reusing the "db_table:{delete}" permission for TRUNCATE.
What is your opinion?

Best regards,
--
HeteroDB, Inc / The PG-Strom Project
KaiGai Kohei <kaigai@heterodb.com>
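The thread turns on whether TRUNCATE needs its own MAC permission or can reuse delete. The following SQL session is an added example, not part of the original thread or of the sepgsql patch under discussion: it shows that PostgreSQL's existing DAC layer already treats TRUNCATE as a privilege distinct from DELETE (the "D" bit in an aclitem, as opposed to "d" for DELETE), which is the asymmetry the proposed hook is meant to let MAC providers mirror. The role and table names are constructed for the example; run it as a superuser in a scratch database.

```sql
-- Added example (constructed names): DAC in PostgreSQL distinguishes DELETE from TRUNCATE.
CREATE ROLE app_writer LOGIN;                              -- constructed role
CREATE TABLE audit_events (id serial PRIMARY KEY, payload text);  -- constructed table
INSERT INTO audit_events (payload) VALUES ('first'), ('second');

-- Grant row-level removal, but deliberately not TRUNCATE.
GRANT SELECT, DELETE ON audit_events TO app_writer;

-- Both checks below report what the DAC layer will enforce for this role.
SELECT has_table_privilege('app_writer', 'audit_events', 'DELETE');    -- t
SELECT has_table_privilege('app_writer', 'audit_events', 'TRUNCATE');  -- f

SET ROLE app_writer;
-- DELETE without WHERE: allowed, goes through MVCC and row-level triggers,
-- takes only a ROW EXCLUSIVE lock.
DELETE FROM audit_events;
-- TRUNCATE: rejected by DAC even though the table is already empty,
-- because the privilege is separate. Expected:
--   ERROR:  permission denied for table audit_events
TRUNCATE audit_events;
RESET ROLE;

-- Granting the separate privilege is what makes TRUNCATE succeed.
GRANT TRUNCATE ON audit_events TO app_writer;
SET ROLE app_writer;
-- Now permitted; takes an ACCESS EXCLUSIVE lock and drops the data
-- blocks rather than marking rows dead, which is why it is not MVCC-safe.
TRUNCATE audit_events;
RESET ROLE;

-- Inspect the aclitem: 'd' is DELETE, 'D' is TRUNCATE.
SELECT relacl FROM pg_class WHERE relname = 'audit_events';

-- Cleanup.
DROP TABLE audit_events;
DROP ROLE app_writer;
```

The point for a MAC provider is the second `has_table_privilege` call: DAC can say "may delete rows" while still saying "may not truncate", so reusing db_table:{delete} for TRUNCATE would make the MAC layer coarser than the DAC layer it is supposed to shadow, whereas a separate permission lets policy match the existing DAC split.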



In the pgsql-hackers list by date sent:

Previous
From: Tom Lane
Date:
Subject: Re: pg_dump --exclude-* options documentation
Next
From: Etsuro Fujita
Date:
Subject: Re: Problem while updating a foreign table pointing to a partitioned table on foreign server