Adding support for SE-Linux security
in [PgSql]
|
From: Ron Mayer on 11 Dec 2009 20:54 Bruce Momjian wrote: > Well, the bottom line is that this effort should grow the development > and user community of Postgres --- it if doesn't, it is a failure. Really? Even if it only allows existing Postgres users and companies to expand their use into higher security applications IMHO it's a success. If a main goal were increasing users, implementing MySQL-isms and MSFTSqlServer-isms would seem the biggest bang for the buck. -- Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
From: Stephen Frost on 12 Dec 2009 12:10 * Robert Haas (robertmhaas(a)gmail.com) wrote: > > Allow me to assist- y is never in a structure once you're out of the > > parser: > > Well this is why you're writing the patch and not me. :-) Sure, just trying to explain why your suggestion isn't quite the direction that probably makes the most sense.. At least for args which come from the parser. > What exactly do you mean by a SubOID? I'm not really following that part. Sorry, it's basically things like attnum, check the dependency code for example usage. It's "this is something we need to track due to dependencies but it's at a level below OID", or perhaps "a component of an object which has an OID"- specifically: a column of a table. The table has an OID, but the column does not. To uniquely identify the column you need both the OID and the 'SubOID'/attnum. Thanks, Stephen
From: Stephen Frost on 12 Dec 2009 12:12 * Tom Lane (tgl(a)sss.pgh.pa.us) wrote: > Robert Haas <robertmhaas(a)gmail.com> writes: > > What exactly do you mean by a SubOID? I'm not really following that part. > > I assume he's talking about the object reference representation used in > pg_depend, which is actually class OID + object OID + sub-object ID. > The only object type that has sub-objects at the moment is tables, > wherein the sub-objects are columns and the sub-object IDs are column > numbers. The sub-object ID is zero for all other cases. You're right, of course, but for some reason I thought that there was another usage of it besides just the table/column case. Thanks, Stephen
From: Stephen Frost on 12 Dec 2009 14:30 * Stephen Frost (sfrost(a)snowman.net) wrote: > * Tom Lane (tgl(a)sss.pgh.pa.us) wrote: > > I assume he's talking about the object reference representation used in > > pg_depend, which is actually class OID + object OID + sub-object ID. > > The only object type that has sub-objects at the moment is tables, > > wherein the sub-objects are columns and the sub-object IDs are column > > numbers. The sub-object ID is zero for all other cases. > > You're right, of course, but for some reason I thought that there was > another usage of it besides just the table/column case. Ah, I realize what I was thinking about now.. The dependency system has two flavors (pg_depend and pg_shdepend). We had SubIDs for columns in pg_depend but not pg_shdepend- until column-level privs were added which meant we could have roles depend on columns (due to privileges on that column). To clarify- pg_depend is for database dependencies while pg_shdepend is for cluster dependencies. Thanks, Stephen
From: Stephen Frost on 13 Dec 2009 08:32
* Bruce Momjian (bruce(a)momjian.us) wrote: > I am not replying to many of these emails so I don't appear to be > brow-beating (forcing) the community into accepting this features. I > might be brow-beating the community, but I don't want to _appear_ to be > brow-beating. ;-) My apologies if I come across this way- I don't intend to... But I'm also very enthusiastic about this. Also, it's become a much more personal issue for me due to this: http://csrc.nist.gov/news_events/documents/omb/draft-omb-fy2010-security-metrics.pdf OMB is now looking to include label-based security in their metrics. This directly impacts some of the PG-based systems I run. Thanks, Stephen |