From: Robert Haas on 17 Jun 2010 08:59

2010/6/17 KaiGai Kohei <kaigai(a)ak.jp.nec.com>:
> I tried to implement a modular se-pgsql as proof-of-concept, using the DML
> permission check hook which was proposed by Robert Haas.
>
> At first, please build and install the latest PostgreSQL with this
> patch to add a hook on DML permission checks.
>  http://archives.postgresql.org/pgsql-hackers/2010-05/msg01095.php
>
> Then, check out the modular se-pgsql, as follows:
>  % svn co http://sepgsql.googlecode.com/svn/trunk/ sepgsql

This is a good start - I think with some cleanup this could be
committable, though probably it makes sense to wait until after we get
the security label infrastructure in. I suspect some code cleanup
will be needed; one thing I noticed off the top of my head was that
you didn't follow the usual style for installing hook functions in a
way that can accommodate multiple hooks. See contrib/auto_explain for
an example.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise Postgres Company

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
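
The point above about installing hook functions so that multiple hooks can coexist, as an added example that is not code from this thread, from sepgsql or from contrib/auto_explain. It is a stand-alone C model with hypothetical names (perm_check_hook, modules A and B) showing that a module which overwrites the hook pointer, instead of saving and calling the previous one, silently removes an earlier module's access check.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Stand-in for a core permission-check hook; all names are hypothetical. */
typedef bool (*perm_check_hook_type)(const char *relname);
static perm_check_hook_type perm_check_hook = NULL;

/* Core call site: no hook means allow; otherwise the hook chain decides. */
static bool core_check(const char *relname)
{
    return perm_check_hook ? perm_check_hook(relname) : true;
}

/* Module A: access-control module that denies the relation "secret". */
static perm_check_hook_type a_prev = NULL;
static bool a_check(const char *relname)
{
    if (a_prev && !a_prev(relname))      /* an earlier module may veto */
        return false;
    return strcmp(relname, "secret") != 0;
}
static void a_init(void) { a_prev = perm_check_hook; perm_check_hook = a_check; }

/* Module B: counts checks; it must pass the decision down the chain. */
static perm_check_hook_type b_prev = NULL;
static int b_seen = 0;
static bool b_check(const char *relname)
{
    b_seen++;
    return b_prev ? b_prev(relname) : true;
}
/* Chaining style: remember whatever was installed before us. */
static void b_init_chained(void) { b_prev = perm_check_hook; perm_check_hook = b_check; }
/* Overwriting style: the previously installed hook is silently dropped. */
static void b_init_overwrite(void) { b_prev = NULL; perm_check_hook = b_check; }

/* Load A, then B in the given style, and return the decision for relname. */
static bool decision_after_load(const char *relname, bool chained)
{
    perm_check_hook = NULL; a_prev = NULL; b_seen = 0;
    a_init();
    if (chained) b_init_chained(); else b_init_overwrite();
    return core_check(relname);
}
int main(void)
{
    printf("secret allowed? chained=%d overwrite=%d\n", decision_after_load("secret", true), decision_after_load("secret", false));
    return 0;
}
```

With the chaining style, module A's denial survives loading module B; with the overwriting style the same request is allowed because A is never consulted.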

From: KaiGai Kohei on 17 Jun 2010 20:23

(2010/06/17 21:59), Robert Haas wrote:
> 2010/6/17 KaiGai Kohei<kaigai(a)ak.jp.nec.com>:
>> I tried to implement a modular se-pgsql as proof-of-concept, using the DML
>> permission check hook which was proposed by Robert Haas.
>>
>> At first, please build and install the latest PostgreSQL with this
>> patch to add a hook on DML permission checks.
>> http://archives.postgresql.org/pgsql-hackers/2010-05/msg01095.php
>>
>> Then, check out the modular se-pgsql, as follows:
>> % svn co http://sepgsql.googlecode.com/svn/trunk/ sepgsql
>
> This is a good start - I think with some cleanup this could be
> committable, though probably it makes sense to wait until after we get
> the security label infrastructure in. I suspect some code cleanup
> will be needed; one thing I noticed off the top of my head was that
> you didn't follow the usual style for installing hook functions in a
> way that can accommodate multiple hooks. See contrib/auto_explain for
> an example.
>

Thanks for your comments. I'll fix it later.

BTW, I have a question which community (PostgreSQL or SELinux) shall
eventually maintain the module, although PostgreSQL provides a set of
interfaces for access control modules?
I thought SELinux side (mainly I and NEC) will maintain the sepgsql
module being suitable for the interfaces.

If we need another proof-of-concept module independent from selinux
for regression test, at least, it is not a tough work.

Thanks,
--
KaiGai Kohei <kaigai(a)ak.jp.nec.com>

From: Robert Haas on 17 Jun 2010 23:09

2010/6/17 KaiGai Kohei <kaigai(a)ak.jp.nec.com>:
> (2010/06/17 21:59), Robert Haas wrote:
>> 2010/6/17 KaiGai Kohei<kaigai(a)ak.jp.nec.com>:
>>> I tried to implement a modular se-pgsql as proof-of-concept, using the DML
>>> permission check hook which was proposed by Robert Haas.
>>>
>>> At first, please build and install the latest PostgreSQL with this
>>> patch to add a hook on DML permission checks.
>>>  http://archives.postgresql.org/pgsql-hackers/2010-05/msg01095.php
>>>
>>> Then, check out the modular se-pgsql, as follows:
>>>  % svn co http://sepgsql.googlecode.com/svn/trunk/ sepgsql
>>
>> This is a good start - I think with some cleanup this could be
>> committable, though probably it makes sense to wait until after we get
>> the security label infrastructure in. I suspect some code cleanup
>> will be needed; one thing I noticed off the top of my head was that
>> you didn't follow the usual style for installing hook functions in a
>> way that can accommodate multiple hooks. See contrib/auto_explain for
>> an example.
>>
> Thanks for your comments. I'll fix it later.
>
> BTW, I have a question which community (PostgreSQL or SELinux) shall
> eventually maintain the module, although PostgreSQL provides a set of
> interfaces for access control modules?
> I thought SELinux side (mainly I and NEC) will maintain the sepgsql
> module being suitable for the interfaces.
>
> If we need another proof-of-concept module independent from selinux
> for regression test, at least, it is not a tough work.

I had thought perhaps it would end up as a contrib module, but there
are other options.

--
Robert Haas
EnterpriseDB: http://www.enterprisedb.com
The Enterprise Postgres Company