I updated the patch set of SE-PostgreSQL and related stuff (r1348)

[1/5] http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r1348.patch
[2/5] http://sepgsql.googlecode.com/files/sepostgresql-utils-8.4devel-3-r1348.patch
[3/5] http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r1348.patch
[4/5] http://sepgsql.googlecode.com/files/sepostgresql-docs-8.4devel-3-r1348.patch
[5/5] http://sepgsql.googlecode.com/files/sepostgresql-tests-8.4devel-3-r1348.patch

Draft of the SE-PostgreSQL documentation is here:
http://wiki.postgresql.org/wiki/SEPostgreSQL
(It also should be updated for the recent changes...)

List of updates:
- The patches are rebased to the latest CVS HEAD. Currently, previous ones (r1324) are not suitable for this.
- It puts a copied relkind value on pg_attribute.attkind. This change makes it possible to reduce per-tuple lookups for RELOID, and improves the robustness of the security model.
- bugfix: heap_getsysattr() could return NULL when the enhanced security feature is disabled. It is fixed to return an alternative label/default acl.
- errcode_for_file_access() is applied on filesystem related errors, instead of ERRCODE_SELINUX_ERROR.
- Reloptions related code for the Row-level ACLs feature is flattened. Now it invokes rowaclXXX() without PGACE hooks, because there is an active effort to support variable kind of reloptions now.
- The "default_row_acl" got stored as text representation due to incorrect table dump. (We should not put it as security id.)
- bugfix: Makefile in src/test/sepgsql

Request for comments:
The current heap_reloptions() requires the reloption-parser not to raise an error when validate = false. However, this becomes a problem when we store "default_row_acl" as an entry of reloptions. The input handler of AclItem[] can raise an error if the given input string has an invalid format or users.

What solutions can be considered?
- Implement its own AclItem[] parser which does not raise an error on validate = false.
- Set dependencies on users which appear in default Row-ACLs.
- Remove the default Row-level ACLs feature.
- Any other idea?

And, I have a question.
Is the new reloption framework designed to store strings? The latest one supports Bool, Int and Real, doesn't it?

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kai...@ak.jp.nec.com>

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)