BTW, what is the current status of this patch?
The status of contrib/sepgsql part is unclear for me, although we agreed that
syscache is suitable mechanism for security labels.


2011/7/22 Kohei KaiGai <>:
> 2011/7/22 Yeb Havinga <>:
>> On 2011-07-22 11:55, Kohei Kaigai wrote:
>>>> 2) Also I thought if it could work to not remember tcontext is valid, but
>>>> instead remember the consequence,
>>>> which is that it is replaced by "unlabeled". It makes the avc_cache
>>>> struct shorter and the code somewhat
>>>> simpler.
>>> Here is a reason why we hold tcontext, even if it is not valid.
>>> The hash key of avc_cache is combination of scontext, tcontext and tclass.
>>> Thus, if we replaced an invalid
>>> tcontext by unlabeled context, it would always make cache mishit and
>>> performance loss.
>> I see that now, thanks.
>> I have no further comments, and I think that the patch in it's current
>> status is ready for committer.
> Thanks for your reviewing.
> The attached patch is a revised one according to your suggestion to
> include fallback for 'unlabeled' label within sepgsql_avc_lookup().
> And I found a noise in regression test results, so eliminated it from v5.
> --
> KaiGai Kohei <>
KaiGai Kohei <>

Sent via pgsql-hackers mailing list (
To make changes to your subscription:

Reply via email to