Re: [HACKERS] [sepgsql 2/3] Add db_schema:search permission checks

2013-04-17 Thread Robert Haas
On Fri, Apr 12, 2013 at 2:44 PM, Kohei KaiGai kai...@kaigai.gr.jp wrote: Yes, of course. The attached one replaces the getObjectDescription in sepgsql/proc.c, and relative changes in regression test. Thanks. Committed. I also committed the first two hunks of your cleanup patch but omitted the

Re: [HACKERS] [sepgsql 2/3] Add db_schema:search permission checks

2013-04-12 Thread Robert Haas
On Mon, Apr 8, 2013 at 12:28 PM, Kohei KaiGai kai...@kaigai.gr.jp wrote: Thanks. I could find two obvious wording stuffs here, please see smaller one of the attached patches. I didn't fixup manner to use XXX in source code comments. Committed. Also, the attached function-execute-permission

Re: [HACKERS] [sepgsql 2/3] Add db_schema:search permission checks

2013-04-12 Thread Alvaro Herrera
Robert Haas wrote: On Mon, Apr 8, 2013 at 12:28 PM, Kohei KaiGai kai...@kaigai.gr.jp wrote: Also, the attached function-execute-permission patch is a rebased version. I rethought its event name should be OAT_FUNCTION_EXECUTE, rather than OAT_FUNCTION_EXEC according to the manner without

Re: [HACKERS] [sepgsql 2/3] Add db_schema:search permission checks

2013-04-12 Thread Robert Haas
On Fri, Apr 12, 2013 at 10:42 AM, Alvaro Herrera alvhe...@2ndquadrant.com wrote: Robert Haas wrote: On Mon, Apr 8, 2013 at 12:28 PM, Kohei KaiGai kai...@kaigai.gr.jp wrote: Also, the attached function-execute-permission patch is a rebased version. I rethought its event name should be

Re: [HACKERS] [sepgsql 2/3] Add db_schema:search permission checks

2013-04-12 Thread Kohei KaiGai
2013/4/12 Robert Haas robertmh...@gmail.com: On Fri, Apr 12, 2013 at 10:42 AM, Alvaro Herrera alvhe...@2ndquadrant.com wrote: Robert Haas wrote: On Mon, Apr 8, 2013 at 12:28 PM, Kohei KaiGai kai...@kaigai.gr.jp wrote: Also, the attached function-execute-permission patch is a rebased

Re: [HACKERS] [sepgsql 2/3] Add db_schema:search permission checks

2013-04-12 Thread Kohei KaiGai
A problem regarding validation of the sepgsql-regtest policy module originates from the semodule command, which takes root privilege to list installed policy modules. So, I avoided using this command in the test_sepgsql script. However, I have an idea that does not raise script fail even if

Re: [HACKERS] [sepgsql 2/3] Add db_schema:search permission checks

2013-04-08 Thread Kohei KaiGai
2013/4/5 Robert Haas robertmh...@gmail.com: On Thu, Apr 4, 2013 at 8:26 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote: OK, I follow the manner of the terminology as we usually call it. The attached patch just replaced things you suggested. Thanks, I have committed this, after making some changes

Re: [HACKERS] [sepgsql 2/3] Add db_schema:search permission checks

2013-04-05 Thread Robert Haas
On Thu, Apr 4, 2013 at 8:26 AM, Kohei KaiGai kai...@kaigai.gr.jp wrote: OK, I follow the manner of the terminology as we usually call it. The attached patch just replaced things you suggested. Thanks, I have committed this, after making some changes to the comments and documentation. Please

Re: [HACKERS] [sepgsql 2/3] Add db_schema:search permission checks

2013-04-03 Thread Robert Haas
On Tue, Apr 2, 2013 at 2:22 PM, Kohei KaiGai kai...@kaigai.gr.jp wrote: OK, please check the attached ones. Thanks. I reviewed the schema-search patch and I think it looks reasonable, but shouldn't we be calling the event OAT_NAMESPACE_SEARCH rather than OAT_SCHEMA_SEARCH? And, similarly,

Re: [HACKERS] [sepgsql 2/3] Add db_schema:search permission checks

2013-04-01 Thread Robert Haas
On Tue, Jan 15, 2013 at 3:28 PM, Kohei KaiGai kai...@kaigai.gr.jp wrote: This patch adds sepgsql support for permission checks equivalent to the existing SCHEMA USE privilege. This feature is constructed on new OAT_SCHEMA_SEARCH event type being invoked around pg_namespace_aclcheck(). So,

Re: [HACKERS] [sepgsql 2/3] Add db_schema:search permission checks

2013-02-13 Thread Kohei KaiGai
Sorry for my late updates. I tried to update list of permissions that sepgsql expects, even though the description might be still a bit rough... https://wiki.postgresql.org/wiki/SEPostgreSQL_Permissions Set of permissions are defined for each object class that represents a particular

Re: [HACKERS] [sepgsql 2/3] Add db_schema:search permission checks

2013-01-29 Thread Simon Riggs
On 15 January 2013 20:28, Kohei KaiGai kai...@kaigai.gr.jp wrote: This patch adds sepgsql support for permission checks equivalent to the existing SCHEMA USE privilege. This feature is constructed on new OAT_SCHEMA_SEARCH event type being invoked around pg_namespace_aclcheck(). Can you

Re: [HACKERS] [sepgsql 2/3] Add db_schema:search permission checks

2013-01-29 Thread Kohei KaiGai
2013/1/29 Simon Riggs si...@2ndquadrant.com: On 15 January 2013 20:28, Kohei KaiGai kai...@kaigai.gr.jp wrote: This patch adds sepgsql support for permission checks equivalent to the existing SCHEMA USE privilege. This feature is constructed on new OAT_SCHEMA_SEARCH event type being invoked

Re: [HACKERS] [sepgsql 2/3] Add db_schema:search permission checks

2013-01-29 Thread Simon Riggs
On 29 January 2013 13:30, Kohei KaiGai kai...@kaigai.gr.jp wrote: It makes unavailable to control execution of functions from viewpoint of selinux, and here is no way selinux to prevent to execute functions defined by other domains, or others being not permitted. Also, what we want to do is

Re: [HACKERS] [sepgsql 2/3] Add db_schema:search permission checks

2013-01-29 Thread Kohei KaiGai
2013/1/29 Simon Riggs si...@2ndquadrant.com: On 29 January 2013 13:30, Kohei KaiGai kai...@kaigai.gr.jp wrote: It makes unavailable to control execution of functions from viewpoint of selinux, and here is no way selinux to prevent to execute functions defined by other domains, or others

Re: [HACKERS] [sepgsql 2/3] Add db_schema:search permission checks

2013-01-29 Thread Simon Riggs
On 29 January 2013 14:39, Kohei KaiGai kai...@kaigai.gr.jp wrote: 2013/1/29 Simon Riggs si...@2ndquadrant.com: On 29 January 2013 13:30, Kohei KaiGai kai...@kaigai.gr.jp wrote: It makes unavailable to control execution of functions from viewpoint of selinux, and here is no way selinux to

Re: [HACKERS] [sepgsql 2/3] Add db_schema:search permission checks

2013-01-29 Thread Craig Ringer
On 01/29/2013 10:10 PM, Simon Riggs wrote: On 29 January 2013 13:30, Kohei KaiGai kai...@kaigai.gr.jp wrote: It makes unavailable to control execution of functions from viewpoint of selinux, and here is no way selinux to prevent to execute functions defined by other domains, or others being