On Tue, 2008-11-18 at 15:02 +0900, KaiGai Kohei wrote:
> If we focus on the CreateTemplateTupleDesc(), 5 of call points give
> possible "hasoid" argument, and rest of them always give "false".
> I guess it will be same in the security context cases.
> However, we have to change all the call points when the declaration
> is changed.

Looks promising.

> > Another way would be to include a security context in all newly created
> > tuples, but remove it during heap_update, heap_insert etc if it is
> > unused by the relation. That seems more straightforward.
>
> It is not a reasonable option.
>
> The length of HeapTupleData is determined during heap_form_tuple(),
> and it is unchanged later. Thus, we have to interpose here, as object
> identifier doing.

Currently yes. Is there a reason not to? Do we rely on the tuple length
staying the same after those operations?

Just considering multiple ways of making the context optional.

> >> Some of distributions now provides SELinux option, but not a default.
> >> I know Debian, Ubuntu, Gentoo and SuSE are doing.
> >
> > SUSE?
>
> The "u" might be a large-letter.

Sorry, I wasn't correcting your spelling! :-)

I was asking whether Su/USE are definitely supporting SELinux now? I
have not heard that.

-- 
 Simon Riggs           www.2ndQuadrant.com
 PostgreSQL Training, Services and Support