Josh Berkus wrote:
> Bruce,
>
> > I think the community's priorities are to add security at the SQL
> > level, and then we can see clearly what SE-PostgreSQL requires. This
> > has been discussed before so it should not come as a surprise.
>
> Well, I'm not that clear on exactly the SE implementation, but I spent a
> fair amount of time with Trusted Solaris and I can tell you that a
> multilevel security implementation would work in a different way from SQL
> row-level permissions.
>
> Multilevel frameworks have concepts of data hiding and data substitution
> based on labels. That is, if a user doesn't have permissions on data,
> he's not merely supposed to be denied access to it, he's not even supposed
> to know that the data exists. In extreme cases (think military / CIA use)
> data at a lower security level should be substitited for the higher
> security level data which the user isn't allowed. Silently.
>
> So it's quite possible that the SE and/or multilevel framework could remain
> parallel-but-different from SQL-level permissions, which would not include
> data hiding or data substitution.
True, but think we would like to have all the SQL-level stuff done
first, or at least decide we don't want it at the SQL level, before
moving forward with adding fine-grained controls.
-- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB
http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
