Simon Riggs wrote:
>
> On Tue, 2008-12-09 at 03:33 +0900, KaiGai Kohei wrote:
> > Tom Lane wrote:
> > > KaiGai Kohei <kaigai@ak.jp.nec.com> writes:
> > >> Bruce Momjian wrote:
> > >>> I assume that could just be always enabled.
> > >
> > >> It is not "always" enabled. When we build it with SE-PostgreSQL feature,
> > >> rest of enhanced security features (includes the row-level ACL) are
> > >> disabled automatically, as we discussed before.
> > >
> > > It seems like a pretty awful idea to have enabling sepostgres take away
> > > a feature that exists in the default build.
> >
> > Why?
> >
> > The PGACE security framework allows one or no enhanced security
> > mechanism at most. It is quite natural that the default selection
> > is overrided when an alternative option is chosen explicitly.
>
> I'm finding these discussions very confusing to follow, sorry about
> that.
It isn't you; it _is_ hard to follow. ;-) No one is at fault; the
topic is just complex.
> We now have a parameter option that allows you to have row level
> security in non-mandatory mode, which is good. But in order to get that
> we need to build the server with a special configure option.
No, that was removed at my request so it is always available.
> My previous objective was to remove the need for a configure option, so
> we can enable row-level security in the default distribution of
> Postgres. Are we going to enable that option in all normal distros? If
> yes, why is it a configure option (at all)?
Option is gone in the most recent patch and it is always enabled. We
still have a configure option to enable SE-Linux features.
-- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB
http://enterprisedb.com
+ If your life is a hard drive, Christ can be your backup. +
