On Thursday 11 December 2008 18:32:50 Tom Lane wrote:
> > How can we stick all of these in the same column at the same time?
>
> Why would we want to?
Because we want to use SQL-based row access control and SELinux-based row
access control at the same time. Isn't this exactly one of the objections
upthread? Both must be available at the same time.
We can debate the merits of having, say, SELinux plus Solaris TX at the same
time, but if we can have two as per previous paragraph, we should design for
several.
> I think one column that can hold any of these
> ought to be sufficient. I certainly don't care for the idea that we
> might invent still a third column for Solaris TX at some future time.
Yes, it is certainly more appealing to have one column describing all access
rights.
In fact, if we extend the ACL storage structure to store external access
control information, we might also consider using that for system object
access. So instead of adding a column to pg_class for SELinux-controlled
access to tables, we just reused relacl.
