Re: Adding support for SE-Linux security - Mailing list pgsql-hackers

From Tom Lane
Subject Re: Adding support for SE-Linux security
Date
Msg-id 21650.1260298253@sss.pgh.pa.us
In response to Re: Adding support for SE-Linux security  (Robert Haas <robertmhaas@gmail.com>)
Responses Re: Adding support for SE-Linux security  (Robert Haas <robertmhaas@gmail.com>)
List pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes:
> One of the major and fundamental stumbling blocks we've run into is
> that every solution we've looked at so far seems to involve adding
> SE-Linux-specific checks in many places in the code.  It would be nice
> if it were possible to use the existing permissions-checking functions
> and have them check a few more things while they're at it, but it's
> looking like that won't be feasible, or at least no one's come up with
> a plausible design yet.

I don't think that it's about SELinux.  The real issue here is that
KaiGai-san is about a mile out in front of the PG hackers community
in terms of his ambitions for the scope of what can be controlled by
security policy.  If the patch were only doing what the community has
actually agreed to, there would be little need for it to touch anything
but the aclcheck functions.

Now I recognize that a large part of the potential attraction in this
for the security community is exactly the idea of having fine-grain
security control.  But if you ever want anything significantly different
from SQL-standard permission mechanisms, there's going to have to be a
whole lot more work done.  Basically, nobody in the PG community has got
any confidence either in the overall design or the implementation
details for locking things down that aren't already controlled by SQL
permission mechanisms.
        regards, tom lane

