Stephen Frost wrote:
> * Gregory Stark (stark@enterprisedb.com) wrote:
>> It does seem weird to simply omit records rather than throw an error and
>> require the user to use a where clause, even if it's something like WHERE
>> pg_accessible(tab).
The idea is for the level of informations security we're talking about,
someone with limited permissions not only isn't allowed to know certain
data, they're not allowed to know certain data *exists*. Within the
SELinux framework, this is accomplished by hiding files you don't have
permission to see, not merely denying access to them.
The presumption is that if you know the data exists but can't access it
directly, you'll use indirect methods to derive what it is. But if you
don't even know it exists, then you won't look for it.
There's a level above that which I don't think SEPostgres implements,
which is data substitution, in which you see different data according to
what security level you are. While this may seem insane for a business
application, for military-support applications it makes some sense.
--Josh
