Re: 8.4 release planning - Mailing list pgsql-hackers

From Joshua Brindle
Subject Re: 8.4 release planning
Date
Msg-id 497F578D.3060503@manicmethod.com
Whole thread Raw
In response to Re: 8.4 release planning  (Tom Lane <tgl@sss.pgh.pa.us>)
Responses Re: 8.4 release planning
List pgsql-hackers
Tom Lane wrote:
> Josh Berkus <josh@agliodbs.com> writes:
>> Stephen Frost wrote:
>> It does seem weird to simply omit records rather than throw an error
> 
>> The presumption is that if you know the data exists but can't access it 
>> directly, you'll use indirect methods to derive what it is.  But if you 
>> don't even know it exists, then you won't look for it.
> 
> Right, which is why it's bad for something like a foreign key constraint
> to expose the fact that the row does exist after all.
> 

Once again, this is not an issue for us. We would much rather have a database 
that allows you to hide data from unauthorized clients using a mandatory policy 
than one that does nothing because you couldn't close some covert channels.

I'll repeat what I said in an earlier email, SELinux doesn't (and can't) address 
all covert channels in Linux, and that is fine as long as it is understood and 
documented (which is part of the evaluation process).


>> There's a level above that which I don't think SEPostgres implements, 
>> which is data substitution, in which you see different data according to 
>> what security level you are.  While this may seem insane for a business 
>> application, for military-support applications it makes some sense.
> 
> I think it might be possible to build such a thing using views, but I
> agree that the patch doesn't give it to you for free.
> 


pgsql-hackers by date:

Previous
From: Joshua Brindle
Date:
Subject: Re: 8.4 release planning
Next
From: Josh Berkus
Date:
Subject: Re: Commitfest infrastructure (was Re: 8.4 release planning)