On Fri, Jan 23, 2009 at 12:30 AM, KaiGai Kohei <kaigai@ak.jp.nec.com> wrote:
> The patch set of SE-PostgreSQL and related stuff were updated (r1460).
>
> [1/5] http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r1460.patch
> [2/5] http://sepgsql.googlecode.com/files/sepostgresql-utils-8.4devel-3-r1460.patch
> [3/5] http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r1460.patch
> [4/5] http://sepgsql.googlecode.com/files/sepostgresql-docs-8.4devel-3-r1460.patch
> [5/5] http://sepgsql.googlecode.com/files/sepostgresql-tests-8.4devel-3-r1460.patch
KaiGai -
I read through your docs patch tonight and did some copy editing.
Please see the attached patches, which I hope you will find helpful.
I have attached my suggested changes both as a patch against v1460
(sepostgresql-docs-rmh-vs-1460.gz) and also as patch against CVS HEAD
(sepostgresql-docs-rmh-vs-cvs-head), since I am not sure which is
easier for you. I have a couple of general comments about the
documentation:
1. The docs as written are very Red Hat-centric, even to the point of
making reference to specific versions of Red Hat RPMs. I think that
the community will find this unacceptable, as Red Hat is certainly not
the only SELinux-enabled distribution and I presume that we want to
support all of them to an equal degree.
2. Some of the information that is documented here properly belongs in
other sections of the documentation. For example, the information
about GUCs clearly belongs somewhere in the section on server
configuration where all of the other GUCs are documented, not in a
separate sections about SE-PostgreSQL. I suspect that all of the
information about row-level ACLs should be ripped out of security.sgml
and inserted into an appropriate portion of the "Database Roles and
Privileges" chapter, leaving this file to talk just about
SE-PostgreSQL.
3. It seems to me that the analogy between SQL DAC and Unix user/group
DAC is mentioned far too many times, and there are other cases where
information is repeated as well. I think it might help to reorganize
the document a bit so that you introduce concepts in the right order.
For example, the section that defines MAC and DAC is a ways down in
the document, but you use those terms a whole bunch of times before
defining them. I'm not 100% sure that we even want to be defining MAC
and DAC in our documentation, since those are general industry terms
that are not PostgreSQL-specific. But if we are going to define them
then we should try to do so in the clearest way possible.
Overall, I would say there is a fair amount of work left to be done to
get this documentation up to par, but it's a good start and I hope
that the attached patches and suggestions will be helpful.
...Robert