Re: SE-PostgreSQL Updated Revision (r1460) - Mailing list pgsql-hackers

From Robert Haas
Subject Re: SE-PostgreSQL Updated Revision (r1460)
Msg-id 603c8f070901241741s42e94ed2l5023951345870ca1@mail.gmail.com
In response to SE-PostgreSQL Updated Revision (r1460)  (KaiGai Kohei <kaigai@ak.jp.nec.com>)
Responses Re: SE-PostgreSQL Updated Revision (r1460)
List pgsql-hackers
On Fri, Jan 23, 2009 at 12:30 AM, KaiGai Kohei <kaigai@ak.jp.nec.com> wrote:
> The patch set of SE-PostgreSQL and related stuff were updated (r1460).
>
> [1/5] http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r1460.patch
> [2/5] http://sepgsql.googlecode.com/files/sepostgresql-utils-8.4devel-3-r1460.patch
> [3/5] http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r1460.patch
> [4/5] http://sepgsql.googlecode.com/files/sepostgresql-docs-8.4devel-3-r1460.patch
> [5/5] http://sepgsql.googlecode.com/files/sepostgresql-tests-8.4devel-3-r1460.patch

KaiGai -

I read through your docs patch tonight and did some copy editing.
Please see the attached patches, which I hope you will find helpful.
I have attached my suggested changes both as a patch against v1460
(sepostgresql-docs-rmh-vs-1460.gz) and also as a patch against CVS HEAD
(sepostgresql-docs-rmh-vs-cvs-head), since I am not sure which is
easier for you.  I have a couple of general comments about the
documentation:

1. The docs as written are very Red Hat-centric, even to the point of
making reference to specific versions of Red Hat RPMs.  I think that
the community will find this unacceptable, as Red Hat is certainly not
the only SELinux-enabled distribution and I presume that we want to
support all of them to an equal degree.

2. Some of the information that is documented here properly belongs in
other sections of the documentation.  For example, the information
about GUCs clearly belongs somewhere in the section on server
configuration where all of the other GUCs are documented, not in a
separate section about SE-PostgreSQL.  I suspect that all of the
information about row-level ACLs should be ripped out of security.sgml
and inserted into an appropriate portion of the "Database Roles and
Privileges" chapter, leaving this file to talk just about
SE-PostgreSQL.

3. It seems to me that the analogy between SQL DAC and Unix user/group
DAC is mentioned far too many times, and there are other cases where
information is repeated as well.  I think it might help to reorganize
the document a bit so that you introduce concepts in the right order.
For example, the section that defines MAC and DAC is a ways down in
the document, but you use those terms a whole bunch of times before
defining them.  I'm not 100% sure that we even want to be defining MAC
and DAC in our documentation, since those are general industry terms
that are not PostgreSQL-specific.  But if we are going to define them
then we should try to do so in the clearest way possible.

Overall, I would say there is a fair amount of work left to be done to
get this documentation up to par, but it's a good start and I hope
that the attached patches and suggestions will be helpful.

...Robert
