Re: Adding support for SE-Linux security - Mailing list pgsql-hackers
| From | Robert Haas |
|---|---|
| Subject | Re: Adding support for SE-Linux security |
| Date | |
| Msg-id | 603c8f070912050347i64eb5aacpd24b5f0dbb832443@mail.gmail.com Whole thread Raw |
| In response to | Re: Adding support for SE-Linux security (Bruce Momjian <bruce@momjian.us>) |
| Responses |
Re: Adding support for SE-Linux security
(Bruce Momjian <bruce@momjian.us>)
|
| List | pgsql-hackers |
On Sat, Dec 5, 2009 at 12:14 AM, Bruce Momjian <bruce@momjian.us> wrote: > Robert Haas wrote: >> Actually, we tried that already, in a previous iteration of this >> discussion. Someone actually materialized and commented on a few >> things. The problem, as I remember it, was that they didn't know much >> about PostgreSQL, so we didn't get very far with it. Unfortunately, I >> can't find the relevant email thread at the moment. >> >> In fact, we've tried about everything with these patches. Tom >> reviewed them, Bruce reviewed them, Peter reviewed them, I reviewed >> them, Stephen Frost reviewed them, Heikki took at least a brief look >> at them, and I think there were a few other people, too. The first >> person who I can recall being relatively happy with any version of >> this patch was Stephen Frost, commenting on the access control >> framework that we suggested KaiGai try to separate from the main body >> of the patch to break it into more managable chunks. That patch was >> summarily rejected by Tom for what I believe were valid reasons. In >> other words, in 18 months of trying we've yet to see something that is >> close to being committable. Contrast that with Hot Standby, which >> Heikki made a real shot at committing during the first CommitFest to >> which it was submitted. >> >> I think David Fetter summarized it pretty well here - the rest of the >> thread is worth reading, too. >> >> http://archives.postgresql.org/pgsql-hackers/2009-07/msg01159.php >> >> I think the only chance of this ever getting committed is if a >> committer volunteers to take ownership of it, similar to what Heikki >> has done for Hot Standby and Streaming Replication. Right now, we >> don't have any volunteers, and even if Tom or Heikki were interested, >> I suspect it would occupy their entire attention for several >> CommitFests just as HS and SR have done for Heikki. I suspect the >> amount of work for SE-PostgreSQL might even be larger than for HS. If >> we DON'T have a committer who is willing to own this, then I don't >> think there's a choice other than giving up. > > I offered to review it. I was going to mostly review the parts that > impacted our existing code, and I wasn't going to be able to do a > thorough job of the SE-Linux-specific files. Review it and commit it, after making whatever modifications are necessary? Or review it in part, leaving the final review and commit to someone else? I just read through the latest version of this patch and it does appear to be in significantly better shape than the versions I read back in July. So it might not require a Herculean feat of strength to get this in, but I still think it's going to be a big job. There's a lot of code here that needs to be verified and in some cases probably cleaned up or restructured. If you're prepared to take it on, I'm not going to speak against that, other than to say that I think you have your work cut out for you. ...Robert
pgsql-hackers by date: