Re: security label support, part.2

Tom Lane <tgl@sss.pgh.pa.us>

From: Tom Lane <tgl@sss.pgh.pa.us>
To: Robert Haas <robertmhaas@gmail.com>
Cc: Stephen Frost <sfrost@snowman.net>, Kevin Grittner <Kevin.Grittner@wicourts.gov>, KaiGai Kohei <kaigai@kaigai.gr.jp>, pgsql-hackers@postgresql.org
Date: 2010-08-17T18:32:14Z
Lists: pgsql-hackers
Robert Haas <robertmhaas@gmail.com> writes:
> On Tue, Aug 17, 2010 at 1:50 PM, Stephen Frost <sfrost@snowman.net> wrote:
>> No.. and I'm not sure we ever would. What we *have* done is removed
>> all permissions checking on child tables when a parent is being
>> queried..

> Yeah.  I'm not totally sure that is sensible for a MAC environment.
> Heck, it's arguably incorrect (though perhaps quite convenient) in a
> DAC environment.

IIRC, the reason we did it was that we decided the SQL spec requires it.
So there's not a lot of point in debating the issue, unless you can
convince us we misread the spec.

			regards, tom lane