Re: security label support, part.2
Kohei KaiGai <kaigai@kaigai.gr.jp>
From: KaiGai Kohei <kaigai@kaigai.gr.jp>
To: Stephen Frost <sfrost@snowman.net>
Cc: Robert Haas <robertmhaas@gmail.com>, pgsql-hackers@postgresql.org, KaiGai Kohei <kaigai@ak.jp.nec.com>
Date: 2010-08-15T00:34:47Z
Lists: pgsql-hackers
(2010/08/15 9:16), Stephen Frost wrote: > * KaiGai Kohei (kaigai@kaigai.gr.jp) wrote: >> Yep, rte->requiredPerms of inherited relations are cleared on the >> expand_inherited_rtentry() since the v9.0, so we cannot know what >> kind of accesses are required on the individual child relations. > > This is really a PG issue and decision, in my view. We're moving more > and more towards a decision that inherited relations are really just the > same relation but broken up per tables (ala "true" partitioning). As > such, PG has chosen to view them as the same wrt permissions checking. > I don't think we should make a different decision for security labels. > If you don't want people who have access to the parent to have access to > the children, then you shouldn't be making them children. > No, what I want to do is people have identical access rights on both of the parent and children. If they have always same label, SE-PgSQL always makes same access control decision. This behavior is suitable to the standpoint that inherited relations are really just the same relation of the parent. For this purpose, I want to enforce a unique label on a certain inheritance tree. Thanks, -- KaiGai Kohei <kaigai@kaigai.gr.jp>