Re: add a MAC check for TRUNCATE
Yuli Khodorkovskiy <yuli.khodorkovskiy@crunchydata.com>
From: Yuli Khodorkovskiy <yuli.khodorkovskiy@crunchydata.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Alvaro Herrera <alvherre@2ndquadrant.com>,
Joe Conway <mail@joeconway.com>, Stephen Frost <sfrost@snowman.net>, Kohei KaiGai <kaigai@heterodb.com>, pgsql-hackers@lists.postgresql.org, Joshua Brindle <joshua.brindle@crunchydata.com>,
Mike P <mike.palmiotto@crunchydata.com>
Date: 2019-09-26T13:45:03Z
Lists: pgsql-hackers
On Wed, Sep 25, 2019 at 5:57 PM Tom Lane <tgl@sss.pgh.pa.us> wrote: <snip> > I don't see how the addition of a new permissions check could sanely > be back-patched unless it were to default to "allow", which seems like > an odd choice. > > regards, tom lane That makes sense. Alternatively, we could back patch just the hook to at least allow the option for an integrator to implement MAC using an extension. Then the sepgsql changes could be back patched once the SELinux policy has been merged into Fedora. Thank you
Commits
-
Update sepgsql to add mandatory access control for TRUNCATE
- 4f66c93f6143 13.0 landed
-
Add object TRUNCATE hook
- f7a2002e82cf 13.0 landed
-
postgres_fdw: Fix error message for PREPARE TRANSACTION.
- 879c11761571 13.0 cited