KaiGai Kohei wrote:
> Aidan Van Dyk wrote:
>> * Robert Haas <[EMAIL PROTECTED]> [080924 00:15]:
>>
>>> But I do think
>>> it's worthwhile to ask whether it makes sense to introduce a bunch of
>>> features that are only usable to people running SELinux.
>> Actually, I'd go one stroke farther, and ask:
>> Does it make sense to introduce a bunch of features that are only
>> usable to people *able to write proper SELinux policy sets* (or whatever
>> they are called).
>
> It is incorrect.
>
> In the recent years, SELinux community aspires to becoming that end users
> can setup it without editing security policy. The default security policy
> contains many pre-defined object types and booleans, end user can select
> them, if needed.
>
> For example, the default security policy of SE-PostgreSQL provides several
> pre-defined object types, like sepgsql_table_t, sepgsql_secret_table_t,
> sepgsql_ro_table_t and sepgsql_fixed_table_t for table/column/tuple.
>
>>> it's very easy to imagine
>>> people wanting that feature, but NOT being willing to run SELinux to
>>> get it.
>> Or, being more generous even, able to *run* SELinux, but not able to
>> create a proper coherent set of SELinux policies... SELinux is
>> "standard" now on most RHEL installs (and FC, and now debian, etc), but
>> how many admins have actually "made" (or even just altered) a SELinux
>> policy, and how many have just disabled it because it prevented what
>> they thought should be a valid operation?
>
> Can you think the security policy is something like a pattern file of
> anti-virus software running on windows desktop? I allows end-users to

Sorry, s/I allows/It allows/g

> customize some of options, but I have never seen a man who tries to
> make its pattern file by myself.
>
> Anyway, I don't think we can get a fruitful discussion like "how many
> users enables SELinux" here. Here is pgsql-hackers list.
>
> Thanks,
-- 
KaiGai Kohei <[EMAIL PROTECTED]>