Robert Haas wrote: > On Jul 15, 2009, at 11:41 PM, KaiGai Kohei <kai...@ak.jp.nec.com> wrote: > >> Robert Haas wrote: >>> 2009/7/15 KaiGai Kohei <kai...@ak.jp.nec.com>: >>>> Robert Haas wrote: >>>>> 2009/7/14 KaiGai Kohei <kai...@ak.jp.nec.com>: >>>>>> On the other hand, db_schema class was designed as an analogy to >>>>>> directoty in filesystems. SELinux defines several permissions on >>>>>> "dir" object class, such as "add_name", "remove_name" and "search". >>>>> I think that's a bad analogy and you need to make the permission names >>>>> match the way PostgreSQL handles schema permissions generally. >>>>> There's only so many times and ways to says this... >>>> OK... >>>> I can replace "search" by "usage". >>>> >>>> Do you have any alternative ideas for "add_name" and "remove_name"? >>> >>> Aack! Come on! Use whatever names those permissions already have! >>> If there are no corresponding names, then rip them out!!! >> >> OK, I'll rip definitions of unused SELinux's permissions from >> the permission table of SE-PgSQL. >> >> Is it correct for what you say? > > So the point we keep repeating here is that SEPostgreSQL should be doing > the same kinds of permissions checks as regular PostgreSQL using the > same names, code paths, etc. I don't know how to say it any more clearly > than that.
Thanks, it makes clear for me. > I will read through your latest version soon. > > ...Robert > -- OSS Platform Development Division, NEC KaiGai Kohei <kai...@ak.jp.nec.com> -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
