On Thu, Jun 9, 2011 at 12:54 PM, Kohei KaiGai <kai...@kaigai.gr.jp> wrote: > 2011/6/9 Stephen Frost <sfr...@snowman.net>: >> * Kohei KaiGai (kai...@kaigai.gr.jp) wrote: >>> The only modification by this patch to the core routine is a new >>> syscache for pg_seclabel system catalog. The SECLABELOID enables to >>> reference security label of the object using syscache interface. >> >> Perhaps I'm missing it, but.. why is this necessary to implement such a >> cache? Also, I thought the SELinux userspace libraries provided a cache >> solution? This issue is hardly unique to SELinux in PostgreSQL... >> > I'm concerned about its interface, although it might be suitable for > X-Windows... > > Its avc interface identifies security context using a pointer of > malloc()'ed cstring. > In our case, we need to look up this security context on the hash managed by > libselinux using the result of syscache lookup. It is quite nonsense.
So you're going to depend on the syscache not to move the pointers around? Yikes. > In addition, avc of libselinux confirms whether the security policy is > reloaded > for each avc lookup, unless we launch a system state monitoring thread. > But, it is not a suitable design to launch a worker thread for each > pgsql backend. I thought there was something you could mmap() into each backend...? -- Robert Haas EnterpriseDB: http://www.enterprisedb.com The Enterprise PostgreSQL Company -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
