Stephen Frost wrote:
* Joshua Brindle (met...@manicmethod.com) wrote:
They are separate. If you look at the patches you'll see a pgace part, this is where the core interfaces to the security backends, and you'll see a rowacl backend and an sepgsql backend.

Right, guess it wasn't clear to me that the PGACE bits for row-level
access control could be used independently of SELinux (and maybe even on
systems that don't have SELinux..?).


Sure, if you look at pgaceHooks.c you'll see:

bool
pgaceExecScan(Scan *scan, Relation rel, TupleTableSlot *slot)
{
        /* Hardwired DAC checks */
        if (!rowaclExecScan(scan, rel, slot))
                return false;

        switch (pgace_feature)
        {
#ifdef HAVE_SELINUX
        case PGACE_FEATURE_SELINUX:
                if (sepgsqlIsEnabled())
                        return sepgsqlExecScan(scan, rel, slot);
                break;
#endif
        default:
                break;
        }
        return true;
}

Notice the rowacl call outside of the HAVE_SELINUX ifdefs.



--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
