Ron Mayer <rm...@cheapcomplexdevices.com> writes: > Tom Lane wrote: >> This seems to me to be exactly parallel to deciding that SELinux should >> control only table/column permissions within SQL; an approach that would >> be enormously less controversial, less expensive, and more reliable than >> what SEPostgres tries to do.
> With the table/column approach, could users who needed some row-level > capabilities work around this easily by setting table-level access > control on partitions? Yeah, the same thing had just occurred to me. We currently throw an error if a user doesn't have permissions on every partition (child table), but perhaps that behavior could be adjusted. Ignoring unreadable children would provide behavior pretty similar to that proposed by SEPostgres. To some extent that just postpones the semantic pain until the day when we try to do unique and FK constraints that span partitions. However, I think (after only minimal thought) that that will only re-introduce the covert-channel issue, which Joshua has already stated to be acceptable. regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers