Hello, Recent PostgreSQL development newly adds a new feature; materialized view. However, we have no relevant object class in selinux side, so I'd like to add a new db_materialized_view object class to support this object type. Materialized-view allows to construct its result-set to be returned on references by user's query preliminarily, to improve performance to scan multiple tables being combined with complicated joins. In contradiction to its name, its behavior is almost identical with regular tables rather than traditional views. Line SELECT ... INTO command, it saves a snapshot when a particular user (with security label, of course) references the underlying tables onto a regular tables in behalf of MV. In perspective of SELinux, nothings are different from an operation that writes data being read from another tables to a regular table; it should check permission to write on the destination table and to read from the source tables, but materialized-view calls this operation as "refresh". The attached patch adds db_materialized_view object class with select, insert, update, delete, lock, refresh and common database permissions. These permissions shall be checked on relevant accesses in manner of what regular table doing, and "refresh" shall be also checked when MV is refreshed. I didn't define new types for materialized-views, because its behavior is almost same as regular tables, thus I though it is a reasonable solution to utilize existing types for tables. Thanks, -- KaiGai Kohei <kaigai@xxxxxxxxxxxx>
Attachment:
refpolicy-sepgsql-materialized-view-support.v1.patch
Description: Binary data
