Re: Adding support for SE-Linux security

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, Magnus Hagander <magnus(at)hagander(dot)net>, Stephen Frost <sfrost(at)snowman(dot)net>, Chad Sellers <csellers(at)tresys(dot)com>, "David P(dot) Quigley" <dpquigl(at)tycho(dot)nsa(dot)gov>, Josh Berkus <josh(at)agliodbs(dot)com>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, jd <jd(at)commandprompt(dot)com>, David Fetter <david(at)fetter(dot)org>, Itagaki Takahiro <itagaki(dot)takahiro(at)oss(dot)ntt(dot)co(dot)jp>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Adding support for SE-Linux security
Date: 2009-12-12 01:41:57
Message-ID: 200912120141.nBC1fvM17486@momjian.us
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Tom Lane wrote:
> Robert Haas <robertmhaas(at)gmail(dot)com> writes:
> > Unlike Tom (I think), I do believe that there is demand (possibly only
> > from a limited number of people, but demand all the same) for this
> > feature.
>
> Please note that I do not think there is *zero* demand for the feature.
> There is obviously some. What I find highly dubious is whether there is
> enough demand to justify the amount of effort, both short- and long-term,
> that the community would have to put into it.

Well, the bottom line is that this effort should grow the development
and user community of Postgres --- it if doesn't, it is a failure.

> > And I also believe that most people in our community are
> > generally supportive of the idea, but only a minority are willing to
> > put in time to make it happen. So I have no problem saying to the
> > people who want the feature - none of our committers feel like working
> > on this. Sorry. On the other hand, I also have no problem telling
> > them - good news, Bruce Momjian thinks this is a great feature and
> > wants to help you get it done. I *do* have a problem with saying - we
> > don't really know whether anyone will ever want to work on this with
> > you or not.
>
> If I thought that Bruce could go off in a corner and make this happen
> and it would create no demands on anybody but him and KaiGai-san, I
> would say "fine, if that's where you want to spend your time, go for
> it". But even to state that implied claim is to see how false it is.
> Bruce is pointing to the Windows port, but he didn't make it happen
> by himself, or any close approximation of that. Everybody who works
> on this project has been affected by that, and we're *still* putting
> significant amounts of time into Windows compatibility, over five years
> later.

The Windows port was primiarly done by Magnus, Claudio Natoli, and
Andrew Dunstan. The good thing about that group is that their
involvement in Win32 did not take them away from existing Postgres work
--- in fact I think it increased Magnus's and Andrew's involvement. As
I stated above, I expect the SE-Postgres work to be done mostly by new
people and to expand our development team. KaiGai is certainly a new
addition, and I think there is already an indication that new people are
getting involved.

Of course, our existing people will have to help too, but as I stated a
few days ago, I expect security-specific stuff to be maintained mostly
by new people, and our existing folks are going to have to help with
hooks, plus adding things like mandatory access control and row-level
security to base Postgres. (I do think it is inevitable that those will
be added some day. I agree the security folks will be accelerating
that. Hopefully we will get more good out of this than the
inconvenience of this accelerated security stuff.)

> My guess is that a credible SEPostgres offering will require a long-term
> amount of work at least equal to, and very possibly a good deal more
> than, what it took to make a native Windows port. If SEPostgres could
> bring us even 10% as many new users as the Windows port did, it'd
> probably be a worthwhile use of our resources. But again, that's an
> assumption that's difficult to type without bursting into laughter.

Odds are SEPostgres will add perhaps 1% new users compared to Win32, but
perhaps very important, energetic, and visible users. As stated
earlier, the base Postgres security additions like row-level security
are going to be inconvenient, but I do think we will eventually need
them anyway, so I don't see them as SE-Postgres burdens.

I am not replying to many of these emails so I don't appear to be
brow-beating (forcing) the community into accepting this features. I
might be brow-beating the community, but I don't want to _appear_ to be
brow-beating. ;-)

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Robert Haas 2009-12-12 01:47:20 Re: [PATCH] dtrace probes for memory manager
Previous Message Robert Haas 2009-12-12 01:41:38 Re: LDAP where DN does not include UID attribute