Re: How to get SE-PostgreSQL acceptable

From: Joshua Brindle <method(at)manicmethod(dot)com>
To: Bruce Momjian <bruce(at)momjian(dot)us>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Gregory Stark <stark(at)enterprisedb(dot)com>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, Stephen Frost <sfrost(at)snowman(dot)net>, Peter Eisentraut <peter_e(at)gmx(dot)net>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, PG Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: How to get SE-PostgreSQL acceptable
Date: 2009-01-29 14:14:29
Message-ID: 4981B9C5.7020005@manicmethod.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Bruce Momjian wrote:
> Tom Lane wrote:
>> Gregory Stark <stark(at)enterprisedb(dot)com> writes:
>>> I don't think partitioning is really the same thing as row-level
>>> security.
>> Of course not, but it seems to me that it can be used to accomplish most
>> of the same practical use-cases. The main gripe about doing it via
>> partitioning is that the user's nose gets rubbed in the fact that there
>> can't be an enormous number of different security classifications in the
>> same table (since he has to explicitly make a partition for each one).
>> But the proposed implementation of row-level security would poop out
>> pretty darn quick for such a case, too, and frankly I'm not seeing an
>> application that would demand it.
>
> OK, putting on my crazy idea hat, if we split the primary and foreign
> keys by partition, it would give us polyinstantiation:
>
> http://en.wikipedia.org/wiki/Polyinstantiation
>
> because our unique indexes do not apply across partitions.
> Polyinstantiation is a desirable security feature and one that would be
> tough to implement without partitions.
>

Polyinstantiation in this manner won't do it I don't think (if I'm understanding
you correctly). As KaiGai already said, SELinux policy is flexible so we'll have
more than just BLP policy to worry about.

Also a top secret user will need to see all rows when he selects, and they
should still have unique keys. He won't be able to write to secret or unclass
rows but he'll be able to see them.

Further, a secret user may be able to see top secret rows, but not some of the
columns, going back to my coordinates example. He'd have to use a trusted stored
procedure that can do the necessary operations to fuzz the data.

A flexible policy is really the crux of this. We aren't trying to reproduce what
other DBMS's have done, we are trying to integrate with a completely flexible
policy from the ground up.

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Heikki Linnakangas 2009-01-29 14:33:55 Re: Hot standby, recovery infra
Previous Message Simon Riggs 2009-01-29 14:10:51 Re: Hot standby, recovery infra