Re: SE-PgSQL patch review

From: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: Josh Berkus <josh(at)agliodbs(dot)com>
Cc: David Fetter <david(at)fetter(dot)org>, Bruce Momjian <bruce(at)momjian(dot)us>, Itagaki Takahiro <itagaki(dot)takahiro(at)oss(dot)ntt(dot)co(dot)jp>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: SE-PgSQL patch review
Date: 2009-12-02 01:52:20
Message-ID: 4B15C854.6040305@ak.jp.nec.com
Lists: pgsql-hackers

Josh Berkus wrote:
>> This is totally separate from the really important question of whether
>> SE-Linux has a future, and another about whether, if SE-Linux has a
>> future, PostgreSQL needs to go there.
>
> If the hooks are generic enough that they could potentially be adapted to
> other security frameworks, yes. The need to have cohesive centralized
> systems permissions management hasn't gone away, whatever anyone thinks
> of the SE-linux implementation.

Historically, most MAC features have a common origin, which was research
in the US military, so they commonly have similar concepts (such as
security labels, a centralized security policy, ...).

That was the reason why I proposed the PGACE framework for generic MAC features
in my earlier suggestion in the v8.4 development cycle.
(Note that it has since gone, to avoid unnecessary complexity.)
As long as users can select their option, basically, I think it is preferable
to support multiple security models, not only SELinux.

As Linux (and also X Window) allows hosting multiple MAC features on a set
of common hooks, it is not an incorrect approach.
(Note that DAC has a different origin from MAC, so we shall need great
effort to integrate them. My trial in CF#2 showed this failure.)

> That's why I was hoping to have the TrustedSolaris folks working on
> this, but we've pretty much lost access to them.

We can understand the current circumstance at Sun...

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
