Re: Adding support for SE-Linux security

From: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Magnus Hagander <magnus(at)hagander(dot)net>, Stephen Frost <sfrost(at)snowman(dot)net>, Chad Sellers <csellers(at)tresys(dot)com>, "David P(dot) Quigley" <dpquigl(at)tycho(dot)nsa(dot)gov>, Josh Berkus <josh(at)agliodbs(dot)com>, jd <jd(at)commandprompt(dot)com>, David Fetter <david(at)fetter(dot)org>, Itagaki Takahiro <itagaki(dot)takahiro(at)oss(dot)ntt(dot)co(dot)jp>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Adding support for SE-Linux security
Date: 2009-12-11 05:50:29
Message-ID: 4B21DDA5.80002@ak.jp.nec.com
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-hackers

Robert Haas wrote:
> On Thu, Dec 10, 2009 at 11:45 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> If you're not prepared to assume that we're going to do row level
>> security, it's not apparent why we should be embarking on this course
>> at all. And if you do assume that, I strongly believe that my effort
>> estimate above is on the optimistic side.
>
> Row-level security is going to be a very difficult project, no
> question about it.

Yes, I also agree it is a reasonable decision to separate row-level
from the initial proposition.

> However, if we implement a general facility rather
> than something SE-Linux specific, I think we will have a killer
> feature. I realize it's not for everyone, but for those who need it,
> it's kick-ass.
>
> But we have a while before we get to the point where we can even start
> worrying about that pain. Stephen Frost's statements about the way
> our access controls are scattered throughout our code are, I think, on
> target. And cleaning that up seems to me to have value independently
> of SE-PostgreSQL. I'm feeling (right now, anyway) like it would make
> sense to pursue further the patch that KaiGai submitted for the last
> CF and you rejected. It needed work, but I don't think it was
> hopeless, or valueless.

Here is a few issues to salvage the access control reworks patch.

It tried to provide a set of common entry points both of the default PG
security model and SELinux (and upcoming ones).
However, the default PG model does not have same origin with label-based
mandatory access controls, such as SELinux, from a historical angle.
So, this reworks needed many of unobvious changes to the core routines.
("core routines" means code except for enhanced security features.)

It tried to provide a set of comprehensive entry points to replace existing
PG checks at once.
However, the SE-PgSQL/Lite patch covers accesses on only database, schema,
tables and columns. Is it necessary to be comprehensive from the beginning?
It might be too aggressive changes at once.

Frankly, I hesitate to salvage the patch once rejected, as is.

If we implement a set of security hooks, It seems to me the following approach
is reasonable:

* It does not touch the existing PG default checks.
The purpose of security hooks are to host "enhanced" security features.

* It does not deploy hooks on which no security provider is now proposed.
It is important to reduce unnecessary changeset.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Takahiro Itagaki 2009-12-11 05:54:47 Re: Largeobject Access Controls (r2460)
Previous Message Robert Haas 2009-12-11 05:28:38 Re: SE-PostgreSQL/Lite Review