From: | Robert Haas <robertmhaas(at)gmail(dot)com> |
---|---|
To: | Bruce Momjian <bruce(at)momjian(dot)us> |
Cc: | Josh Berkus <josh(at)agliodbs(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, jd(at)commandprompt(dot)com, David Fetter <david(at)fetter(dot)org>, Itagaki Takahiro <itagaki(dot)takahiro(at)oss(dot)ntt(dot)co(dot)jp>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers(at)postgresql(dot)org |
Subject: | Re: Adding support for SE-Linux security |
Date: | 2009-12-07 15:12:54 |
Message-ID: | 603c8f070912070712y7ab584eaxe3272fc6bf4bde30@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-hackers |
On Mon, Dec 7, 2009 at 9:48 AM, Bruce Momjian <bruce(at)momjian(dot)us> wrote:
> Robert Haas wrote:
>> > This is no harder than many of the other seemingly crazy things I have
>> > done, e.g. Win32 port, client library threading. ?If this is a feature
>> > we should have, I will get it done or get others to help me complete the
>> > task.
>>
>> Well, I have always thought that it would be sort of a feather in our
>> cap to support this, which is why I've done a couple of reviews of it
>> in the past. I tend to agree with Tom that only a small fraction of
>> our users will probably want it, but then again someone's been paying
>> KaiGai to put a pretty hefty amount of work into this over the last
>> year-plus, so obviously someone not only wants the feature but wants
>> it merged. Within our community, I think that there have been a lot
>> of people who have liked the concept of this feature but very few who
>> have liked the patch, so there's somewhat of a disconnect between our
>> aspirations and our better technical judgment. Tom is a notable
>> exception who I believe likes neither the concept nor the patch, which
>> is something we may need to resolve before getting too serious about
>> this.
>
> Agreed. SE-Linux support might expand our user base and give us
> additional credibility, or it might be a feature that few people use ---
> and I don't think anyone knows the outcome.
>
> I wonder if we should rephrase this as, "How hard will this feature be
> to add, and how hard will it be to remove in a few years if we decide we
> don't want it?" SE-Linux support would certainly put Postgres in a
> unique security category, and it builds on our existing good security
> reputation.
Yes, I think that's the right way to think about it. At a guess, it's
two man-months of work to get it in, and ripping it out is likely
technically fairly simple but will probably be politically impossible.
> Personally, I think AppArmor is a saner security system:
>
> http://www.novell.com/linux/security/apparmor/selinux_comparison.html
> (Novell-hosted URL)
Agreed.
> but I am not advocating AppArmor support. I think the whole issue is
> whether support for external integrated security systems is appropriate
> for Postgres.
It's not something I've run into a need for in my own work, but I
think there are definitely people out there who do need it, and I'd
like to see us be able to support it. One of the things that I think
would be worth looking into is whether there is a way to make this
pluggable, so that selinux and apparmor and trusted solaris and so on
could make use of the same framework, but that requires understanding
all of them well enough to design a framework that can meet all of
those needs. Every framework effort we've seen from KaiGai so far has
seemed extremely SE-Linux-specific and therefore pointless. But
really doing this right is a big development project, and not
something I can do in my free time.
...Robert
From | Date | Subject | |
---|---|---|---|
Next Message | David Fetter | 2009-12-07 15:16:43 | Re: cvs chapters in our docs |
Previous Message | Magnus Hagander | 2009-12-07 15:08:28 | Re: cvs chapters in our docs |