Re: Proposal of SE-PostgreSQL patches [try#2]

Am Donnerstag, 26. Juni 2008 schrieb KaiGai Kohei:
> The following patch set (r926) are updated one toward the latest CVS head,
> and contains some fixes in security policy and documentation.

OK, I have quickly read through these patches. They look very nice, so I am
optimistic we can get through this.

First of all, now would be a good time if someone out there really wants to
object to this feature in general. It will probably always be a niche
feature. But all the code is hidden behind ifdefs or other constructs that a
compiler can easily hide away (or we can make it so, at least).

Here is a presentation from PGCon on SE-PostgreSQL:
http://www.pgcon.org/2008/schedule/events/77.en.html

Are there any comments yet from the (Trusted)Solaris people that wanted to
evaluate this approach for compatibility with their approach?

In general, are we OK with the syntax CONTEXT = '...'? I would rather see
something like SECURITY CONTEXT '...'. There are a lot of contexts, after
all.

This will also add a system column called security_context. I think that is
OK.

In the pg_dump patch:

spelling mistake "tuen on/off"

Evil coding style: if (strcmp(SELINUX_SYSATTR_NAME, security_sysattr_name)) --
compare the result with 0 please.

The above code appears to assume that security_sysattr_name never changes, but
then why do we need a GUC parameter to show it?

Might want to change the option name --enable-selinux to something
like --security-context.

In general, we might want to not name things selinux_* but instead
sepostgresql_* or security_* or security_context_*. Or maybe PGACE?

On the default policy:

Should this really be a contrib module? Considering that it would be a core
feature that is not really usable without a policy.

Please change all the sepgsql_* things to sepostgresql_*, considering that you
are using both already, so we shouldn't have both forms of names.

Documentation:

Looks good for a start, but we will probably want to write more later.