Re: Adding support for SE-Linux security

From: Bruce Momjian <bruce(at)momjian(dot)us>
To: Andrew Dunstan <andrew(at)dunslane(dot)net>
Cc: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Josh Berkus <josh(at)agliodbs(dot)com>, jd(at)commandprompt(dot)com, David Fetter <david(at)fetter(dot)org>, Itagaki Takahiro <itagaki(dot)takahiro(at)oss(dot)ntt(dot)co(dot)jp>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Adding support for SE-Linux security
Date: 2009-12-03 21:46:23
Message-ID: 200912032146.nB3LkNF29978@momjian.us
Lists: pgsql-hackers

Andrew Dunstan wrote:
> I think you have been remarkably good about our caution in accepting
> this. You certainly have my admiration for your patience.

Agreed.

> What would probably help us a lot would be to know some names of large
> users who want and will support this. NEC's name is a good start, but if
> a few other enterprise users spoke up it would help to make the decision
> a lot easier.

I think the open questions we have now are:

o Is SE-Linux appropriate technology for Postgres?
o Does SE-Linux have a sufficient user base or potential
  user base to justify the additional code?
o Can the code be maintained?

And we have some partial answers. SE-Linux seems like the most popular
of the security frameworks. There are a number of identified potential
users, though we are looking to hear about more of them. Third, KaiGai
is being paid by NEC to do this work and has shown himself to be extraordinarily
dedicated to this feature. He has also offered to get other SE-Linux
people involved in any patch review.

I think the PostGIS example mentioned earlier is a good one. We did
make some minor adjustments years ago to make things easier for them,
but we had the luxury of having PostGIS be able to be developed outside
of our main tree. I think with the current posted patch we have some of
that benefit in that most of the code is in SE-Linux-specific
directories, but the code outside those directories does have to be
maintained.

--
Bruce Momjian <bruce(at)momjian(dot)us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +
