From: | KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com> |
---|---|
To: | Greg Smith <gsmith(at)gregsmith(dot)com> |
Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, pgsql-hackers(at)postgresql(dot)org, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp> |
Subject: | Re: Proposal of SE-PostgreSQL patches (for CommitFest:Sep) |
Date: | 2008-09-17 06:28:05 |
Message-ID: | 48D0A375.6020400@ak.jp.nec.com |
Lists: | pgsql-hackers |
Greg Smith wrote:
> On Wed, 17 Sep 2008, Peter Eisentraut wrote:
>
>> System-wide consistency in access controls could be nice to have in
>> some cases. But is it really achievable? In the typical three-tier
>> web application scenario, do you really have system-wide consistency?
>> Can you configure your application server using SELinux?
>
> Each of the tiers ends up with a mapping layer similar to the one
> implemented here to map the SELinux permissions -> PostgreSQL. Java for
> example has a whole JVM security manager component that makes it
> straightforward to do such a mapping.
> http://articles.techrepublic.com.com/5100-10878_11-6178805.html is a
> good quick intro that shows how the call structure is similar to what
> the SE-PostgreSQL code does.
I guess these security architectures have the same origin.
The reference monitor concept requires all accesses to data objects to be
checked by a tamperproof, always-invoked module based on its policy.
http://en.wikipedia.org/wiki/Reference_monitor
SE-PostgreSQL uses in-kernel SELinux as a reference monitor to check
all accesses to database objects via SQL.
>> And is SELinux really the desirable interface for a system-wide access
>> control facility? Why not port chmod or POSIX ACLs to PostgreSQL, or
>> port SQL roles back to the operating system, or something else that
>> captures what more people are actually using in practice.
>
> The main feature of SELinux that this crowd likes is how it manages
> privilege escalation risk. I'm not sure if POSIX ACLs for example are
> as effective at limiting the damage an exploitable suid binary can
> cause. As for what people are actually using, as someone who lives near
> the US capital I can tell you that installs using SELinux are quite
> plentiful around here--there really is no other UNIX-based technology
> for this purpose that's gotten traction inside this government like
> SELinux has.
>
> Anyway, even though I think picking SELinux as the primary security
> mechanism to integrate with is a sensible choice and I'm confident that
> the rest of the software stack isn't a problem, I do share your concern
> that implementing row and column-level security would make more sense in
> a general way first.
Thanks for your explanation.
The PGACE security framework can mount an OS-independent fine-grained
access control feature, like Oracle Label Security.
However, one concern is that we have only one CommitFest remaining.
As I mentioned in the previous message, I think it is not
strange behavior that different security subsystems make
different decisions at individual granularities.
>> Ultimately, I see this patch as an interesting proof of concept -- it
>> got us on the NSA site anyway -- but I can't see more than three
>> people actually making use of it
>
> I take it you've never seen how big the NSA fort^H^H^H^Hfacility is?
> I'm not sure exactly how many orders of magnitude your estimate is off
> by, but I know it's at least 2 just based on conversations I've been
> involved in with companies around here. A lot of the US defense and
> homeland security related companies are adopting open-source software
> stacks because they can audit every level of the software, and there's a
> big void in that stack waiting for a database with the right security
> model to fill. You are right that getting code contributions back again
> is a challenge though.
I don't have statistically reliable information. :)
However, I believe there is potentially strong demand for a secure database,
judging from the responses of audiences when I gave presentations about
SE-PostgreSQL on various occasions.
IIRC, Josh also said similar things.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
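The reference monitor idea discussed above (a single, always-invoked decision point that every SQL-level access to a table or tuple must pass through) can be made concrete with a small model. The following Python is an added illustration written for this page; it is not SE-PostgreSQL, PGACE or NEC code. The policy rules, the subject and object labels (`staff_t`, `admin_t`, `general_t`, `secret_t`), the object classes `db_table` and `db_tuple`, the per-row `_label` column and the table contents are all constructed for the example. It models only the SELinux type, not the full user:role:type:level context, and the policy is a plain allow-list evaluated in-process rather than by the kernel.

```python
"""Toy reference monitor for labelled tables and tuples (illustration only).

Every access to a table or a row is routed through ReferenceMonitor.check();
nothing below reads or writes rows without going through it. Labels, policy
rules and data are constructed for this example, not taken from SE-PostgreSQL.
"""
import re
from dataclasses import dataclass, field


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class Subject:
    name: str
    label: str  # only the SELinux *type* is modelled, e.g. "staff_t"


@dataclass
class Table:
    name: str
    label: str                                   # label of the relation itself
    rows: list = field(default_factory=list)     # each row carries a "_label" key


class Policy:
    """Type-enforcement rules of the form: allow <subj> <obj>:<class> { perms }"""
    _RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s*\{([^}]*)\}")

    def __init__(self, text):
        self.rules = set()
        for subj, obj, tclass, perms in self._RULE.findall(text):
            for perm in perms.split():
                self.rules.add((subj, obj, tclass, perm))

    def allowed(self, subj, obj, tclass, perm):
        return (subj, obj, tclass, perm) in self.rules  # anything not listed is denied


class ReferenceMonitor:
    """The single decision point; denials are recorded like AVC audit messages."""

    def __init__(self, policy):
        self.policy = policy
        self.audit = []

    def check(self, subject, obj_label, tclass, perm):
        ok = self.policy.allowed(subject.label, obj_label, tclass, perm)
        if not ok:
            self.audit.append(f"denied {{ {perm} }} scontext={subject.label} "
                              f"tcontext={obj_label} tclass={tclass}")
        return ok

    def enforce(self, subject, obj_label, tclass, perm):
        if not self.check(subject, obj_label, tclass, perm):
            raise AccessDenied(f"{subject.name}: {perm} on {tclass} {obj_label}")


def select_rows(monitor, subject, table, predicate=lambda row: True):
    """Table-level select is an error if denied; tuple-level select is a filter,
    so rows the subject may not read are simply invisible to it."""
    monitor.enforce(subject, table.label, "db_table", "select")
    return [row for row in table.rows
            if predicate(row) and monitor.check(subject, row["_label"], "db_tuple", "select")]


def insert_row(monitor, subject, table, row, label=None):
    monitor.enforce(subject, table.label, "db_table", "insert")
    new = dict(row, _label=label or table.label)  # new tuple inherits the table label
    monitor.enforce(subject, new["_label"], "db_tuple", "insert")
    table.rows.append(new)
    return new


def delete_rows(monitor, subject, table, predicate):
    monitor.enforce(subject, table.label, "db_table", "delete")
    kept = []
    for row in table.rows:
        # Rows the subject cannot select are invisible and therefore never touched;
        # a visible row matching the predicate must additionally be deletable.
        visible = monitor.check(subject, row["_label"], "db_tuple", "select")
        if visible and predicate(row):
            monitor.enforce(subject, row["_label"], "db_tuple", "delete")
        else:
            kept.append(row)
    removed = len(table.rows) - len(kept)
    table.rows = kept
    return removed


# Constructed policy: staff may read and add general rows; admin may also
# read and delete secret rows. No rule for staff on secret tuples or deletes.
POLICY = Policy("""
allow staff_t general_t:db_table { select insert }
allow staff_t general_t:db_tuple { select insert }
allow admin_t general_t:db_table { select insert delete }
allow admin_t general_t:db_tuple { select insert delete }
allow admin_t secret_t:db_tuple  { select insert delete }
""")


def demo():
    monitor = ReferenceMonitor(POLICY)
    customers = Table("customers", "general_t", rows=[   # constructed sample data
        {"id": 1, "name": "alice", "_label": "general_t"},
        {"id": 2, "name": "bob",   "_label": "secret_t"},
        {"id": 3, "name": "carol", "_label": "general_t"},
    ])
    staff = Subject("staff", "staff_t")
    admin = Subject("admin", "admin_t")

    staff_view = [r["id"] for r in select_rows(monitor, staff, customers)]
    admin_view = [r["id"] for r in select_rows(monitor, admin, customers)]
    insert_row(monitor, staff, customers, {"id": 4, "name": "dave"})
    try:
        insert_row(monitor, staff, customers, {"id": 5, "name": "eve"}, label="secret_t")
        staff_secret_insert = "allowed"
    except AccessDenied:
        staff_secret_insert = "denied"
    removed = delete_rows(monitor, admin, customers, lambda r: r["id"] == 2)
    try:
        delete_rows(monitor, staff, customers, lambda r: True)
        staff_delete = "allowed"
    except AccessDenied:
        staff_delete = "denied"
    return {
        "staff_view": staff_view,
        "admin_view": admin_view,
        "staff_secret_insert": staff_secret_insert,
        "removed_by_admin": removed,
        "staff_delete": staff_delete,
        "remaining": [r["id"] for r in customers.rows],
        "denials": len(monitor.audit),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the choke point: there is no code path from a query to a row that bypasses `check()`, the policy denies by default, and a denied tuple-level select filters the row out rather than raising, while a denied table-level permission fails the whole statement. That distinction is what makes label-based row-level control usable (a client simply does not see rows above its label) without leaking the existence of those rows through error messages.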