I updated the patch set of SE-PostgreSQL and related ones (r1324).
[1/5] http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r1324.patch
[2/5] http://sepgsql.googlecode.com/files/sepostgresql-utils-8.4devel-3-r1324.patch
[3/5] http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r1324.patch
[4/5] http://sepgsql.googlecode.com/files/sepostgresql-docs-8.4devel-3-r1324.patch
[5/5] http://sepgsql.googlecode.com/files/sepostgresql-tests-8.4devel-3-r1324.patch
Draft of the SE-PostgreSQL documentation is here:
http://wiki.postgresql.org/wiki/SEPostgreSQL
List of updates:
- The patches are rebased onto the latest CVS HEAD.
- Now the "sepostgresql-sepgsql-8.4devel-3-r1324.patch" contains the
PGACE security framework, SE-PostgreSQL and Row-level ACLs,
so the 6th patch is gone.
- This makes it possible to compile multiple security features into a single binary.
The Row-level ACLs feature is always available, and SE-PostgreSQL is
available when we build with the "--enable-selinux" option.
- Two new system columns ("security_acl" and "security_label") are added.
The first one is for the Row-level ACLs, and the other is for the guest
of the PGACE security framework chosen by the user.
- Some interfaces are changed:
* initdb got a new option "--pgace-feature", which makes it possible to specify
one MAC feature (or none) on initialization of $PGDATA.
e.g.)
$ initdb --pgace-feature=selinux
* pg_dump got two new options (--security-acl and --security-label)
to dump row-level ACLs and security contexts.
* $PGDATA/postgresql.conf has a new parameter, "pgace_feature".
It lets users choose an enhanced security mechanism from the
candidates. Currently, SE-PostgreSQL is the only candidate.
- Todo item
* Documentation updates.
The "sepostgresql-docs-8.4devel-3-r1324.patch" is not up to date,
because higher priority should be given to providing the patch
set for reviewers. So, I'll update src/doc/* from now on.
Thanks,
===[ Example ]========================================================
postgres=# CREATE TABLE t1 (a int, b text) WITH (row_level_acl=on);
CREATE TABLE
postgres=# INSERT INTO t1 VALUES (1, 'aaa'), (2, 'bbb'), (3, 'ccc');
INSERT 0 3
postgres=# SELECT security_label, security_acl, * FROM t1;
              security_label              |  security_acl  | a |  b
------------------------------------------+----------------+---+-----
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai} | 1 | aaa
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai} | 2 | bbb
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai} | 3 | ccc
(3 rows)
postgres=# INSERT INTO t1 (security_acl, a, b) VALUES ('{kaigai=rw/kaigai}', 4, 'ddd');
INSERT 0 1
postgres=# INSERT INTO t1 (security_label, security_acl, a, b)
VALUES ('system_u:object_r:sepgsql_ro_table_t:s0', '{kaigai=rx/kaigai}', 5, 'eee');
INSERT 0 1
postgres=# SELECT security_label, security_acl, * FROM t1;
              security_label              |    security_acl    | a |  b
------------------------------------------+--------------------+---+-----
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai}     | 1 | aaa
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai}     | 2 | bbb
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai}     | 3 | ccc
 unconfined_u:object_r:sepgsql_table_t:s0 | {kaigai=rw/kaigai} | 4 | ddd
 system_u:object_r:sepgsql_ro_table_t:s0  | {kaigai=rx/kaigai} | 5 | eee
(5 rows)
postgres=# UPDATE t1 SET security_label = sepgsql_set_user(security_label, 'system_u'), security_acl = '{kaigai=r/kaigai}';
UPDATE 5
postgres=# SELECT security_label, security_acl, * FROM t1;
             security_label              |   security_acl    | a |  b
-----------------------------------------+-------------------+---+-----
 system_u:object_r:sepgsql_table_t:s0    | {kaigai=r/kaigai} | 1 | aaa
 system_u:object_r:sepgsql_table_t:s0    | {kaigai=r/kaigai} | 2 | bbb
 system_u:object_r:sepgsql_table_t:s0    | {kaigai=r/kaigai} | 3 | ccc
 system_u:object_r:sepgsql_table_t:s0    | {kaigai=r/kaigai} | 4 | ddd
 system_u:object_r:sepgsql_ro_table_t:s0 | {kaigai=r/kaigai} | 5 | eee
(5 rows)
postgres=#
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
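As an added illustration (not part of KaiGai's post and not taken from the r1324 patch set), the psql session below extends the example above with a second role, to show what the per-row "security_acl" column is meant to gate. The role name "alice", the table "t2", and the expected outcomes are assumptions: they rely on the column using PostgreSQL's aclitem syntax ("grantee=privs/grantor", empty grantee meaning PUBLIC, "r" meaning SELECT and "w" meaning UPDATE) and on a row whose ACL grants nothing to the current role or PUBLIC being filtered out of SELECT and UPDATE. Neither point is verified against the patch; it is what a reviewer would test.

```sql
-- Added example, not from the original post or the patch.
-- Assumes a cluster initialised with "initdb --pgace-feature=selinux"
-- and the r1324 patch set applied. "alice" and "t2" are hypothetical names.
CREATE ROLE alice LOGIN;
CREATE TABLE t2 (id int, note text) WITH (row_level_acl=on);

-- The table-level grant is still required; the row-level ACL narrows it.
GRANT SELECT, INSERT, UPDATE ON t2 TO alice;

-- Per-row grants in aclitem syntax (assumption): grantee=privs/grantor,
-- an empty grantee is PUBLIC.
INSERT INTO t2 (security_acl, id, note)
  VALUES ('{=r/kaigai}',        1, 'readable by everyone'),
         ('{kaigai=rw/kaigai}', 2, 'owner only'),
         ('{alice=r/kaigai}',   3, 'alice may read, not update');

-- As the owner (kaigai) all three rows are expected to be visible.
SELECT security_acl, id, note FROM t2 ORDER BY id;

-- Reconnect as the less-privileged role (psql meta-command) and repeat.
-- Expected (assumption): row 2 is filtered out, because its ACL grants
-- nothing to alice or PUBLIC; rows 1 and 3 remain visible.
\c - alice
SELECT security_acl, id, note FROM t2 ORDER BY id;

-- Expected (assumption): "UPDATE 0", since alice holds only "r" on row 3;
-- the table-level GRANT UPDATE alone does not unlock the row.
UPDATE t2 SET note = 'changed' WHERE id = 3;

-- Expected (assumption): alice cannot widen her own access either, because
-- rewriting security_acl requires "w" on the row she does not have.
UPDATE t2 SET security_acl = '{alice=rw/kaigai}' WHERE id = 3;
```

Because the per-row ACL and the SELinux context live in system columns, a logical backup carries this state only if pg_dump is run with the new --security-acl and --security-label options from the post; a dump taken without them does not include it.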