Skip site navigation (1) Skip section navigation (2)

Re: SE-PostgreSQL Specifications

From: KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
To: Sam Mason <sam(at)samason(dot)me(dot)uk>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: SE-PostgreSQL Specifications
Date: 2009-07-26 13:43:22
Message-ID: 4A6C5D7A.2070704@kaigai.gr.jp (view raw or flat)
Thread:
Lists: pgsql-hackers
Sam Mason wrote:
> On Sun, Jul 26, 2009 at 12:27:12PM +0900, KaiGai Kohei wrote:
>> Indeed, the draft used the term of "security context" with minimum
>> introductions, but not enough friendliness for database folks.
>>
>> The purpose of security context is an identifier of any subject and
>> object to describe them in the security policy. Because the security
>> policy is common for operating system, databases, x-window and others,
>> any managed database objects needs its security context.
>>
>> Anyway, I need to introduce them in the security model section.
> 
> I'm coming to the conclusion that you really need to link to external
> material here; there must be good (and canonical) definitions of these
> things outside and because SE-PG isn't self contained I really think you
> need to link to them.
> 
> This will be somewhat of a break from normal PG documentation because
> so far everything has been self contained, it's chosen its own
> interpretation of the SQL standard and it needs to document that.  SE-PG
> will be interacting with much more code from outside and showing which
> parts of these are PG specific vs. which parts are common to all SELinux
> seems important.
> 
> If you try to document *everything* you're going to be writing for years
> and give the impression that everything is implemented in SE-PG.  A
> dividing line needs to be drawn between what is PG specific and what is
> SELinux (why not SEL?).

It also seems to me reasonable suggestion.

However, a reasonable amount (which should be adjusted under discussions)
of description should be self-contained.
For example, "security context is a formatted short string" is not enough
to understand why it is necessary and what is the purpose.

As Robert suggested, a few example and definition of technical terms
will help database folks to understand what it is, even if self-contained
explanation is not comprehensive from viewpoint of security folks.

Thanks,
-- 
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>

In response to

Responses

pgsql-hackers by date

Next:From: KaiGai KoheiDate: 2009-07-26 13:57:43
Subject: Re: SE-PostgreSQL Specifications
Previous:From: Pavel StehuleDate: 2009-07-26 13:33:07
Subject: Re: Patch for 8.5, transformationHook

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group