Re: SE-PostgreSQL Specifications

Stephen Frost wrote:
>> I think what I should do on the next is ...
>> - To check up whether it is really possible to implement SELinux's model.
>> - To describe the list of the security functions in the new abstraction layer.
>> - To discuss the list of permission at:
>> http://wiki.postgresql.org/wiki/SEPostgreSQL_Development#Mandatory_access_controls
>
> That sounds like a good approach. As we define the security functions
> to go into the abstraction layer, I would also say we should identify
> the exact pieces of existing code which are going to move.

I began to describe the list of abstraction layer functions (but not completed yet):
http://wiki.postgresql.org/wiki/SEPostgreSQL_Abstraction

In my current impression, it indeed requires a few kilo lines of changes,
but it is not impossible scale.

I now plans to submit two patches for the next commit fest.
The one is implementation of the abstraction layer.
The other is basic implementation of the SE-PostgreSQL.

So, I would like to fix external specification at least.

The specifications for developer notes definitions of permissions:
http://wiki.postgresql.org/wiki/SEPostgreSQL_Development

As Robert suggested before, I plans to support access controls on the
following database objects and permissions at the first stage.
* databases
* schemas
* tables
* columns
* sequences
* functions
* tablespaces

Do you have any comment for the directions?

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>