
Re: SE-PgSQL patch review

From: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: Josh Berkus <josh(at)agliodbs(dot)com>
Cc: David Fetter <david(at)fetter(dot)org>, Bruce Momjian <bruce(at)momjian(dot)us>, Itagaki Takahiro <itagaki(dot)takahiro(at)oss(dot)ntt(dot)co(dot)jp>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: SE-PgSQL patch review
Date: 2009-12-02 01:52:20
Message-ID: 4B15C854.6040305@ak.jp.nec.com
Lists: pgsql-hackers
Josh Berkus wrote:
>> This is totally separate from the really important question of whether
>> SE-Linux has a future, and another about whether, if SE-Linux has a
>> future, PostgreSQL needs to go there.
> 
> If the hooks are generic enough that they could potentially be adapted to
> other security frameworks, yes.  The need to have cohesive centralized
> systems permissions management hasn't gone away, whatever anyone thinks
> of the SE-linux implementation.

In history, most MAC features have a common origin, which was research
in the US military, so they commonly have similar concepts (such as
security labels, a centralized security policy, ...).

That was the reason why I proposed the PGACE framework for generic MAC
features in the earlier suggestion in the v8.4 development cycle.
(Note that it is gone now, to separate out unnecessary complexity.)
As long as the user can select his option, basically, I think it is
preferable to support multiple security models, not only SELinux.

As Linux (and also X-window) allows hosting multiple MAC features on a set
of common hooks, it is not an incorrect approach.
(Note that DAC has a different origin from MAC, so we shall need great
effort to integrate them. My trial in CF#2 shows this failure.)

> That's why I was hoping to have the TrustedSolaris folks working on
> this, but we've pretty much lost access to them.

We can understand the current circumstance at Sun...

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
