Re: Updates of SE-PostgreSQL 8.4devel patches (r1155)

From: Simon Riggs <simon(at)2ndQuadrant(dot)com>
To: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: Updates of SE-PostgreSQL 8.4devel patches (r1155)
Date: 2008-10-29 10:20:45
Message-ID: 1225275645.3971.296.camel@ebony.2ndQuadrant
Lists: pgsql-hackers


On Wed, 2008-10-29 at 17:42 +0900, KaiGai Kohei wrote:

> I've updated my patches, these are ready for CommitFest:Nov.
>
> [1/6] http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r1155.patch
> [2/6] http://sepgsql.googlecode.com/files/sepostgresql-pg_dump-8.4devel-3-r1155.patch
> [3/6] http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r1155.patch
> [4/6] http://sepgsql.googlecode.com/files/sepostgresql-docs-8.4devel-3-r1155.patch
> [5/6] http://sepgsql.googlecode.com/files/sepostgresql-tests-8.4devel-3-r1155.patch
> [6/6] http://sepgsql.googlecode.com/files/sepostgresql-row_acl-8.4devel-3-r1155.patch
>
> The comprehensive documentation for SE-PostgreSQL is here:
> http://wiki.postgresql.org/wiki/SEPostgreSQL (it is now under reworking.)
>
> List of updates:
> - Patches are rebased to the latest CVS HEAD.
> - bugfix: TRUNCATE checks assumed SECCLASS_DB_TUPLE object class
> - bugfix: sepgsqlCopyFile assumed SECCLASS_FILE object class, but it has to be
> adjusted by st_mode.
>
> Request for Comments:
> - Is the 4th patch actually needed? It can be replaced by the wiki page.
> - Do you think anything remains towards the final CommitFest?
> - Do you have any reviewing comments? Most of the patches are unchanged from
> the previous version. If you can comment on anything, I can fix them without
> waiting for the final commit fest.
>

I'm copying some general comments from my contact here, verbatim. Other
comments have been requested and may be forthcoming:

By way of background, "Common Criteria" (ISO Standard 15408) are in
effect pre-defined security requirements that have been agreed between
multiple friendly governments so that they can share the results from
independent lab work in each country and avoid the costs and duplication
of effort. The published lab work results in two outputs:
- a "Target of Evaluation" (TOE) i.e. tight definition of the software
version, configuration and environment (hardware, external controls)
which was the subject of the evaluation
- an "Evaluation Report" which, in the "happy case", assigns an
"Evaluation Assurance Level" (EAL) number to the product (which, needless
to say, is only valid if the product is used in its TOE)

If you're interested in reading more about formal Government security
evaluation schemes, these are some good sites:

General
http://www.commoncriteriaportal.org/

UK
http://www.cesg.gov.uk/

Australia
Defence Signals Directorate www.dsd.gov.au/infosec/

Canada
Communications Security Establishment www.cse.dnd.ca

France
Direction Centrale de la Sécurité des Systèmes d'Information
www.ssi.gouv.fr/en/

Germany
Bundesamt für Sicherheit in der Informationstechnik www.bsi.bund.de

Japan
Japan Information Technology Security Evaluation and Certification
Scheme (JISEC) www.ipa.go.jp/security/jisec/jisec_e/index.html

USA
National Institute of Standards and Technology www.nist.gov
National Information Assurance Partnership (NIAP)
www.nsa.gov/ia/industry/niap.cfm

--
Simon Riggs www.2ndQuadrant.com
PostgreSQL Training, Services and Support
