Re: Adding support for SE-Linux security

From: "David P(dot) Quigley" <dpquigl(at)tycho(dot)nsa(dot)gov>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Robert Haas <robertmhaas(at)gmail(dot)com>, KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Magnus Hagander <magnus(at)hagander(dot)net>, Chad Sellers <csellers(at)tresys(dot)com>, Josh Berkus <josh(at)agliodbs(dot)com>, jd <jd(at)commandprompt(dot)com>, David Fetter <david(at)fetter(dot)org>, Itagaki Takahiro <itagaki(dot)takahiro(at)oss(dot)ntt(dot)co(dot)jp>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Adding support for SE-Linux security
Date: 2009-12-11 17:06:49
Message-ID: 1260551209.15974.44.camel@moss-terrapins.epoch.ncsc.mil
Lists: pgsql-hackers

On Fri, 2009-12-11 at 11:28 -0500, Stephen Frost wrote:
[snip...]
> > The main concern I hear is that people are worried that this is an
> > SELinux specific design. I heard at the meeting on Wednesday that the
> > Trusted Extensions people looked at the framework and said it meets
> > their needs as well. If that's the case where does the concept that the
> > design is SELinux specific stem from? We've asked Casey Schaufler the
> > developer of another label based MAC system for Linux to look at the
> > hooks as well and make a statement about their usability.
>
> Hope I didn't steal your thunder wrt Casey! Thanks again.

So we contacted Casey about another MAC model for PG using PG-ACE and he
got back to us with these responses.

Josh Brindle (JB): So my question is, does smack have a facility
for userspace object managers?

Casey Schaufler (CS): Yes. The smack-util package includes a
small library which supports a user space version of the kernel
smackaccess() function. You pass it the subject label, object
label, and desired access and it returns a yes/no answer based
on what it reads from /smack/load.

So this answers our questions on whether or not SMACK has the faculties
to act as the security decision engine for PG.

JB: If so, I want to make the argument that doing a smack
integration using the pgace abstraction layer would not only
work but be fairly easy.

CS: Looking at some of the documentation I think that you can
safely make that argument. The security_label column would just
be the Smack label. The rules can be enforced by the user space
smackaccess(). "System" rows, whatever that might be, could get
the floor ("_") label.

Casey mentions the row level access control in here but it's safe to say
we've broken row based access control into a followup
discussion/project.

JB: All the sepgsql docs and code are up at
<http://code.google.com/p/sepgsql/> and I'd like to get your
feedback before I start making claims...

CS: I can't see how it would take more than about a day if pgace
does what it looks like it should.

This seems to be a favorable assessment of the pgace framework's ability
to be used by something other than SELinux. So Casey's Smack module plus
the Sun guys saying it is usable by their legacy TSOL or TX code would
lend credence to the idea that pgace is bringing to the table. It may be
possible that you're not happy with certain aspects of the
implementation but the objects and permissions listed in pgace are
definitely ones that are worth mediating.

Dave

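As an added illustration (not code from this thread, from sepgsql or from smack-util), here is the decision Casey describes written as a small Python simulation: a rule set in /smack/load form plus Smack's built-in label rules, applied to rows whose security_label column holds a Smack label, with "system" rows carrying the floor ("_") label. The rule-file format is simplified to whitespace-separated fields, and the rule set, labels and row table are constructed for the example.

```python
# Added simulation (not smack-util/sepgsql code): user-space Smack check over a constructed row table.
FLOOR, STAR, HAT = "_", "*", "^"          # Smack's special labels
READ_LIKE = {"r", "x"}                    # the accesses the floor/hat rules grant

def parse_rules(text):
    """Parse '<subject> <object> <access>' lines (simplified /smack/load: the
    kernel file is fixed-width, whitespace separation is assumed here)."""
    rules = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        subject, obj, access = fields
        rules[(subject, obj)] = set(access) - {"-"}   # '-' means no access
    return rules

def smack_access(rules, subject, obj, requested):
    """True if `subject` may perform all of `requested` (r/w/x/a letters) on
    `obj`: Smack's built-in label rules first, then the rule list, else deny."""
    requested = set(requested)
    if subject == STAR:                       # '*' as subject is always denied
        return False
    if obj == STAR or subject == obj:         # '*' object, or equal labels: allowed
        return True
    if obj == FLOOR and requested <= READ_LIKE:    # everyone may read/execute '_'
        return True
    if subject == HAT and requested <= READ_LIKE:  # '^' may read/execute anything
        return True
    return requested <= rules.get((subject, obj), set())

def visible_rows(rules, session_label, rows, access="r"):
    """Row-level filter: rows whose security_label the session label may access."""
    return [row for row in rows
            if smack_access(rules, session_label, row["security_label"], access)]

# Constructed rule set and table; "system" rows carry the floor label.
RULES = parse_rules("""
# subject   object    access
Analyst     Finance   r
Auditor     Finance   rx
Finance     Analyst   rw
""")
ROWS = [
    {"id": 1, "security_label": FLOOR,     "payload": "system config"},
    {"id": 2, "security_label": "Finance", "payload": "Q4 forecast"},
    {"id": 3, "security_label": "Analyst", "payload": "scratch notes"},
    {"id": 4, "security_label": "HR",      "payload": "salary review"},
]
```

Note that the floor label only grants read and execute, so a write to a "_" system row is denied unless an explicit rule allows it.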