Re: SE-PostgreSQL Specifications

From: Sam Mason <sam(at)samason(dot)me(dot)uk>
To: pgsql-hackers(at)postgresql(dot)org
Subject: Re: SE-PostgreSQL Specifications
Date: 2009-07-25 23:49:33
Message-ID: 20090725234933.GN5407@samason.me.uk
Lists: pgsql-hackers

On Sat, Jul 25, 2009 at 04:39:29PM -0400, Robert Haas wrote:
> On Sat, Jul 25, 2009 at 4:27 PM, Sam Mason<sam(at)samason(dot)me(dot)uk> wrote:
> > I thought the whole point of MAC was that superusers don't exist any
> > more--at least not with the power they currently do.
>
> It's been billed that way, but it's not really accurate. A more
> accurate statement would be that it's possible to create a system in
> which there is no unconfined role.

Yes, that sounds more precise!

I'm still unsure of terminology; what's an "unconfined role"? I guess
the layman's description is similar to a "superuser", but I'm sure
there's a more refined definition somewhere. Hum, I've just found
Fedora's guide; is the following considered a reasonable picture:

http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/chap-Security-Enhanced_Linux-Targeted_Policy.html

> > Organizations may
> > well not trust specific parts of their database to certain types of
> > backups, SE-PG should allow this to be controlled somewhat.
>
> I imagine it would be possible to run pg_dump on a database where you
> couldn't see all of the objects, and get a dump of just those, but
> that's only tangentially related to whether such things as superusers
> exist.

I'm not sure what point you're trying to make; in my understanding
superusers can see and do anything--hence they can make a backup.

> If superusers DON'T exist, that would be making the opposite
> statement, namely, that there isn't ANY WAY to get a backup that you
> can be sure DOES contain all of the objects.

The traditional approach would be to maintain multiple physically
separate databases; in this setup it's obvious that when you perform a
backup of one of these databases you're only seeing a subset of "all of
the objects". Isn't SE-PG just allowing you to do this within a single
PG database?

> And while I believe
> SE-Linux/SE-PostgreSQL would allow you to configure such a system, you
> might want to think carefully before you decide to do so, and the
> system certainly shouldn't (and can't) force you to set it up that
> way.

I agree that this would seem to make the resulting system easier to
manage, however I can also imagine scenarios where the converse would
be true. This is a fuzzy engineering decision of the sort that I don't
like making without a use case---and it would be nice to have several
here.

> > pg_dump can complain if it doesn't see everything it expected to
>
> If pg_dump can tell that there is information missing, the system
> hasn't done a very good job of hiding its existence, which is surely
> the whole point here.

Hum, good point--scratch that idea then!

--
Sam http://samason.me.uk/
