Re: Updates of SE-PostgreSQL 8.4devel patches (r1155)

Simon Riggs wrote:
> On Wed, 2008-10-29 at 17:42 +0900, KaiGai Kohei wrote:
>
>> I've updated my patches, these are ready for CommitFest:Nov.
>>
>> [1/6] http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r1155.patch
>> [2/6] http://sepgsql.googlecode.com/files/sepostgresql-pg_dump-8.4devel-3-r1155.patch
>> [3/6] http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r1155.patch
>> [4/6] http://sepgsql.googlecode.com/files/sepostgresql-docs-8.4devel-3-r1155.patch
>> [5/6] http://sepgsql.googlecode.com/files/sepostgresql-tests-8.4devel-3-r1155.patch
>> [6/6] http://sepgsql.googlecode.com/files/sepostgresql-row_acl-8.4devel-3-r1155.patch
>>
>> The comprehensive documentation for SE-PostgreSQL is here:
>> http://wiki.postgresql.org/wiki/SEPostgreSQL (it is now under reworking.)
>>
>> List of updates:
>> - Patches are rebased to the latest CVS HEAD.
>> - bugfix: TRUNCATE checks assumed SECCLASS_DB_TUPLE object class
>> - bugfix: sepgsqlCopyFile assumed SECCLASS_FILE object class, but it has to be
>> adjusted by st_mode.
>>
>> Request for Comments:
>> - The 4th patch is actually needed? It can be replaced by wiki page.
>> - Do you think anything remained towards the final CommitFest?
>> - Do you have any reviewing comment? Most of patches are unchanged from
>> the previous vesion. If you can comment anything, I can fix them without
>> waiting for the final commit fest.
>>
>
> I'm copying some general comments from my contact here, verbatim. Other
> comments have been requested and may be forthcoming:
>
> By way of background "Common Criteria" (ISO Standard 15408) are in
> effect pre-defined security requirements that have been agreed between
> multiple friendly governments so that they can share the results from
> independent lab work in each country and avoid the costs and duplication
> of effort. The published lab work results in two outputs:
> - a "Target of Evaluation" (TOE) i.e. tight definition of the software
> version, configuration and environment (hardware, external controls)
> which was the subject of the evaluation
> - an "Evaluation Report" which, in the "happy case" has assigns an
> "Evaluation Assurance Level" (EAL) number to the product (which needless
> to say is only valid if the product is used in its TOE
>
> If you're interested in reading more about formal Government security
> evaluation schemes, these are some good sites:

Thanks for your information.
However, I've also followed the Common Criteria for a few years, and
some of facilities came from its requirements. The "security_context"
system column reflects the requirement of labeled import/export, for
example. Don't worry.

Let's move our discussion into its implementation in the upcoming
CommitFest. It's a good time now.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>