Re: SE-PostgreSQL Specifications

From: KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
To: Sam Mason <sam(at)samason(dot)me(dot)uk>
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: SE-PostgreSQL Specifications
Date: 2009-07-26 03:27:12
Message-ID: 4A6BCD10.60104@kaigai.gr.jp
Lists: pgsql-hackers

Sam Mason wrote:
> On Sat, Jul 25, 2009 at 09:50:08PM +0900, KaiGai Kohei wrote:
>> Sorry for using the undefined terminology.
>
> I think this is the largest missing part of the docs at the moment;
> there is a whole new world of definitions that need to be understood
> before the SE-PG stuff is understandable/usable by anyone and none of it
> is explained in a way I can understand. External links are fine at the
> moment (I think) but descriptions will need to exist.
>
> For example you currently define a "security context" as "a formatted
> short string"---how does that tell me why I would want one or what it
> does! As an example, PG currently has the following to describe what a
> "role" is:
>
> http://www.postgresql.org/docs/current/static/database-roles.html

Indeed, the draft used the term "security context" with minimal
introduction, and not with enough friendliness for database folks.

The purpose of a security context is to identify any subject or object
so that it can be described in the security policy. Because the security
policy is common to the operating system, databases, X Window and others,
every managed database object needs its own security context.

Anyway, I need to introduce them in the security model section.

> I'd expect a similar definition for each of the major terms in SE-PG;
> at the moment these seem to be "security label", "security context",
> "security policy" and others? What do others think?

A "security label" is identical to a "security context".
For historical reasons, I use the term "SECURITY_LABEL" for
interfaces, but it might be easier to understand if
"SECURITY_CONTEXT" were used instead.

As for the security policy, I introduce it in the security model section:

| Access control is conceptually to decide a set of allowed (or denied)
| actions between a certain subject (such as a database client) and an
| object (such as a table), and to apply the decision to the user's requests.
| In the database privilege system, the ACL stored in the database object
| itself holds a list of actions allowed to certain database roles, and it is
| applied to the user's request.
| SELinux also holds massive sets of allowed actions between a certain
| subject and a certain object; we call them the security policy.

Is it obscure?

In addition, I also think some other terms need to be defined explicitly,
for example what the term "labeled" means.

> Hope that helps explain my confusion! If you point me at some docs I'll
> be happy to write/edit things to make them more relevant to PG.

At this point, the SELinux User's Guide from Fedora is the most comprehensive
documentation. It is written from the viewpoint of SELinux users, not
experts or developers.

http://docs.fedoraproject.org/selinux-user-guide/

Thanks,
--
KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>
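The message above explains a security context as an identifier attached to every subject and object, and the security policy as a set of allowed actions between subject and object types. The following Python example, added here and not part of the original mail or of SE-PostgreSQL itself, models exactly those two pieces: it parses contexts in the usual SELinux `user:role:type[:level]` form, loads a toy subset of SELinux `allow` rules, and makes a default-deny decision. The type names `unconfined_t`, `sepgsql_client_t`, `sepgsql_table_t` and the object class `db_table` are illustrative assumptions, and the rule parser accepts only plain `allow` statements, not attributes, type sets or the rest of the real policy language.

```python
"""Toy model of SELinux security contexts and allow-rule policy decisions.

Added example, not code from the pgsql-hackers thread or from SE-PostgreSQL.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# A security context is user:role:type, optionally followed by an MLS/MCS
# level such as "s0" or "s0-s0:c0.c1023" (the level may itself contain ':').
CONTEXT_RE = re.compile(r"^([^:\s]+):([^:\s]+):([^:\s]+)(?::(\S+))?$")


@dataclass(frozen=True)
class SecurityContext:
    """Identifier for a subject (client process) or object (table, column...)."""
    user: str
    role: str
    type: str
    level: Optional[str]

    @classmethod
    def parse(cls, text: str) -> "SecurityContext":
        m = CONTEXT_RE.match(text.strip())
        if not m:
            raise ValueError(f"malformed security context: {text!r}")
        return cls(*m.groups())

    def __str__(self) -> str:
        base = f"{self.user}:{self.role}:{self.type}"
        return f"{base}:{self.level}" if self.level else base


# Toy policy: only "allow <subject type> <object type> : <class> { perms };"
# Type and class names below are assumed for illustration.
POLICY_TEXT = """
allow unconfined_t sepgsql_table_t : db_table { select insert update delete };
allow sepgsql_client_t sepgsql_table_t : db_table { select };
"""

ALLOW_RE = re.compile(r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s*\{([^}]*)\}\s*;")

# (subject type, object type, object class) -> permitted actions
Policy = Dict[Tuple[str, str, str], Set[str]]


def load_policy(text: str) -> Policy:
    """Collect every allow rule; several rules for one triple accumulate."""
    policy: Policy = {}
    for m in ALLOW_RE.finditer(text):
        subj, obj, obj_class, perms = m.groups()
        policy.setdefault((subj, obj, obj_class), set()).update(perms.split())
    return policy


def check_access(policy: Policy, subject: SecurityContext,
                 obj: SecurityContext, obj_class: str, perm: str) -> bool:
    """Default deny: an action is allowed only if some rule grants it.

    Like SELinux type enforcement, the decision keys on the *type* field of
    both contexts; user, role and level are ignored in this toy model.
    """
    allowed = policy.get((subject.type, obj.type, obj_class), set())
    return perm in allowed


if __name__ == "__main__":
    policy = load_policy(POLICY_TEXT)
    client = SecurityContext.parse("system_u:system_r:sepgsql_client_t:s0")
    table = SecurityContext.parse("system_u:object_r:sepgsql_table_t:s0")
    for perm in ("select", "insert"):
        verdict = "allowed" if check_access(policy, client, table, "db_table", perm) else "denied"
        print(f"{client} -> {table} db_table:{perm}: {verdict}")
```

The point the model makes concrete is that the ACL of the database privilege system lives on the object and names roles, whereas here the decision comes from a policy that is external to both subject and object and refers to them only through the type component of their contexts; an object with no matching rule is simply inaccessible.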
