Re: Adding support for SE-Linux security

From: KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: "David P(dot) Quigley" <dpquigl(at)tycho(dot)nsa(dot)gov>, Greg Smith <greg(at)2ndquadrant(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Bruce Momjian <bruce(at)momjian(dot)us>, Josh Berkus <josh(at)agliodbs(dot)com>, jd(at)commandprompt(dot)com, David Fetter <david(at)fetter(dot)org>, Itagaki Takahiro <itagaki(dot)takahiro(at)oss(dot)ntt(dot)co(dot)jp>, KaiGai Kohei <kaigai(at)kaigai(dot)gr(dot)jp>, pgsql-hackers(at)postgresql(dot)org
Subject: Re: Adding support for SE-Linux security
Date: 2009-12-09 00:19:28
Message-ID: 4B1EED10.4060301@ak.jp.nec.com
Lists: pgsql-hackers

Robert Haas wrote:
> On Tue, Dec 8, 2009 at 10:07 AM, David P. Quigley <dpquigl(at)tycho(dot)nsa(dot)gov> wrote:
>> I'd be willing to take a look at the framework and see if it really is
>> SELinux centric. If it is we can figure out if there is a way to
>> accommodate something like SMACK and FMAC. I'd like to hear from someone
>> with more extensive experience with Solaris Trusted Extensions about how
>> TX would make use of this. I have a feeling it would be similar to the
>> way it deals with NFS which is by having the process exist in the global
>> zone as a privileged process and then multiplexes it to the remaining
>> zones. That way their getpeercon would get a label derived from the
>> zone.
>
> Well, the old patches should still be available in the mailing list
> archives. Maybe going back and looking at that code would be a good
> place to start. The non-ripped-out code has been cleaned up a lot
> since then, but at least it's a place to start.

We can see old branches here:

http://code.google.com/p/sepgsql/source/browse/branches/pgsql-8.3.x/sepgsql/src/backend/security/pgaceHooks.c

But I don't provide this framework for the 8.4.x/8.5.x, because this
idea was rejected in the earlier discussion.
Please consider it to represent just a concept.

Thanks.
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(at)ak(dot)jp(dot)nec(dot)com>
