selinux January 2011 archive
selinux: RE: Tiny version of SE-PostgreSQL got merged


From: Ger Lawlor (gelawlor) <gelawlor_at_nospam>
Date: Mon Jan 31 2011 - 10:09:00 GMT
To: "KaiGai Kohei" <kaigai@ak.jp.nec.com>, <selinux@tycho.nsa.gov>

I'm only new to SELinux, but will have requirements around PostgreSQL.
Can you give me some background and info on why
this SE-PostgreSQL exists? Is it specific to this database, or are there
similar projects for other database types?
Was it not possible to label files within a default installation? Was
this insufficient for Postgres security?

Thanks,
Ger.

-----Original Message-----
From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov]
On Behalf Of KaiGai Kohei
Sent: Monday, January 31, 2011 8:14 AM
To: selinux@tycho.nsa.gov
Subject: Tiny version of SE-PostgreSQL got merged

A few days ago, a tiny initial version of SE-PostgreSQL got merged
in the v9.1 development cycle at this commit: http://bit.ly/gF2QPQ

Although it omits various features which I planned at first, it
seems to me an ambitious first step.
PostgreSQL has shifted to provide a set of facilities to implement
label based mandatory access control, such as security label support
on database objects or security hooks being available for plug-in
modules.

The current version of SE-PostgreSQL is implemented as a plugin
module that utilizes these hooks (but only limited places are
covered), then it asks SELinux in the kernel whether the required
access shall be allowed, or not.

In the next development, I'd like to expand its access control coverage
using more fine grained security hooks. Right now, DDL permissions are
restrictions. Also, row-level security is an in-progress feature.

I have many things to do for the v9.2 or v9.3, however, I'd like to
appreciate people who have given me much feedback since 2006.

Thanks,
--
KaiGai Kohei <kaigai@ak.jp.nec.com>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
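
The security labels on database objects described in the announcement, and why file labels alone cannot express the same thing, as an added example that is not part of either message or of the PostgreSQL sources. It assumes the sepgsql module as shipped with PostgreSQL 9.1 and an SELinux policy that defines the `sepgsql_table_t` and `sepgsql_secret_table_t` types; the `customer` table is constructed.

```sql
-- Added example; table and column names are constructed.
-- Assumes sepgsql is loaded (shared_preload_libraries = 'sepgsql')
-- and the loaded SELinux policy defines the sepgsql_* types below.

-- Security context of the connected client, as the module sees it.
-- Access decisions are made for this context, not for the postgres
-- server process that owns the data files on disk.
SELECT sepgsql_getcon();

CREATE TABLE customer (
    cid    int PRIMARY KEY,
    cname  text,
    credit text
);

-- Labels attach to database objects. A file label would cover the
-- whole relation file and could not separate one column from another.
SECURITY LABEL FOR selinux ON TABLE customer
    IS 'system_u:object_r:sepgsql_table_t:s0';
SECURITY LABEL FOR selinux ON COLUMN customer.credit
    IS 'system_u:object_r:sepgsql_secret_table_t:s0';

-- Review the labels recorded in the catalog for this table.
SELECT objtype, objname, label
  FROM pg_seclabels
 WHERE provider = 'selinux'
   AND objname LIKE '%customer%';

-- Two queries on the same table, two separate policy decisions.
-- The outcome depends on the client's domain: a domain allowed to read
-- sepgsql_table_t but not sepgsql_secret_table_t gets the first query
-- answered and the second rejected by the module.
SELECT cid, cname FROM customer;
SELECT credit FROM customer;
```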