Greg Smith wrote:
On Wed, 17 Sep 2008, Peter Eisentraut wrote:

System-wide consistency in access controls could be nice to have in some cases. But is it really achievable? In the typical three-tier web application scenario, do you really have system-wide consistency? Can you configure your application server using SELinux?

Each of the tiers ends up with a mapping layer similar to the one implemented here to map the SELinux permissions -> PostgreSQL. Java for example has a whole JVM security manager component that makes it straightforward to do such a mapping. http://articles.techrepublic.com.com/5100-10878_11-6178805.html is a good quick intro that shows how the call structure is similar to what the SE-PostgreSQL code does.

I guess these security architectures have same origin.

The reference monitor concept requires all accesses to data objects to be
checked by a tamperproof, always-invoked module based on its policy.
  http://en.wikipedia.org/wiki/Reference_monitor

SE-PostgreSQL uses in-kernel SELinux as a reference monitor to check
all accesses to database object via SQL.

And is SELinux really the desirable interface for a system-wide access control facility? Why not port chmod or POSIX ACLs to PostgreSQL, or port SQL roles back to the operating system, or something else that captures what more people are actually using in practice.

The main feature of SELinux that this crowd likes is how it manages privilege escalation risk. I'm not sure if POSIX ACLs for example are as effective at limiting the damage an exploitable suid binary can cause. As for what people are actually using, as someone who lives near the US capital I can tell you that installs using SELinux are quite plentiful around here--there really is no other UNIX-based technology for this purpose that's gotten traction inside this government like SELinux has.

Anyway, even though I think picking SELinux as the primary security mechanism to integrate with is a sensible choice and I'm confident that the rest of the software stack isn't a problem, I do share your concern that implementing row and column-level security would make more sense in a general way first.

Thanks for your explanation.

The PGACE security framework can mount an OS-independent fine-grained
access control feature, like Oracle Label Security.
However, one concern is that we have only one CommitFest remaining.

As I mentioned in the previous message, I think it is not
a strange behavior that different security subsystems make
different decisions on individual granularities.


Ultimately, I see this patch as an interesting proof of concept -- it got us on the NSA site anyway -- but I can't see more than three people actually making use of it

I take it you've never seen how big the NSA fort^H^H^H^Hfacility is? I'm not sure exactly how many orders of magnitude your estimate is off by, but I know it's at least 2 just based on conversations I've been involved in with companies around here. A lot of the US defense and homeland security related companies are adopting open-source software stacks because they can audit every level of the software, and there's a big void in that stack waiting for a database with the right security model to fill. You are right that getting code contributions back again is a challenge though.

I don't have statistically reliable information. :)
However, I believe there is potentially strong demand for a secure database,
judging from the responses of audiences when I gave presentations about SE-PostgreSQL
on various occasions.

IIRC, Josh also said similar things.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <[EMAIL PROTECTED]>
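As an added illustration of the reference monitor idea discussed above (this is a constructed toy model, not SE-PostgreSQL or SELinux code), every access path below routes through one deny-by-default check() against labelled tables, columns and rows. The policy, labels and sample data are invented, and the choice to reject a query on a denied column while silently filtering denied rows is an assumption made to show different decisions at different granularities.

```python
from dataclasses import dataclass

# Constructed policy: allowed (subject, object label, permission) triples.
# Anything not listed is denied; labels and names are invented for this toy.
POLICY = {
    ("staff_t", "public_t", "select"), ("staff_t", "public_t", "update"),
    ("admin_t", "public_t", "select"), ("admin_t", "public_t", "update"),
    ("admin_t", "secret_t", "select"), ("admin_t", "secret_t", "update"),
}

def check(subject: str, label: str, perm: str) -> bool:
    """The one decision point every access path must call (deny by default)."""
    return (subject, label, perm) in POLICY

@dataclass
class Row:
    label: str
    values: dict

@dataclass
class Table:
    label: str
    columns: dict   # column name -> security label
    rows: list

def select(subject: str, table: Table, wanted: list) -> list:
    """Mediate a SELECT at three granularities, each through check()."""
    # Table level: no select right on the table label fails the whole query.
    if not check(subject, table.label, "select"):
        raise PermissionError(f"{subject}: select on table denied")
    # Column level: one unreadable requested column also fails the query.
    for name in wanted:
        if not check(subject, table.columns[name], "select"):
            raise PermissionError(f"{subject}: select on column {name} denied")
    # Row level: rows the subject may not read are filtered out, not errors.
    return [[r.values[n] for n in wanted]
            for r in table.rows if check(subject, r.label, "select")]

# Constructed sample table: the salary column and Bob's row carry a higher label.
EMPLOYEES = Table("public_t",
                  {"name": "public_t", "salary": "secret_t"},
                  [Row("public_t", {"name": "alice", "salary": 100}),
                   Row("secret_t", {"name": "bob", "salary": 900})])

if __name__ == "__main__":
    print(select("staff_t", EMPLOYEES, ["name"]))            # [['alice']]
    print(select("admin_t", EMPLOYEES, ["name", "salary"]))  # [['alice', 100], ['bob', 900]]
```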

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
