The following list of patches are the initial revision of SE-PostgreSQL on the v8.5 development cycle. These are separated into several functional components to help review and commit in earlier phase. Every patches (except for the core) have abour 1KL scales. It is far smaller than them in a year ago. :-)
http://sepgsql.googlecode.com/files/sepgsql-01-sysatt-8.4devel-r1769.patch http://sepgsql.googlecode.com/files/sepgsql-02-core-8.4devel-r1769.patch http://sepgsql.googlecode.com/files/sepgsql-03-writable-8.4devel-r1769.patch http://sepgsql.googlecode.com/files/sepgsql-04-rowlevel-8.4devel-r1769.patch http://sepgsql.googlecode.com/files/sepgsql-05-perms-8.4devel-r1769.patch http://sepgsql.googlecode.com/files/sepgsql-06-utils-8.4devel-r1769.patch http://sepgsql.googlecode.com/files/sepgsql-07-tests-8.4devel-r1769.patch http://sepgsql.googlecode.com/files/sepgsql-08-docs-8.4devel-r1769.patch Needless to say, it is now designed on 8.4devel tree, so anyone who want to build/install SE-PostgreSQL can apply these patches by hand. I'll also update and fix them with the progress of v8.4 development. Before you apply them, please confirm whether they are the latest, or not. Bruice, | KaiGai-san, the only option I can offer is perhaps to list a URL for | your SE-PostgreSQL patch to be applied by people who want to use SE-PG. Does it mean I need to submit a patch to add an introduction under doc/ ? If so, I'll submit it as soon as possible. Thanks, 01) Security system attribute support scale: 38 files changed, 853 insertions(+), 1 deletion(-), 113 modifications(!) This patch adds a new system catalog "pg_security" and enables to store security identifier associated to a text representation within padding area of HeapTupleHeader, as object identifier doing. It is a foundation of any other facilities. 02) Core facilities of SE-PostgreSQL scale: 55 files changed, 3588 insertions(+), 10 deletions(-), 736 modifications(!) This patch adds a mandatory access control feature collaborating with SELinux in table, column, procedure level granurality. Most of this patch is same as I proposed in the v8.4 development cycle, except for it is designed on the basis of security system attribute support. 03) Writable system column support scale: 7 files changed, 298 insertions(+), 199 modifications(!) This patch enables users to update/insert on system columns ("security_label" and "security_acl") with explicit values. This feature is necessary to provide a user interface for row-level access controls. 04) Row-level access controls support scale: 31 files changed, 1101 insertions(+), 231 modifications(!) This patch enables to apply mandatory/discretionary access control in row-level granularity also. 05) Advanced permission checks support scale: 18 files changed, 858 insertions(+), 3 deletions(-), 43 modifications(!) This patch add some of advanced permission checks: - file:{read write} on server side filesystem accesses - db_procedure:{install} on user defined functions as system internal ones - db_database:{load_module install_module} on binary shared library files In the v8.4 development, these are suggested to separate from the core. 06) Security options in utilities scale: 4 files changed, 95 insertions(+), 116 modifications(!) This patch adds options on utilities - "--enable-selinux" option for initdb - "--security-label" option for pg_dump and pg_dumpall 07) Testcases of SE-PostgreSQL scale: 18 files changed, 1819 insertions(+), 2 modifications(!) This patch adds testcases for SE-PostgreSQL. 08) Documentation of SE-PostgreSQL scale: 16 files changed, 1595 insertions(+), 42 modifications(!) This patch adds documentations for SE-PostgreSQL 0X) Upcoming patches The following patches are upcoming now. * Reclaim of unused entries in pg_security I have a plan to implement it based on the idea from Robert Haas in: http://archives.postgresql.org/message-id/603c8f070901281818u3e1fa70brd28e1bfac7adf...@mail.gmail.com * System audit integration with SE-PostgreSQL Linux has system audit stuff which is used by in-kernel SELinux and its userspace facilities can output audit messages here. Now SE-PostgreSQL writes out audit messages into PostgreSQL logs, but it is more desirable to write it on system audit. -- OSS Platform Development Division, NEC KaiGai Kohei <kai...@ak.jp.nec.com> -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
