On Fri, Oct 10, 2008 at 01:44:49PM +0900, KaiGai Kohei wrote:
> Andrew Sullivan wrote:
>> I want to focus on this description, because you appear to be limiting
>> the problem scope tremendously here. We've moved from "general
>> security policy for database system" to "security policy for database
>> system as part of a web-application stack".
>
> The "general security policy for database system" is an incorrect term.
> SELinux does not cover database system only. It covers operating sytem
> and application managing objects (like database object, X window, ...).
> Thus, it should be talked as "general security policy for operating
> system, database system and so on".
Ok, then let's use the broader case, which is "general security policy
for entire computing system including a RDBM subsystem" (call this
"GSPECS+DB", say). This shows up even more the issue that considering
primarily the application stack does not actually cover all the cases.
I'm not suggesting, even a little bit, that securing an application
stack as you propose is a waste of time. It could be, actually, that
this more modest goal is the more appropriate one, and that
SE-PostgreSQL would be a killer feature in this space (because it
would, if it worked, solve a lot of problems that other systems have,
as you have pointed out). But it is not GSPECS+DB, because of all the
corner case problems whose behaviour still needs working out. Since I
don't have to do any of the work to maintain the system in future in
the face of the proposed new code, I can be indifferent as to whether
the achievement of the goal is worth the cost. But plainly, others
who need to look after the code will want to know what the exact goal
is before committing themselves to future maintenance.
A
--
Andrew Sullivan
ajs@commandprompt.com
+1 503 667 4564 x104
http://www.commandprompt.com/