Re: [PATCH] SE-PostgreSQL for v8.5 development (r1819)

Kohei-san, what URL do you want me to list in the 8.4 release notes for
the SE-Linux patches?

---------------------------------------------------------------------------

KaiGai Kohei wrote:
> The following list of patches are the latest SE-PostgreSQL (r1819).
> 
> http://sepgsql.googlecode.com/files/sepgsql-01-sysatt-8.4beta1-r1819.patch
> http://sepgsql.googlecode.com/files/sepgsql-02-core-8.4beta1-r1819.patch
> http://sepgsql.googlecode.com/files/sepgsql-03-writable-8.4beta1-r1819.patch
> http://sepgsql.googlecode.com/files/sepgsql-04-rowlevel-8.4beta1-r1819.patch
> http://sepgsql.googlecode.com/files/sepgsql-05-perms-8.4beta1-r1819.patch
> http://sepgsql.googlecode.com/files/sepgsql-06-utils-8.4beta1-r1819.patch
> http://sepgsql.googlecode.com/files/sepgsql-07-tests-8.4beta1-r1819.patch
> http://sepgsql.googlecode.com/files/sepgsql-08-docs-8.4beta1-r1819.patch
> 
> List of updates:
> * The base version was updated to the latest CVS HEAD.
> * The code to receice notifications from the kernelspace via netlink
>   socket was simplified using the new avc_netlink_xxx() APIs.
> * It enables to handle permissive domain on the upcoming linux-2.6.31.
> * It enables to handle undefined permissions in the policy correctly.
> 
> The purpose of every patches are not changed.
> 
> Thanks,
> 
> KaiGai Kohei wrote:
> > The following list of patches are the initial revision of SE-PostgreSQL
> > on the v8.5 development cycle.
> > These are separated into several functional components to help review
> > and commit in earlier phase. Every patches (except for the core) have
> > abour 1KL scales. It is far smaller than them in a year ago. :-)
> > 
> >   http://sepgsql.googlecode.com/files/sepgsql-01-sysatt-8.4devel-r1769.patch
> >   http://sepgsql.googlecode.com/files/sepgsql-02-core-8.4devel-r1769.patch
> >   http://sepgsql.googlecode.com/files/sepgsql-03-writable-8.4devel-r1769.patch
> >   http://sepgsql.googlecode.com/files/sepgsql-04-rowlevel-8.4devel-r1769.patch
> >   http://sepgsql.googlecode.com/files/sepgsql-05-perms-8.4devel-r1769.patch
> >   http://sepgsql.googlecode.com/files/sepgsql-06-utils-8.4devel-r1769.patch
> >   http://sepgsql.googlecode.com/files/sepgsql-07-tests-8.4devel-r1769.patch
> >   http://sepgsql.googlecode.com/files/sepgsql-08-docs-8.4devel-r1769.patch
> > 
> > Needless to say, it is now designed on 8.4devel tree, so anyone who want
> > to build/install SE-PostgreSQL can apply these patches by hand.
> > I'll also update and fix them with the progress of v8.4 development.
> > Before you apply them, please confirm whether they are the latest, or not.
> > 
> > Bruice,
> > | KaiGai-san, the only option I can offer is perhaps to list a URL for
> > | your SE-PostgreSQL patch to be applied by people who want to use SE-PG.
> > 
> > Does it mean I need to submit a patch to add an introduction under doc/ ?
> > If so, I'll submit it as soon as possible.
> > 
> > Thanks,
> > 
> > 
> > 01) Security system attribute support
> >     scale: 38 files changed, 853 insertions(+), 1 deletion(-), 113 modifications(!)
> >   This patch adds a new system catalog "pg_security" and enables to store
> >   security identifier associated to a text representation within padding
> >   area of HeapTupleHeader, as object identifier doing.
> >   It is a foundation of any other facilities.
> > 
> > 02) Core facilities of SE-PostgreSQL
> >     scale: 55 files changed, 3588 insertions(+), 10 deletions(-), 736 modifications(!)
> >   This patch adds a mandatory access control feature collaborating with
> >   SELinux in table, column, procedure level granurality. Most of this
> >   patch is same as I proposed in the v8.4 development cycle, except for
> >   it is designed on the basis of security system attribute support.
> > 
> > 03) Writable system column support
> >     scale: 7 files changed, 298 insertions(+), 199 modifications(!)
> >   This patch enables users to update/insert on system columns ("security_label"
> >   and "security_acl") with explicit values. This feature is necessary to provide
> >   a user interface for row-level access controls.
> > 
> > 04) Row-level access controls support
> >     scale: 31 files changed, 1101 insertions(+), 231 modifications(!)
> >   This patch enables to apply mandatory/discretionary access control in row-level
> >   granularity also.
> > 
> > 05) Advanced permission checks support
> >     scale: 18 files changed, 858 insertions(+), 3 deletions(-), 43 modifications(!)
> >   This patch add some of advanced permission checks:
> >    - file:{read write} on server side filesystem accesses
> >    - db_procedure:{install} on user defined functions as system internal ones
> >    - db_database:{load_module install_module} on binary shared library files
> >   In the v8.4 development, these are suggested to separate from the core.
> > 
> > 06) Security options in utilities
> >     scale: 4 files changed, 95 insertions(+), 116 modifications(!)
> >   This patch adds options on utilities
> >    - "--enable-selinux" option for initdb
> >    - "--security-label" option for pg_dump and pg_dumpall
> > 
> > 07) Testcases of SE-PostgreSQL
> >     scale: 18 files changed, 1819 insertions(+), 2 modifications(!)
> >   This patch adds testcases for SE-PostgreSQL.
> > 
> > 08) Documentation of SE-PostgreSQL
> >     scale: 16 files changed, 1595 insertions(+), 42 modifications(!)
> >   This patch adds documentations for SE-PostgreSQL
> > 
> > 0X) Upcoming patches
> >   The following patches are upcoming now.
> >   * Reclaim of unused entries in pg_security
> >     I have a plan to implement it based on the idea from Robert Haas in:
> >       http://archives.postgresql.org/message-id/603c8f070901281818u3e1fa70brd28e1bfac7adfea9@mail.gmail.com
> > 
> >   * System audit integration with SE-PostgreSQL
> >     Linux has system audit stuff which is used by in-kernel SELinux and
> >     its userspace facilities can output audit messages here.
> >     Now SE-PostgreSQL writes out audit messages into PostgreSQL logs,
> >     but it is more desirable to write it on system audit.
> > 
> 
> 
> -- 
> OSS Platform Development Division, NEC
> KaiGai Kohei <kaigai@ak.jp.nec.com>
> 
> -- 
> Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-hackers

--  Bruce Momjian  <bruce@momjian.us>        http://momjian.us EnterpriseDB
http://enterprisedb.com
 + If your life is a hard drive, Christ can be your backup. +