Re: [PATCH] SE-PostgreSQL for v8.5 development (r1819)
От | Bruce Momjian |
---|---|
Тема | Re: [PATCH] SE-PostgreSQL for v8.5 development (r1819) |
Дата | |
Msg-id | 200904171022.n3HAM6Q05242@momjian.us обсуждение исходный текст |
Ответ на | [PATCH] SE-PostgreSQL for v8.5 development (r1819) (KaiGai Kohei <kaigai@ak.jp.nec.com>) |
Ответы |
Re: [PATCH] SE-PostgreSQL for v8.5 development (r1819)
(Tom Lane <tgl@sss.pgh.pa.us>)
|
Список | pgsql-hackers |
Kohei-san, what URL do you want me to list in the 8.4 release notes for the SE-Linux patches? --------------------------------------------------------------------------- KaiGai Kohei wrote: > The following list of patches are the latest SE-PostgreSQL (r1819). > > http://sepgsql.googlecode.com/files/sepgsql-01-sysatt-8.4beta1-r1819.patch > http://sepgsql.googlecode.com/files/sepgsql-02-core-8.4beta1-r1819.patch > http://sepgsql.googlecode.com/files/sepgsql-03-writable-8.4beta1-r1819.patch > http://sepgsql.googlecode.com/files/sepgsql-04-rowlevel-8.4beta1-r1819.patch > http://sepgsql.googlecode.com/files/sepgsql-05-perms-8.4beta1-r1819.patch > http://sepgsql.googlecode.com/files/sepgsql-06-utils-8.4beta1-r1819.patch > http://sepgsql.googlecode.com/files/sepgsql-07-tests-8.4beta1-r1819.patch > http://sepgsql.googlecode.com/files/sepgsql-08-docs-8.4beta1-r1819.patch > > List of updates: > * The base version was updated to the latest CVS HEAD. > * The code to receice notifications from the kernelspace via netlink > socket was simplified using the new avc_netlink_xxx() APIs. > * It enables to handle permissive domain on the upcoming linux-2.6.31. > * It enables to handle undefined permissions in the policy correctly. > > The purpose of every patches are not changed. > > Thanks, > > KaiGai Kohei wrote: > > The following list of patches are the initial revision of SE-PostgreSQL > > on the v8.5 development cycle. > > These are separated into several functional components to help review > > and commit in earlier phase. Every patches (except for the core) have > > abour 1KL scales. It is far smaller than them in a year ago. :-) > > > > http://sepgsql.googlecode.com/files/sepgsql-01-sysatt-8.4devel-r1769.patch > > http://sepgsql.googlecode.com/files/sepgsql-02-core-8.4devel-r1769.patch > > http://sepgsql.googlecode.com/files/sepgsql-03-writable-8.4devel-r1769.patch > > http://sepgsql.googlecode.com/files/sepgsql-04-rowlevel-8.4devel-r1769.patch > > http://sepgsql.googlecode.com/files/sepgsql-05-perms-8.4devel-r1769.patch > > http://sepgsql.googlecode.com/files/sepgsql-06-utils-8.4devel-r1769.patch > > http://sepgsql.googlecode.com/files/sepgsql-07-tests-8.4devel-r1769.patch > > http://sepgsql.googlecode.com/files/sepgsql-08-docs-8.4devel-r1769.patch > > > > Needless to say, it is now designed on 8.4devel tree, so anyone who want > > to build/install SE-PostgreSQL can apply these patches by hand. > > I'll also update and fix them with the progress of v8.4 development. > > Before you apply them, please confirm whether they are the latest, or not. > > > > Bruice, > > | KaiGai-san, the only option I can offer is perhaps to list a URL for > > | your SE-PostgreSQL patch to be applied by people who want to use SE-PG. > > > > Does it mean I need to submit a patch to add an introduction under doc/ ? > > If so, I'll submit it as soon as possible. > > > > Thanks, > > > > > > 01) Security system attribute support > > scale: 38 files changed, 853 insertions(+), 1 deletion(-), 113 modifications(!) > > This patch adds a new system catalog "pg_security" and enables to store > > security identifier associated to a text representation within padding > > area of HeapTupleHeader, as object identifier doing. > > It is a foundation of any other facilities. > > > > 02) Core facilities of SE-PostgreSQL > > scale: 55 files changed, 3588 insertions(+), 10 deletions(-), 736 modifications(!) > > This patch adds a mandatory access control feature collaborating with > > SELinux in table, column, procedure level granurality. Most of this > > patch is same as I proposed in the v8.4 development cycle, except for > > it is designed on the basis of security system attribute support. > > > > 03) Writable system column support > > scale: 7 files changed, 298 insertions(+), 199 modifications(!) > > This patch enables users to update/insert on system columns ("security_label" > > and "security_acl") with explicit values. This feature is necessary to provide > > a user interface for row-level access controls. > > > > 04) Row-level access controls support > > scale: 31 files changed, 1101 insertions(+), 231 modifications(!) > > This patch enables to apply mandatory/discretionary access control in row-level > > granularity also. > > > > 05) Advanced permission checks support > > scale: 18 files changed, 858 insertions(+), 3 deletions(-), 43 modifications(!) > > This patch add some of advanced permission checks: > > - file:{read write} on server side filesystem accesses > > - db_procedure:{install} on user defined functions as system internal ones > > - db_database:{load_module install_module} on binary shared library files > > In the v8.4 development, these are suggested to separate from the core. > > > > 06) Security options in utilities > > scale: 4 files changed, 95 insertions(+), 116 modifications(!) > > This patch adds options on utilities > > - "--enable-selinux" option for initdb > > - "--security-label" option for pg_dump and pg_dumpall > > > > 07) Testcases of SE-PostgreSQL > > scale: 18 files changed, 1819 insertions(+), 2 modifications(!) > > This patch adds testcases for SE-PostgreSQL. > > > > 08) Documentation of SE-PostgreSQL > > scale: 16 files changed, 1595 insertions(+), 42 modifications(!) > > This patch adds documentations for SE-PostgreSQL > > > > 0X) Upcoming patches > > The following patches are upcoming now. > > * Reclaim of unused entries in pg_security > > I have a plan to implement it based on the idea from Robert Haas in: > > http://archives.postgresql.org/message-id/603c8f070901281818u3e1fa70brd28e1bfac7adfea9@mail.gmail.com > > > > * System audit integration with SE-PostgreSQL > > Linux has system audit stuff which is used by in-kernel SELinux and > > its userspace facilities can output audit messages here. > > Now SE-PostgreSQL writes out audit messages into PostgreSQL logs, > > but it is more desirable to write it on system audit. > > > > > -- > OSS Platform Development Division, NEC > KaiGai Kohei <kaigai@ak.jp.nec.com> > > -- > Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) > To make changes to your subscription: > http://www.postgresql.org/mailpref/pgsql-hackers -- Bruce Momjian <bruce@momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + If your life is a hard drive, Christ can be your backup. +
В списке pgsql-hackers по дате отправления: