Re: Updates of SE-PostgreSQL 8.4devel patches (r1197)

From: KaiGai Kohei
Subject: Re: Updates of SE-PostgreSQL 8.4devel patches (r1197)
Date:
Msg-id: 49158509.1050408@kaigai.gr.jp
In reply to: Re: Updates of SE-PostgreSQL 8.4devel patches (r1197)  (Simon Riggs <simon@2ndQuadrant.com>)
List: pgsql-hackers
Simon Riggs wrote:
> On Sat, 2008-11-08 at 18:58 +0900, KaiGai Kohei wrote:
> 
>> This document gives us some hints to be considered when we
>> apply mandatory access control facilities on database systems.
>>
>> However, it is not a specification of SE-PostgreSQL.
>> The series of documents assumes traditional multi-level-security
>> system, so it does not care about flexible policy, type-enforcement
>> rules and collaborating with operating system.
> 
> I'm sorry, but I don't understand your answer. 

What I wanted to say is that the security design of SELinux is a combination
of TE (type enforcement), RBAC (role based access controls) and MLS (multi
level security), so we cannot apply the specification of the document as-is.
In addition, its security policy is not hard-wired. These differences
give us some more technical hurdles.

> The wiki seemed to indicate, to me, that the FK situation was a problem,
> so I was trying to provide a solution. Personally, I could live with it
> either way. But the important thing is: will this aspect prevent
> SEPostgreSQL from achieving Common Criteria certification, or not? 

Please note that I've learned the common criteria for a few years but am
not an authority, and the answer may depend on the certification agency.

In my understanding, it depends on the assurance level of the certification
and what functional components are required by its environment to
be used and the threats to be considered here.
If we don't consider who can be a sponsor of the certification, it has
enough functionality to pass the certification except for extreme
requirements which are well over enterprise class systems.

The covert channel analysis is contained in the FDP_IFF section of the
Common Criteria part 2, and it defines several classes of requirements
in information flow controls.
It defines six components, and FDP_IFF.3, 4, 5 mention the handling of
covert channels, but 3 and 4 do not require that there are no covert
channels.

FYI, some certified database products also don't mention them.
For example, the certified Oracle Label Security 10g is evaluated at
EAL4+ class, but it mentions only FDP_IFF.2, not 3, 4 and 5.
FDP_IFF.2 is label based mandatory access controls, as SE-PostgreSQL
provides.

> Please could you update the Wiki docs to explain the agreed
> resolution, its reasons and references? The design choices we make will
> be questioned again in the future, so it will be good to have them
> clear. Thanks.

OK, I'll add it to the wiki document.

Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>
