Stephen Frost wrote:
>> I think what I should do on the next is ...
>> - To check up whether it is really possible to implement SELinux's model.
>> - To describe the list of the security functions in the new abstraction layer.
>> - To discuss the list of permission at:
>> http://wiki.postgresql.org/wiki/SEPostgreSQL_Development#Mandatory_access_controls
>
> That sounds like a good approach. As we define the security functions
> to go into the abstraction layer, I would also say we should identify
> the exact pieces of existing code which are going to move.
I began to describe the list of abstraction layer functions (but not completed yet):
http://wiki.postgresql.org/wiki/SEPostgreSQL_Abstraction
In my current impression, it indeed requires a few kilo lines of changes,
but it is not impossible scale.
I now plans to submit two patches for the next commit fest.
The one is implementation of the abstraction layer.
The other is basic implementation of the SE-PostgreSQL.
So, I would like to fix external specification at least.
The specifications for developer notes definitions of permissions:
http://wiki.postgresql.org/wiki/SEPostgreSQL_Development
As Robert suggested before, I plans to support access controls on the
following database objects and permissions at the first stage.* databases* schemas* tables* columns* sequences*
functions*tablespaces
Do you have any comment for the directions?
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>