On Fri, 2009-12-11 at 11:28 -0500, Stephen Frost wrote:
[snip...]
> > The main concern I hear is that people are worried that this is an
> > SELinux specific design. I heard at the meeting on Wednesday that the
> > Trusted Extensions people looked at the framework and said it meets
> > their needs as well. If thats the case where does the concept that the
> > design is SELinux specific stem from? We've asked Casey Schaufler the
> > developer of another label based MAC system for Linux to look at the
> > hooks as well and make a statement about their usability.
>
> Hope I didn't steal your thunder wrt Casey! Thanks again.
So we contacted Casey about another MAC model for PG using PG-ACE and he
got back to us with these reponses.
Josh Brindle (JB): So my question is, does smack have a facility for userspace object managers?
Casey Schaufler (cs): Yes. The smack-util package includes a small library which supports a user space version
ofthe kernel smackaccess() function. You pass it the subject label, object label, and desired access and it
returnsa yes/no answer based on what it reads from /smack/load.
So this answers our questions on whether or not SMACK has the faculties
to act as the security decision engine for PG.
JB: If so, I want to make the argument that doing a smack integration using the pgace abstraction layer
wouldnot only work but be fairly easy. CS: Looking at some of the documentation I think that you can
safely make that argument. The security_label column would just be the Smack label. The rules can be
enforcedby the user space smackaccess(). "System" rows, whatever that might be, could get the floor ("_")
label.
Casey mentions the row level access control in here but its safe to say
we've broken row based access control into a followup
discussion/project.
JB: All the sepgsql docs and code are up at <http://code.google.com/p/sepgsql/> and I'd like to get your
feedback before I start making claims... CS: I can't see how it would take more than about a day if
pgace does what it looks like it should.
This seems to be a favorable assesment of the pgace framework's ability
to be used by something other than SELinux. So Casey's Smack module plus
the Sun guys saying it is usable by their legacy TSOL or TX code would
lend credence to the idea that pgace is bringing to the table. It may be
possible that you're not happy with certain aspects of the
implementation but the objects and permissions listed in pgace are
definitely ones that are worth mediating.
Dave
Dave