Adding support for SE-Linux security
in [PgSql]
|
From: Bruce Momjian on 9 Dec 2009 22:43 Robert Haas wrote: > On Wed, Dec 9, 2009 at 5:38 PM, Bruce Momjian <bruce(a)momjian.us> wrote: > > If you want to avoid all good reasons for this features and are looking > > for reasons why this patch is a bad idea, I am sure you can find them. > > You seem to be suggesting that our reactions are pure obstructionism, > or that they have an ulterior motive. I am merely stating that this is the same as the Win32 port, and that there are many reasons to believe the SE-PostgreSQL patch will cause all sorts of problems --- this is not a surprise. I am giving a realistic analysis of the patch --- if people want to say that thinking of it as two separate patches that have to be maintained separately is a terrible idea, I have no reply except to say that realistically that is the only possible direction I see for this feature in the short term. Few Postgres people modifying the permissions system are going to understand how to modify SE-Linux support routines to match their changes. I got a similar reaction when I wanted to do the Win32 port, and the reasons not to do it were similar to the ones I am hearing now. Finally the agreement was that I could attempt the Win32 port as long as I didn't destabilize the rest of the code --- not exactly a resounding endorsement. Looking back I think everyone is glad we did the port, but at the time there wasn't much support. I got the same reaction to pg_migrator. I am having trouble figuring out when I should heed community concerns, and when the concerns are merely because the task is hard/messy/difficult. Frankly, we don't analyze hard/messy/difficult tasks very well. Now, I am not saying that the SE-PostgreSQL patch should be pursued, but I am saying that we shouldn't avoid it for these reasons, because sometimes hard/messy/difficult is necessary to accomplish dramatic software advances. -- Bruce Momjian <bruce(a)momjian.us> http://momjian.us EnterpriseDB http://enterprisedb.com + If your life is a hard drive, Christ can be your backup. + -- Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
From: Robert Haas on 10 Dec 2009 16:26 On Wed, Dec 9, 2009 at 10:43 PM, Bruce Momjian <bruce(a)momjian.us> wrote: > Robert Haas wrote: >> On Wed, Dec 9, 2009 at 5:38 PM, Bruce Momjian <bruce(a)momjian.us> wrote: >> > If you want to avoid all good reasons for this features and are looking >> > for reasons why this patch is a bad idea, I am sure you can find them. >> >> You seem to be suggesting that our reactions are pure obstructionism, >> or that they have an ulterior motive. > > I am merely stating that this is the same as the Win32 port, and that > there are many reasons to believe the SE-PostgreSQL patch will cause all > sorts of problems --- this is not a surprise. I am giving a realistic > analysis of the patch --- if people want to say that thinking of it as > two separate patches that have to be maintained separately is a terrible > idea, I have no reply except to say that realistically that is the only > possible direction I see for this feature in the short term. Few > Postgres people modifying the permissions system are going to understand > how to modify SE-Linux support routines to match their changes. > > I got a similar reaction when I wanted to do the Win32 port, and the > reasons not to do it were similar to the ones I am hearing now. Finally > the agreement was that I could attempt the Win32 port as long as I > didn't destabilize the rest of the code --- not exactly a resounding > endorsement. Looking back I think everyone is glad we did the port, but > at the time there wasn't much support. I got the same reaction to > pg_migrator. > > I am having trouble figuring out when I should heed community concerns, > and when the concerns are merely because the task is > hard/messy/difficult. Frankly, we don't analyze hard/messy/difficult > tasks very well. Now, I am not saying that the SE-PostgreSQL patch > should be pursued, but I am saying that we shouldn't avoid it for these > reasons, because sometimes hard/messy/difficult is necessary to > accomplish dramatic software advances. I don't have any easy answers here. I'm actually trying not to make a value judgment about the feature and focus on the technical problems with the patch. If those problems are fixed, which as you say probably doable, then I don't mind seeing it committed. I think that the reason we don't analyze hard/messy/difficult problems very well is because on the one hand you have people saying "this feature would be great". On the other hand you have people saying "this feature will be a lot of work". But those things are not opposites. Unlike Tom (I think), I do believe that there is demand (possibly only from a limited number of people, but demand all the same) for this feature. And I also believe that most people in our community are generally supportive of the idea, but only a minority are willing to put in time to make it happen. So I have no problem saying to the people who want the feature - none of our committers feel like working on this. Sorry. On the other hand, I also have no problem telling them - good news, Bruce Momjian thinks this is a great feature and wants to help you get it done. I *do* have a problem with saying - we don't really know whether anyone will ever want to work on this with you or not. ....Robert -- Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
From: Tom Lane on 10 Dec 2009 17:08 Robert Haas <robertmhaas(a)gmail.com> writes: > Unlike Tom (I think), I do believe that there is demand (possibly only > from a limited number of people, but demand all the same) for this > feature. Please note that I do not think there is *zero* demand for the feature. There is obviously some. What I find highly dubious is whether there is enough demand to justify the amount of effort, both short- and long-term, that the community would have to put into it. > And I also believe that most people in our community are > generally supportive of the idea, but only a minority are willing to > put in time to make it happen. So I have no problem saying to the > people who want the feature - none of our committers feel like working > on this. Sorry. On the other hand, I also have no problem telling > them - good news, Bruce Momjian thinks this is a great feature and > wants to help you get it done. I *do* have a problem with saying - we > don't really know whether anyone will ever want to work on this with > you or not. If I thought that Bruce could go off in a corner and make this happen and it would create no demands on anybody but him and KaiGai-san, I would say "fine, if that's where you want to spend your time, go for it". But even to state that implied claim is to see how false it is. Bruce is pointing to the Windows port, but he didn't make it happen by himself, or any close approximation of that. Everybody who works on this project has been affected by that, and we're *still* putting significant amounts of time into Windows compatibility, over five years later. My guess is that a credible SEPostgres offering will require a long-term amount of work at least equal to, and very possibly a good deal more than, what it took to make a native Windows port. If SEPostgres could bring us even 10% as many new users as the Windows port did, it'd probably be a worthwhile use of our resources. But again, that's an assumption that's difficult to type without bursting into laughter. regards, tom lane -- Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
From: "David P. Quigley" on 10 Dec 2009 17:13 On Thu, 2009-12-10 at 17:08 -0500, Tom Lane wrote: > Robert Haas <robertmhaas(a)gmail.com> writes: > > Unlike Tom (I think), I do believe that there is demand (possibly only > > from a limited number of people, but demand all the same) for this > > feature. > > Please note that I do not think there is *zero* demand for the feature. > There is obviously some. What I find highly dubious is whether there is > enough demand to justify the amount of effort, both short- and long-term, > that the community would have to put into it. > > > And I also believe that most people in our community are > > generally supportive of the idea, but only a minority are willing to > > put in time to make it happen. So I have no problem saying to the > > people who want the feature - none of our committers feel like working > > on this. Sorry. On the other hand, I also have no problem telling > > them - good news, Bruce Momjian thinks this is a great feature and > > wants to help you get it done. I *do* have a problem with saying - we > > don't really know whether anyone will ever want to work on this with > > you or not. > > If I thought that Bruce could go off in a corner and make this happen > and it would create no demands on anybody but him and KaiGai-san, I > would say "fine, if that's where you want to spend your time, go for > it". But even to state that implied claim is to see how false it is. > Bruce is pointing to the Windows port, but he didn't make it happen > by himself, or any close approximation of that. Everybody who works > on this project has been affected by that, and we're *still* putting > significant amounts of time into Windows compatibility, over five years > later. > > My guess is that a credible SEPostgres offering will require a long-term > amount of work at least equal to, and very possibly a good deal more > than, what it took to make a native Windows port. If SEPostgres could > bring us even 10% as many new users as the Windows port did, it'd > probably be a worthwhile use of our resources. But again, that's an > assumption that's difficult to type without bursting into laughter. > > regards, tom lane So a couple of us in the Maryland/DC area went to the BWPUG meeting last night and we sat down for two hours and answered a bunch of questions from Greg Smith, Steve Frost, and a few others. Greg was taking notes during the entire meeting and I believe he will be starting a thread with the minutes from the meeting. Greg brought up 5 or 6 concerns that he has observed in the community about the work including the issue of who is going to use this. The minutes will give a much better account of the conversation but Josh Brindle and I have gave examples outside of DoD where the MAC framework without row based access controls can be useful. For our purposes in DoD we need the MAC Framework and the row based access controls but if a good starting point is to just do the access control over the database objects then it will be useful for some commercial cases and some limited military cases. Dave -- Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
From: Andres Freund on 10 Dec 2009 17:25
Hi, On Thursday 10 December 2009 23:08:17 Tom Lane wrote: > My guess is that a credible SEPostgres offering will require a long-term > amount of work at least equal to, and very possibly a good deal more > than, what it took to make a native Windows port. If SEPostgres could > bring us even 10% as many new users as the Windows port did, it'd > probably be a worthwhile use of our resources. But again, that's an > assumption that's difficult to type without bursting into laughter. Sorry, could not resist: It could possibly bring us more interesting users... While mainly an humoristic remark, I think it might even have some truth to it... Andres -- Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers |