From: Mark Mielke on
My two cents - if it's desired -

I invariably disable selinux from all of my production machines. Once
upon a time I tried to work with it time and time again - but it was
such a headache to administer for what I considered to be marginal
gains, that I eventually gave up. Every time I add a server, it needs to
be set up. Or it runs in tolerant mode at which point I'm not sure what
value I am really getting at all.

Too many times people have come to me with weird problems of servers not
starting, or not working properly, and I have now started with the
question "do you have selinux running?" "try turning it off..."

I'm sure some people somewhere love selinux - but I suspect most people
find the most relief once they turn it off.

I vote for PostgreSQL committers spending their time on things that
bring value to the most number of people.

Cheers,
mark

--
Mark Mielke<mark(a)mielke.cc>


--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Greg Smith on
Tom Lane wrote:
> My guess is that a credible SEPostgres offering will require a long-term
> amount of work at least equal to, and very possibly a good deal more
> than, what it took to make a native Windows port.

Wow, if I thought that was the case I'd be as negative about the whole
thing as you obviously are. In my head, I've been mentally bounding the
effort by thinking that its worst case work would be more like what it
took to add the role-based security to the system. I'd think that
adding a new feature to the existing security setup couldn't be more
painful than adding security in the first place, right? I didn't
carefully watch either play out, but I was under the impression that
the Windows port was quite a bit more work than that.

Since the current discussion keeps going around in circles, the way I
was trying to tilt the other thread I started towards was asking the
question "what would need to change in the current PostgreSQL code to
make the impact of adding the SEPostgreSQL code smaller?" I'd be
curious to hear any thoughts you had on that topic. We already sort of
refactored out "adding row-level security" as one answer to that, I feel
like there may be others in there too.

--
Greg Smith 2ndQuadrant Baltimore, MD
PostgreSQL Training, Services and Support
greg(a)2ndQuadrant.com www.2ndQuadrant.com



From: Robert Haas on
On Thu, Dec 10, 2009 at 5:08 PM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote:
> If I thought that Bruce could go off in a corner and make this happen
> and it would create no demands on anybody but him and KaiGai-san, I
> would say "fine, if that's where you want to spend your time, go for
> it".  But even to state that implied claim is to see how false it is.
> Bruce is pointing to the Windows port, but he didn't make it happen
> by himself, or any close approximation of that.  Everybody who works
> on this project has been affected by that, and we're *still* putting
> significant amounts of time into Windows compatibility, over five years
> later.

This is also one of my concerns. Bruce has been careful to say that
he will either make this happen himself or find others to help. The
thing is, who are the others, are they people we already trust, and
how do we know whether they'll be around after this is committed? I'm
excited to see Greg Smith getting more involved in dealing with this
patch-set, and I know Stephen Frost did some reviewing as well, but
overall the community support has been pretty limpid. It's probably
impossible to completely eliminate the impact of this feature on the
community, but having a core of involved people - preferably including
several committers - who will maintain it would help a lot. We're not
there yet.

> My guess is that a credible SEPostgres offering will require a long-term
> amount of work at least equal to, and very possibly a good deal more
> than, what it took to make a native Windows port.  If SEPostgres could
> bring us even 10% as many new users as the Windows port did, it'd
> probably be a worthwhile use of our resources.  But again, that's an
> assumption that's difficult to type without bursting into laughter.

The SEPostgres community is surely a lot smaller than the Windows
community, but I'm not sure whether the effort estimate is accurate or
not. If "credible" includes "row-level security", then I think I
might agree, but right now we're just trying to get off the ground.

....Robert


From: KaiGai Kohei on
David P. Quigley wrote:
> On Thu, 2009-12-10 at 17:08 -0500, Tom Lane wrote:
>> Robert Haas <robertmhaas(a)gmail.com> writes:
>>> Unlike Tom (I think), I do believe that there is demand (possibly only
>>> from a limited number of people, but demand all the same) for this
>>> feature.
>> Please note that I do not think there is *zero* demand for the feature.
>> There is obviously some. What I find highly dubious is whether there is
>> enough demand to justify the amount of effort, both short- and long-term,
>> that the community would have to put into it.
>>
>>> And I also believe that most people in our community are
>>> generally supportive of the idea, but only a minority are willing to
>>> put in time to make it happen. So I have no problem saying to the
>>> people who want the feature - none of our committers feel like working
>>> on this. Sorry. On the other hand, I also have no problem telling
>>> them - good news, Bruce Momjian thinks this is a great feature and
>>> wants to help you get it done. I *do* have a problem with saying - we
>>> don't really know whether anyone will ever want to work on this with
>>> you or not.
>> If I thought that Bruce could go off in a corner and make this happen
>> and it would create no demands on anybody but him and KaiGai-san, I
>> would say "fine, if that's where you want to spend your time, go for
>> it". But even to state that implied claim is to see how false it is.
>> Bruce is pointing to the Windows port, but he didn't make it happen
>> by himself, or any close approximation of that. Everybody who works
>> on this project has been affected by that, and we're *still* putting
>> significant amounts of time into Windows compatibility, over five years
>> later.
>>
>> My guess is that a credible SEPostgres offering will require a long-term
>> amount of work at least equal to, and very possibly a good deal more
>> than, what it took to make a native Windows port. If SEPostgres could
>> bring us even 10% as many new users as the Windows port did, it'd
>> probably be a worthwhile use of our resources. But again, that's an
>> assumption that's difficult to type without bursting into laughter.
>>
>> regards, tom lane
>
> So a couple of us in the Maryland/DC area went to the BWPUG meeting last
> night and we sat down for two hours and answered a bunch of questions
> from Greg Smith, Steve Frost, and a few others. Greg was taking notes
> during the entire meeting and I believe he will be starting a thread
> with the minutes from the meeting. Greg brought up 5 or 6 concerns that
> he has observed in the community about the work including the issue of
> who is going to use this. The minutes will give a much better account of
> the conversation but Josh Brindle and I have given examples outside of
> DoD where the MAC framework without row based access controls can be
> useful. For our purposes in DoD we need the MAC Framework and the row
> based access controls but if a good starting point is to just do the
> access control over the database objects then it will be useful for some
> commercial cases and some limited military cases.
>

I regret that I live on the far side of the earth. :(

I'd like to share a short story related to Maryland/Baltimore, which is the
first city I visited in the US.

The SELinux symposium and developers summit had been held in Baltimore
between 2005 and 2007. (It has been held with LinuxCon at Portland/OR
in recent years.)
I also had a short (works-in-progress) session in the symposium of 2007
to introduce an early concept and design of SE-PostgreSQL.
http://selinux-symposium.org/2007/wipsbofs.php#sepostgresql

After the 20-minute talk, I was encircled by several stalwart guys and
pestered with questions about its behavior and so on. He also gave me
a contact address in the ".mil" domain. It was the first time I had actually
seen this domain. Maybe we cannot see these people at PGCon.

What I want to say with this story is that our domain of audiences depends
on our standpoint. If the eyesight of developers cannot catch their figures,
we may misunderstand the actual voices and demands of (potential) users.
However, it is *never* an easy job. Please remember how much our company
has spent on marketing research annually.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(a)ak.jp.nec.com>


From: Tom Lane on
Robert Haas <robertmhaas(a)gmail.com> writes:
> On Thu, Dec 10, 2009 at 5:08 PM, Tom Lane <tgl(a)sss.pgh.pa.us> wrote:
>> My guess is that a credible SEPostgres offering will require a long-term
>> amount of work at least equal to, and very possibly a good deal more
>> than, what it took to make a native Windows port.

> The SEPostgres community is surely a lot smaller than the Windows
> community, but I'm not sure whether the effort estimate is accurate or
> not. If "credible" includes "row-level security", then I think I
> might agree, but right now we're just trying to get off the ground.

It's been perfectly clear since day one, and was reiterated as recently
as today
http://archives.postgresql.org/message-id/4B21757E.7090806(a)2ndquadrant.com
that what the security community wants is row-level security. The
proposals to make SEPostgres drive regular SQL permissions never came
out of anyone from that side, they were proposed by PG people looking
for a manageable first step. Whatever you might believe about the
potential market for SEPostgres, you should divide by about a hundred
as long as it's only an alternate interface to SQL permissions. See
particularly here:
http://wiki.postgresql.org/wiki/SEPostgreSQL_Review_at_the_BWPUG#Revisiting_row-level_security
"Without it, it's questionable whether committing the existing
stripped-down patch really accomplishes anything" --- how much
clearer can they be?

If you're not prepared to assume that we're going to do row level
security, it's not apparent why we should be embarking on this course
at all. And if you do assume that, I strongly believe that my effort
estimate above is on the optimistic side.

regards, tom lane
