From: Bruce Momjian on 14 Dec 2009 08:45

Stephen Frost wrote:
> * Bruce Momjian (bruce(a)momjian.us) wrote:
> > I am not replying to many of these emails so I don't appear to be
> > brow-beating (forcing) the community into accepting this feature. I
> > might be brow-beating the community, but I don't want to _appear_ to be
> > brow-beating. ;-)
>
> My apologies if I come across this way- I don't intend to... But I'm

You are fine. I was just saying that at a time I was one of the few loud voices on this, and if this is going to happen, it will be because we have a team that wants to do this, not because I am being loud. I see the team forming nicely.

> also very enthusiastic about this. Also, it's become a much more
> personal issue for me due to this:
>
> http://csrc.nist.gov/news_events/documents/omb/draft-omb-fy2010-security-metrics.pdf
>
> OMB is now looking to include label-based security in their metrics.
> This directly impacts some of the PG-based systems I run.

Ah, very interesting, and good.

--
Bruce Momjian <bruce(a)momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Stephen Frost on 14 Dec 2009 22:21

Bruce,

* Bruce Momjian (bruce(a)momjian.us) wrote:
> You are fine. I was just saying that at a time I was one of the few
> loud voices on this, and if this is going to happen, it will be because
> we have a team that wants to do this, not because I am being loud. I
> see the team forming nicely.

Not to rain down on the parade too much here, but I have to disagree about a team forming nicely. That's, unfortunately, what it looks like from the 10k-foot level. Indeed, it looks like we're making good headway to get some kind of support into core from that level.

The reality is that we've barely started and really have still got quite a ways to go and it would really be useful to bring in additional resources on this. I wouldn't consider myself to be that "additional resource" unless and until I can get funding for dedicated time (either my own or someone else's). I've got a few action items that I'm planning to resolve in the next few weeks, but I've been involved in this for over a year now and it hasn't made much progress, overall, in that time.

So, for anyone else who's interested in label-based security happening for PostgreSQL (for whatever reason, masochism perfectly acceptable), please speak up and offer to help. We could use it.

Thanks,

Stephen

From: Robert Haas on 15 Dec 2009 10:03

On Mon, Dec 14, 2009 at 10:21 PM, Stephen Frost <sfrost(a)snowman.net> wrote:
> Bruce,
>
> * Bruce Momjian (bruce(a)momjian.us) wrote:
>> You are fine. I was just saying that at a time I was one of the few
>> loud voices on this, and if this is going to happen, it will be because
>> we have a team that wants to do this, not because I am being loud. I
>> see the team forming nicely.
>
> Not to rain down on the parade too much here, but I have to disagree
> about a team forming nicely. That's, unfortunately, what it looks like
> from the 10k-foot level. Indeed, it looks like we're making good
> headway to get some kind of support into core from that level.
>
> The reality is that we've barely started and really have still got
> quite a ways to go and it would really be useful to bring in additional
> resources on this. I wouldn't consider myself to be that "additional
> resource" unless and until I can get funding for dedicated time (either
> my own or someone else's). I've got a few action items that I'm
> planning to resolve in the next few weeks, but I've been involved in
> this for over a year now and it hasn't made much progress, overall, in
> that time.

I completely agree. Many people have spent substantial time trying to help KaiGai extract a committable patch from his work, and that effort has not been successful. What I am concerned about is that by continuing to spend time on KaiGai's work, we are wasting a lot of community resources to no good end.

It may be the case that even if we had a patch that was technically excellent, the community would decide that the amount of future maintenance that this feature would require is not warranted by the number of users it would attract. Tom is the only really vocal advocate that I'm aware of for that position, but there may well be other people who feel similarly.

But these patches are, unfortunately, not technically excellent. There have been multiple reviews of these patches that have produced extensive laundry lists of items to be fixed. In the ordinary course of events, that leads to one of two things happening: either the patch author fixes most or all the problems and comes back with a patch that shows marked improvement, or he or she gives up. This patch is unique in my experience in that it has gone through - I believe - six CommitFests now without either of those things happening. Not that there hasn't been any improvement, but the ratio of reviewing-work to improvement seems to be much higher than what is typical for us. Like Stephen, I believe we need some additional resources who can improve that ratio before we can really make a push to get this done.

...Robert

From: KaiGai Kohei on 15 Dec 2009 21:56

(2009/12/16 0:03), Robert Haas wrote:
> But these patches are, unfortunately, not technically excellent.
> There have been multiple reviews of these patches that have produced
> extensive laundry lists of items to be fixed. In the ordinary course
> of events, that leads to one of two things happening: either the patch
> author fixes most or all the problems and comes back with a patch that
> shows marked improvement, or he or she gives up. This patch is unique
> in my experience in that it has gone through - I believe - six
> CommitFests now without either of those things happening. Not that
> there hasn't been any improvement, but the ratio of reviewing-work to
> improvement seems to be much higher than what is typical for us. Like
> Stephen, I believe we need some additional resources who can improve
> that ratio before we can really make a push to get this done.

I had a talk with Stephen off list to make clear what I wondered. It became apparent that I misunderstood the meaning of "cleanup first".

IIUC, he suggested to consolidate permission checks in several places (such as createdb()) into the same place to make them more suitable for the upcoming framework, but the default PG checks are still inlined, not consolidated to backend/security/*.

He was also concerned that our earlier approach required a higher hurdle to join development, because it tried to do some useful feature although a lot of features are separated, so the past patch had to touch both core routines and selinux specific code.

So, I agreed with his opinion that we should restart from the pure cleanup of the existing PG checks to make them more suitable for the upcoming security framework. The scope of this effort stays in the pgsql world 100%.

I don't think it is an incorrect approach now. Actually, I was suggested similar things at the beginning of CF#3 from Itagaki-san, but it was unclear whether we should go through the smaller SE-PgSQL patch first or security framework first at that time.

I'll submit a small conceptual patch soon, as a draft.

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai(a)ak.jp.nec.com>