From: Bruce Momjian on
Robert Haas wrote:
> > This is no harder than many of the other seemingly crazy things I have
> > done, e.g. Win32 port, client library threading. If this is a feature
> > we should have, I will get it done or get others to help me complete the
> > task.
>
> Well, I have always thought that it would be sort of a feather in our
> cap to support this, which is why I've done a couple of reviews of it
> in the past. I tend to agree with Tom that only a small fraction of
> our users will probably want it, but then again someone's been paying
> KaiGai to put a pretty hefty amount of work into this over the last
> year-plus, so obviously someone not only wants the feature but wants
> it merged. Within our community, I think that there have been a lot
> of people who have liked the concept of this feature but very few who
> have liked the patch, so there's somewhat of a disconnect between our
> aspirations and our better technical judgment. Tom is a notable
> exception who I believe likes neither the concept nor the patch, which
> is something we may need to resolve before getting too serious about
> this.

Agreed. SE-Linux support might expand our user base and give us
additional credibility, or it might be a feature that few people use ---
and I don't think anyone knows the outcome.

I wonder if we should rephrase this as, "How hard will this feature be
to add, and how hard will it be to remove in a few years if we decide we
don't want it?" SE-Linux support would certainly put Postgres in a
unique security category, and it builds on our existing good security
reputation.

Personally, I think AppArmor is a saner security system:

http://www.novell.com/linux/security/apparmor/selinux_comparison.html
(Novell-hosted URL)

but I am not advocating AppArmor support. I think the whole issue is
whether support for external integrated security systems is appropriate
for Postgres.

--
Bruce Momjian <bruce(a)momjian.us> http://momjian.us
EnterpriseDB http://enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

--
Sent via pgsql-hackers mailing list (pgsql-hackers(a)postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

From: Robert Haas on
On Mon, Dec 7, 2009 at 9:48 AM, Bruce Momjian <bruce(a)momjian.us> wrote:
> Robert Haas wrote:
>> > This is no harder than many of the other seemingly crazy things I have
>> > done, e.g. Win32 port, client library threading. If this is a feature
>> > we should have, I will get it done or get others to help me complete the
>> > task.
>>
>> Well, I have always thought that it would be sort of a feather in our
>> cap to support this, which is why I've done a couple of reviews of it
>> in the past.  I tend to agree with Tom that only a small fraction of
>> our users will probably want it, but then again someone's been paying
>> KaiGai to put a pretty hefty amount of work into this over the last
>> year-plus, so obviously someone not only wants the feature but wants
>> it merged.  Within our community, I think that there have been a lot
>> of people who have liked the concept of this feature but very few who
>> have liked the patch, so there's somewhat of a disconnect between our
>> aspirations and our better technical judgment.  Tom is a notable
>> exception who I believe likes neither the concept nor the patch, which
>> is something we may need to resolve before getting too serious about
>> this.
>
> Agreed.  SE-Linux support might expand our user base and give us
> additional credibility, or it might be a feature that few people use ---
> and I don't think anyone knows the outcome.
>
> I wonder if we should rephrase this as, "How hard will this feature be
> to add, and how hard will it be to remove in a few years if we decide we
> don't want it?"  SE-Linux support would certainly put Postgres in a
> unique security category, and it builds on our existing good security
> reputation.

Yes, I think that's the right way to think about it. At a guess, it's
two man-months of work to get it in, and ripping it out is likely
technically fairly simple but will probably be politically impossible.

> Personally, I think AppArmor is a saner security system:
>
>        http://www.novell.com/linux/security/apparmor/selinux_comparison.html
>        (Novell-hosted URL)

Agreed.

> but I am not advocating AppArmor support.  I think the whole issue is
> whether support for external integrated security systems is appropriate
> for Postgres.

It's not something I've run into a need for in my own work, but I
think there are definitely people out there who do need it, and I'd
like to see us be able to support it. One of the things that I think
would be worth looking into is whether there is a way to make this
pluggable, so that selinux and apparmor and trusted solaris and so on
could make use of the same framework, but that requires understanding
all of them well enough to design a framework that can meet all of
those needs. Every framework effort we've seen from KaiGai so far has
seemed extremely SE-Linux-specific and therefore pointless. But
really doing this right is a big development project, and not
something I can do in my free time.

....Robert

From: "Kevin Grittner" on
Robert Haas <robertmhaas(a)gmail.com> wrote:
> Bruce Momjian <bruce(a)momjian.us> wrote:

>> Personally, I think AppArmor is a saner security system:
>>
>> http://www.novell.com/linux/security/apparmor/selinux_comparison.html

> Agreed.

> I'd like to see us be able to support it. One of the things that
> I think would be worth looking into is whether there is a way to
> make this pluggable, so that selinux and apparmor and trusted
> solaris and so on could make use of the same framework

Given the extreme patience and diligence exhibited by KaiGai, I
hesitate to say this, but it seems to me that this would be
critically important for the long term success of this feature. I
have no idea how much work it would be to make the interface to the
external security system pluggable, but if it's at all feasible, I
think it should be done.

-Kevin

From: Tom Lane on
Robert Haas <robertmhaas(a)gmail.com> writes:
> On Mon, Dec 7, 2009 at 9:48 AM, Bruce Momjian <bruce(a)momjian.us> wrote:
>> I wonder if we should rephrase this as, "How hard will this feature be
>> to add, and how hard will it be to remove in a few years if we decide we
>> don't want it?"

> Yes, I think that's the right way to think about it. At a guess, it's
> two man-months of work to get it in,

It's not the "get it in" part that scares me. The problem I have with
it is that I see it as a huge time sink for future maintenance problems,
most of which will be classifiable as security breaches which increases
the pain of dealing with them immeasurably.

If I had more confidence that the basic design was right or useful
I might not be so worried about the maintenance prospects, but frankly
I have almost no confidence in it. This comes back to the lack of
involvement of any potential user community.

regards, tom lane

From: Alvaro Herrera on
Kevin Grittner wrote:

> > I'd like to see us be able to support it. One of the things that
> > I think would be worth looking into is whether there is a way to
> > make this pluggable, so that selinux and apparmor and trusted
> > solaris and so on could make use of the same framework
>
> Given the extreme patience and diligence exhibited by KaiGai, I
> hesitate to say this, but it seems to me that this would be
> critically important for the long term success of this feature. I
> have no idea how much work it would be to make the interface to the
> external security system pluggable, but if it's at all feasible, I
> think it should be done.

This is how the code was developed initially -- the patch was called
PGACE and SELinux was but the first implementation on top of it.

--
Alvaro Herrera http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
