Postgres Pro
Downloads
Home   >   mailing lists

Status Report on SE-PostgreSQL - Mailing list pgsql-hackers

From KaiGai Kohei
Subject Status Report on SE-PostgreSQL
Date
Msg-id 49715CDA.5090506@kaigai.gr.jp
Whole thread Raw
Responses SE-PostgreSQL Updated Revision (r1460)  (KaiGai Kohei <kaigai@ak.jp.nec.com>)
Re: Status Report on SE-PostgreSQL  (KaiGai Kohei <kaigai@kaigai.gr.jp>)
List pgsql-hackers
Tree view 
I also think it is a good idea to summarize current status of
SE-PostgreSQL, as Simon Riggs doing on his works.

The current revision of SE-PostgreSQL is 1425, available here:
[1/5] http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r1425.patch[2/5]
http://sepgsql.googlecode.com/files/sepostgresql-utils-8.4devel-3-r1425.patch[3/5]
http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r1425.patch[4/5]
http://sepgsql.googlecode.com/files/sepostgresql-docs-8.4devel-3-r1425.patch[5/5]
http://sepgsql.googlecode.com/files/sepostgresql-tests-8.4devel-3-r1425.patch

We had various kind of comments, feature requests and discussions during
previous/current commit fest, then whole of them are already included.

Currently, we have no open issues here.

As I summarized as follows, we had many discussions about its design
issues mainly, so my patch set has been updated to support them.
I believe we should move to detailed-reviews to merge the feature any
time now, since we should aware of v8.4 schedule.

I really would like folks to help/volunteer reviewing the patches, please!

* CommitFest:Nov- Simon Riggs requires a new GUC option to turn on/off row-level security  labeling to reduce storage
comsumption,then updated as follows:    http://archives.postgresql.org/message-id/492691A8.8030103@ak.jp.nec.com- Bruce
Momjiansuggested Row-level database ACLs to be compiled in default.- Discussions for default compile options:
PostgreSQLdoesn't prefer compile  time option to turn on/off features, except for platform specific one.  SE-PostgreSQL
isindeed platform specific feature. But, it makes other  issue that need mutually-exclusive enhanced security feature.
Weconcluded it as follows:  - All configurable features should be compiled within a single binary.  - Both of DAC and
MACshould be available simultaneously in row-level also.  - DAC is hardwired, and we allow users to choose an enhanced
securityfeature.- I updated the patch set to support both of Row-level database ACLs and  an enhanced security feature
(SELinux)simultaneously. ('08/12/17)    http://archives.postgresql.org/message-id/4948B6BD.1050402@ak.jp.nec.com-
RobertHaas concerned about Stephen Frost's column-level privileges has  a trouble, so it's unclear whether it can get
mergedinto v8.4.  - I also worked for his patch, then it got being ready for commit:
http://archives.postgresql.org/message-id/20090116045825.GY4656@tamriel.snowman.net-Alvaro Herrera suggested "static
inline"is not preferable.
 

* CommitFest:Sep- Peter Eisentraut commented about its design specifications:
http://archives.postgresql.org/message-id/48D03953.6000308@gmx.net-The hot issues were lack of fine-grained access
controlsin SQL-level,  and covert channels with row-level controls.- We finally made agreement to provide platform
independentrow-level controls,  and explicit documentation about covert channels in PK/FK constraints.  No one didn't
wantto apply polyinstantiation idea.- Simon Riggs requires wiki article to introduce SE-PostgreSQL.
http://wiki.postgresql.org/wiki/SEPostgreSQL-Patch set was updated to support Row-level database ACLs
http://archives.postgresql.org/message-id/48F46606.4080207@ak.jp.nec.com

* CommitFest:Jul- The patch set got documentation/testcases.- Peter Eisentraut commented about some of items:
http://archives.postgresql.org/message-id/200807071739.58428.peter_e@gmx.net-Then, these items are updated:
http://archives.postgresql.org/message-id/48773188.6000809@ak.jp.nec.com

* CommitFest:May- First patch set for v8.4 were proposed.- Tom Lane gave us various items to be improved.
http://archives.postgresql.org/message-id/3275.1210019965@sss.pgh.pa.us-I had a presentation at PGcon2008 ottawa.
http://sepgsql.googlecode.com/files/PGCON20080523.pdf

* Prior phase- First proposal of PGACE security framework, but I didn't know it was  just after the date of feature
freezein v8.3. So, it was suggested  to wait for v8.4 development cycle. ('07/04/17)- 8.2.x based SE-PostgreSQL
announced.('07/09/04)- SE-PostgreSQL package got merged into Fedora Project. ('07/11/08)- 8.3.x based SE-PostgreSQL
announced.('08/03/08)
 

Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>

pgsql-hackers by date:

Previous
From: Tom Lane
Date:
Subject: Re: WIP: Automatic view update rules
Next
From: Simon Riggs
Date:
Subject: MemoryContextSwitchTo (Re: [GENERAL] Autovacuum daemon terminated by signal 11)