Re: SE-PostgreSQL Specifications - Mailing list pgsql-hackers

From KaiGai Kohei
Subject Re: SE-PostgreSQL Specifications
Date
Msg-id 4A6C60D7.3050505@kaigai.gr.jp
Whole thread Raw
In response to Re: SE-PostgreSQL Specifications  (Andrew Dunstan <andrew@dunslane.net>)
Responses Re: SE-PostgreSQL Specifications
List pgsql-hackers
Andrew Dunstan wrote:
> 
> 
> KaiGai Kohei wrote:
>>
>> The SELinux provides a certain process privilege to make backups and
>> restore them. In the (currect) default policy, it is called "unconfined".
>>
>> However, it is also *possible* to define a new special process privilege
>> for backup and restore tools. For example, it can access all the databse
>> objects and can make backups, but any other process cannot touch the
>> backup files. It means that DBA can launch a backup tool and it creates
>> a black-boxed file, then he cal also lauch a restore tool to restore
>> the black-boxed backup, but he cannot see the contents of the backup.
>> (It might be a similar idea of "sudo" mechanism.)
>>
>>
> 
> Really? How you enforce this black box rule for a backup made across the 
> network? From the server's POV there is no such thing as a backup. All 
> it sees is a set of SQL statements all of which it might see in some 
> other context.

The recent SELinux provide a feature to exchange the security context of
peer process over the network connection.
It allows to control a certain process to send/receive packets to/from
only a certain process, even if they communicate using remote connection.

This feature is named "Labeled IPsec". The key exchange daemon (racoon)
was enhanced to exchange the security context of peer processes also,
prior to the actual communications.

Thanks,
-- 
KaiGai Kohei <kaigai@kaigai.gr.jp>


pgsql-hackers by date:

Previous
From: KaiGai Kohei
Date:
Subject: Re: SE-PostgreSQL Specifications
Next
From: Andrew Dunstan
Date:
Subject: Re: SE-PostgreSQL Specifications