Thread: [0/4] Proposal of SE-PostgreSQL patches
The series of patches are the proposal of Security-Enhanced PostgreSQL (SE-PostgreSQL) for the upstreamed PostgreSQL 8.4 development cycle.

[1/4] sepostgresql-pgace-8.4devel-3.patch
      provides PGACE (PostgreSQL Access Control Extension) framework
[2/4] sepostgresql-sepgsql-8.4devel-3.patch
      provides SE-PostgreSQL feature, based on PGACE framework.
[3/4] sepostgresql-pg_dump-8.4devel-3.patch
      enables pg_dump to dump database with security attribute.
[4/4] sepostgresql-policy-8.4devel-3.patch
      provides the default security policy for SE-PostgreSQL.

We can provide a quick overview of SE-PostgreSQL at:
  http://code.google.com/p/sepgsql/wiki/WhatIsSEPostgreSQL

Any comments and suggestions are welcome.

Thanks,

ENVIRONMENT
-----------
Please confirm your environment.
The following are requirements of SE-PostgreSQL.
* Fedora 8 or later system
* SELinux is enabled and working
* kernel-2.6.24 or later
* selinux-policy and selinux-policy-devel v3.0.8 or later
* libselinux, policycoreutils

INSTALLATION
------------
$ tar jxvf postgresql-snapshot.tar.bz2
$ cd postgresql-snapshot
$ patch -p1 < ../sepostgresql-pgace-8.4devel-3.patch
$ patch -p1 < ../sepostgresql-sepgsql-8.4devel-3.patch
$ patch -p1 < ../sepostgresql-pg_dump-8.4devel-3.patch
$ patch -p1 < ../sepostgresql-policy-8.4devel-3.patch

$ ./configure --enable-selinux
$ make
$ make -C contrib/sepgsql-policy
$ su
# make install

# /usr/sbin/semodule -i contrib/sepgsql-policy/sepostgresql.pp
  (NOTE: semodule is a utility to load/unload security policy modules.)

# /sbin/restorecon -R /usr/local/pgsql
  (NOTE: restorecon is a utility to initialize security context of files.)

SETUP
-----
# mkdir -p /opt/sepgsql
# chown foo_user:var_group /opt/sepgsql
# chcon -t postgresql_db_t /opt/sepgsql
  (NOTE: chcon is a utility to set up security context of files.)
# exit

$ /usr/sbin/run_init /usr/local/pgsql/bin/initdb -D /opt/sepgsql
  (NOTE: run_init is a utility to start a program, as if it is branched from init script.)
$ /usr/local/pgsql/bin/pg_ctl -D /opt/sepgsql start

--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

[1/4] - sepostgresql-pgace-8.4devel-3.patch.gz

This patch provides PGACE (PostgreSQL Access Control Extension) framework.

It has a similar idea of LSM (Linux Security Module). It can provide a guest module several hooks at strategic points. The guest module can make its decision whether required actions should be allowed, or not. In addition, PGACE also provides facilities to manage security attribute of database objects. Any tuple can have its security attribute, and the guest module can refer it to control accesses.

A more comprehensive memo at:
  http://code.google.com/p/sepgsql/wiki/WhatIsPGACE

(This patch is gzip'ed, because it was over the limitation of filesize.)

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

[2/4] - sepostgresql-sepgsql-8.4devel-3.patch.gz

This patch provides SE-PostgreSQL facilities based on PGACE.

Security-Enhanced PostgreSQL (SE-PostgreSQL) is a security extension built in PostgreSQL, to provide system-wide consistency in access controls. It enables to apply a single unified security policy of SELinux for both operating system and database management system. In addition, it also provides fine-grained mandatory access which includes column-/row- level non-bypassable access control even for privileged database users.

Quick overview at:
  http://code.google.com/p/sepgsql/wiki/WhatIsSEPostgreSQL

(This patch is gzip'ed, because it was over the limitation of filesize.)

Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

Kohei KaiGai wrote:
> The series of patches are the proposal of Security-Enhanced PostgreSQL
> (SE-PostgreSQL) for the upstreamed PostgreSQL 8.4 development cycle.

Before we go any further, is this work derived from SELinux? If so, is it covered under the GPL? If so, can it be licensed under BSD terms?

Obviously, if it's not BSD, we cannot include it in Postgres.

--
Alvaro Herrera http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support

Alvaro Herrera wrote:
> Kohei KaiGai wrote:
>> The series of patches are the proposal of Security-Enhanced PostgreSQL
>> (SE-PostgreSQL) for the upstreamed PostgreSQL 8.4 development cycle.
>
> Before we go any further, is this work derived from SELinux? If so, is
> it covered under the GPL? If so, can it be licensed under BSD terms?
>
> Obviously, if it's not BSD, we cannot include it in Postgres.

All of SE-PostgreSQL works are licensed under BSD terms.
We are considering to push SE-PostgreSQL into upstreamed PostgreSQL from the beginning, and we understand to choose GPL makes it impossible.

Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>

I'll submit the proposal of SE-PostgreSQL patches again, because some of the previous messages are filtered due to attachment and I cannot provide the whole of the patches yet. Please refer to the pointed URLs, as follows.

------
The series of patches are the proposal of Security-Enhanced PostgreSQL (SE-PostgreSQL) for the upstreamed PostgreSQL 8.4 development cycle.

[1/4] sepostgresql-pgace-8.4devel-3.patch
      provides PGACE (PostgreSQL Access Control Extension) framework
      http://sepgsql.googlecode.com/files/sepostgresql-pgace-8.4devel-3-r704.patch
[2/4] sepostgresql-sepgsql-8.4devel-3.patch
      provides SE-PostgreSQL feature, based on PGACE framework.
      http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r704.patch
[3/4] sepostgresql-pg_dump-8.4devel-3.patch
      enables pg_dump to dump database with security attribute.
      http://sepgsql.googlecode.com/files/sepostgresql-pg_dump-8.4devel-3-r704.patch
[4/4] sepostgresql-policy-8.4devel-3.patch
      provides the default security policy for SE-PostgreSQL.
      http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r704.patch

We can provide a quick overview for SE-PostgreSQL at:
  http://code.google.com/p/sepgsql/wiki/WhatIsSEPostgreSQL

ENVIRONMENT
-----------
Please confirm your environment.
The following are requirements of SE-PostgreSQL.
* Fedora 8 or later system
* SELinux is enabled and working
* kernel-2.6.24 or later
* selinux-policy and selinux-policy-devel v3.0.8 or later
* libselinux, policycoreutils

INSTALLATION
------------
$ tar jxvf postgresql-snapshot.tar.bz2
$ cd postgresql-snapshot
$ patch -p1 < ../sepostgresql-pgace-8.4devel-3.patch
$ patch -p1 < ../sepostgresql-sepgsql-8.4devel-3.patch
$ patch -p1 < ../sepostgresql-pg_dump-8.4devel-3.patch
$ patch -p1 < ../sepostgresql-policy-8.4devel-3.patch

$ ./configure --enable-selinux
$ make
$ make -C contrib/sepgsql-policy
$ su
# make install

# /usr/sbin/semodule -i contrib/sepgsql-policy/sepostgresql.pp
  (NOTE: semodule is a utility to load/unload security policy modules.)

# /sbin/restorecon -R /usr/local/pgsql
  (NOTE: restorecon is a utility to initialize security context of files.)

SETUP
-----
# mkdir -p /opt/sepgsql
# chown foo_user:var_group /opt/sepgsql
# chcon -t postgresql_db_t /opt/sepgsql
  (NOTE: chcon is a utility to set up security context of files.)
# exit

$ /usr/sbin/run_init /usr/local/pgsql/bin/initdb -D /opt/sepgsql
  (NOTE: run_init is a utility to start a program, as if it is branched from init script.)
$ /usr/local/pgsql/bin/pg_ctl -D /opt/sepgsql start

SUMMARIES FOR EVERY PATCH
-------------------------

[1/4] - sepostgresql-pgace-8.4devel-3.patch

This patch provides PGACE (PostgreSQL Access Control Extension) framework.

It has a similar idea of LSM (Linux Security Module). It can provide a guest module several hooks at strategic points. The guest module can make its decision whether required actions should be allowed, or not. In addition, PGACE also provides facilities to manage security attribute of database objects. Any tuple can have its security attribute, and the guest module can refer it to control accesses.

A more comprehensive memo at:
  http://code.google.com/p/sepgsql/wiki/WhatIsPGACE

[2/4] - sepostgresql-sepgsql-8.4devel-3.patch

This patch provides SE-PostgreSQL facilities based on PGACE.

Security-Enhanced PostgreSQL (SE-PostgreSQL) is a security extension built in PostgreSQL, to provide system-wide consistency in access controls. It enables to apply a single unified security policy of SELinux for both operating system and database management system. In addition, it also provides fine-grained mandatory access which includes column-/row- level non-bypassable access control even for privileged database users.

Quick overview at:
  http://code.google.com/p/sepgsql/wiki/WhatIsSEPostgreSQL

[3/4] - sepostgresql-pg_dump-8.4devel-3.patch

This patch gives us a feature to dump database with security attribute. It is turned on with '--enable-selinux' option at pg_dump/pg_dumpall, when the server works as SE- version. No need to say, users need to have enough capabilities to dump whole of database. It is the same when they try to restore the database.

[4/4] - sepostgresql-policy-8.4devel-3.patch

This patch gives us the default security policy for SE-PostgreSQL. You can build it as a security policy module. It can be linked with the existing distributor's policy, and reloaded.

--
KaiGai Kohei <kaigai@kaigai.gr.jp>

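
A preflight check for the ENVIRONMENT list in the message above, as an added example that is not part of the original thread or of the SE-PostgreSQL patches. The names `version_ge` and `check_env` and the `--run` switch are assumptions made here; it covers the kernel, SELinux state and selinux-policy version requirements plus the utilities the steps call by full path.

```shell
#!/bin/sh
# Preflight check for the ENVIRONMENT list in the post (added example).
# version_ge, check_env and the --run switch are names assumed here.

# version_ge A B: succeed when dotted version A >= B, comparing each
# field numerically (so 2.6.100 > 2.6.24); non-digit suffixes count as 0.
version_ge() {
    va=$1 vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        x=${va%%.*}; y=${vb%%.*}
        case $va in *.*) va=${va#*.} ;; *) va= ;; esac
        case $vb in *.*) vb=${vb#*.} ;; *) vb= ;; esac
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# check_env KERNEL_RELEASE SELINUX(yes|no) POLICY_VERSION
# Prints one line per requirement; exit status = number of unmet ones.
check_env() {
    fails=0
    if version_ge "${1%%-*}" 2.6.24; then echo "ok   kernel $1"
    else echo "FAIL kernel $1 (need 2.6.24 or later)"; fails=$((fails + 1)); fi
    if [ "$2" = yes ]; then echo "ok   SELinux is enabled"
    else echo "FAIL SELinux is not enabled"; fails=$((fails + 1)); fi
    if [ -n "$3" ] && version_ge "${3%%-*}" 3.0.8; then
        echo "ok   selinux-policy $3"
    else
        echo "FAIL selinux-policy ${3:-missing} (need v3.0.8 or later)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Probe the running host only when asked, e.g.: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    if selinuxenabled 2>/dev/null; then se=yes; else se=no; fi
    pol=$(rpm -q --qf '%{VERSION}' selinux-policy 2>/dev/null) || pol=
    rc=0; check_env "$(uname -r)" "$se" "$pol" || rc=$?
    # The utilities the INSTALLATION and SETUP steps call by full path.
    for tool in /usr/sbin/semodule /sbin/restorecon /usr/sbin/run_init; do
        [ -x "$tool" ] || { echo "FAIL missing $tool"; rc=$((rc + 1)); }
    done
    exit "$rc"
fi
```
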
KaiGai Kohei wrote:
> Alvaro Herrera wrote:
>> Before we go any further, is this work derived from SELinux? If so, is
>> it covered under the GPL? If so, can it be licensed under BSD terms?
>
> All of SE-PostgreSQL works are licensed under BSD terms.
> We are considering to push SE-PostgreSQL into upstreamed PostgreSQL from
> the beginning, and we understand to choose GPL makes it impossible.

Right. The question is: since this is derived from SE-Linux, is it affected by SE-Linux license?

--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.

Alvaro Herrera wrote:
> KaiGai Kohei wrote:
>> Alvaro Herrera wrote:
>
>>> Before we go any further, is this work derived from SELinux? If so, is
>>> it covered under the GPL? If so, can it be licensed under BSD terms?
>> All of SE-PostgreSQL works are licensed under BSD terms.
>> We are considering to push SE-PostgreSQL into upstreamed PostgreSQL from
>> the beginning, and we understand to choose GPL makes it impossible.
>
> Right. The question is: since this is derived from SE-Linux, is it
> affected by SE-Linux license?

No, SE-PostgreSQL is not derived from SELinux.

I guess you worry about SE-PostgreSQL contains a part of SELinux licensed as GPL, but it is incorrect. SE-PostgreSQL communicates with SELinux to make its decision in access control, via an official interface provided by libselinux, because it does not have information to make its decision.

The libselinux is linked with SE-PostgreSQL, but it is licensed as public domain software by NSA.

Therefore, we have no issues related to incompatible licenses.

Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>

KaiGai,

> The series of patches are the proposal of Security-Enhanced PostgreSQL
> (SE-PostgreSQL) for the upstreamed PostgreSQL 8.4 development cycle.

Since I'm (Finally!) expecting the TrustedSolaris folks to put some work into PostgreSQL as well this year, I'm going to ask them to look over PGACE to see if this implementation is (still) generic enough to support TS as well. If it is, then it's probably generic enough to be a general building block.

--
Josh Berkus
PostgreSQL @ Sun
San Francisco