I updated the patch set of SE-PostgreSQL and related ones (r1324).

[1/5] http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r1324.patch
[2/5] http://sepgsql.googlecode.com/files/sepostgresql-utils-8.4devel-3-r1324.patch
[3/5] http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r1324.patch
[4/5] http://sepgsql.googlecode.com/files/sepostgresql-docs-8.4devel-3-r1324.patch
[5/5] http://sepgsql.googlecode.com/files/sepostgresql-tests-8.4devel-3-r1324.patch
Draft of the SE-PostgreSQL documentation is here:
  http://wiki.postgresql.org/wiki/SEPostgreSQL

List of updates:
- The patches are rebased to the latest CVS HEAD.
- Now the "sepostgresql-sepgsql-8.4devel-3-r1324.patch" contains the PGACE
  security framework, SE-PostgreSQL and Row-level ACLs. So, the 6th patch
  has gone.
- It enables compiling multiple security features into a single binary.
  The Row-level ACLs feature is always available, and SE-PostgreSQL is
  available when we build it with the "--enable-selinux" option.
- Two new system columns ("security_acl" and "security_label") are added.
  The first one is for the Row-level ACLs, and the other is for the guest
  of the PGACE security framework which is chosen by the user.
- Some interfaces are changed:
  * initdb got a new option "--pgace-feature" which enables specifying one
    or no MAC feature on initialization of $PGDATA.
      e.g.) $ initdb --pgace-feature=selinux
  * pg_dump got two new options (--security-acl and --security-label) to
    dump row-level ACLs and security contexts.
  * $PGDATA/postgresql.conf has a new parameter "pgace_feature". It enables
    users to choose an enhanced security mechanism from candidates.
    Currently, SE-PostgreSQL is the only candidate.
- Todo item
  * Documentation updates. The "sepostgresql-docs-8.4devel-3-r1324.patch"
    is not up to date, because higher priority should be given to providing
    the patch set for reviewers. So, I'll update the src/doc/* from now.
Thanks,

===[ Example ]========================================================
postgres=# CREATE TABLE t1 (a int, b text) WITH (row_level_acl=on);
CREATE TABLE
postgres=# INSERT INTO t1 VALUES (1, 'aaa'), (2, 'bbb'), (3, 'ccc');
INSERT 0 3
postgres=# SELECT security_label, security_acl, * FROM t1;
              security_label              |  security_acl  | a |  b
------------------------------------------+----------------+---+-----
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai} | 1 | aaa
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai} | 2 | bbb
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai} | 3 | ccc
(3 rows)

postgres=# INSERT INTO t1 (security_acl, a, b)
             VALUES ('{kaigai=rw/kaigai}', 4, 'ddd');
INSERT 0 1
postgres=# INSERT INTO t1 (security_label, security_acl, a, b)
             VALUES ('system_u:object_r:sepgsql_ro_table_t:s0', '{kaigai=rx/kaigai}', 5, 'eee');
INSERT 0 1
postgres=# SELECT security_label, security_acl, * FROM t1;
              security_label              |    security_acl    | a |  b
------------------------------------------+--------------------+---+-----
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai}     | 1 | aaa
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai}     | 2 | bbb
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai}     | 3 | ccc
 unconfined_u:object_r:sepgsql_table_t:s0 | {kaigai=rw/kaigai} | 4 | ddd
 system_u:object_r:sepgsql_ro_table_t:s0  | {kaigai=rx/kaigai} | 5 | eee
(5 rows)

postgres=# UPDATE t1 SET security_label = sepgsql_set_user(security_label, 'system_u'),
                         security_acl = '{kaigai=r/kaigai}';
UPDATE 5
postgres=# SELECT security_label, security_acl, * FROM t1;
             security_label              |   security_acl    | a |  b
-----------------------------------------+-------------------+---+-----
 system_u:object_r:sepgsql_table_t:s0    | {kaigai=r/kaigai} | 1 | aaa
 system_u:object_r:sepgsql_table_t:s0    | {kaigai=r/kaigai} | 2 | bbb
 system_u:object_r:sepgsql_table_t:s0    | {kaigai=r/kaigai} | 3 | ccc
 system_u:object_r:sepgsql_table_t:s0    | {kaigai=r/kaigai} | 4 | ddd
 system_u:object_r:sepgsql_ro_table_t:s0 | {kaigai=r/kaigai} | 5 | eee
(5 rows)

postgres=#

-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kai...@ak.jp.nec.com>

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
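The session above shows two value formats that a reviewer has to read by eye: the security_acl array ("{kaigai=rw/kaigai}") and the security_label SELinux context that sepgsql_set_user() rewrites. The following is an added example, not code from the patch set or from KaiGai's message: a stand-alone Python parser for both formats, built on two assumptions the message does not state, namely that security_acl follows the PostgreSQL aclitem convention "grantee=privs/grantor" with an empty grantee meaning PUBLIC, and that security_label is a standard "user:role:type[:range]" context whose first field is what sepgsql_set_user() replaces. The sample rows are constructed from the session; set_user(), privileges_for() and rows_with_privilege() are illustration helpers, not SE-PostgreSQL functions.

```python
"""Parsers for the two SE-PostgreSQL system columns shown in the session.

Added example; this is not SE-PostgreSQL code. Assumptions not stated in the
message: "security_acl" follows the PostgreSQL aclitem convention
"grantee=privs/grantor" with an empty grantee meaning PUBLIC, and
"security_label" is an SELinux context "user:role:type[:range]" whose user
field is what sepgsql_set_user() replaces.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# One entry of a security_acl array, e.g. "kaigai=rw/kaigai".
_ACL_ITEM = re.compile(r"^([^=]*)=([A-Za-z]*)/([^/]+)$")


@dataclass(frozen=True)
class AclItem:
    grantee: str            # "" means PUBLIC (assumed, as in PostgreSQL aclitem)
    privs: FrozenSet[str]   # privilege letters exactly as shown, e.g. r, w, d, x
    grantor: str


def parse_security_acl(text: str) -> List[AclItem]:
    """Parse '{=rwdx/kaigai,alice=r/kaigai}' into AclItem records."""
    text = text.strip()
    if not (text.startswith("{") and text.endswith("}")):
        raise ValueError(f"not an ACL array: {text!r}")
    body = text[1:-1].strip()
    if not body:
        return []
    items = []
    for raw in body.split(","):
        m = _ACL_ITEM.match(raw.strip())
        if m is None:
            raise ValueError(f"malformed aclitem: {raw!r}")
        grantee, privs, grantor = m.groups()
        items.append(AclItem(grantee, frozenset(privs), grantor))
    return items


def privileges_for(acl: List[AclItem], role: str) -> FrozenSet[str]:
    """Letters granted to `role`, either directly or through a PUBLIC entry."""
    granted = set()
    for item in acl:
        if item.grantee in ("", role):
            granted |= item.privs
    return frozenset(granted)


@dataclass(frozen=True)
class SecurityContext:
    user: str
    role: str
    type: str
    range: Optional[str]    # an MLS range may itself contain ':' (e.g. 's0-s0:c0.c1023')


def parse_context(label: str) -> SecurityContext:
    """Split 'unconfined_u:object_r:sepgsql_table_t:s0' into its fields."""
    parts = label.split(":", 3)   # at most 4 fields, so a ':' inside the range survives
    if len(parts) < 3 or any(p == "" for p in parts[:3]):
        raise ValueError(f"malformed security context: {label!r}")
    rng = parts[3] if len(parts) == 4 else None
    return SecurityContext(parts[0], parts[1], parts[2], rng)


def format_context(ctx: SecurityContext) -> str:
    fields = [ctx.user, ctx.role, ctx.type]
    if ctx.range is not None:
        fields.append(ctx.range)
    return ":".join(fields)


def set_user(label: str, new_user: str) -> str:
    """Illustration-only counterpart of the sepgsql_set_user() call in the UPDATE."""
    ctx = parse_context(label)
    return format_context(SecurityContext(new_user, ctx.role, ctx.type, ctx.range))


# Rows constructed from the session (security_label, security_acl, a, b).
SAMPLE_ROWS = [
    ("unconfined_u:object_r:sepgsql_table_t:s0", "{=rwdx/kaigai}", 1, "aaa"),
    ("unconfined_u:object_r:sepgsql_table_t:s0", "{kaigai=rw/kaigai}", 4, "ddd"),
    ("system_u:object_r:sepgsql_ro_table_t:s0", "{kaigai=rx/kaigai}", 5, "eee"),
]


def rows_with_privilege(rows, role: str, letter: str) -> List[int]:
    """Values of column a whose security_acl grants `letter` to `role`."""
    return [a for label, acl, a, b in rows
            if letter in privileges_for(parse_security_acl(acl), role)]


if __name__ == "__main__":
    for label, acl, a, b in SAMPLE_ROWS:
        print(set_user(label, "system_u"),
              sorted(privileges_for(parse_security_acl(acl), "kaigai")), a, b)
    print(rows_with_privilege(SAMPLE_ROWS, "alice", "r"))
```

The one edge case worth the extra line is in parse_context(): splitting on every ':' would break labels whose MLS range carries categories (s0-s0:c0.c1023), so the split is capped at four fields. What the letters r, w, d and x actually grant is not defined in the message, so the helpers only report them.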