KaiGai Kohei wrote:
Andrew Dunstan wrote:
KaiGai Kohei wrote:
The SELinux provides a certain process privilege to make backups and
restore them. In the (currect) default policy, it is called
"unconfined".
However, it is also *possible* to define a new special process
privilege
for backup and restore tools. For example, it can access all the
databse
objects and can make backups, but any other process cannot touch the
backup files. It means that DBA can launch a backup tool and it creates
a black-boxed file, then he cal also lauch a restore tool to restore
the black-boxed backup, but he cannot see the contents of the backup.
(It might be a similar idea of "sudo" mechanism.)
Really? How you enforce this black box rule for a backup made across
the network? From the server's POV there is no such thing as a
backup. All it sees is a set of SQL statements all of which it might
see in some other context.
The recent SELinux provide a feature to exchange the security context of
peer process over the network connection.
It allows to control a certain process to send/receive packets to/from
only a certain process, even if they communicate using remote connection.
This feature is named "Labeled IPsec". The key exchange daemon (racoon)
was enhanced to exchange the security context of peer processes also,
prior to the actual communications.
Interesting, I can see this having some use in quite a number of areas.
Of course, in the end, it still comes down to this issue, which is as
old as Plato: "Quis custodiet ipsos custodes?" (see
<http://en.wikipedia.org/wiki/Quis_custodiet_ipsos_custodes%3F> )
cheers
andrew
*/
/*
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
