On Fri, 2009-12-11 at 11:28 -0500, Stephen Frost wrote: [snip...] > > The main concern I hear is that people are worried that this is an > > SELinux specific design. I heard at the meeting on Wednesday that the > > Trusted Extensions people looked at the framework and said it meets > > their needs as well. If thats the case where does the concept that the > > design is SELinux specific stem from? We've asked Casey Schaufler the > > developer of another label based MAC system for Linux to look at the > > hooks as well and make a statement about their usability. > > Hope I didn't steal your thunder wrt Casey! Thanks again.
So we contacted Casey about another MAC model for PG using PG-ACE and he got back to us with these reponses. Josh Brindle (JB): So my question is, does smack have a facility for userspace object managers? Casey Schaufler (cs): Yes. The smack-util package includes a small library which supports a user space version of the kernel smackaccess() function. You pass it the subject label, object label, and desired access and it returns a yes/no answer based on what it reads from /smack/load. So this answers our questions on whether or not SMACK has the faculties to act as the security decision engine for PG. JB: If so, I want to make the argument that doing a smack integration using the pgace abstraction layer would not only work but be fairly easy. CS: Looking at some of the documentation I think that you can safely make that argument. The security_label column would just be the Smack label. The rules can be enforced by the user space smackaccess(). "System" rows, whatever that might be, could get the floor ("_") label. Casey mentions the row level access control in here but its safe to say we've broken row based access control into a followup discussion/project. JB: All the sepgsql docs and code are up at <http://code.google.com/p/sepgsql/> and I'd like to get your feedback before I start making claims... CS: I can't see how it would take more than about a day if pgace does what it looks like it should. This seems to be a favorable assesment of the pgace framework's ability to be used by something other than SELinux. So Casey's Smack module plus the Sun guys saying it is usable by their legacy TSOL or TX code would lend credence to the idea that pgace is bringing to the table. It may be possible that you're not happy with certain aspects of the implementation but the objects and permissions listed in pgace are definitely ones that are worth mediating. Dave Dave -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers