Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Josh Berkus]

Bruce, KaiGai,

Is PGACE ready for CommitFest, now?

--Josh

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[KaiGai Kohei]

Josh Berkus wrote:

Bruce, KaiGai,

Is PGACE ready for CommitFest, now?

--Josh


Yes, it's ready now.

See the following message:
  http://archives.postgresql.org/pgsql-hackers/2008-06/msg00980.php
  http://archives.postgresql.org/pgsql-hackers/2008-06/msg00840.php

Thanks,
--
KaiGai Kohei [EMAIL PROTECTED]

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Josh Berkus]

KaiGai Kohei wrote:

Josh Berkus wrote:

Bruce, KaiGai,

Is PGACE ready for CommitFest, now?

--Josh


Yes, it's ready now.


OK, added to CommitFest.

--Josh

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Bruce Momjian]

Added to TODO:

* Improve server security options

  http://archives.postgresql.org/pgsql-hackers/2008-04/msg01875.php
  http://archives.postgresql.org/pgsql-hackers/2008-05/msg0.php


---

KaiGai Kohei wrote:
 I updated the series of SE-PostgreSQL patches for the latest pgsql-8.4devel 
 tree.
 
 [1/4] sepostgresql-pgace-8.4devel-3-r739.patch
   provides PGACE (PostgreSQL Access Control Extension) framework.

 http://sepgsql.googlecode.com/files/sepostgresql-pgace-8.4devel-3-r739.patch
 
 [2/4] sepostgresql-sepgsql-8.4devel-3-r739.patch
   provides SE-PostgreSQL feature, based on PGACE framework.

 http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r739.patch
 
 [3/4] sepostgresql-pg_dump-8.4devel-3-r739.patch
   enables to dump databases with security attribute.

 http://sepgsql.googlecode.com/files/sepostgresql-pg_dump-8.4devel-3-r739.patch
 
 [4/4] sepostgresql-policy-8.4devel-3-r739.patch
   provides the default security policy of SE-PostgreSQL.

 http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r739.patch
 
 We provide a quick overview for SE-PostgreSQL at:
 http://code.google.com/p/sepgsql/wiki/WhatIsSEPostgreSQL
 
 Thanks,
 
 KaiGai Kohei wrote:
  The series of patches are the proposal of Security-Enhanced PostgreSQL 
  (SE-PostgreSQL)
  for the upstreamed PostgreSQL 8.4 development cycle.
  
   [1/4] sepostgresql-pgace-8.4devel-3.patch
   provides PGACE (PostgreSQL Access Control Extension) framework
  
  http://sepgsql.googlecode.com/files/sepostgresql-pgace-8.4devel-3-r704.patch
  
   [2/4] sepostgresql-sepgsql-8.4devel-3.patch
   provides SE-PostgreSQL feature, based on PGACE framework.
  
  http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r704.patch
  
   [3/4] sepostgresql-pg_dump-8.4devel-3.patch
   enables pg_dump to dump database with security attribute.
  
  http://sepgsql.googlecode.com/files/sepostgresql-pg_dump-8.4devel-3-r704.patch
  
   [4/4] sepostgresql-policy-8.4devel-3.patch
   provides the default security policy for SE-PostgreSQL.
  
  http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r704.patch
  
  We can provide a quick overview for SE-PostgreSQL at:
  http://code.google.com/p/sepgsql/wiki/WhatIsSEPostgreSQL
  
  ENVIRONMENT
  ---
  Please confirm your environment.
  The followings are requriements of SE-PostgreSQL.
   * Fedora 8 or later system
   * SELinux is enabled and working
   * kernel-2.6.24 or later
   * selinux-policy and selinux-policy-devel v3.0.8 or later
   * libselinux, policycoreutils
  
  INSTALLATION
  
  $ tar jxvf postgresql-snapshot.tar.bz2
  $ cd postgresql-snapshot
  $ patch -p1  ../sepostgresql-pgace-8.4devel-3.patch
  $ patch -p1  ../sepostgresql-sepgsql-8.4devel-3.patch
  $ patch -p1  ../sepostgresql-pg_dump-8.4devel-3.patch
  $ patch -p1  ../sepostgresql-policy-8.4devel-3.patch
  
  $ ./configure --enable-selinux
  $ make
  $ make -C contrib/sepgsql-policy
  $ su
  # make install
  
  # /usr/sbin/semodule -i contrib/sepgsql-policy/sepostgresql.pp
(NOTE: semodule is a utility to load/unload security policy modules.)
  
  # /sbin/restorecon -R /usr/local/pgsql
(NOTE: restorecon is a utilicy to initialize security context of files.)
  
  SETUP
  -
  # mkdir -p /opt/sepgsql
  # chown foo_user:var_group /opt/sepgsql
  # chcon -t postgresql_db_t /opt/sepgsql
(NOTE: chcon is a utility to set up security context of files.)
  # exit
  
  $ /usr/sbin/run_init /usr/local/pgsql/bin/initdb -D /opt/sepgsql
(NOTE: run_init is a utility to start a program, as if it is branched 
  from init script.)
  $ /usr/local/pgsql/bin/pg_ctl -D /opt/sepgsql start
  
  
  SUMMARYS FOR EVERY PATCHES
  --
  [1/4] - sepostgresql-pgace-8.4devel-3.patch
  
  This patch provides PGACE (PostgreSQL Access Control Extension) framework.
  
  It has a similar idea of LSM (Linu Security Module).
  It can provide a guest module several hooks at strategic points.
  The guest module can make its decision whether required actions should be
  allowed, or not.
  In addition, PGACE also provides falicilites to manage security attribute
  of database objects. Any tuple can have a its security attribute, and the
  guest module can refer it to control accesses.
  
A more conprehensive memo at:
  http://code.google.com/p/sepgsql/wiki/WhatIsPGACE
  
  [2/4] - sepostgresql-sepgsql-8.4devel-3.patch
  
  This patch provides SE-PostgreSQL facilities based on PGACE.
  
  Security-Enhanced PostgreSQL (SE-PostgreSQL) is a security extension
  built in PostgreSQL, to provide system-wide consistency in access
  controls. It enables to apply a single unigied security policy of
  SELinux for both operating system and database management system.
  In addition, it also provides fine-grained mandatory access 

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Dawid Kuroczko]

On Wed, May 7, 2008 at 7:52 AM, KaiGai Kohei [EMAIL PROTECTED] wrote:
 Tom, Thanks for your reviewing.
 The patch hasn't got a mode in which SELinux support is compiled in but
 not active.  This is a good way to ensure that no one will ever ship
 standard RPMs with the feature compiled in, because they will be entirely
 nonfunctional for people who aren't interested in setting up SELinux.
 I think you need an enable_sepostgres GUC, or something like that.
 (Of course, the overhead of the per-row security column would probably
 discourage anyone from wanting to use such a configuration anyway,
 so maybe the point is moot.)
 We can turn on/off SELinux globally, not bounded to SE-PostgreSQL.
 The reason why I didn't provide a mode bit like enable_sepostgresql
 is to keep consistency in system configuration.

Hmm, I think ACE should be a CREATE DATABASE parameter.

If I were to create a SE-database I would wish that disabling it was
more difficult than changing a GUC in database.  And being able to
set it on per-database basis would help get SE/ACE enabled by
packagers.

   Regards,
  Dawid
-- 
Solving [site load issues] with [more database replication] is a lot
like solving your own personal problems with heroin - at first it
sorta works, but after a while things just get out of hand.

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[KaiGai Kohei]

Tom Lane wrote:
 The idea of input functions that alter system tables scares me.

An example:
  SELECT 'system_u:object_r:sepgsql_table_t:SystemHigh'::security_label;

can insert a new tuple into pg_security, but it is not a desirable behavior.

To fix this, I'll remove security_label type and define security_context
system column as a text type column, and translate the contents into
an internal identifical representation just before update or insert a tuple.

It enables to avoid to insert a temporary used (unnecessary) security context,
and enables to use various kind of text functions.

Please comment it, if you have anything.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei [EMAIL PROTECTED]

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[KaiGai Kohei]

Tom Lane wrote:
 KaiGai Kohei [EMAIL PROTECTED] writes:
 Tom Lane wrote:
 Yeah, I remember those.  What needs to be looked at here is *why* the
 output is changing.  For a patch that allegedly does not touch the
 planner, it's fairly disturbing that you don't get the same results.
 
 SE-PostgreSQL does not touch the planner, but it modifies given query
 to filter violated tuples for the current user.
 
 Hmm.  Is that really a good idea, compared to hard-wiring the checks
 into nodeSeqscan and friends?  I didn't look at the query-rewriting
 portion of the patch in any detail, but I'd tend not to trust suchte
 a technique very far: getting it right is going to be quite complex
 and probably bug prone.

In the prior base version (8.2.x and 8.3.x), I tended to implement
these stuffs in the modular part as far as possible, because massive
patched hanks makes more difficult to follow the mainstreamed PostgreSQL. :-(

However, the hard-wides checks look like a good idea for me.
I tried to implement a prototype of the disign, and currently it works fine.
If we can replace the implementation of tuple-level access controls by this
design, it makes the implementation simpler.

Now, I add a hook into ExecScan(). It can return true or false, to decide
whether a given tuple is filtered or not.
Permissions to be evaluated are delivered via Scan structure. A variable
named as pgaceTuplePerms (uint32) is added to keep permission set for
tuple level access controls into Scan structure.
If the security module put a proper bitmask on pgaceTuplePerms of RangeTblEntry,
it is copied to related Scan structure later.

 Are you sure that the security_label type should not have an array type?
 
 Yes, security_label type should not have an array type.
 
 You didn't provide one ounce of justification for making it not obey the
 expected behavior, so I'm not accepting this position.  It doesn't seem
 to me to be all that unlikely that users would want to compute with
 arrays of security labels.  As an example:
   select ... where security_label in ('foo', 'bar')
 which will become an = ANY(ARRAY[]) construct under the hood.

Ah.., I didn't intend such kind of usage, so security_label type does not
have operators to use it directly, not only array support.

I'll add it in the next patch set.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei [EMAIL PROTECTED]

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[KaiGai Kohei]

Tom Lane wrote:
 KaiGai Kohei [EMAIL PROTECTED] writes:
 Some of the test fails contains minor differences from expected results, 
 like:
 
 |   SELECT '' AS xxx, *
 | FROM J1_TBL t1 (a, b, c) NATURAL JOIN J2_TBL t2 (d, a);
 |xxx | a | b |  c   | d
 |   -+---+---+--+---
 |  - | 0 |   | zero |
 || 2 | 3 | two  | 2
 || 4 | 1 | four | 2
 |  + | 0 |   | zero |
 |   (3 rows)
 
 Yeah, I remember those.  What needs to be looked at here is *why* the
 output is changing.  For a patch that allegedly does not touch the
 planner, it's fairly disturbing that you don't get the same results.

SE-PostgreSQL does not touch the planner, but it modifies given query
to filter violated tuples for the current user.
Thus, the above query is dealt as if the following query is inputed.

SELECT '' AS xxx, *
  FROM J1_TBL t1 (a, b, c) NATURAL JOIN J2_TBL t2 (d, a)
  ON sepgsql_tuple_perms(t1.security_context, SEPGSQL_PERMS_SELECT, ...)
 and sepgsql_tuple_perms(t2.security_context, SEPGSQL_PERMS_SELECT, ...);

sepgsql_tuple_perms() returns true, if the security policy allows user
to access a given tuple. It returns false, if not so.

The result of EXPLAIN shows it more clearly:

| kaigai=# EXPLAIN SELECT '' AS xxx, * FROM J1_TBL t1 (a, b, c) NATURAL JOIN 
J2_TBL t2 (d, a);
|   QUERY PLAN
| 
---
|  Hash Join  (cost=29023.54..82599.93 rows=1380 width=44)
|Hash Cond: (t2.a = t1.a)
|-  Seq Scan on j2_tbl t2  (cost=0.00..53526.05 rows=713 width=8)
|  Filter: pg_catalog.sepgsql_tuple_perms(tableoid, security_context, 
12288, t2.*)
|-  Hash  (cost=29018.70..29018.70 rows=387 width=40)
|  -  Seq Scan on j1_tbl t1  (cost=0.00..29018.70 rows=387 width=40)
|Filter: pg_catalog.sepgsql_tuple_perms(tableoid, 
security_context, 12288, t1.*)
| (7 rows)

 and, some of them are trivial ones, like:
 
 |   SELECT p1.oid, p1.typname
 |   FROM pg_type as p1
 |   WHERE p1.typtype in ('b','e') AND p1.typname NOT LIKE E'\\_%' AND NOT 
 EXISTS
 |   (SELECT 1 FROM pg_type as p2
 |WHERE p2.typname = ('_' || p1.typname)::name AND
 |  p2.typelem = p1.oid and p1.typarray = p2.oid);
 |  - oid | typname
 |  --+-
 |  - 210 | smgr
 |  - 705 | unknown
 |  -(2 rows)
 |  + oid  |typname
 |  +--+
 |  +  210 | smgr
 |  +  705 | unknown
 |  + 3403 | security_label
 |  +(3 rows)
 
 Are you sure that the security_label type should not have an array type?
 I do not offhand see a good argument for that.  If it really shouldn't,
 we can change the expected output here, but you've got to make that
 case first.

Yes, security_label type should not have an array type.
It is defined with typelem=0 and typarray=0.
The purpose of this type is to represent the new system column of
security attribute (security_context column).

So, I think it is a case that a new expented output should be modified.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei [EMAIL PROTECTED]

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Tom Lane]

KaiGai Kohei [EMAIL PROTECTED] writes:
 Tom Lane wrote:
 Yeah, I remember those.  What needs to be looked at here is *why* the
 output is changing.  For a patch that allegedly does not touch the
 planner, it's fairly disturbing that you don't get the same results.

 SE-PostgreSQL does not touch the planner, but it modifies given query
 to filter violated tuples for the current user.

Hmm.  Is that really a good idea, compared to hard-wiring the checks
into nodeSeqscan and friends?  I didn't look at the query-rewriting
portion of the patch in any detail, but I'd tend not to trust such
a technique very far: getting it right is going to be quite complex
and probably bug prone.

 Are you sure that the security_label type should not have an array type?

 Yes, security_label type should not have an array type.

You didn't provide one ounce of justification for making it not obey the
expected behavior, so I'm not accepting this position.  It doesn't seem
to me to be all that unlikely that users would want to compute with
arrays of security labels.  As an example:
select ... where security_label in ('foo', 'bar')
which will become an = ANY(ARRAY[]) construct under the hood.

regards, tom lane

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Andrew Dunstan]

Tom Lane wrote:

KaiGai Kohei [EMAIL PROTECTED] writes:
  

Tom Lane wrote:


Yeah, I remember those.  What needs to be looked at here is *why* the
output is changing.  For a patch that allegedly does not touch the
planner, it's fairly disturbing that you don't get the same results.
  


  

SE-PostgreSQL does not touch the planner, but it modifies given query
to filter violated tuples for the current user.



Hmm.  Is that really a good idea, compared to hard-wiring the checks
into nodeSeqscan and friends?  I didn't look at the query-rewriting
portion of the patch in any detail, but I'd tend not to trust such
a technique very far: getting it right is going to be quite complex
and probably bug prone.

  


My eyebrows went up when I read this too. Presumably, if it's hardwired 
like you suggest then the planner can't take any account of the filter, 
though. Do we want it to?


OTOH, I'm not happy about silently rewriting queries, either - it would 
make optimising queries a lot harder, I suspect.


cheers

andrew

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Tom Lane]

Andrew Dunstan [EMAIL PROTECTED] writes:
 Tom Lane wrote:
 Hmm.  Is that really a good idea, compared to hard-wiring the checks
 into nodeSeqscan and friends?

 My eyebrows went up when I read this too. Presumably, if it's hardwired 
 like you suggest then the planner can't take any account of the filter, 
 though. Do we want it to?

Well, the planner could have hardwired knowledge about the existence of
the hardwired filters --- if anything, that'd probably be easier than
hacking it to have a similar level of knowledge about generic-looking
function calls.  But in reality, since we don't know at plan time which
userid will execute the constructed plan, I'm not sure we could come up
with useful estimates anyway.

regards, tom lane

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[KaiGai Kohei]

Tom Lane wrote:
 KaiGai Kohei [EMAIL PROTECTED] writes:
 Tom Lane wrote:
 * It does not come close to passing the regression tests.  I saw a lot of
 ! ERROR:  unrecognized node type: 903
 which suggests that something's been screwed up about parse analysis
 (903 = T_A_Const, which shouldn't get further than parse analysis),
 
 Could you tell me what queries hit these errors?
 
 I remember seeing it on some EXECUTEs, but you really ought to run the
 tests for yourself.  A *minimum* requirement on any submitted patch
 is that it should pass the regression tests.

Some of the test fails contains minor differences from expected results, like:

|   SELECT '' AS xxx, *
| FROM J1_TBL t1 (a, b, c) NATURAL JOIN J2_TBL t2 (d, a);
|xxx | a | b |  c   | d
|   -+---+---+--+---
|  - | 0 |   | zero |
|| 2 | 3 | two  | 2
|| 4 | 1 | four | 2
|  + | 0 |   | zero |
|   (3 rows)

and, some of them are trivial ones, like:

|   SELECT p1.oid, p1.typname
|   FROM pg_type as p1
|   WHERE p1.typtype in ('b','e') AND p1.typname NOT LIKE E'\\_%' AND NOT EXISTS
|   (SELECT 1 FROM pg_type as p2
|WHERE p2.typname = ('_' || p1.typname)::name AND
|  p2.typelem = p1.oid and p1.typarray = p2.oid);
|  - oid | typname
|  --+-
|  - 210 | smgr
|  - 705 | unknown
|  -(2 rows)
|  + oid  |typname
|  +--+
|  +  210 | smgr
|  +  705 | unknown
|  + 3403 | security_label
|  +(3 rows)

Isn't it necessary to consider them as regressions?

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei [EMAIL PROTECTED]

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Tom Lane]

KaiGai Kohei [EMAIL PROTECTED] writes:
 Some of the test fails contains minor differences from expected results, like:

 |   SELECT '' AS xxx, *
 | FROM J1_TBL t1 (a, b, c) NATURAL JOIN J2_TBL t2 (d, a);
 |xxx | a | b |  c   | d
 |   -+---+---+--+---
 |  - | 0 |   | zero |
 || 2 | 3 | two  | 2
 || 4 | 1 | four | 2
 |  + | 0 |   | zero |
 |   (3 rows)

Yeah, I remember those.  What needs to be looked at here is *why* the
output is changing.  For a patch that allegedly does not touch the
planner, it's fairly disturbing that you don't get the same results.

 and, some of them are trivial ones, like:

 |   SELECT p1.oid, p1.typname
 |   FROM pg_type as p1
 |   WHERE p1.typtype in ('b','e') AND p1.typname NOT LIKE E'\\_%' AND NOT 
 EXISTS
 |   (SELECT 1 FROM pg_type as p2
 |WHERE p2.typname = ('_' || p1.typname)::name AND
 |  p2.typelem = p1.oid and p1.typarray = p2.oid);
 |  - oid | typname
 |  --+-
 |  - 210 | smgr
 |  - 705 | unknown
 |  -(2 rows)
 |  + oid  |typname
 |  +--+
 |  +  210 | smgr
 |  +  705 | unknown
 |  + 3403 | security_label
 |  +(3 rows)

Are you sure that the security_label type should not have an array type?
I do not offhand see a good argument for that.  If it really shouldn't,
we can change the expected output here, but you've got to make that
case first.

regards, tom lane

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[KaiGai Kohei]

 The whole early security business looks like a mess :-(.  I suspect
 you should rip all that out of the backend and add a step to initdb
 that fills in those tables.
 
 I also think early security codes are ad-hoc. :-(
 Pushing it into initdb seems me a good idea.
 I'll try to consider whether it is possible, or not.

The purpose of early security code is to manage relationship security
identifier and text representation before pg_security creation.

Therefore, we can make it redundant if initializing security attributes
can be done later. In the next patch set, I'll inject a hook to initialize
them at the last of bootstraping phase, and remove early security code.

Any tuples inserted during bootstraping mode are unlabeled, and this
operation is always allowed. Then, this hook is invoked after setting
up all system catalog, and it labels whole of database, as if restorecon
command initialize security context of filesystem objects.

How do you think about this design?
-- 
OSS Platform Development Division, NEC
KaiGai Kohei [EMAIL PROTECTED]

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[KaiGai Kohei]

Tom Lane wrote:
 After that, and a whole bunch of foolery with manually putting the right
 security labels on files (because the contrib module is unhelpful for
 test installations with nonstandard PREFIXes), I managed to get a
 version that worked well enough to test.  What I found out:

I'll improve the way to provide security policy.
Please wait for a while.

 * It does not come close to passing the regression tests.  I saw a lot of
 ! ERROR:  unrecognized node type: 903
 which suggests that something's been screwed up about parse analysis
 (903 = T_A_Const, which shouldn't get further than parse analysis),

Could you tell me what queries hit these errors?
I guess this message was generated in expression_tree_walker() called within
sepgsqlExprWalker(), but it is invoked after query rewriter.

 and it dumps core in the TRUNCATE test.

This bug came from misoperations of List.

 * pgbench shows a relatively marginal speed difference, which is not
 too surprising since it pushes only a few tuples around per query.
 The worst case for sepostgres is likely to be bulk operations.
 I tried select count(*) from accounts (at scale factor 20, so this
 is 200 tuples) and got about 550 msec from CVS HEAD, about
 1340 msec from HEAD plus patch.  That's with no actual useful policy
 loaded, mind you.
 
 So the overhead is indeed pretty bad, but it seems reasonable to think
 that with some optimization effort it could be brought down to where
 it'd be acceptable for people who really need the feature.

Thanks for your information.
It indeed has performance degrading, but, I expect users who want to apply
SELinux policy don't put their first priority on edge performance.


 AFAICS the only thing left that really needs to be discussed more during
 this commit-fest is the business about whether it's sane to be trying to
 apply selinux restrictions in simple_heap_update and friends.  The more
 I think about that the more I think it's simply a bad idea.  Those
 functions are used primarily (if not solely) for system-initiated
 catalog updates, and I fail to see any plausible reason to let
 user-written policy be applied at that level.  For instance, it would
 be a completely bad move to allow such policy to prevent autovacuum
 from updating relfrozenxid values. 

In generally, fewer and more fundamental security checks are more
comprehensive. simple_heap_update() can trap any updating, called
from more than 80 places.

The purpose of SE-PostgreSQL is to apply security policy on user's
queries, not an internal one. Therefore, we don't apply any policy
on some of *internal* operations, like updating TOAST table.

Currently I don't apply any special care for autovacuum, however,
it is a solution to handle *internal* updating as an exception for
checks. (Because it is NOT came from external users.)

 Furthermore, those functions are
 much too low-level to have any idea of the reason for the change they
 are being asked to make, so they can't apply any intelligence to the
 allow-or-not decision. 

We can abstract finer-grained access control unit later, however,
its reverse is difficult.
For example, we have to have the following permission to create
a new table.
 - Insert a new tuple into pg_class
 - Insert a new tuple into pg_type
 - Insert new tuples into pg_attribute

These are abstracted in the default security policy.
If you want non-administrative users to create/drop table,
set sepgsql_enable_users_ddl boolean to turn on/off the permission set.

  # setsebool sepgsql_enable_users_ddl=1

 Lastly, I don't see any use-case for policy there
 that wouldn't be served as well or better by the standard SQL privilege
 mechanism.  So I think that really all needs to be ripped out, and
 do enforcement in the executor instead.

The primary purpose of SE-PostgreSQL is to apply common access control
policy on database objects, as if clients access filesystem objects.

See the following diagram:
  http://sepgsql.googlecode.com/files/sepgsql_dfc.png

It shows two users within different domain tries to communicate each
other, and any message have to go through inter-processes communication
method like files, networks, and so on.
(Security policy enforces single directed data flow, from lower to higher.)

SELinux can prevent data leaking via shared files because it is managed
by operating system. However, it is impossible for database objects.

SE-PostgreSQL apply (system-wide) common security policy on database objects.
This concept enables to maintain consistency of access control policy.

The standard SQL privilegs machanism is suitable to control accesses
on database objects, however, it is not easy to maintain its consistency
with operating systems's policy.

Is it appropriate answer for your question?

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei [EMAIL PROTECTED]

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Andrew Sullivan]

On Wed, May 07, 2008 at 12:01:21AM -0400, Greg Smith wrote:

 It may be the case that clean row and column filtering at the SQL layer are 
 pre-requisites for a clean SELinux implementation, where the only 
 difference is that the permission checks are handled by asking SELinux 
 instead of looking in the catalog.

That strikes me as an approach more likely to be fruitful.

I get the point about imposing all the restrictions at the SELinux
layer.  But the way to do that, I think, is to make the individual
policies possible to implement in PostgreSQL simpliciter, and then
have some interface to the SELinux permissions system so that it
becomes possible to set those definitions outside Postgres.  (I know
that the latter raises all sorts of nasty DoS scenarios.  That's
clearly one of the problems that will need addressing.)

Again, I support the effort in principle; I'm just not sure that the
current proof-of-concept work is what will be needed to address the
design goals.  I do think that somewhat clearer scope definitions
would be a big help in deciding which modifications are really needed,
and where.

A

-- 
Andrew Sullivan
[EMAIL PROTECTED]
+1 503 667 4564 x104
http://www.commandprompt.com/

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Tom Lane]

KaiGai Kohei [EMAIL PROTECTED] writes:
 Tom Lane wrote:
 * It does not come close to passing the regression tests.  I saw a lot of
 ! ERROR:  unrecognized node type: 903
 which suggests that something's been screwed up about parse analysis
 (903 = T_A_Const, which shouldn't get further than parse analysis),

 Could you tell me what queries hit these errors?

I remember seeing it on some EXECUTEs, but you really ought to run the
tests for yourself.  A *minimum* requirement on any submitted patch
is that it should pass the regression tests.

regards, tom lane

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Marc Munro]

In a digest for Tue, 2008-05-06 at 22:57 -0300, Tom Lane wrote:
...[discussion of SE-PostgreSQL patch deleted]...
 (And of course the next question after that is why we should want to
 depend on SELinux at all, rather than implementing row filtering
 in the framework of SQL permissions...)

I would love to see something like this to replace Veil which I develop
and support.  What sort of row filtering did you have in mind?

As a database application developer I have found being able to define
access controls in terms of data relationships to be tremendously useful
and I would love to see something like this built into postgres.

As far as I have been able to understand SE-PostgreSQL, it is aimed at a
very security-conscious, and expert, customer base but it cannot offer
the sort of relationally-defined security access that Veil is intended
for (I'd be happy to be wrong about this).  On the other hand Veil is
not going to be able to provide the degree of certainty (provability?)
of SE-PostgreSQL.

As an example of relationally-defined security, suppose I want only the
members of a project team to be able to see project information:

In the veil demo application (
http://veil.projects.postgresql.org/curdocs/demo-model.html ) we can
assign a developer to a project by inserting into the assignments table
a record for that developer, the given project and a specific role.
Once assigned, the developer can see project_details for that project
that previously were unavailable.

If row filtering is to be implemented directly within Postgres, I would
like this sort of capability to be considered.  For the record, Veil was
written to provide similar functionality to Oracle's Virtual Private
Databases.

__
Marc


signature.asc
Description: This is a digitally signed message part

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Josh Berkus]

Andrew, Marc,


FWIW, I support and think important the row- and column- level access
controls this seems to be proposing, at least in principle.  Whether
that's a support that will extend to 2x overhead on everything is
rather a different matter.  Also, I am more than prepared to trade
away some cases in order to get a broadly useful functionality (so if
you can't hide the existence of a table, but all efforts to learn its
contents don't work, I might be willing to support that trade-off).


Well, there are two different goals we can satisfy.  One is to help 
support the kind of VPS functionality that Veil is designed for, and the 
majority of users want.  The second goal is upholding the kind of 
security systems demanded by highly secure environments which have 
statutory requirements about how security should work.


That is, while Veil-like funcitonality is what most developers want, 
it's not what NSA/Banks/military want, who have their own ideas about 
security.  I think we can conceivably capture both.


I do think that SE functionality which goes beyond reasonable SQL 
requirements should be a build-time options because I don't feasably see 
ways to implement them that won't cause a big performance hit.


Also, I think you should be aware that for serious multilevel security 
hackers (one of whom will be working on Postgres soon) SEPostgres is the 
beginning and not the end.  One of the requirements of many militaries, 
for example, is not merely data hiding by data substitution, where the 
row contents you see depend on your security clearance.


Also, re: pg_dump: it's actually a desired feature that, for example, 
some users only be able to dump a subset of the database.  Including 
some DBAs.  One of the issues which SE/Mulitlevel tries to address is 
what happens if you don't trust your DBA 100%?  So if we can retain 
that, it's actually a feature and not a bug.


--Josh





--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Tom Lane]

I wrote:
 I tried to do a bit of testing of this, but it does not work on current
 Fedora 8, because the policy module doesn't build:

I got past that by commenting out the last few lines of sepostgresql.te,
which apparently are intended for some SELinux feature that's not
shipped yet in F8.

After that, and a whole bunch of foolery with manually putting the right
security labels on files (because the contrib module is unhelpful for
test installations with nonstandard PREFIXes), I managed to get a
version that worked well enough to test.  What I found out:

* It does not come close to passing the regression tests.  I saw a lot of
! ERROR:  unrecognized node type: 903
which suggests that something's been screwed up about parse analysis
(903 = T_A_Const, which shouldn't get further than parse analysis),
and it dumps core in the TRUNCATE test.

* pgbench shows a relatively marginal speed difference, which is not
too surprising since it pushes only a few tuples around per query.
The worst case for sepostgres is likely to be bulk operations.
I tried select count(*) from accounts (at scale factor 20, so this
is 200 tuples) and got about 550 msec from CVS HEAD, about
1340 msec from HEAD plus patch.  That's with no actual useful policy
loaded, mind you.

So the overhead is indeed pretty bad, but it seems reasonable to think
that with some optimization effort it could be brought down to where
it'd be acceptable for people who really need the feature.

AFAICS the only thing left that really needs to be discussed more during
this commit-fest is the business about whether it's sane to be trying to
apply selinux restrictions in simple_heap_update and friends.  The more
I think about that the more I think it's simply a bad idea.  Those
functions are used primarily (if not solely) for system-initiated
catalog updates, and I fail to see any plausible reason to let
user-written policy be applied at that level.  For instance, it would
be a completely bad move to allow such policy to prevent autovacuum
from updating relfrozenxid values.  Furthermore, those functions are
much too low-level to have any idea of the reason for the change they
are being asked to make, so they can't apply any intelligence to the
allow-or-not decision.  Lastly, I don't see any use-case for policy there
that wouldn't be served as well or better by the standard SQL privilege
mechanism.  So I think that really all needs to be ripped out, and
do enforcement in the executor instead.

regards, tom lane

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Andrew Sullivan]

On Tue, May 06, 2008 at 02:56:41PM -0400, Tom Lane wrote:

 AFAICS the only thing left that really needs to be discussed more during
 this commit-fest is the business about whether it's sane to be trying to
 apply selinux restrictions in simple_heap_update and friends.  

I don't have any opinion about the patches, obviously, but I'm
wondering whether there is, somewhere, an outline of what the _goals_
of this system are.  If we have requirements that we can measure the
implementation against, we can know whether to throw away a particular
goal as being basically incompatible with the design of Postgres
(i.e. not an enhancement but a reconception) or else as being
implementable with another approach.

A

-- 
Andrew Sullivan
[EMAIL PROTECTED]
+1 503 667 4564 x104
http://www.commandprompt.com/

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Tom Lane]

Andrew Sullivan [EMAIL PROTECTED] writes:
 I don't have any opinion about the patches, obviously, but I'm
 wondering whether there is, somewhere, an outline of what the _goals_
 of this system are.

The only documentation I've seen is

http://code.google.com/p/sepgsql/wiki/WhatIsSEPostgreSQL

which contains only examples of enforcing restrictions on *user*
queries and tables.

regards, tom lane

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Andrew Sullivan]

On Tue, May 06, 2008 at 03:28:25PM -0400, Tom Lane wrote:
 
 The only documentation I've seen is
 
 http://code.google.com/p/sepgsql/wiki/WhatIsSEPostgreSQL
 
 which contains only examples of enforcing restrictions on *user*
 queries and tables.

I agree that, having just read that, anything that involves itself
with the system catalogues and such is way overstepping the stated
design goal.

There is an issue in most high-security systems having to do with
side-channel leakage of supposedly sensitive data.  So, the mere
exsistence of certain tables, columns, or users might be regarded as 
security-sensitive data.  I'm not sure I see how to get around that
without mucking in the areas that are causing some of the trouble.

But I think before we get into that discussion, a fairly clear
statement of exactly which problems are going to be in scope is
needed.

FWIW, I support and think important the row- and column- level access
controls this seems to be proposing, at least in principle.  Whether
that's a support that will extend to 2x overhead on everything is
rather a different matter.  Also, I am more than prepared to trade
away some cases in order to get a broadly useful functionality (so if
you can't hide the existence of a table, but all efforts to learn its
contents don't work, I might be willing to support that trade-off).

A

-- 
Andrew Sullivan
[EMAIL PROTECTED]
+1 503 667 4564 x104
http://www.commandprompt.com/

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Tom Lane]

Andrew Sullivan [EMAIL PROTECTED] writes:
 There is an issue in most high-security systems having to do with
 side-channel leakage of supposedly sensitive data.  So, the mere
 exsistence of certain tables, columns, or users might be regarded as 
 security-sensitive data.  I'm not sure I see how to get around that
 without mucking in the areas that are causing some of the trouble.

Well, the setup that I suggested would still allow people to set
restrictions that would prevent *user* queries from seeing rows in the
system catalogs.  I'm not sure that's a good idea either --- pg_dump,
meet foot gun --- but at least it can't corrupt the functioning of the
server itself.

 But I think before we get into that discussion, a fairly clear
 statement of exactly which problems are going to be in scope is
 needed.

Agreed, that would help.

 FWIW, I support and think important the row- and column- level access
 controls this seems to be proposing, at least in principle.  Whether
 that's a support that will extend to 2x overhead on everything is
 rather a different matter.  Also, I am more than prepared to trade
 away some cases in order to get a broadly useful functionality (so if
 you can't hide the existence of a table, but all efforts to learn its
 contents don't work, I might be willing to support that trade-off).

Yeah, that's something that we need to think about too.  ISTM that this
patch's proposed restrictions on SQL object access are largely
duplicative of SQL-standard access permissions, and they'll become more
so if the pending patch to implement SQL column permissions gets in.
I think a good case could be made for throwing out all of that and using
the SELinux code only for row-level filtering.

(And of course the next question after that is why we should want to
depend on SELinux at all, rather than implementing row filtering
in the framework of SQL permissions...)

regards, tom lane

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Greg Smith]

On Tue, 6 May 2008, Tom Lane wrote:

And of course the next question after that is why we should want to 
depend on SELinux at all, rather than implementing row filtering in the 
framework of SQL permissions...


It may be the case that clean row and column filtering at the SQL layer 
are pre-requisites for a clean SELinux implementation, where the only 
difference is that the permission checks are handled by asking SELinux 
instead of looking in the catalog.


As for why SQL restrictions alone aren't enough...the simple answer is 
because it's not SELinux, which I say in all seriousness because it is 
turning into a requirement in some places.


SELinux lets you control what a user login is capable of no matter what 
application they run, and managing those capabilities can happen in one 
place--the SELinux tools.  There's lots of ways to address OS login 
problems.  Let's say the logins have a PAM plug-in that restrict what you 
can login to based on what machine you're on, and also require one of 
those randomly generating key cards so that you can't steal someone else's 
username/password.  If you've got a scheme like that, and the database 
enforces SELinux restrictions, it doesn't matter whether your DBA followed 
all the PostgreSQL security rules correctly, as long as they got the 
SELinux mapping part right.  And you don't have to make sure whatever 
custom security mechanism you've integrated into the login or post-login 
process is recognized by the database proper at all, as long as the 
restrictions can be mapped to the SELinux+database space.


Simple example of something hard to replicate without this framework: 
you discover someone is a rat.  You update your list of active users and 
push that to all your servers.  Now even if said rat is already logged 
into the database server and busy doing 'psql -o /disk/usbkey -c select * 
from secretdata' you just cut them off in the middle of the 
query--without needing to find all the database servers and execute alter 
table secretdata set ..., just by doing simple user account maintenance 
the way people are already comfortable with and have procedures for.


That's the basic idea here--put the authorization into one layer where 
it's easy (for some definitions of easy) to manage and extensible as 
needed, without having to touch the individual applications directly, just 
by adjusting what permissions you publish when data is requested.  I'm 
sure someone can raise issues or suggest alternate implemenations for my 
specific examples, but much like other privledge escalation defense 
mechanisms these environments look for redundant layers of security.  In 
reality users of this would aim for a completely locked down base 
PostgreSQL *and* a completely locked down SELinux implementation 
integrated into that, reinforcing one another, rather than just relying on 
one level of security.


--
* Greg Smith [EMAIL PROTECTED] http://www.gregsmith.com Baltimore, MD

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[KaiGai Kohei]

Tom, Thanks for your reviewing.

Tom Lane wrote:
 KaiGai Kohei [EMAIL PROTECTED] writes:
 I updated the series of SE-PostgreSQL patches for the latest pgsql-8.4devel 
 tree.
 
 I tried to do a bit of testing of this, but it does not work on current
 Fedora 8, because the policy module doesn't build:
 
 [EMAIL PROTECTED] sepgsql-policy]$ make
 make -f /usr/share/selinux/devel/Makefile NAME=targeted
 make[1]: Entering directory `/home/tgl/sepgsql/contrib/sepgsql-policy'
 Compiling targeted sepostgresql module
 /usr/bin/checkmodule:  loading policy configuration from tmp/sepostgresql.tmp
 sepostgresql.te:349:ERROR 'syntax error' at token 
 'corenet_tcp_recvfrom_labeled' on line 5675:
 # NOTE: These changes are to be merged in the later releases.
 corenet_tcp_recvfrom_labeled(sepgsql_server_type, sepgsql_client_type)
 /usr/bin/checkmodule:  error(s) encountered while parsing configuration
 make[1]: *** [tmp/sepostgresql.mod] Error 1
 make[1]: Leaving directory `/home/tgl/sepgsql/contrib/sepgsql-policy'
 make: *** [sepostgresql.pp] Error 2
 [EMAIL PROTECTED] sepgsql-policy]$ 

This policy can be built on Fedora 9 or rawhide now.
The latest selinux-policy on Fedora 8 does not contain labeled networking
interfaces, so it makes errors.

FYI,
I also have a discussion to merge the SE-PostgreSQL security policy module
into the default upstreamed policy (called as reference policy).
  http://marc.info/?t=12057466831r=1w=2

I guess it will be merged former than the release date of PostgreSQL v8.4,
so it may not be necessary to include it within contrib/ .

In the next patch set, I like to provide it with different form.

 In the meantime, here are some random comments after my failed test
 build and a very fast scan through the patch:

 The patch tries to re-add ipcclean to the source tree --- probably a
 merge error?

I don't intend to modify ipcclean.
It is a bug in patch generation scripts, to be fixed soon.


 autoconf complains about the description-free AC_DEFINEs

OK, I add the following descriptions for my AC_DEFINEs.

AC_DEFINE(SECURITY_SYSATTR_NAME, security_context,
  [Enables system column for security attribute support])
AC_DEFINE_UNQUOTED(HAVE_SELINUX, 1,
  [Enables SE-PostgreSQL feature])


 Doesn't compile warning-free if selinux not enabled ... for that matter,
 it doesn't compile warning-free if selinux IS enabled.

Does it mean you run configure script without --enable-selinux?
I also confirmed some warnings to be fixed in the next patch set.
Or, is selinux disabled on your workstation?


 No documentation updates whatsoever :-(

OK, I'll add a new documentation at doc/src/sgml .
Is it your intention, isn't it?


 About half of the patch seems to be conditional on
   #ifdef SECURITY_SYSATTR_NAME
 and the other half on
   #ifdef HAVE_SELINUX
 This seems bizarre: is there really any chance that there are two
 independently usable chunks of code here?  And why is it conditional
 on a macro that is a field name, rather than conditional on a feature
 macro?  That is, I'd expect to see something like
   #ifdef ENABLE_SEPOSTGRES
 throughout.

SECURITY_SYSATTR_NAME is a name of security attribute system column,
and used to enable/disable this feature provided by PGACE.
I think PGACE has possible users more than SELinux, like Solaris TX.
Applying separated symbols are worthwhile when a new security module
requires security attribute but it is not SELinux.


 For that matter, what is the point of treating SECURITY_SYSATTR_NAME
 as a configurable thing in the first place?  I can hardly imagine a
 worse idea than a security-critical column having different names in
 different installations.

SECURITY_SYSATTR_NAME is defined as security_context in SE-PostgreSQL.
However, it is a special term of SELinux.
If we can agree this name, we don't have to abstract the name of security
attribute system column.


 The patch hasn't got a mode in which SELinux support is compiled in but
 not active.  This is a good way to ensure that no one will ever ship
 standard RPMs with the feature compiled in, because they will be entirely
 nonfunctional for people who aren't interested in setting up SELinux.
 I think you need an enable_sepostgres GUC, or something like that.
 (Of course, the overhead of the per-row security column would probably
 discourage anyone from wanting to use such a configuration anyway,
 so maybe the point is moot.)

We can turn on/off SELinux globally, not bounded to SE-PostgreSQL.
The reason why I didn't provide a mode bit like enable_sepostgresql
is to keep consistency in system configuration.
It is undesirable situation to disable SELinux on a partial inter-process
communication channels.

BTW, what does it mean the overhead of the per-row security column?
When SELinux is disabled, it is not labeled and does not consume any
additional spaces.

 sepgsql-policy has got usability problems:
 * It should pay attention to the configured installation PREFIX instead 

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Tom Lane]

KaiGai Kohei [EMAIL PROTECTED] writes:
 I updated the series of SE-PostgreSQL patches for the latest pgsql-8.4devel 
 tree.

I tried to do a bit of testing of this, but it does not work on current
Fedora 8, because the policy module doesn't build:

[EMAIL PROTECTED] sepgsql-policy]$ make
make -f /usr/share/selinux/devel/Makefile NAME=targeted
make[1]: Entering directory `/home/tgl/sepgsql/contrib/sepgsql-policy'
Compiling targeted sepostgresql module
/usr/bin/checkmodule:  loading policy configuration from tmp/sepostgresql.tmp
sepostgresql.te:349:ERROR 'syntax error' at token 
'corenet_tcp_recvfrom_labeled' on line 5675:
# NOTE: These changes are to be merged in the later releases.
corenet_tcp_recvfrom_labeled(sepgsql_server_type, sepgsql_client_type)
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
make[1]: *** [tmp/sepostgresql.mod] Error 1
make[1]: Leaving directory `/home/tgl/sepgsql/contrib/sepgsql-policy'
make: *** [sepostgresql.pp] Error 2
[EMAIL PROTECTED] sepgsql-policy]$ 


In the meantime, here are some random comments after my failed test
build and a very fast scan through the patch:

The patch tries to re-add ipcclean to the source tree --- probably a
merge error?

autoconf complains about the description-free AC_DEFINEs

Doesn't compile warning-free if selinux not enabled ... for that matter,
it doesn't compile warning-free if selinux IS enabled.

No documentation updates whatsoever :-(

About half of the patch seems to be conditional on
#ifdef SECURITY_SYSATTR_NAME
and the other half on
#ifdef HAVE_SELINUX
This seems bizarre: is there really any chance that there are two
independently usable chunks of code here?  And why is it conditional
on a macro that is a field name, rather than conditional on a feature
macro?  That is, I'd expect to see something like
#ifdef ENABLE_SEPOSTGRES
throughout.

For that matter, what is the point of treating SECURITY_SYSATTR_NAME
as a configurable thing in the first place?  I can hardly imagine a
worse idea than a security-critical column having different names in
different installations.

The patch hasn't got a mode in which SELinux support is compiled in but
not active.  This is a good way to ensure that no one will ever ship
standard RPMs with the feature compiled in, because they will be entirely
nonfunctional for people who aren't interested in setting up SELinux.
I think you need an enable_sepostgres GUC, or something like that.
(Of course, the overhead of the per-row security column would probably
discourage anyone from wanting to use such a configuration anyway,
so maybe the point is moot.)

sepgsql-policy has got usability problems:
* It should pay attention to the configured installation PREFIX instead of
hardwiring a couple of random possible installation locations
* It can only support the build machine's SELINUXTYPE --- how am I supposed
to produce RPMs that support all available types?

The contents and use of sepgsqlGetTupleName() make it look like the
entire security scheme is based on object name alone.  That doesn't
even account for schemas, let alone overloaded function names.  Please
tell me this is not as broken-by-design as it looks.

I occasionally tell people try to make the patch look like it's always
been there.  This is pretty far from meeting that goal.  Random bits
of code that are commented PGACE: are obviously not intended to just
fit in.  You've generally ignored the Postgres code layout conventions
(pgindent will help to some extent but it's far from a panacea) and our
commenting conventions --- eg, hardly any of the functions have header
comments, and the ones that do follow conventions seen noplace in the
Postgres code, like using @ on parameter names.  In general the number
and quality of the comments is far below the standard for Postgres code,
and the lack of any implementation documentation isn't helping.

Another big problem, which I understand your motivation for but that
doesn't make the code any less ugly, is that you've got trivial bits
of code that're separated by two(!) levels of hook calls from where
they're actually being used.  Not only does that make it unreadable
but the files that actually do the work combine bits of code that
should be scattered across a lot of modules, causing those files to
be just horrid from a modularity standpoint --- they've got their
fingers stuck in everyplace.  If you want this to get applied you need
to start thinking of it as an integral part of the code, not an add-on.

Some other bits of add-on-itis:
* If you need a dedicated LWLock, declare it in lwlock.h.
* If you need a node type, declare it in nodes.h (T_SEvalItem is utterly
  broken)

Why in the world would you have security restrictions associated with
TOAST tuples?  Seems like all the interesting restrictions should be
on the parent table.

Don't randomly invent your own style of management of a postmaster
child process.  For one thing, this code doesn't cope with either

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Greg Smith]

On Mon, 5 May 2008, Tom Lane wrote:


elog() should not be used for user-facing errors.  I couldn't easily
tell just which of the messages are likely to be seen by users and
which ones should be can't happen cases, but certainly there are
a whole lot of these that need to be ereport()s.  Likely there need
to be some new ERRCODEs too.


And it would be a nice step toward the scenarios I was asking about if 
there was a GUC variable for what level to log security violations at.  I 
realize now the tuple-level warnings are going into the SELinux logs 
rather than the PostgreSQL ones, but it should be easier to change policy 
violations that impact the server to something other than just ERROR.


--
* Greg Smith [EMAIL PROTECTED] http://www.gregsmith.com Baltimore, MD

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Tom Lane]

Josh Berkus [EMAIL PROTECTED] writes:
 For hackers who don't understand security frameworks, I'm going to make a 
 strong case for KaiGai's patch.
 ...
 So it would be much better to have this functionality be mainstream 
 rather than a fork.  If it does get bounced, please do it becuase of code 
 quality and not because nobody is asking for this.  

Well, let's be perfectly blunt here: this is an extremely sizable patch
that will be of interest to less than 1% of our users (and I think I'm
being generous in that estimate).  If it's going to get in, it's going
to have to not cost us anything much on reliability, maintainability,
or performance --- rank those however you please, there is someone out
there who will be most interested in any one of them.

My look at the code today convinced me that it's not going to get
applied without a whole lot of further work.  I think what we must
figure out in this commit-fest is whether to encourage KaiGai to start
doing that work, or to decide that it probably is a dead issue and he
shouldn't bother.

As to reliability: the issue that worries me the most was already raised
by Greg Smith --- this patch puts security checks and consequent catalog
lookups into some mighty low-level places that IMHO have no business
triggering catalog accesses.  If I'd been able to make the patch work
today, I'd have tested whether it could get through the regression tests
with CLOBBER_CACHE_ALWAYS defined.  I'd be happier if it were refactored
to put the security checks only into executor code paths, and not try to
enforce security restrictions against the system itself.  (Thought
experiment: what happens if SELinux denies access to a row of
pg_security to the code that is supposed to be checking security?
Or try this one: it looks to me like you can set up the system to
pretend to some user that the pg_class rows for certain indexes don't
exist, even though he has update rights on their parent table.  Instant
index corruption.)

As to maintainability: I already posted a lot of unhappy remarks on code
style and readability.  I don't think there's anything unfixable there,
but there's a lot of work to do to convert what was evidently written as
an arms-length add-on into a sensible part of core Postgres.

As to performance: frankly, I'm afraid the performance is abysmal.
This was what I was mainly hoping to check out if I could have gotten
it to build today.  We need to at least get some rough pgbench readings
before deciding whether it's worth pushing forward.

regards, tom lane

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Greg Smith]

On Wed, 30 Apr 2008, KaiGai Kohei wrote:


[1/4] sepostgresql-pgace-8.4devel-3-r739.patch
 provides PGACE (PostgreSQL Access Control Extension) framework.
  http://sepgsql.googlecode.com/files/sepostgresql-pgace-8.4devel-3-r739.patch


For those overwhelmed by sheer volume here, this is the patch to start 
with, because it's got all the core changes to the server.  I'm also in 
the camp that would like to see this feature added, but rather than just 
giving it a +1 I started looking at it.


The overall code is nice:  easy to understand, structured modularly.  I 
have some concerns though.  The first two things that jump out at me on an 
initial review appear right from the beginning for those who want to take 
a look:


-I'm a bit unnerved by both the performance and reliability implications 
from how the security check calls are done in every case, even if there is 
no SELinux support included.  Those checks are sitting in some pretty low 
level tuple and heap calls.


The approach taken here is to put all the #ifdef logic into the 
underlying ACE interface (see patch [2/4]), so that the caller doesn't 
have to care.  If SELinux support is off then the calls turns into


  void x(y) {} or
  bool a(b) { return true; }

This is a very clean design, but it's putting extra (possibly optimized 
away) calls into a lot of places.  While it would be uglier, it might make 
sense to put that on/off logic in all the places where the calls are made, 
so that when you turn SELinux support off most of the code really does go 
completely away rather than just turning into stubs.


-The only error reporting and handling method used is elog(ERROR, 
That seems a bit heavy handed for something that can be expected to happen 
all the time.


If I understand this correctly, when you're scanning a table with 1000 
rows where you're only allowed to see 50% of them, that's going to be 500 
call to elog(), one for each tuple you can't see.  Having a tuple get 
screened out isn't really an error per se, and while I can see how 
sensitive installs would want those all reported there are others where 
this volume of log activity would be too much.  Just because someone with 
classified clearance is looking at a big table that also has a lot of 
secret info in it, not all installs will want a million errors reported 
just because there's data that person can't see available.


At a minimum, this needs some finer log control, and maybe a rethinking 
altogether of how to handle error cases.


--
* Greg Smith [EMAIL PROTECTED] http://www.gregsmith.com Baltimore, MD

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Gregory Stark]

Greg Smith [EMAIL PROTECTED] writes:

 The approach taken here is to put all the #ifdef logic into the underlying
 ACE interface (see patch [2/4]), so that the caller doesn't have to care.  If
 SELinux support is off then the calls turns into

   void x(y) {} or
   bool a(b) { return true; }

 This is a very clean design, but it's putting extra (possibly optimized away)
 calls into a lot of places.  While it would be uglier, it might make sense to
 put that on/off logic in all the places where the calls are made, so that when
 you turn SELinux support off most of the code really does go completely away
 rather than just turning into stubs.

It's nicer to do it the way they have but we don't generally trust compilers
to inline functions. Is it hard to make those functions into macros?

 -The only error reporting and handling method used is elog(ERROR, That
 seems a bit heavy handed for something that can be expected to happen all the
 time.

 If I understand this correctly, when you're scanning a table with 1000 rows
 where you're only allowed to see 50% of them, that's going to be 500 call to
 elog(), one for each tuple you can't see.  Having a tuple get screened out
 isn't really an error per se, and while I can see how sensitive installs would
 want those all reported there are others where this volume of log activity
 would be too much.  Just because someone with classified clearance is looking
 at a big table that also has a lot of secret info in it, not all installs will
 want a million errors reported just because there's data that person can't see
 available.

I don't understand, if it's ERROR it would throw an error and stop the current
query. Or is this all within a PG_TRY() ? 

-- 
  Gregory Stark
  EnterpriseDB  http://www.enterprisedb.com
  Ask me about EnterpriseDB's RemoteDBA services!

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[KaiGai Kohei]

Greg Smith wrote:

On Wed, 30 Apr 2008, KaiGai Kohei wrote:


[1/4] sepostgresql-pgace-8.4devel-3-r739.patch
 provides PGACE (PostgreSQL Access Control Extension) framework.
  
http://sepgsql.googlecode.com/files/sepostgresql-pgace-8.4devel-3-r739.patch 



For those overwhelmed by sheer volume here, this is the patch to start 
with, because it's got all the core changes to the server.  I'm also in 
the camp that would like to see this feature added, but rather than just 
giving it a +1 I started looking at it.


The overall code is nice:  easy to understand, structured modularly.  I 
have some concerns though.  The first two things that jump out at me on 
an initial review appear right from the beginning for those who want to 
take a look:


Thanks for your attention  reviewing.

-I'm a bit unnerved by both the performance and reliability implications 
from how the security check calls are done in every case, even if there 
is no SELinux support included.  Those checks are sitting in some pretty 
low level tuple and heap calls.


The approach taken here is to put all the #ifdef logic into the 
underlying ACE interface (see patch [2/4]), so that the caller doesn't 
have to care.  If SELinux support is off then the calls turns into


  void x(y) {} or
  bool a(b) { return true; }

This is a very clean design, but it's putting extra (possibly optimized 
away) calls into a lot of places.  While it would be uglier, it might 
make sense to put that on/off logic in all the places where the calls 
are made, so that when you turn SELinux support off most of the code 
really does go completely away rather than just turning into stubs.


Your concern is fair enough. I indeed used inline function to avoid unnecessary
invokation in the previous version, as follows:
  
http://code.google.com/p/sepgsql/source/browse/branches/pgsql-8.2.x/sepgsql/src/include/security/pgace.h

However, I changed this design, because it requires any security modules
have to provides its implementation for any hooks, including just a stub.
In the current design, author of another security modules can leave unused
hooks unchanged. It improves code maintenancability.

But an inspiration hit me just now.
If we declare any hooks as static inline functions which includes #ifdef
block, it can resolve these matters as follows:
 EXAMPLE 
static inline bool pgaceHeapTupleInsert(Relation rel, HeapTuple tuple,
bool is_internal, bool with_returning) {
#ifdef HAVE_SELINUX
if (sepgsqlIsEnabled())
return sepgsqlHeapTupleInsert(rel, tuple, is_internal, with_returning);
#endif
return true;
}

Is it reasonable idea?

-The only error reporting and handling method used is elog(ERROR, 
That seems a bit heavy handed for something that can be expected to 
happen all the time.


SE-PostgreSQL invokes elog(ERROR,..., when a given query tries to access
violated columns, tables and so on, but not for each tuple.

In row-level access controls, it filters violated tuples without aborting
query execution. However, elog(NOTICE,... can be invoked, if the security
policy requires to generate access denied logs on row-level.

If I understand this correctly, when you're scanning a table with 1000 
rows where you're only allowed to see 50% of them, that's going to be 
500 call to elog(), one for each tuple you can't see.


The security policy can control whether access denied logs should be
printed, or not.
In the default security policy provided by the patch [4/4], row-level
access denied logs are disabled to avoid flood of logs as you noticed.

If you want to turn on/off row-level logs, use the following command:
  # setsebool -P sepgsql_enable_audittuple=(1|0)
It changes the internal state of security policy, and SE-PostgreSQL
works according to this one.

Having a tuple 
get screened out isn't really an error per se, and while I can see how 
sensitive installs would want those all reported there are others where 
this volume of log activity would be too much.  Just because someone 
with classified clearance is looking at a big table that also has a lot 
of secret info in it, not all installs will want a million errors 
reported just because there's data that person can't see available.


At a minimum, this needs some finer log control, and maybe a rethinking 
altogether of how to handle error cases.


Thanks,
--
KaiGai Kohei [EMAIL PROTECTED]

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[KaiGai Kohei]

I updated the series of SE-PostgreSQL patches for the latest pgsql-8.4devel 
tree.

[1/4] sepostgresql-pgace-8.4devel-3-r739.patch
  provides PGACE (PostgreSQL Access Control Extension) framework.
   http://sepgsql.googlecode.com/files/sepostgresql-pgace-8.4devel-3-r739.patch

[2/4] sepostgresql-sepgsql-8.4devel-3-r739.patch
  provides SE-PostgreSQL feature, based on PGACE framework.
   
http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r739.patch

[3/4] sepostgresql-pg_dump-8.4devel-3-r739.patch
  enables to dump databases with security attribute.
   
http://sepgsql.googlecode.com/files/sepostgresql-pg_dump-8.4devel-3-r739.patch

[4/4] sepostgresql-policy-8.4devel-3-r739.patch
  provides the default security policy of SE-PostgreSQL.
   http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r739.patch

We provide a quick overview for SE-PostgreSQL at:
http://code.google.com/p/sepgsql/wiki/WhatIsSEPostgreSQL

Thanks,

KaiGai Kohei wrote:
 The series of patches are the proposal of Security-Enhanced PostgreSQL 
 (SE-PostgreSQL)
 for the upstreamed PostgreSQL 8.4 development cycle.
 
  [1/4] sepostgresql-pgace-8.4devel-3.patch
  provides PGACE (PostgreSQL Access Control Extension) framework
 
 http://sepgsql.googlecode.com/files/sepostgresql-pgace-8.4devel-3-r704.patch
 
  [2/4] sepostgresql-sepgsql-8.4devel-3.patch
  provides SE-PostgreSQL feature, based on PGACE framework.
 
 http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r704.patch
 
  [3/4] sepostgresql-pg_dump-8.4devel-3.patch
  enables pg_dump to dump database with security attribute.
 
 http://sepgsql.googlecode.com/files/sepostgresql-pg_dump-8.4devel-3-r704.patch
 
  [4/4] sepostgresql-policy-8.4devel-3.patch
  provides the default security policy for SE-PostgreSQL.
 
 http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r704.patch
 
 We can provide a quick overview for SE-PostgreSQL at:
 http://code.google.com/p/sepgsql/wiki/WhatIsSEPostgreSQL
 
 ENVIRONMENT
 ---
 Please confirm your environment.
 The followings are requriements of SE-PostgreSQL.
  * Fedora 8 or later system
  * SELinux is enabled and working
  * kernel-2.6.24 or later
  * selinux-policy and selinux-policy-devel v3.0.8 or later
  * libselinux, policycoreutils
 
 INSTALLATION
 
 $ tar jxvf postgresql-snapshot.tar.bz2
 $ cd postgresql-snapshot
 $ patch -p1  ../sepostgresql-pgace-8.4devel-3.patch
 $ patch -p1  ../sepostgresql-sepgsql-8.4devel-3.patch
 $ patch -p1  ../sepostgresql-pg_dump-8.4devel-3.patch
 $ patch -p1  ../sepostgresql-policy-8.4devel-3.patch
 
 $ ./configure --enable-selinux
 $ make
 $ make -C contrib/sepgsql-policy
 $ su
 # make install
 
 # /usr/sbin/semodule -i contrib/sepgsql-policy/sepostgresql.pp
   (NOTE: semodule is a utility to load/unload security policy modules.)
 
 # /sbin/restorecon -R /usr/local/pgsql
   (NOTE: restorecon is a utilicy to initialize security context of files.)
 
 SETUP
 -
 # mkdir -p /opt/sepgsql
 # chown foo_user:var_group /opt/sepgsql
 # chcon -t postgresql_db_t /opt/sepgsql
   (NOTE: chcon is a utility to set up security context of files.)
 # exit
 
 $ /usr/sbin/run_init /usr/local/pgsql/bin/initdb -D /opt/sepgsql
   (NOTE: run_init is a utility to start a program, as if it is branched from 
 init script.)
 $ /usr/local/pgsql/bin/pg_ctl -D /opt/sepgsql start
 
 
 SUMMARYS FOR EVERY PATCHES
 --
 [1/4] - sepostgresql-pgace-8.4devel-3.patch
 
 This patch provides PGACE (PostgreSQL Access Control Extension) framework.
 
 It has a similar idea of LSM (Linu Security Module).
 It can provide a guest module several hooks at strategic points.
 The guest module can make its decision whether required actions should be
 allowed, or not.
 In addition, PGACE also provides falicilites to manage security attribute
 of database objects. Any tuple can have a its security attribute, and the
 guest module can refer it to control accesses.
 
   A more conprehensive memo at:
 http://code.google.com/p/sepgsql/wiki/WhatIsPGACE
 
 [2/4] - sepostgresql-sepgsql-8.4devel-3.patch
 
 This patch provides SE-PostgreSQL facilities based on PGACE.
 
 Security-Enhanced PostgreSQL (SE-PostgreSQL) is a security extension
 built in PostgreSQL, to provide system-wide consistency in access
 controls. It enables to apply a single unigied security policy of
 SELinux for both operating system and database management system.
 In addition, it also provides fine-grained mandatory access which
 includes column-/row- level non-bypassable access control even if
 privileged database users.
 
   Quick overview at:
 http://code.google.com/p/sepgsql/wiki/WhatIsSEPostgreSQL
 
 [3/4] - sepostgresql-pg_dump-8.4devel-3.patch
 
 This patch gives us a feature to dump database with security attribute.
 It is turned on with '--enable-selinux' option at pg_dump/pg_dumpall,
 when the server works as SE- 

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Josh Berkus]

Folks,

For hackers who don't understand security frameworks, I'm going to make a 
strong case for KaiGai's patch.  Because of my current presentation 
series, I've been talking to PostgreSQL users about security features 
around the world for the last several months, and there's a *lot* of 
interest in security framework support.  Not only are existing users 
interested in it, but some potential users (security agencies, banks) who 
didn't use PostgreSQL before have come to talk to me becuase of 
SE-Postgres.

Further, I've asked the TrustedSolaris folks to take a look at KaiGai's 
implementation to see if it was generic enough for them to build on as a 
test of whether SE-Postgres was too specific to SE-Linux; the answer has 
been a tentative yes, it's generic.

So it would be much better to have this functionality be mainstream 
rather than a fork.  If it does get bounced, please do it becuase of code 
quality and not because nobody is asking for this.  

Thanks!

-- 
--Josh

Josh Berkus
PostgreSQL @ Sun
San Francisco

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Joshua D. Drake]

Josh Berkus wrote:
 Folks,

 So it would be much better to have this functionality be mainstream 
 rather than a fork.  If it does get bounced, please do it becuase of code 
 quality and not because nobody is asking for this.  

+1

Joshua D. Drake

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Andrej Ricnik-Bay]

On 01/05/2008, Josh Berkus [EMAIL PROTECTED] wrote:
  Further, I've asked the TrustedSolaris folks to take a look at KaiGai's
  implementation to see if it was generic enough for them to build on as a
  test of whether SE-Postgres was too specific to SE-Linux; the answer has
  been a tentative yes, it's generic.

  So it would be much better to have this functionality be mainstream
  rather than a fork.  If it does get bounced, please do it becuase of code
  quality and not because nobody is asking for this.

Not a hacker, just a curious reader ... are there equivalent frameworks
for the other supported platforms?  E.g. MacOS, *BSD, Windows? Are
the similarities between those (if they exist) close enough not to introduce
a maintenance nightmare?


Cheers,
Andrej

-- 
Please don't top post, and don't use HTML e-Mail :}  Make your quotes concise.

http://www.american.edu/econ/notes/htmlmail.htm

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Greg Smith]

On Thu, 1 May 2008, Andrej Ricnik-Bay wrote:


Not a hacker, just a curious reader ... are there equivalent frameworks
for the other supported platforms?  E.g. MacOS, *BSD, Windows?


SELinux is a Linux implementation of ideas from an earlier NSA project 
named Flask.  There is port of another variant of that, Flask/TE, that is 
making its way into the BSD variants via a project called SEBSD. 
TrustedBSD, Darwin (OS X), and OpenSolaris all have projects in this area 
already (the Solaris one just launched last month).  A good starter page 
is http://www.trustedbsd.org/sebsd.html


Particularly given the common heritage, I suspect that the PostgreSQL side 
of all these projects will be similar, and that once those hooks are in 
place it will just be a matter of tying them into the higher levels of the 
other framework.  It would be too ambitious to target all of them all at 
once for a first pass, but it may be worth a look at the fundamentals of 
SEBSD to make sure the right hooks look like they're in place.


Windows has this thing called Group Policy that's supposedly leaped 
forward for Windows Server 2008.  They are now advertising it as like 
SELinux, but better.  The presentation PDF I just read on that subject 
sounds like something written by the crazy guy at Broadway  57th street I 
used to walk by, as he talked on fruit as if they were his cell phone. 
It's such a deluded and wildly misguided bit of sales fluff that you can't 
take it seriously, and the whole thing just leaves me feeling sorry for 
them instead.


--
* Greg Smith [EMAIL PROTECTED] http://www.gregsmith.com Baltimore, MD

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Josh Berkus]

KaiGai,

 NSA and SUN announces a new project launched which tries to port FLASK
 security architecture, it is named as FMAC.
 It can be a good candidate to host multilevel database security.
 (SELinux is also based on FLASK security architecture.)

 SEBSD project is also known. It is a poring of SELinux into BSD platform.
   SEBSD: http://www.trustedbsd.org/sebsd.html

Keen.  I'm sure Kathy's team understands all this.  It's over my head.  ;-)

-- 
Josh Berkus
PostgreSQL @ Sun
San Francisco

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Kohei KaiGai]

Zdenek Kotala wrote:
 Kohei KaiGai napsal(a):
 It seems to me some of SE-PostgreSQL patches are not delivered yet,
 although [3/4] and [4/4] were already done.

 Does anti-spam system caught my previous three messages?
 If necessary, I will send them again.
 
 There is a file size limitation. If your patch is too big (I guess over
 40kB), please gzip it or send only url for download.
 
   Zdenek

Thanks for your information,

Your estimation is correct. Two of them are over the limitaion.
So, I'll send it again with gzip'ed attachment.

[EMAIL PROTECTED] a]$ ls -lh *-8.4devel-*.patch
-rw-r--r-- 1 kaigai users  17K 2008-03-17 13:01 
sepostgresql-pg_dump-8.4devel-3.patch
-rw-r--r-- 1 kaigai users 134K 2008-03-17 13:01 
sepostgresql-pgace-8.4devel-3.patch
-rw-r--r-- 1 kaigai users  17K 2008-03-17 13:01 
sepostgresql-policy-8.4devel-3.patch
-rw-r--r-- 1 kaigai users 138K 2008-03-17 13:01 
sepostgresql-sepgsql-8.4devel-3.patch

-- 
OSS Platform Development Division, NEC
KaiGai Kohei [EMAIL PROTECTED]

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Zdenek Kotala]

Kohei KaiGai napsal(a):
 It seems to me some of SE-PostgreSQL patches are not delivered yet,
 although [3/4] and [4/4] were already done.
 
 Does anti-spam system caught my previous three messages?
 If necessary, I will send them again.

There is a file size limitation. If your patch is too big (I guess over
40kB), please gzip it or send only url for download.

Zdenek

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[KaiGai Kohei]

Alvaro Herrera wrote:

Kohei KaiGai wrote:

The series of patches are the proposal of Security-Enhanced PostgreSQL
(SE-PostgreSQL) for the upstreamed PostgreSQL 8.4 development cycle.


Before we go any further, is this work derived from SELinux?  If so, is
it covered under the GPL?  If so, can it be licensed under BSD terms?

Obviously, if it's not BSD, we cannot include it in Postgres.


All of SE-PostgreSQL works are licensed unser BSD terms.
We are considering to push SE-PostgreSQL into upstreamed PostgreSQL from
the beginning, and we understand to choose GPL makes it impossible.

Thanks,
--
KaiGai Kohei [EMAIL PROTECTED]

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[KaiGai Kohei]

I'll submit the proposal of SE-PostgreSQL patches again, because some of 
previous
messages are filtered due to attachment and I cannot provide whole of patches 
yet.
Please refer the pointed URL, as follows.

--
The series of patches are the proposal of Security-Enhanced PostgreSQL 
(SE-PostgreSQL)
for the upstreamed PostgreSQL 8.4 development cycle.

 [1/4] sepostgresql-pgace-8.4devel-3.patch
 provides PGACE (PostgreSQL Access Control Extension) framework
http://sepgsql.googlecode.com/files/sepostgresql-pgace-8.4devel-3-r704.patch

 [2/4] sepostgresql-sepgsql-8.4devel-3.patch
 provides SE-PostgreSQL feature, based on PGACE framework.

http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r704.patch

 [3/4] sepostgresql-pg_dump-8.4devel-3.patch
 enables pg_dump to dump database with security attribute.

http://sepgsql.googlecode.com/files/sepostgresql-pg_dump-8.4devel-3-r704.patch

 [4/4] sepostgresql-policy-8.4devel-3.patch
 provides the default security policy for SE-PostgreSQL.

http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r704.patch

We can provide a quick overview for SE-PostgreSQL at:
http://code.google.com/p/sepgsql/wiki/WhatIsSEPostgreSQL

ENVIRONMENT
---
Please confirm your environment.
The followings are requriements of SE-PostgreSQL.
 * Fedora 8 or later system
 * SELinux is enabled and working
 * kernel-2.6.24 or later
 * selinux-policy and selinux-policy-devel v3.0.8 or later
 * libselinux, policycoreutils

INSTALLATION

$ tar jxvf postgresql-snapshot.tar.bz2
$ cd postgresql-snapshot
$ patch -p1  ../sepostgresql-pgace-8.4devel-3.patch
$ patch -p1  ../sepostgresql-sepgsql-8.4devel-3.patch
$ patch -p1  ../sepostgresql-pg_dump-8.4devel-3.patch
$ patch -p1  ../sepostgresql-policy-8.4devel-3.patch

$ ./configure --enable-selinux
$ make
$ make -C contrib/sepgsql-policy
$ su
# make install

# /usr/sbin/semodule -i contrib/sepgsql-policy/sepostgresql.pp
  (NOTE: semodule is a utility to load/unload security policy modules.)

# /sbin/restorecon -R /usr/local/pgsql
  (NOTE: restorecon is a utilicy to initialize security context of files.)

SETUP
-
# mkdir -p /opt/sepgsql
# chown foo_user:var_group /opt/sepgsql
# chcon -t postgresql_db_t /opt/sepgsql
  (NOTE: chcon is a utility to set up security context of files.)
# exit

$ /usr/sbin/run_init /usr/local/pgsql/bin/initdb -D /opt/sepgsql
  (NOTE: run_init is a utility to start a program, as if it is branched from 
init script.)
$ /usr/local/pgsql/bin/pg_ctl -D /opt/sepgsql start


SUMMARYS FOR EVERY PATCHES
--
[1/4] - sepostgresql-pgace-8.4devel-3.patch

This patch provides PGACE (PostgreSQL Access Control Extension) framework.

It has a similar idea of LSM (Linu Security Module).
It can provide a guest module several hooks at strategic points.
The guest module can make its decision whether required actions should be
allowed, or not.
In addition, PGACE also provides falicilites to manage security attribute
of database objects. Any tuple can have a its security attribute, and the
guest module can refer it to control accesses.

  A more conprehensive memo at:
http://code.google.com/p/sepgsql/wiki/WhatIsPGACE

[2/4] - sepostgresql-sepgsql-8.4devel-3.patch

This patch provides SE-PostgreSQL facilities based on PGACE.

Security-Enhanced PostgreSQL (SE-PostgreSQL) is a security extension
built in PostgreSQL, to provide system-wide consistency in access
controls. It enables to apply a single unigied security policy of
SELinux for both operating system and database management system.
In addition, it also provides fine-grained mandatory access which
includes column-/row- level non-bypassable access control even if
privileged database users.

  Quick overview at:
http://code.google.com/p/sepgsql/wiki/WhatIsSEPostgreSQL

[3/4] - sepostgresql-pg_dump-8.4devel-3.patch

This patch gives us a feature to dump database with security attribute.
It is turned on with '--enable-selinux' option at pg_dump/pg_dumpall,
when the server works as SE- version.
No need to say, users need to have enough capabilities to dump whole of
database. It it same when they tries to restore the database.

[4/4] - sepostgresql-policy-8.4devel-3.patch

This patch gives us the default security policy for SE-PostgreSQL.
You can build it as a security policy module. It can be linked with
the existing distributor's policy, and reloaded.

-- 
KaiGai Kohei [EMAIL PROTECTED]

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Alvaro Herrera]

Kohei KaiGai wrote:
 The series of patches are the proposal of Security-Enhanced PostgreSQL
 (SE-PostgreSQL) for the upstreamed PostgreSQL 8.4 development cycle.

Before we go any further, is this work derived from SELinux?  If so, is
it covered under the GPL?  If so, can it be licensed under BSD terms?

Obviously, if it's not BSD, we cannot include it in Postgres.

-- 
Alvaro Herrerahttp://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Alvaro Herrera]

KaiGai Kohei wrote:
 Alvaro Herrera wrote:

 Before we go any further, is this work derived from SELinux?  If so, is
 it covered under the GPL?  If so, can it be licensed under BSD terms?

 All of SE-PostgreSQL works are licensed unser BSD terms.
 We are considering to push SE-PostgreSQL into upstreamed PostgreSQL from
 the beginning, and we understand to choose GPL makes it impossible.

Right.  The question is: since this is derived from SE-Linux, is it
affected by SE-Linux license?

-- 
Alvaro Herrerahttp://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[KaiGai Kohei]

Alvaro Herrera wrote:

KaiGai Kohei wrote:

Alvaro Herrera wrote:



Before we go any further, is this work derived from SELinux?  If so, is
it covered under the GPL?  If so, can it be licensed under BSD terms?

All of SE-PostgreSQL works are licensed unser BSD terms.
We are considering to push SE-PostgreSQL into upstreamed PostgreSQL from
the beginning, and we understand to choose GPL makes it impossible.


Right.  The question is: since this is derived from SE-Linux, is it
affected by SE-Linux license?


No, SE-PostgreSQL does not derivered from SELinux.

I guess you worry about SE-PostgreSQL contains a part of SELinux licensed
as GPL, but it is incorrect.
SE-PostgreSQL communicate with SELinux to make its decision in access control,
via an official interface provided by libselinux, because it does not have
information to make its decision.
The libselinux is linked with SE-PostgreSQL, but it is licensed as public
domain software by NSA.

Therefore, we have no issues related to imcompatible licenses.

Thanks,
--
KaiGai Kohei [EMAIL PROTECTED]

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Josh Berkus]

KaiGai,

 The series of patches are the proposal of Security-Enhanced PostgreSQL
 (SE-PostgreSQL) for the upstreamed PostgreSQL 8.4 development cycle.

Since I'm (Finally!) expecting the TrustedSolaris folks to put some work into 
PostgreSQL as well this year, I'm going to ask them to look over PGACE to see 
if this implementation is (still) generic enough to support TS as well.  If 
it is, then it's probably generic enough to be a general building block.

-- 
Josh Berkus
PostgreSQL @ Sun
San Francisco

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[KaiGai Kohei]

Josh Berkus wrote:
 KaiGai,
 
 The series of patches are the proposal of Security-Enhanced PostgreSQL
 (SE-PostgreSQL) for the upstreamed PostgreSQL 8.4 development cycle.
 
 Since I'm (Finally!) expecting the TrustedSolaris folks to put some work into 
 PostgreSQL as well this year, I'm going to ask them to look over PGACE to see 
 if this implementation is (still) generic enough to support TS as well.  If 
 it is, then it's probably generic enough to be a general building block.

We can extend PGACE framework to mount TrustedSolaris features.
If they need new hooks which is not used in SE-PostgreSQL, it can
remain the default behavior.
The default PGACE behavior gives us no effects in access controls.

A flexible framework is worthwhile for both operating systems.
Please confirm it to the TS folks.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei [EMAIL PROTECTED]

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Josh Berkus]

KaiGai,

 A flexible framework is worthwhile for both operating systems.
 Please confirm it to the TS folks.

Yep, that's the idea.  Glenn was fine with your stuff last year, I expect 
it'll still be fine.  

Other than SELinux and TrustedSolaris, does anyone know of other role-based or 
multilevel security frameworks we should check against?  I'd like to have any 
security framework we approve be plug-in adaptable to everything out there.

-- 
Josh Berkus
PostgreSQL @ Sun
San Francisco

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers

Re: [HACKERS] [0/4] Proposal of SE-PostgreSQL patches

[Kohei KaiGai]

It seems to me some of SE-PostgreSQL patches are not delivered yet,
although [3/4] and [4/4] were already done.

Does anti-spam system caught my previous three messages?
If necessary, I will send them again.

Thanks,

Kohei KaiGai wrote:
 The series of patches are the proposal of Security-Enhanced PostgreSQL
 (SE-PostgreSQL) for the upstreamed PostgreSQL 8.4 development cycle.
 
  [1/4] sepostgresql-pgace-8.4devel-3.patch
  provides PGACE (PostgreSQL Access Control Extension) framework
  [2/4] sepostgresql-sepgsql-8.4devel-3.patch
  provides SE-PostgreSQL feature, based on PGACE framework.
  [3/4] sepostgresql-pg_dump-8.4devel-3.patch
  enables pg_dump to dump database with security attribute.
  [4/4] sepostgresql-policy-8.4devel-3.patch
  provides the default security policy for SE-PostgreSQL.
 - snip -

-- 
OSS Platform Development Division, NEC
KaiGai Kohei [EMAIL PROTECTED]

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers