Re: SE-PostgreSQL Specifications - Mailing list pgsql-hackers
From | Sam Mason
---|---
Subject | Re: SE-PostgreSQL Specifications
Date |
Msg-id | 20090725234933.GN5407@samason.me.uk
In response to | Re: SE-PostgreSQL Specifications (Robert Haas <robertmhaas@gmail.com>)
Responses | Re: SE-PostgreSQL Specifications; Re: SE-PostgreSQL Specifications
List | pgsql-hackers
On Sat, Jul 25, 2009 at 04:39:29PM -0400, Robert Haas wrote:
> On Sat, Jul 25, 2009 at 4:27 PM, Sam Mason <sam@samason.me.uk> wrote:
> > I thought the whole point of MAC was that superusers don't exist any
> > more--at least not with the power they currently do.
>
> It's been billed that way, but it's not really accurate. A more
> accurate statement would be that it's possible to create a system in
> which there is no unconfined role.

Yes, that sounds more precise! I'm still unsure of terminology; what's an
"unconfined role"? I guess the layman's description is similar to a
"superuser", but I'm sure there's a more refined definition somewhere.
Hum, I've just found Fedora's guide, is the following considered a
reasonable picture:

http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/chap-Security-Enhanced_Linux-Targeted_Policy.html

> > Organizations may
> > well not trust specific parts of their database to certain types of
> > backups, SE-PG should allow this to be controlled somewhat.
>
> I imagine it would be possible to run pg_dump on a database where you
> couldn't see all of the objects, and get a dump of just those, but
> that's only tangentially related to whether such things as superusers
> exist.

I'm not sure what point you're trying to make; in my understanding
superusers can see and do anything--hence they can make a backup.

> If superusers DON'T exist, that would be making the opposite
> statement, namely, that there isn't ANY WAY to get a backup that you
> can be sure DOES contain all of the objects.

The traditional approach would be to maintain multiple physically
separate databases; in this setup it's obvious that when you perform a
backup of one of these databases you're only seeing a subset of "all of
the objects". Isn't SE-PG just allowing you to do this within a single
PG database?

> And while I believe
> SE-Linux/SE-PostgreSQL would allow you to configure such a system, you
> might want to think carefully before you decide to do so, and the
> system certainly shouldn't (and can't) force you to set it up that
> way.

I agree that this would seem to make the resulting system easier to
manage, however I can also imagine scenarios where the converse would be
true. This is a fuzzy engineering decision of the sort that I don't like
making without a use case---and it would be nice to have several here.

> > pg_dump can complain if it doesn't see everything it expected to
>
> If pg_dump can tell that there is information missing, the system
> hasn't done a very good job of hiding its existence, which is surely
> the whole point here.

Hum, good point--scratch that idea then!

--
Sam http://samason.me.uk/