Updates of SE-PostgreSQL 8.4devel patches (r1324) - Mailing list pgsql-hackers

From: KaiGai Kohei
Subject: Updates of SE-PostgreSQL 8.4devel patches (r1324)
Msg-id: 4948B6BD.1050402@ak.jp.nec.com
In response to: Updates of SE-PostgreSQL 8.4devel patches (r1280) (KaiGai Kohei <kaigai@ak.jp.nec.com>)
Responses: Re: Updates of SE-PostgreSQL 8.4devel patches (r1324); Re: Updates of SE-PostgreSQL 8.4devel patches (r1324); Updates of SE-PostgreSQL 8.4devel patches (r1348)
List: pgsql-hackers
I updated the patch set of SE-PostgreSQL and related ones (r1324).

[1/5] http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r1324.patch
[2/5] http://sepgsql.googlecode.com/files/sepostgresql-utils-8.4devel-3-r1324.patch
[3/5] http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r1324.patch
[4/5] http://sepgsql.googlecode.com/files/sepostgresql-docs-8.4devel-3-r1324.patch
[5/5] http://sepgsql.googlecode.com/files/sepostgresql-tests-8.4devel-3-r1324.patch

Draft of the SE-PostgreSQL documentation is here:
http://wiki.postgresql.org/wiki/SEPostgreSQL

List of updates:

- The patches are rebased to the latest CVS HEAD.

- Now the "sepostgresql-sepgsql-8.4devel-3-r1324.patch" contains the PGACE
  security framework, SE-PostgreSQL and Row-level ACLs. So, the 6th patch
  has gone.

- It allows compiling multiple security features into a single binary.
  The Row-level ACLs feature is always available, and SE-PostgreSQL is
  available when we build it with the "--enable-selinux" option.

- Two new system columns ("security_acl" and "security_label") are added.
  The first one is for the Row-level ACLs, and the other is for the guest
  of the PGACE security framework which is chosen by the user.

- Some interfaces are changed:
  * initdb got a new option "--pgace-feature" which allows specifying one
    or no MAC feature on initialization of $PGDATA.
    e.g) $ initdb --pgace-feature=selinux
  * pg_dump got two new options (--security-acl and --security-label) to
    dump row-level ACLs and security contexts.
  * $PGDATA/postgresql.conf has a new parameter "pgace_feature". It enables
    users to choose an enhanced security mechanism from the candidates.
    Currently, SE-PostgreSQL is the only candidate.

- Todo item
  * Documentation updates.
    The "sepostgresql-docs-8.4devel-3-r1324.patch" is not up to date, because
    higher priority should be given to providing the patch set for reviewers.
    So, I'll update the src/doc/* from now.
Thanks,

===[ Example ]========================================================
postgres=# CREATE TABLE t1 (a int, b text) WITH (row_level_acl=on);
CREATE TABLE
postgres=# INSERT INTO t1 VALUES (1, 'aaa'), (2, 'bbb'), (3, 'ccc');
INSERT 0 3
postgres=# SELECT security_label, security_acl, * FROM t1;
              security_label              |  security_acl  | a |  b
------------------------------------------+----------------+---+-----
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai} | 1 | aaa
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai} | 2 | bbb
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai} | 3 | ccc
(3 rows)

postgres=# INSERT INTO t1 (security_acl, a, b) VALUES ('{kaigai=rw/kaigai}', 4, 'ddd');
INSERT 0 1
postgres=# INSERT INTO t1 (security_label, security_acl, a, b)
             VALUES ('system_u:object_r:sepgsql_ro_table_t:s0', '{kaigai=rx/kaigai}', 5, 'eee');
INSERT 0 1
postgres=# SELECT security_label, security_acl, * FROM t1;
              security_label              |    security_acl    | a |  b
------------------------------------------+--------------------+---+-----
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai}     | 1 | aaa
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai}     | 2 | bbb
 unconfined_u:object_r:sepgsql_table_t:s0 | {=rwdx/kaigai}     | 3 | ccc
 unconfined_u:object_r:sepgsql_table_t:s0 | {kaigai=rw/kaigai} | 4 | ddd
 system_u:object_r:sepgsql_ro_table_t:s0  | {kaigai=rx/kaigai} | 5 | eee
(5 rows)

postgres=# UPDATE t1 SET security_label = sepgsql_set_user(security_label, 'system_u'),
                         security_acl = '{kaigai=r/kaigai}';
UPDATE 5
postgres=# SELECT security_label, security_acl, * FROM t1;
             security_label              |   security_acl    | a |  b
-----------------------------------------+-------------------+---+-----
 system_u:object_r:sepgsql_table_t:s0    | {kaigai=r/kaigai} | 1 | aaa
 system_u:object_r:sepgsql_table_t:s0    | {kaigai=r/kaigai} | 2 | bbb
 system_u:object_r:sepgsql_table_t:s0    | {kaigai=r/kaigai} | 3 | ccc
 system_u:object_r:sepgsql_table_t:s0    | {kaigai=r/kaigai} | 4 | ddd
 system_u:object_r:sepgsql_ro_table_t:s0 | {kaigai=r/kaigai} | 5 | eee
(5 rows)

postgres=#

--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
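As an added example (not code from the SE-PostgreSQL patches or from the author), a small Python script that works with the two per-row values shown in the session above: it parses a "security_acl" array into (grantee, privilege letters, grantor) items, checks whether a role holds a privilege through a direct or PUBLIC entry, and rewrites the user field of a "security_label" the way sepgsql_set_user() does in the session. It assumes the aclitem conventions of PostgreSQL (empty grantee means PUBLIC; letters such as r/w/d/x are privilege flags), which the post itself does not define.

```python
# Added example: parse and evaluate SE-PostgreSQL row-level ACL strings and
# SELinux security labels of the form shown in the psql session.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AclItem:
    grantee: str   # "" means PUBLIC (assumed: PostgreSQL aclitem convention)
    privs: str     # privilege letters, e.g. "rwdx"; '*' marks grant option
    grantor: str   # role that granted the privileges


# One aclitem looks like  grantee=privs/grantor ; a '*' after a letter is
# the grant-option marker in PostgreSQL's aclitem syntax (assumed here).
ACL_ITEM_RE = re.compile(r'^([^=]*)=([A-Za-z*]*)/([^/]+)$')


def parse_security_acl(text):
    """Parse '{=rwdx/kaigai,kaigai=rw/kaigai}' into a list of AclItem."""
    body = text.strip()
    if not (body.startswith('{') and body.endswith('}')):
        raise ValueError(f'not an ACL array: {text!r}')
    items = []
    for raw in (p.strip() for p in body[1:-1].split(',')):
        if not raw:                       # tolerate '{}' (no entries)
            continue
        m = ACL_ITEM_RE.match(raw)
        if not m:
            raise ValueError(f'malformed aclitem: {raw!r}')
        items.append(AclItem(*m.groups()))
    return items


def row_allows(acl_text, role, priv):
    """True if `role` holds privilege letter `priv` via a direct or PUBLIC entry."""
    return any(priv in item.privs and item.grantee in ('', role)
               for item in parse_security_acl(acl_text))


def set_label_user(label, new_user):
    """Replace the user field of 'user:role:type[:level]', like sepgsql_set_user()."""
    parts = label.split(':', 3)           # the MLS level itself may contain ':'
    if len(parts) < 3 or not all(parts[:3]):
        raise ValueError(f'not an SELinux context: {label!r}')
    parts[0] = new_user
    return ':'.join(parts)
```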