[0/4] Proposal of SE-PostgreSQL patches
This series of patches is the proposal of Security-Enhanced PostgreSQL
(SE-PostgreSQL) for the upstream PostgreSQL 8.4 development cycle.
[1/4] sepostgresql-pgace-8.4devel-3.patch
provides the PGACE (PostgreSQL Access Control Extension) framework.
[2/4] sepostgresql-sepgsql-8.4devel-3.patch
provides the SE-PostgreSQL feature, based on the PGACE framework.
[3/4] sepostgresql-pg_dump-8.4devel-3.patch
enables pg_dump to dump a database with its security attributes.
[4/4] sepostgresql-policy-8.4devel-3.patch
provides the default security policy for SE-PostgreSQL.
We can provide a quick overview of SE-PostgreSQL at:
http://code.google.com/p/sepgsql/wiki/WhatIsSEPostgreSQL
Any comments and suggestions are welcome.
Thanks,
ENVIRONMENT
-----------
Please confirm your environment.
The following are the requirements of SE-PostgreSQL.
* Fedora 8 or later system
* SELinux is enabled and working
* kernel-2.6.24 or later
* selinux-policy and selinux-policy-devel v3.0.8 or later
* libselinux, policycoreutils
INSTALLATION
------------
$ tar jxvf postgresql-snapshot.tar.bz2
$ cd postgresql-snapshot
$ patch -p1 < ../sepostgresql-pgace-8.4devel-3.patch
$ patch -p1 < ../sepostgresql-sepgsql-8.4devel-3.patch
$ patch -p1 < ../sepostgresql-pg_dump-8.4devel-3.patch
$ patch -p1 < ../sepostgresql-policy-8.4devel-3.patch
$ ./configure --enable-selinux
$ make
$ make -C contrib/sepgsql-policy
$ su
# make install
# /usr/sbin/semodule -i contrib/sepgsql-policy/sepostgresql.pp
(NOTE: semodule is a utility to load/unload security policy modules.)
# /sbin/restorecon -R /usr/local/pgsql
(NOTE: restorecon is a utility to initialize the security context of files.)
SETUP
-----
# mkdir -p /opt/sepgsql
# chown foo_user:var_group /opt/sepgsql
# chcon -t postgresql_db_t /opt/sepgsql
(NOTE: chcon is a utility to set up security context of files.)
# exit
$ /usr/sbin/run_init /usr/local/pgsql/bin/initdb -D /opt/sepgsql
(NOTE: run_init is a utility to start a program as if it were branched from an init script.)
$ /usr/local/pgsql/bin/pg_ctl -D /opt/sepgsql start
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
[3/4] - sepostgresql-pg_dump-8.4devel-3.patch
This patch gives us a feature to dump a database with its security attributes.
It is turned on with the '--enable-selinux' option of pg_dump/pg_dumpall,
when the server works as the SE- version.
No need to say, users need to have enough capabilities to dump the whole
database. It is the same when they try to restore the database.
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
Attachments: sepostgresql-pg_dump-8.4devel-3.patch (text/x-patch; +139 -8)
[4/4] - sepostgresql-policy-8.4devel-3.patch
This patch gives us the default security policy for SE-PostgreSQL.
You can build it as a security policy module. It can be linked with
the existing distributor's policy, and reloaded.
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
Attachments: sepostgresql-policy-8.4devel-3.patch (text/x-patch; +478 -0)
It seems to me that some of the SE-PostgreSQL patches have not been delivered yet,
although [3/4] and [4/4] were already done.
Did the anti-spam system catch my previous three messages?
If necessary, I will send them again.
Thanks,
Kohei KaiGai wrote:
This series of patches is the proposal of Security-Enhanced PostgreSQL
(SE-PostgreSQL) for the upstream PostgreSQL 8.4 development cycle.
[1/4] sepostgresql-pgace-8.4devel-3.patch
provides the PGACE (PostgreSQL Access Control Extension) framework.
[2/4] sepostgresql-sepgsql-8.4devel-3.patch
provides the SE-PostgreSQL feature, based on the PGACE framework.
[3/4] sepostgresql-pg_dump-8.4devel-3.patch
enables pg_dump to dump a database with its security attributes.
[4/4] sepostgresql-policy-8.4devel-3.patch
provides the default security policy for SE-PostgreSQL.
- snip -
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
Kohei KaiGai napsal(a):
It seems to me that some of the SE-PostgreSQL patches have not been delivered yet,
although [3/4] and [4/4] were already done.
Did the anti-spam system catch my previous three messages?
If necessary, I will send them again.
There is a file size limitation. If your patch is too big (I guess over
40kB), please gzip it or send only a URL for download.
Zdenek
Zdenek Kotala wrote:
Kohei KaiGai napsal(a):
It seems to me that some of the SE-PostgreSQL patches have not been delivered yet,
although [3/4] and [4/4] were already done.
Did the anti-spam system catch my previous three messages?
If necessary, I will send them again.
There is a file size limitation. If your patch is too big (I guess over
40kB), please gzip it or send only a URL for download.
Zdenek
Thanks for your information.
Your estimation is correct. Two of them are over the limitation.
So, I'll send them again as gzip'ed attachments.
[kaigai@saba a]$ ls -lh *-8.4devel-*.patch
-rw-r--r-- 1 kaigai users 17K 2008-03-17 13:01 sepostgresql-pg_dump-8.4devel-3.patch
-rw-r--r-- 1 kaigai users 134K 2008-03-17 13:01 sepostgresql-pgace-8.4devel-3.patch
-rw-r--r-- 1 kaigai users 17K 2008-03-17 13:01 sepostgresql-policy-8.4devel-3.patch
-rw-r--r-- 1 kaigai users 138K 2008-03-17 13:01 sepostgresql-sepgsql-8.4devel-3.patch
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
[1/4] - sepostgresql-pgace-8.4devel-3.patch.gz
This patch provides the PGACE (PostgreSQL Access Control Extension) framework.
It has a similar idea to LSM (Linux Security Modules).
It provides a guest module with several hooks at strategic points.
The guest module can make its decision whether required actions should be
allowed or not.
In addition, PGACE also provides facilities to manage the security attributes
of database objects. Any tuple can have its own security attribute, and the
guest module can refer to it to control accesses.
A more comprehensive memo at:
http://code.google.com/p/sepgsql/wiki/WhatIsPGACE
(This patch is gzip'ed, because it exceeded the file size limitation.)
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
[2/4] - sepostgresql-sepgsql-8.4devel-3.patch.gz
This patch provides the SE-PostgreSQL facilities based on PGACE.
Security-Enhanced PostgreSQL (SE-PostgreSQL) is a security extension
built into PostgreSQL, to provide system-wide consistency in access
controls. It enables applying a single unified security policy of
SELinux to both the operating system and the database management system.
In addition, it also provides fine-grained mandatory access control, which
includes column-/row-level non-bypassable access control even for
privileged database users.
Quick overview at:
http://code.google.com/p/sepgsql/wiki/WhatIsSEPostgreSQL
(This patch is gzip'ed, because it exceeded the file size limitation.)
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
Kohei KaiGai wrote:
This series of patches is the proposal of Security-Enhanced PostgreSQL
(SE-PostgreSQL) for the upstream PostgreSQL 8.4 development cycle.
Before we go any further, is this work derived from SELinux? If so, is
it covered under the GPL? If so, can it be licensed under BSD terms?
Obviously, if it's not BSD, we cannot include it in Postgres.
--
Alvaro Herrera http://www.CommandPrompt.com/
PostgreSQL Replication, Consulting, Custom Development, 24x7 support
Alvaro Herrera wrote:
Kohei KaiGai wrote:
This series of patches is the proposal of Security-Enhanced PostgreSQL
(SE-PostgreSQL) for the upstream PostgreSQL 8.4 development cycle.
Before we go any further, is this work derived from SELinux? If so, is
it covered under the GPL? If so, can it be licensed under BSD terms?
Obviously, if it's not BSD, we cannot include it in Postgres.
All of the SE-PostgreSQL work is licensed under BSD terms.
We have been considering pushing SE-PostgreSQL into upstream PostgreSQL from
the beginning, and we understand that choosing the GPL makes that impossible.
Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
I'll submit the proposal of the SE-PostgreSQL patches again, because some of the previous
messages were filtered due to their attachments and I could not provide all of the patches yet.
Please refer to the URLs pointed to below.
------
This series of patches is the proposal of Security-Enhanced PostgreSQL (SE-PostgreSQL)
for the upstream PostgreSQL 8.4 development cycle.
[1/4] sepostgresql-pgace-8.4devel-3.patch
provides the PGACE (PostgreSQL Access Control Extension) framework.
http://sepgsql.googlecode.com/files/sepostgresql-pgace-8.4devel-3-r704.patch
[2/4] sepostgresql-sepgsql-8.4devel-3.patch
provides the SE-PostgreSQL feature, based on the PGACE framework.
http://sepgsql.googlecode.com/files/sepostgresql-sepgsql-8.4devel-3-r704.patch
[3/4] sepostgresql-pg_dump-8.4devel-3.patch
enables pg_dump to dump a database with its security attributes.
http://sepgsql.googlecode.com/files/sepostgresql-pg_dump-8.4devel-3-r704.patch
[4/4] sepostgresql-policy-8.4devel-3.patch
provides the default security policy for SE-PostgreSQL.
http://sepgsql.googlecode.com/files/sepostgresql-policy-8.4devel-3-r704.patch
We can provide a quick overview for SE-PostgreSQL at:
http://code.google.com/p/sepgsql/wiki/WhatIsSEPostgreSQL
ENVIRONMENT
-----------
Please confirm your environment.
The following are the requirements of SE-PostgreSQL.
* Fedora 8 or later system
* SELinux is enabled and working
* kernel-2.6.24 or later
* selinux-policy and selinux-policy-devel v3.0.8 or later
* libselinux, policycoreutils
INSTALLATION
------------
$ tar jxvf postgresql-snapshot.tar.bz2
$ cd postgresql-snapshot
$ patch -p1 < ../sepostgresql-pgace-8.4devel-3.patch
$ patch -p1 < ../sepostgresql-sepgsql-8.4devel-3.patch
$ patch -p1 < ../sepostgresql-pg_dump-8.4devel-3.patch
$ patch -p1 < ../sepostgresql-policy-8.4devel-3.patch
$ ./configure --enable-selinux
$ make
$ make -C contrib/sepgsql-policy
$ su
# make install
# /usr/sbin/semodule -i contrib/sepgsql-policy/sepostgresql.pp
(NOTE: semodule is a utility to load/unload security policy modules.)
# /sbin/restorecon -R /usr/local/pgsql
(NOTE: restorecon is a utility to initialize the security context of files.)
SETUP
-----
# mkdir -p /opt/sepgsql
# chown foo_user:var_group /opt/sepgsql
# chcon -t postgresql_db_t /opt/sepgsql
(NOTE: chcon is a utility to set up security context of files.)
# exit
$ /usr/sbin/run_init /usr/local/pgsql/bin/initdb -D /opt/sepgsql
(NOTE: run_init is a utility to start a program as if it were branched from an init script.)
$ /usr/local/pgsql/bin/pg_ctl -D /opt/sepgsql start
SUMMARIES FOR EVERY PATCH
-------------------------
[1/4] - sepostgresql-pgace-8.4devel-3.patch
This patch provides the PGACE (PostgreSQL Access Control Extension) framework.
It has a similar idea to LSM (Linux Security Modules).
It provides a guest module with several hooks at strategic points.
The guest module can make its decision whether required actions should be
allowed or not.
In addition, PGACE also provides facilities to manage the security attributes
of database objects. Any tuple can have its own security attribute, and the
guest module can refer to it to control accesses.
A more comprehensive memo at:
http://code.google.com/p/sepgsql/wiki/WhatIsPGACE
[2/4] - sepostgresql-sepgsql-8.4devel-3.patch
This patch provides the SE-PostgreSQL facilities based on PGACE.
Security-Enhanced PostgreSQL (SE-PostgreSQL) is a security extension
built into PostgreSQL, to provide system-wide consistency in access
controls. It enables applying a single unified security policy of
SELinux to both the operating system and the database management system.
In addition, it also provides fine-grained mandatory access control, which
includes column-/row-level non-bypassable access control even for
privileged database users.
Quick overview at:
http://code.google.com/p/sepgsql/wiki/WhatIsSEPostgreSQL
[3/4] - sepostgresql-pg_dump-8.4devel-3.patch
This patch gives us a feature to dump a database with its security attributes.
It is turned on with the '--enable-selinux' option of pg_dump/pg_dumpall,
when the server works as the SE- version.
No need to say, users need to have enough capabilities to dump the whole
database. It is the same when they try to restore the database.
[4/4] - sepostgresql-policy-8.4devel-3.patch
This patch gives us the default security policy for SE-PostgreSQL.
You can build it as a security policy module. It can be linked with
the existing distributor's policy, and reloaded.
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
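As an added example (not code from the posting or the sepgsql project), a preflight script covering the ENVIRONMENT requirements and the postgresql_db_t label from the SETUP step in the resent proposal above. It assumes a Fedora system with rpm, GNU stat's %C context output and policycoreutils' selinuxenabled/getenforce; the data directory defaults to /opt/sepgsql.

```shell
#!/bin/sh
# Preflight for the ENVIRONMENT requirements (Fedora 8+, SELinux on, kernel
# 2.6.24+, selinux-policy{,-devel} 3.0.8+, libselinux, policycoreutils) and the
# postgresql_db_t label from SETUP. Added example; only reads and reports.

# version_ge A B: succeeds when dotted version A is at least B.
version_ge() {
    # Keep the leading numeric part ("2.6.25-14.fc8" -> "2.6.25") and add a
    # trailing dot so cut always sees a delimiter, even for a bare "3".
    have="$(printf '%s' "$1" | sed 's/[^0-9.].*$//')."
    want="$(printf '%s' "$2" | sed 's/[^0-9.].*$//')."
    i=1
    while :; do
        h=$(printf '%s' "$have" | cut -d. -f"$i")
        w=$(printf '%s' "$want" | cut -d. -f"$i")
        [ -z "$h" ] && [ -z "$w" ] && return 0   # no fields left: equal
        h=${h:-0}; w=${w:-0}                      # missing field counts as 0
        [ "$h" -gt "$w" ] && return 0
        [ "$h" -lt "$w" ] && return 1
        i=$((i + 1))
    done
}
# Release number from an /etc/fedora-release line such as
# "Fedora release 8 (Werewolf)"; prints nothing if the line does not match.
fedora_release_from() {
    printf '%s\n' "$1" | sed -n 's/^Fedora release \([0-9][0-9]*\).*/\1/p'
}
# Type field of a context string: "system_u:object_r:postgresql_db_t:s0"
# -> "postgresql_db_t". Used to verify the chcon done in the SETUP step.
context_type() { printf '%s\n' "$1" | cut -d: -f3; }

FAILED=0
ok()   { echo "ok: $1"; }
fail() { echo "MISSING: $1"; FAILED=1; }

check_fedora() {
    rel=$(fedora_release_from "$(cat /etc/fedora-release 2>/dev/null)")
    if [ -n "$rel" ] && [ "$rel" -ge 8 ]; then ok "Fedora $rel"
    else fail "Fedora 8 or later not detected"; fi
}
check_selinux() {
    # selinuxenabled (policycoreutils) exits 0 only when SELinux is active.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        ok "SELinux enabled, mode $(getenforce 2>/dev/null || echo unknown)"
    else fail "SELinux is not enabled (or policycoreutils is missing)"; fi
}
check_kernel() {
    if version_ge "$(uname -r)" 2.6.24; then ok "kernel $(uname -r)"
    else fail "kernel $(uname -r) is older than 2.6.24"; fi
}
# check_rpm PACKAGE MINVERSION: compare the installed rpm version with MINVERSION.
check_rpm() {
    ver=$(rpm -q --qf '%{VERSION}' "$1" 2>/dev/null) || { fail "$1 not installed"; return 0; }
    if version_ge "$ver" "$2"; then ok "$1 $ver"; else fail "$1 $ver older than $2"; fi
}
# check_datadir DIR: SETUP expects DIR to carry the postgresql_db_t type.
check_datadir() {
    ctx=$(stat -c %C "$1" 2>/dev/null) || { fail "$1 does not exist"; return 0; }
    if [ "$(context_type "$ctx")" = postgresql_db_t ]; then ok "$1 is postgresql_db_t"
    else fail "$1 has context '$ctx', expected type postgresql_db_t"; fi
}
preflight() {   # $1 = data directory (defaults to the /opt/sepgsql used in SETUP)
    check_fedora; check_selinux; check_kernel
    check_rpm selinux-policy 3.0.8; check_rpm selinux-policy-devel 3.0.8
    check_rpm libselinux 0; check_rpm policycoreutils 0
    check_datadir "${1:-/opt/sepgsql}"
    return $FAILED
}
# Runs the checks only when invoked as "sh sepgsql-preflight.sh --run [DATADIR]".
if [ "${1:-}" = "--run" ]; then preflight "${2:-}"; fi
```

The script exits non-zero when any requirement is missing, so it can gate the INSTALLATION steps in a provisioning script.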
KaiGai Kohei wrote:
Alvaro Herrera wrote:
Before we go any further, is this work derived from SELinux? If so, is
it covered under the GPL? If so, can it be licensed under BSD terms?
All of the SE-PostgreSQL work is licensed under BSD terms.
We have been considering pushing SE-PostgreSQL into upstream PostgreSQL from
the beginning, and we understand that choosing the GPL makes that impossible.
Right. The question is: since this is derived from SE-Linux, is it
affected by SE-Linux license?
--
Alvaro Herrera http://www.CommandPrompt.com/
The PostgreSQL Company - Command Prompt, Inc.
Alvaro Herrera wrote:
KaiGai Kohei wrote:
Alvaro Herrera wrote:
Before we go any further, is this work derived from SELinux? If so, is
it covered under the GPL? If so, can it be licensed under BSD terms?
All of the SE-PostgreSQL work is licensed under BSD terms.
We have been considering pushing SE-PostgreSQL into upstream PostgreSQL from
the beginning, and we understand that choosing the GPL makes that impossible.
Right. The question is: since this is derived from SE-Linux, is it
affected by SE-Linux license?
No, SE-PostgreSQL is not derived from SELinux.
I guess you worry that SE-PostgreSQL contains a part of SELinux licensed
under the GPL, but that is incorrect.
SE-PostgreSQL communicates with SELinux to make its access control decisions
via an official interface provided by libselinux, because it does not have
the information to make its decision.
libselinux is linked with SE-PostgreSQL, but it is licensed as public
domain software by the NSA.
Therefore, we have no issues related to incompatible licenses.
Thanks,
--
KaiGai Kohei <kaigai@kaigai.gr.jp>
On Mon, 17 Mar 2008, KaiGai Kohei wrote:
I'll submit the proposal of the SE-PostgreSQL patches again, because some of the previous
messages were filtered due to their attachments and I could not provide all of the patches yet.
This is actually what you should have done from the beginning. And it
only should have gone to the pgsql-hackers list, which is the only one I'm
replying to. Your patches are at this point a proposal, as you say in the
subject, and those go to the pgsql-hackers list with the minimum of files
necessary to support them. pgsql-patches is generally aimed at patches
that have already been discussed on the hackers list, ones that are
basically ready to apply to the source code.
libselinux is linked with SE-PostgreSQL, but it is licensed as
public domain software by the NSA.
As for the licensing issues here, what everyone is looking for is a clear
statement of the SELinux license from the source of that code. The
official NSA statement at http://www.nsa.gov/selinux/info/license.cfm says:
"All source code found on this site is released under the same terms and
conditions as the original sources. For example, the patches to the Linux
kernel, patches to many existing utilities, and some of the new programs
available here are released under the terms and conditions of the GNU
General Public License (GPL). Please refer to the source code for specific
license information."
GPL is a perfectly good license, but it's far from clear whether code
derived from it can be incorporated into PostgreSQL even if you wrote all
of it yourself. I just checked libselinux, and as you say it includes a
LICENSE file that states "This library (libselinux) is public domain
software, i.e. not copyrighted.". That's good, but a similar independent
review will need to happen for every component you interact with here, on
top of a technical review. Luckily this is something a lot of people
would like and that should all get taken care of.
--
* Greg Smith gsmith@gregsmith.com http://www.gregsmith.com Baltimore, MD
KaiGai,
The series of patches are the proposal of Security-Enhanced PostgreSQL
(SE-PostgreSQL) for the upstreamed PostgreSQL 8.4 development cycle.
Since I'm (Finally!) expecting the TrustedSolaris folks to put some work into
PostgreSQL as well this year, I'm going to ask them to look over PGACE to see
if this implementation is (still) generic enough to support TS as well. If
it is, then it's probably generic enough to be a general building block.
--
Josh Berkus
PostgreSQL @ Sun
San Francisco
"Greg Smith" <gsmith@gregsmith.com> writes:
On Mon, 17 Mar 2008, KaiGai Kohei wrote:
I'll submit the proposal of the SE-PostgreSQL patches again, because some of the previous
messages were filtered due to their attachments and I could not provide all of the patches yet.
This is actually what you should have done from the beginning. And it only
should have gone to the pgsql-hackers list, which is the only one I'm replying
to. Your patches are at this point a proposal, as you say in the subject, and
those go to the pgsql-hackers list with the minimum of files necessary to
support them. pgsql-patches is generally aimed at patches that have already
been discussed on the hackers list, ones that are basically ready to apply to
the source code.
Some people shout any time you send patches to -hackers. The -patches list is
there mainly to catch large attachments regardless of their maturity.
But it's true that it's best to post a plan and have discussion prior to
developing big patches.
--
Gregory Stark
EnterpriseDB http://www.enterprisedb.com
Ask me about EnterpriseDB's PostGIS support!
On Mon, 17 Mar 2008, Gregory Stark wrote:
Some people shout any time you send patches to -hackers.
Right, but if you note the improved version I give the thumbs-up to didn't
include any patches--just links to where you could get them. There's
little reason to include any code as an attachment for a proposal if you
can direct people to the web for them. That's why I suggested sending
"the minimum of files necessary", which in this case was zero.
--
* Greg Smith gsmith@gregsmith.com http://www.gregsmith.com Baltimore, MD
Josh Berkus wrote:
KaiGai,
This series of patches is the proposal of Security-Enhanced PostgreSQL
(SE-PostgreSQL) for the upstream PostgreSQL 8.4 development cycle.
Since I'm (Finally!) expecting the TrustedSolaris folks to put some work into
PostgreSQL as well this year, I'm going to ask them to look over PGACE to see
if this implementation is (still) generic enough to support TS as well. If
it is, then it's probably generic enough to be a general building block.
We can extend the PGACE framework to mount TrustedSolaris features.
If they need new hooks which are not used in SE-PostgreSQL, those hooks can
keep the default behavior.
The default PGACE behavior has no effect on access controls.
A flexible framework is worthwhile for both operating systems.
Please confirm it with the TS folks.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
Greg Smith wrote:
On Mon, 17 Mar 2008, KaiGai Kohei wrote:
I'll submit the proposal of the SE-PostgreSQL patches again, because some
of the previous messages were filtered due to their attachments and I could
not provide all of the patches yet.
This is actually what you should have done from the beginning. And it
only should have gone to the pgsql-hackers list, which is the only one
I'm replying to. Your patches are at this point a proposal, as you say
in the subject, and those go to the pgsql-hackers list with the minimum
of files necessary to support them. pgsql-patches is generally aimed at
patches that have already been discussed on the hackers list, ones that
are basically ready to apply to the source code.
OK, I understand the purpose of the pgsql-hackers and pgsql-patches lists.
At first, I'll have the discussion here.
libselinux is linked with SE-PostgreSQL, but it is licensed as
public domain software by the NSA.
As for the licensing issues here, what everyone is looking for is a
clear statement of the SELinux license from the source of that code.
The official NSA statement at http://www.nsa.gov/selinux/info/license.cfm
says:
"All source code found on this site is released under the same terms and
conditions as the original sources. For example, the patches to the
Linux kernel, patches to many existing utilities, and some of the new
programs available here are released under the terms and conditions of
the GNU General Public License (GPL). Please refer to the source code
for specific license information."
GPL is a perfectly good license, but it's far from clear whether code
derived from it can be incorporated into PostgreSQL even if you wrote
all of it yourself. I just checked libselinux, and as you say it
includes a LICENSE file that states "This library (libselinux) is public
domain software, i.e. not copyrighted.". That's good, but a similar
independent review will need to happen for every component you interact
with here, on top of a technical review. Luckily this is something a
lot of people would like and that should all get taken care of.
SE-PostgreSQL internally uses libselinux, glibc and PostgreSQL internal
APIs like SearchSysCache().
I'm not a lawyer, but I believe they cannot force us to apply a specific
license. So, I clearly say the SE-PostgreSQL feature is licensed under the same
one as PostgreSQL.
No need to say, more comprehensive checks and reviews are welcome.
Thanks,
--
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
On Tue, 18 Mar 2008 10:41:42 +0900
KaiGai Kohei <kaigai@ak.jp.nec.com> wrote:
GPL is a perfectly good license, but it's far from clear whether
code derived from it can be incorporated into PostgreSQL even if
you wrote all of it yourself. I just checked libselinux, and as
you say it includes a LICENSE file that states "This library
(libselinux) is public domain software, i.e. not copyrighted.".
That's good, but a similar independent review will need to happen
for every component you interact with here, on top of a technical
review. Luckily this is something a lot of people would like and
that should all get taken care of.
SE-PostgreSQL internally uses libselinux, glibc and PostgreSQL
internal APIs like SearchSysCache().
I'm not a lawyer, but I believe they cannot force us to apply a
specific license. So, I clearly say the SE-PostgreSQL feature is licensed
under the same one as PostgreSQL.
No need to say, more comprehensive checks and reviews are welcome.
Hmmm,
Everything that I read says that libselinux is GPL. That could present
a problem for anyone that wants to use the BSD features of
PostgreSQL :).
I can check with SFLC if people are really curious.
Sincerely,
Joshua D. Drake
--
The PostgreSQL Company since 1997: http://www.commandprompt.com/
PostgreSQL Community Conference: http://www.postgresqlconference.org/
Donate to the PostgreSQL Project: http://www.postgresql.org/about/donate
PostgreSQL political pundit | Mocker of Dolphins