SEPostgreSQL-patch

From PostgreSQL wiki

Please do not discuss this URL on the hackers email list until Wednesday, 2009-01-28 1200 GMT.


Introduction

This patch introduces two new capabilities to Postgres. The first is SQL-level row permissions. With this feature, you can assign permissions to rows similar to the permissions assigned to tables:

          INSERT INTO ratbl_p (security_acl, a, b)
          VALUES ('{rausr_x=r/rausr_o}', 2, 'bbb');

Permissions are assigned by specifying literal strings to the system column 'security_acl', rather than using GRANT/REVOKE commands.

The second feature is SE-Linux integration. Security values are assigned as literal strings, like SQL-level row permissions:

          INSERT INTO t1 (security_label, x, y)
          VALUES ('system_u:object_r:sepgsql_table_t:s0', 1, 'aaa');

The system column used is 'security_label'. The big advantage of SE-Linux integration is that database permissions are controlled by a site-wide security policy, rather than a database-specific one.
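The two literal formats shown above, taken apart in an added Python example (not code from the patch or from this wiki page). The row ACL is read as PostgreSQL's aclitem notation (grantee=privileges/grantor) and the label as an SELinux context (user:role:type:range). The function names are hypothetical, and it is an assumption that row ACLs accept the same privilege letters as table ACLs.

```python
import re

# Standard PostgreSQL aclitem privilege letters for tables. Assumption: the
# patch's row ACLs use the same letters; the page only says "similar to tables".
ACL_PRIVS = {"r": "SELECT", "w": "UPDATE", "a": "INSERT", "d": "DELETE",
             "x": "REFERENCES", "t": "TRIGGER", "D": "TRUNCATE"}

# grantee=privs/grantor; an empty grantee means PUBLIC.
ACL_ITEM = re.compile(r"^(?P<grantee>[^=/]*)=(?P<privs>[A-Za-z*]*)/(?P<grantor>[^=/]+)$")


def parse_security_acl(literal):
    """Parse an aclitem[] literal such as '{rausr_x=r/rausr_o}'.

    Limitation: double-quoted role names containing ',' are not handled.
    """
    if not (literal.startswith("{") and literal.endswith("}")):
        raise ValueError("ACL literal must be wrapped in braces")
    entries = []
    for item in filter(None, literal[1:-1].split(",")):
        m = ACL_ITEM.match(item.strip())
        if m is None:
            raise ValueError(f"malformed ACL item: {item!r}")
        privs = []
        for ch in m["privs"]:
            if ch == "*":  # '*' marks the preceding privilege as grantable
                continue
            if ch not in ACL_PRIVS:
                raise ValueError(f"unknown privilege letter: {ch!r}")
            privs.append(ACL_PRIVS[ch])
        entries.append({"grantee": m["grantee"] or "PUBLIC",
                        "privileges": privs, "grantor": m["grantor"]})
    return entries


def parse_security_label(literal):
    """Split an SELinux context into user, role, type and MLS range."""
    parts = literal.split(":", 3)  # the range may itself contain ':' (s0:c0.c3)
    if len(parts) != 4 or not all(parts):
        raise ValueError(f"not a user:role:type:range context: {literal!r}")
    return dict(zip(("user", "role", "type", "range"), parts))


if __name__ == "__main__":
    # Both literals are the ones used in the INSERT statements above.
    print(parse_security_acl("{rausr_x=r/rausr_o}"))
    print(parse_security_label("system_u:object_r:sepgsql_table_t:s0"))
```

Rejecting malformed literals before they reach an INSERT is the useful part for review tooling: a label missing a field or an ACL with an unknown privilege letter raises ValueError instead of being passed through.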

This wiki has an excellent introduction to the feature set: http://wiki.postgresql.org/wiki/SEPostgreSQL

This basically implements TCSEC (Trusted Computer System Evaluation Criteria). While it currently only supports SE-Linux, it could be extended to support other security infrastructures.

Patches

Most recent patch submission: http://archives.postgresql.org/pgsql-hackers/2009-01/msg00661.php

Documentation patch: http://sepgsql.googlecode.com/files/sepostgresql-docs-8.4devel-3-r1398.patch

Regression test patch (has examples): http://sepgsql.googlecode.com/files/sepostgresql-tests-8.4devel-3-r1398.patch

Questions

  • Is the ability to see system table information properly protected?

Email Discussions

Code Size Impact

Here is my analysis of the code impact of SE-PostgreSQL vs. text search, which was included in PostgreSQL 8.3. Text search was 4x larger, if measured by total lines or by lines outside dedicated directories; the only larger aspect of SE-PostgreSQL is that there are more C files affected:

 TEXT SEARCH:
 total lines     48924
 /snowball       27232
 /tsearch         7199
 utils/adt        6180
 mixed            8313
 -------
 C files:           46

 SE-PGSQL:
 total lines     10040
 /security        7721
 mixed            2319
 -------
 C files:          104

TODO

  • Allow system columns 'security_acl' and 'security_label' to be assigned per row without requiring CREATE TABLE options, and require no storage space if not assigned
  • Find a way to delete unreferenced pg_security rows

Press

Kaigai Kohei and SE PostgreSQL are already listed on the U.S. National Security Agency (NSA) website: http://www.nsa.gov/research/selinux/contrib.shtml