From: KaiGai Kohei <kaigai@ak.jp.nec.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: KaiGai Kohei <kaigai@kaigai.gr.jp>,
	cpebenito@tresys.com, dwalsh@redhat.com, selinux@tycho.nsa.gov,
	ewalsh@tycho.nsa.gov
Subject: Re: Fedora/SE-PostgreSQL
Date: Tue, 07 Aug 2007 13:41:19 +0900
Message-ID: <46B7F7EF.2030200@ak.jp.nec.com>
In-Reply-To: <1186428187.17889.166.camel@moss-spartans.epoch.ncsc.mil>

Stephen Smalley wrote:
> On Wed, 2007-08-01 at 21:17 +0900, KaiGai Kohei wrote:
>> Hi,
>>
>> A week ago, I submitted a review request of SE-PostgreSQL to
>> the Fedora project as follows:
>>   https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249522
>>
>> The biggest issue is the lack of definitions of new object classes
>> and access vectors related to databases.
>> The rest of the policies can be installed as a binary security policy module
>> packed within the RPM package, but these definitions and MLS/MCS rules
>> cannot be modularized.
>>
>> The attached patch adds these definitions to the base policy.
>>
>> I remember Chris said as follows in the past.
>>> Is the code on a path to being merged upstream?  I'm hesitant to apply
>>> class changes until the code is on a plan to be merged.
>> However, I would like you to consider it again.
>> I believe that the spread of secure applications, like SE-PostgreSQL,
>> can help promote SELinux more, and it's so worthwhile to make it
>> less complicated to maintain.
>>
>> In addition, the next release of PostgreSQL with new features (8.4) is
>> planned for autumn 2008. It means that any SE-PostgreSQL users have to
>> replace the default selinux-policy package with the modified one for a year
>> or more, at least. I think it's senseless work.
>>
>> It may be time for the definitions of object classes related to databases
>> to be integrated into the base security policy.
> 
> Likely a good idea as well to ensure that it does not collide with the X
> object class rework.

Future modification of object class numbers does not matter, because SE-PostgreSQL
can also obtain them via /selinux/class on kernel 2.6.23 or later.

Are you worried that the reworked X object class uses the same namespace
as what SE-PostgreSQL uses, like "database", "table" and so on?

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
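
The lookup by name through /selinux/class that the message above refers to, as an added example that is not part of the original message and is not SE-PostgreSQL or libselinux code. It assumes the selinuxfs layout of one directory per class holding an "index" file and a "perms" directory; the class numbers, permission names and the helper names are constructed for illustration.

```python
import os
import tempfile

def read_number(path):
    """Return the decimal number stored in one selinuxfs-style node."""
    with open(path) as fh:
        return int(fh.read().strip())

def resolve_class(name, root="/selinux/class"):
    """Map a class name to (class number, {permission name: access-vector bit})."""
    class_dir = os.path.join(root, name)
    if not os.path.isdir(class_dir):
        raise LookupError(f"class {name!r} is not in the loaded policy")
    index = read_number(os.path.join(class_dir, "index"))
    perms = {}
    perms_dir = os.path.join(class_dir, "perms")
    for perm in sorted(os.listdir(perms_dir)):
        position = read_number(os.path.join(perms_dir, perm))  # 1-based
        if not 1 <= position <= 32:  # an access vector holds 32 bits
            raise ValueError(f"{name}:{perm} has bad position {position}")
        perms[perm] = 1 << (position - 1)
    return index, perms

def build_constructed_tree(root, classes):
    """Write a constructed class tree: {class name: (number, [permission names])}."""
    for name, (index, perm_names) in classes.items():
        perms_dir = os.path.join(root, name, "perms")
        os.makedirs(perms_dir)
        with open(os.path.join(root, name, "index"), "w") as fh:
            fh.write(f"{index}\n")
        for position, perm in enumerate(perm_names, start=1):
            with open(os.path.join(perms_dir, perm), "w") as fh:
                fh.write(f"{position}\n")

def demo():
    """Resolve "table" under two constructed policies that number it differently."""
    perm_names = ["create", "drop", "select"]  # constructed permission names
    results = []
    for number in (61, 70):  # constructed class numbers, before and after a rework
        with tempfile.TemporaryDirectory() as root:
            build_constructed_tree(root, {"table": (number, perm_names)})
            results.append(resolve_class("table", root))
    return results

if __name__ == "__main__":
    for index, perms in demo():
        print(index, perms)
```

A caller that resolves the class by name at startup sees the new number after a policy change, while a name missing from the loaded policy fails with LookupError.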
