Re: questions about persistent storage of security contexts

[KaiGai Kohei <kaigai@ak.jp.nec.com>]

>> I have also considered maintaining my own internal, persistent mapping
>> between string based contexts and an integer representation, the mapping
>> being stored/indexed inside the DBMS. This gives me a small storage overhead
>> with a fixed size.
> 
> I don't have a problem with internal mapping like that.

In SE-PostgreSQL, it maintains own internal mapping between text represented
security context and its integer identifier. The 'pg_security' system catalog
stores the pair of them.

Any tuple (including system catalog) has its security context. It is stored
within padding area of HeapTupleHeader as an integer value, and it means the
primary key of 'pg_security' system catalog.

It also enables to boost userspace AVC, because this idea makes possible to
implement it using a relationship between identifiers (not a text representation).


When the security policy is reloaded and it makes invalidate the stored context,
the stored one is dealt as 'unlabeled_t'.

> But, don't we already have sepostgresql?  Maybe you should be looking
> to see if that fits your needs or you might get ideas from the work
> that they performed?

FYI:
   http://code.google.com/p/sepgsql/

Andrew, what is your intended base RDBMS?

Currently, SE-PostgreSQL is the only SELinux awared RDBMS.
It is now under reviewing for the next release (v8.4) cycle.
   http://wiki.postgresql.org/wiki/CommitFest:2008-07

However, I think we can apply SELinux for any other relational model implementation.

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.