diff for duplicates of <49D23288.2030807@rubix.com> diff --git a/a/1.txt b/N1/1.txt index 11672fb..ef4a305 100644 --- a/a/1.txt +++ b/N1/1.txt @@ -72,4 +72,7 @@ DBMS policy? > to the RUBIX's design. > > Thanks, -> +> +-------------- next part -------------- +An HTML attachment was scrubbed... +URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20090331/25855cfc/attachment.html diff --git a/a/2.bin b/a/2.bin deleted file mode 100644 index 5ebe09f..0000000 --- a/a/2.bin +++ /dev/null 
@@ -1,101 +0,0 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> -<html> -<head> - <meta content="text/html;charset=ISO-2022-JP" - http-equiv="Content-Type"> -</head> -<body bgcolor="#ffffff" text="#000000"> -<br> -<br> -KaiGai Kohei wrote: -<blockquote cite="mid:49D21FD5.7020600@kaigai.gr.jp" type="cite"> - <pre wrap="">Andy Warner wrote: - </pre> - <blockquote type="cite"> - <pre wrap="">looks good to me. - -One minor comment. For the superuser permission, this may be common use -of DBMS's but I believe is not a standard SQL feature. RUBIX has no such -concept, so we would generally ignore that permission. Also, it is -unclear to me what abilities the superuser should have (in the general -sense, not necessarily within sepostgresql). - </pre> - </blockquote> - <pre wrap=""><!----> -It is a request from the pgsql-hackers. - -In addition, the permission is well symmetrical with root capability -on operating system. -In PostgreSQL, database users with superuser privilege are allowed -various kind of operating, such as ignoring DAC policy, ignoring -ownership of database objects, installing shared libraries and so on. -The db_database:{superuser} enables to control these capabilities. - - </pre> -</blockquote> -Sounds like our DBA role. Basically, its just a different name. I agree -that the superuser is a common concept in OS's, but note that its use -is often discouraged. I'm note sure introducing it for databases is a -great idea. But, as I said before, we would just ignore it as -primarily its there to satisfy postgresql.<br> -<blockquote cite="mid:49D21FD5.7020600@kaigai.gr.jp" type="cite"> - <pre wrap=""></pre> - <blockquote type="cite"> - <pre wrap="">Is this just a permission -to override SQL DAC, or does it also give administrative abilities like -setting audit configurations, or "all the above." I think you said -before that it would not allow MAC override, correct? 
- </pre> - </blockquote> - <pre wrap=""><!----> -SELinux does not allow anyone to override MAC. -The unconfined domain is allowed anything in the result of access controls. - </pre> -</blockquote> -I am referring to things like:<br> -<br> -mlsconstrain { db_tuple } { use select }<br> - (( l1 dom l2 ) or<br> - (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or<br> - ( t1 == mlsdbread ) or<br> - ( t2 == mlstrustedobject ));<br> -<br> -where t1 == mlsdbread seems to imply an object is trusted to read -strictly dominating objects. Unless I am missing the meaning here, I -would call this a MAC override. I realize there is no concept of a TE -override, but MLS is part of MAC, no? And, this violates B&L rules. -This is something we would control with a Security Administrator -"role". Or, is this mlsdbread something that is impossible to give to a -domain in a DBMS policy?<br> -<blockquote cite="mid:49D21FD5.7020600@kaigai.gr.jp" type="cite"> - <pre wrap=""> - </pre> - <blockquote type="cite"> - <pre wrap="">RUBIX currently has four privileged "roles": -Database Administrator: DAC override -Security Administrator: MAC override, to some degree. With SELinux much -of this can be done with discrete rules. -Audit Administrator: administer audit trail and criteria -Database Operator: do the normal day-today administrative DBMS tasks, -like backup. - -I am curious, if the intended use of the db_database superuser -permission would be an encapsulation of our all of our roles, excluding -the Security Administrator. - </pre> - </blockquote> - <pre wrap=""><!----> -My preference is to adopt common design *as far as possible*. -If you need finer-grained privileges, please propose it as a characteristic -part for Trusted RUBIX, as if we did on db_catalog class. -Anyway, I cannot believe the pgsql-hackers accepts its design changes due -to the RUBIX's design. 
- </pre> -</blockquote> -<blockquote cite="mid:49D21FD5.7020600@kaigai.gr.jp" type="cite"> - <pre wrap=""> -Thanks, - </pre> -</blockquote> -</body> -</html> diff --git a/a/2.hdr b/a/2.hdr deleted file mode 100644 index 4d5ce0e..0000000 --- a/a/2.hdr +++ /dev/null @@ -1,2 +0,0 @@ -Content-Type: text/html; charset=ISO-2022-JP -Content-Transfer-Encoding: 7bit diff --git a/a/content_digest b/N1/content_digest index 9c874be..ca4f802 100644 --- a/a/content_digest +++ b/N1/content_digest @@ -1,16 +1,11 @@ "ref\049D1DA85.1030902@ak.jp.nec.com\0" "ref\049D1EAE7.8050100@rubix.com\0" "ref\049D21FD5.7020600@kaigai.gr.jp\0" - "From\0Andy Warner <warner@rubix.com>\0" - "Subject\0Re: [RFC] Security policy reworks for SE-PostgreSQL\0" + "From\0warner@rubix.com (Andy Warner)\0" + "Subject\0[refpolicy] [RFC] Security policy reworks for SE-PostgreSQL\0" "Date\0Tue, 31 Mar 2009 17:11:04 +0200\0" - "To\0KaiGai Kohei <kaigai@kaigai.gr.jp>\0" - "Cc\0KaiGai Kohei <kaigai@ak.jp.nec.com>" - cpebenito@tresys.com - method@manicmethod.com - selinux@tycho.nsa.gov - " refpolicy@oss.tresys.com\0" - "\01:1\0" + "To\0refpolicy@oss.tresys.com\0" + "\00:1\0" "b\0" "\n" "\n" 
@@ -86,109 +81,9 @@ "> to the RUBIX's design.\n" "> \n" "> Thanks,\n" - > - "\01:2\0" - "b\0" - "<!DOCTYPE html PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n" - "<html>\n" - "<head>\n" - " <meta content=\"text/html;charset=ISO-2022-JP\"\n" - " http-equiv=\"Content-Type\">\n" - "</head>\n" - "<body bgcolor=\"#ffffff\" text=\"#000000\">\n" - "<br>\n" - "<br>\n" - "KaiGai Kohei wrote:\n" - "<blockquote cite=\"mid:49D21FD5.7020600@kaigai.gr.jp\" type=\"cite\">\n" - " <pre wrap=\"\">Andy Warner wrote:\n" - " </pre>\n" - " <blockquote type=\"cite\">\n" - " <pre wrap=\"\">looks good to me.\n" - "\n" - "One minor comment. For the superuser permission, this may be common use \n" - "of DBMS's but I believe is not a standard SQL feature. RUBIX has no such \n" - "concept, so we would generally ignore that permission. Also, it is \n" - "unclear to me what abilities the superuser should have (in the general \n" - "sense, not necessarily within sepostgresql).\n" - " </pre>\n" - " </blockquote>\n" - " <pre wrap=\"\"><!---->\n" - "It is a request from the pgsql-hackers.\n" - "\n" - "In addition, the permission is well symmetrical with root capability\n" - "on operating system.\n" - "In PostgreSQL, database users with superuser privilege are allowed\n" - "various kind of operating, such as ignoring DAC policy, ignoring\n" - "ownership of database objects, installing shared libraries and so on.\n" - "The db_database:{superuser} enables to control these capabilities.\n" - "\n" - " </pre>\n" - "</blockquote>\n" - "Sounds like our DBA role. Basically, its just a different name. I agree\n" - "that the superuser is a common concept in OS's, but note that its use\n" - "is often discouraged. I'm note sure introducing it for databases is a\n" - "great idea. 
But, as I said before, we would just ignore it as\n" - "primarily its there to satisfy postgresql.<br>\n" - "<blockquote cite=\"mid:49D21FD5.7020600@kaigai.gr.jp\" type=\"cite\">\n" - " <pre wrap=\"\"></pre>\n" - " <blockquote type=\"cite\">\n" - " <pre wrap=\"\">Is this just a permission \n" - "to override SQL DAC, or does it also give administrative abilities like \n" - "setting audit configurations, or \"all the above.\" I think you said \n" - "before that it would not allow MAC override, correct?\n" - " </pre>\n" - " </blockquote>\n" - " <pre wrap=\"\"><!---->\n" - "SELinux does not allow anyone to override MAC.\n" - "The unconfined domain is allowed anything in the result of access controls.\n" - " </pre>\n" - "</blockquote>\n" - "I am referring to things like:<br>\n" - "<br>\n" - "mlsconstrain { db_tuple } { use select }<br>\n" - " (( l1 dom l2 ) or<br>\n" - " (( t1 == mlsdbreadtoclr ) and ( h1 dom l2 )) or<br>\n" - " ( t1 == mlsdbread ) or<br>\n" - " ( t2 == mlstrustedobject ));<br>\n" - "<br>\n" - "where t1 == mlsdbread seems to imply an object is trusted to read\n" - "strictly dominating objects. Unless I am missing the meaning here, I\n" - "would call this a MAC override. I realize there is no concept of a TE\n" - "override, but MLS is part of MAC, no? And, this violates B&L rules.\n" - "This is something we would control with a Security Administrator\n" - "\"role\". Or, is this mlsdbread something that is impossible to give to a\n" - "domain in a DBMS policy?<br>\n" - "<blockquote cite=\"mid:49D21FD5.7020600@kaigai.gr.jp\" type=\"cite\">\n" - " <pre wrap=\"\">\n" - " </pre>\n" - " <blockquote type=\"cite\">\n" - " <pre wrap=\"\">RUBIX currently has four privileged \"roles\":\n" - "Database Administrator: DAC override\n" - "Security Administrator: MAC override, to some degree. 
With SELinux much \n" - "of this can be done with discrete rules.\n" - "Audit Administrator: administer audit trail and criteria\n" - "Database Operator: do the normal day-today administrative DBMS tasks, \n" - "like backup.\n" - "\n" - "I am curious, if the intended use of the db_database superuser \n" - "permission would be an encapsulation of our all of our roles, excluding \n" - "the Security Administrator.\n" - " </pre>\n" - " </blockquote>\n" - " <pre wrap=\"\"><!---->\n" - "My preference is to adopt common design *as far as possible*.\n" - "If you need finer-grained privileges, please propose it as a characteristic\n" - "part for Trusted RUBIX, as if we did on db_catalog class.\n" - "Anyway, I cannot believe the pgsql-hackers accepts its design changes due\n" - "to the RUBIX's design.\n" - " </pre>\n" - "</blockquote>\n" - "<blockquote cite=\"mid:49D21FD5.7020600@kaigai.gr.jp\" type=\"cite\">\n" - " <pre wrap=\"\">\n" - "Thanks,\n" - " </pre>\n" - "</blockquote>\n" - "</body>\n" - "</html>\n" + "> \n" + "-------------- next part --------------\n" + "An HTML attachment was scrubbed...\n" + URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20090331/25855cfc/attachment.html -be89453930bfe98821e7f9099113c23257e7793aa0a1cac90a50690b131abe0f +8f503375e3b0d2401fbb388b44887218147d288c371feec356e07603486e25c6
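Review bot: the `a/2.bin` deletion hunk removes an HTML part whose text is a verbatim copy of the plain-text part kept in `1.txt` (the quoted KaiGai/Warner exchange, the `mlsconstrain { db_tuple } { use select }` block and the four RUBIX role descriptions all appear identically in both), so no message content is lost by dropping it; the one thing worth flagging is that the replacement lines added to `1.txt` ("An HTML attachment was scrubbed..." plus the `http://oss.tresys.com/pipermail/...attachment.html` URL) make the retained copy point at an external host over plain http for a part the index itself no longer carries. The deleted `a/2.hdr` also declared `charset=ISO-2022-JP` for a body that is plain ASCII, which is moot once the part is gone but explains why the two variants hashed differently.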
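Review bot: the `content_digest` hunk silently drops the original recipient headers when it picks the N1 variant: the `To\0KaiGai Kohei <kaigai@kaigai.gr.jp>\0` line and the whole `Cc` list (kaigai@ak.jp.nec.com, cpebenito@tresys.com, method@manicmethod.com, selinux@tycho.nsa.gov, refpolicy@oss.tresys.com) are replaced by a single `To\0refpolicy@oss.tresys.com\0`, and `From` is rewritten to the pipermail form `warner@rubix.com (Andy Warner)` with a `[refpolicy]` subject prefix. If this de-duplication keeps N1 as the canonical copy, the cross-post to the selinux list is no longer recoverable from the index; consider keeping the `a/` variant as canonical, or at least preserving the Cc line, since the `\01:1\0` to `\00:1\0` part-count change shows the digest already differs for a reason unrelated to headers.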