SE-PostgreSQL 8.2.3-1.0 alpha was released as follows. The purpose of this version is to get any feedback from the open source community like requirements, your opinion, bug reports and so on. The developer welcomes anything to improve.
====================================================================== Security Enhanced PostgreSQL 8.2.3-1.0 alpha release ====================================================================== Security Enhanced PostgreSQL (SE-PostgreSQL) is an extension of PostgreSQL, provides fine grained mandatory access control based on the interaction with SELinux and its security policy. Those facilities of SE-PostgreSQL enables to build RDBMS into information flow control scheme integrated with operating system, and protects your information asset from threats like leaking, defacing and so on. * Fine grained access control SE-PostgreSQL enables access control onto row and column level. The native PostgreSQL access control list does not provide any access control onto database objects less than table, so SE-PostgreSQL enables DBA to setup finer-grained and flexible access control. * Mandatory access control An access control mechanism provided by SE-PostgreSQL is applied to any SQL queries including the ones come from privileged database users. So, SE-PostgreSQL works as a userspace reference monitor. * Interaction between SELinux and SE-PostgreSQL An access control mechanism provided by SE-PostgreSQL makes its decision based on the security policy of SELinux. The database client's authority is determined by the security context of the peer process. (*) The purpose of this version of SE-PostgreSQL is to get any feedback from the open source community like requirements and bug-reports. Thus, you should pay attention about what we have not verified enough quality of the code yet. (*) The development of this software is under the assist of Exploratory Software Project (second half of 2006), IPA Japan. ====================================================================== [Installation] You can set up SE-PostgreSQL on Fedora Core 6 system, SELinux installed. Get RPM packages from the following URL: http://code.google.com/p/sepgsql/downloads/list selinux-policy-2.4.6-40.sepgsql.noarch.rpm selinux-policy-targeted-2.4.6-40.sepgsql.noarch.rpm sepostgresql-8.2.3-0.206a.i386.rpm Install the selinux-policy and the selinux-policy-targeted package at first, and the sepostgresql package next. The default security policy of SE-PostgreSQL is also installed when the sepostgresql package is installed. (*) If you use 'psql' as a front-end, postgresql and postgresql-libs packages are necessary. Run the following script to initialize the database cluster: # /etc/init.d/sepostgresql initdb The database cluster is generated under /var/lib/sepgsql/data . Run the following script to start up SE-PostgreSQL server, after you confirm the native PostgreSQL server is stopping. # /etc/init.d/sepostgresql start The database cluster is initialized by 'sepgsql' user. You can translate 'sepgsql' user via 'su' command to create database, database role and so on. [example] # su - sepgsql $ createuser kaigai Shall the new role be a superuser? (y/n) y CREATE ROLE $ createdb kaigaidb CREATE DATABASE $ ====================================================================== [A sample database for playing] CREATE TABLE drink ( did integer primary key, dname text, dprice integer, dsoft bool, dstock integer ); ALTER TABLE drink ALTER dstock context = 'user_u:object_r:sepgsql_secret_table_t'; INSERT INTO drink VALUES (1, 'juice', 110, true, 35); INSERT INTO drink VALUES (2, 'coke', 110, true, 20); INSERT INTO drink VALUES (3, 'milk', 130, true, 5); INSERT INTO drink VALUES (4, 'water', 100, true, 10); INSERT INTO drink VALUES (5, 'beer', 240, false, 15); INSERT INTO drink VALUES (6, 'wine', 380, false, 0); UPDATE drink SET security_context = 'user_u:object_r:sepgsql_table_t:SystemHigh' where dsoft = false; create or replace function drink_stock_exist (integer) returns bool language 'sql' as 'select dstock > 0 from drink where did = $1'; ALTER FUNCTION drink_stock_exist(integer) context = 'user_u:object_r:sepgsql_trusted_proc_t'; ====================================================================== [A example of SQL execution] $ id -Z root:system_r:unconfined_t:SystemLow-SystemHigh $ psql -q kaigai=# select sepgsql_getcon(); sepgsql_getcon ------------------------------------------------- root:system_r:unconfined_t:SystemLow-SystemHigh (1 row) kaigai=# select * from drink; did | dname | dprice | dsoft | dstock -----+-------+--------+-------+-------- 1 | juice | 110 | t | 35 2 | coke | 110 | t | 20 3 | milk | 130 | t | 5 4 | water | 100 | t | 10 5 | beer | 240 | f | 15 6 | wine | 380 | f | 0 (6 rows) ## The security context of each tuples are stored in 'security_context' ## system column. kaigai=# select security_context,* from drink; security_context | did | dname | dprice | dsoft | dstock ---------------------------------+-----+-------+--------+-------+-------- user_u:object_r:sepgsql_table_t | 1 | juice | 110 | t | 35 user_u:object_r:sepgsql_table_t | 2 | coke | 110 | t | 20 user_u:object_r:sepgsql_table_t | 3 | milk | 130 | t | 5 user_u:object_r:sepgsql_table_t | 4 | water | 100 | t | 10 user_u:object_r:sepgsql_table_t | 5 | beer | 240 | f | 15 user_u:object_r:sepgsql_table_t | 6 | wine | 380 | f | 0 (6 rows) kaigai=# ## A example of execution under lower authority: ## The two tuples which have 'SystemHigh' were filtered. $ runcon -l s0 -- bash $ id -Z root:system_r:unconfined_t $ psql -q kaigai=# select sepgsql_getcon(); sepgsql_getcon ---------------------------- root:system_r:unconfined_t (1 row) kaigai=# select * from drink; NOTICE: SELinux: denied { select } scontext=root:system_r:unconfined_t tcontext=user_u:object_r:sepgsql_table_t:SystemHigh tclass=tuple NOTICE: SELinux: denied { select } scontext=root:system_r:unconfined_t tcontext=user_u:object_r:sepgsql_table_t:SystemHigh tclass=tuple did | dname | dprice | dsoft | dstock -----+-------+--------+-------+-------- 1 | juice | 110 | t | 35 2 | coke | 110 | t | 20 3 | milk | 130 | t | 5 4 | water | 100 | t | 10 (4 rows) kaigai=# $ exit ## We tried to connect from a domain which cannot access 'sepgsql_secret_table_t' $ runcon -t initrc_t -- bash $ id -Z root:system_r:initrc_t:SystemLow-SystemHigh $ psql -q kaigai=# select * from drink; ERROR: SELinux: denied { select } scontext=root:system_r:initrc_t:SystemLow-SystemHigh tcontext=user_u:object_r:sepgsql_secret_table_t tclass=column name=dstock ## The client in initrc_t domain cannot access dstock column which has ## sepgsql_table_t type, but we cann access the column via trusted ## procedure only. kaigai=# select did, dname, dprice, drink_stock_exist(did) from drink; did | dname | dprice | drink_stock_exist -----+-------+--------+------------------- 1 | juice | 110 | t 2 | coke | 110 | t 3 | milk | 130 | t 4 | water | 100 | t 5 | beer | 240 | t 6 | wine | 380 | f (6 rows) kaigai=# ====================================================================== [Hint] * There is no compatibility between SE-PostgreSQL and PostgreSQL. You have to pay attention not to destroy your database files for native PostgreSQL. * You can enable/disable access allowed/denied messages by using boolean stuff of SELinux. Set the following booleans by setsebool command. sepgsql_enable_auditallow sepgsql_enable_auditdeny sepgsql_enable_audittuple * initrc_t is defined as a less power domain for test purpose. We cannot use DDL statement from initrc_t domain, and cannot access tables, columns and tuples with sepgsql_secret_table_t type. * The security policy for SE-PostgreSQL under the strict policy is now under development. You have to switch to the targeted policy, if you try to use this version. -- KaiGai Kohei <[EMAIL PROTECTED]> ---------------------------(end of broadcast)--------------------------- TIP 9: In versions below 8.0, the planner will ignore your desire to choose an index scan if your joining column's datatypes do not match