Linux Today: Linux News On Internet Time.


SELinux and PostgreSQL: a worthwhile union?

Dec 18, 2009, 13:32
(Other stories by Jonathan Corbet)



"The SE-PgSQL patch has struggled to get into the PostgreSQL mainline; it is now preparing for what may well be its last push to be merged. Whether it's successful may, in the end, depend on whether it receives support from potential users.

"SELinux works by attaching labels to objects and roles to actors, then enforcing rules describing what sort of access to objects with specific labels is allowed to specific roles. It is a highly flexible system, but also highly complex; even a minimal SELinux policy can involve thousands of rules. The complexity of SELinux has almost certainly inhibited its adoption in the broader Linux community; when SELinux gets in the way of real work, figuring out how to fix it can be a nontrivial task. Over the years, many administrators have concluded, like Ted Ts'o, that 'life is too short for SELinux.'

"That said, Fedora and Red Hat have slowly made progress in using SELinux to confine parts of the system without creating too much user pain. And there is certainly a place for more comprehensive security models in general. But once one starts protecting data at the filesystem level, it makes sense to ask whether data which is accessed through higher-level mechanisms - a relational database manager, say - should also be subject to the system's security policies. In an ideal world, the same security policy would be operative at all levels."
