PGCon2008 - Final - we hope

PGCon 2008
The PostgreSQL Conference

KaiGai Kohei
Day Talks - second day (2008-05-23)
Room G
Start time 11:30
Duration 01:00
ID 77
Event type lecture
Track DBA
Language en

Security-Enhanced PostgreSQL

"System-wide consistency" in access control

SE-PostgreSQL is a security extension built into PostgreSQL that collaborates with SELinux. Its purpose is to achieve "system-wide consistency" in access control by applying fine-grained mandatory access control to database objects such as tables, columns and tuples. This lets a database management system be deployed within an information flow control scheme integrated with the operating system, and helps protect information assets from threats such as leakage, falsification and destruction.

This talk introduces the background, features and implementations of Security-Enhanced PostgreSQL (SE-PostgreSQL).

PostgreSQL's GRANT system offers extensive, flexible access control.
However, it can be difficult to integrate it with a uniform, centralized security policy for a secure operating environment. Even if the initial permissions on database objects are made consistent with the host system's security policy, keeping them consistent across policy changes through manual updates by the DBA is error-prone. The situation becomes even more untenable if the DBA has restricted privileges.

Government security agencies are demanding a way to enforce uniform, top-down security policies across all of their information systems, including (and especially) databases. SE-PostgreSQL does this for PostgreSQL, allowing our database to be used for their purpose.

SE-PostgreSQL is a security extension built into PostgreSQL. It works in collaboration with the operating system (SELinux) and provides fine-grained mandatory access control. When a database client sends SQL queries, SE-PostgreSQL checks them and decides, by referring to SELinux's security policy, whether they may be executed. This check cannot be bypassed by any client, including privileged ones (a database superuser gets no exemption), and is applied at column and tuple level as well as at table level.

SELinux applies its security policy to every system call invocation. The key concept of SE-PostgreSQL is to apply a single, unified security policy to both the OS and the RDBMS, so that access decisions are the same and consistent regardless of the medium on which an information asset is stored, whether a file or a tuple. We call this feature "system-wide consistency" in access control. It is one component of an information flow control scheme, typically required in environments demanding extreme robustness.
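The two paragraphs above describe the model: DAC (GRANT) is checked as usual, then every tuple is checked against the same policy the kernel uses for files, and a superuser is not exempt. The following is an added illustration written for this page, not code from SE-PostgreSQL or SELinux. The in-memory POLICY table, the "staff_t"/"analyst_t"/"secret_t" labels, the per-row security_context field and the function names are hypothetical stand-ins; the real implementation asks the kernel's compiled policy through libselinux and labels tuples in the database itself.

```python
"""Toy reference monitor showing one policy for OS files and database tuples.
Added example only: not SE-PostgreSQL or SELinux code.  POLICY, the labels
and the helper names are hypothetical stand-ins for SELinux's compiled policy."""
from dataclasses import dataclass, field

# One allow list shared by the "kernel" and the "database".  Key: (subject
# domain, object type, object class); value: permitted actions.  Anything
# absent is denied, mirroring SELinux's default-deny semantics.
POLICY = {
    ("staff_t",   "public_t", "file"):  {"read", "write"},
    ("staff_t",   "public_t", "tuple"): {"select", "update"},
    ("analyst_t", "public_t", "file"):  {"read"},
    ("analyst_t", "public_t", "tuple"): {"select"},
    ("analyst_t", "secret_t", "file"):  {"read"},
    ("analyst_t", "secret_t", "tuple"): {"select"},
}

def mac_allowed(domain, obj_type, obj_class, action):
    """The single policy decision point.  Note that superuser status is not
    an input: there is no way to be exempted from a mandatory check."""
    return action in POLICY.get((domain, obj_type, obj_class), set())

@dataclass
class Row:
    security_context: str   # hypothetical per-tuple label, e.g. "secret_t"
    data: dict

@dataclass
class Table:
    owner: str
    rows: list
    grants: dict = field(default_factory=dict)  # DAC: user -> {"SELECT", ...}

@dataclass
class Session:
    user: str
    domain: str             # SELinux domain of the connecting client process
    superuser: bool = False

def dac_allowed(session, table, priv):
    """PostgreSQL-style discretionary check: owner and superuser bypass GRANTs."""
    if session.superuser or session.user == table.owner:
        return True
    return priv in table.grants.get(session.user, set())

def select_rows(session, table):
    """SELECT as described in the talk: DAC first, then MAC on every tuple.
    Tuples the client's domain may not read are filtered out, not errored."""
    if not dac_allowed(session, table, "SELECT"):
        raise PermissionError(f"{session.user}: no SELECT grant")
    return [r.data for r in table.rows
            if mac_allowed(session.domain, r.security_context, "tuple", "select")]

# Constructed sample data: the same information kept as a file and as a tuple.
FILES = {"/srv/secret.txt": ("secret_t", "launch codes"),
         "/srv/public.txt": ("public_t", "cafeteria menu")}

def read_file(session, path):
    """The OS side of the same policy; the kernel would make this check in open()."""
    label, content = FILES[path]
    if not mac_allowed(session.domain, label, "file", "read"):
        raise PermissionError(f"{session.domain}: no read on {label}")
    return content

ACCOUNTS = Table(owner="dba", rows=[
    Row("public_t", {"id": 1, "note": "cafeteria menu"}),
    Row("secret_t", {"id": 2, "note": "launch codes"}),
], grants={"alice": {"SELECT"}, "bob": {"SELECT"}})

def visible_ids(session):
    """IDs the session can see in ACCOUNTS after both DAC and MAC checks."""
    return [r["id"] for r in select_rows(session, ACCOUNTS)]

def can_read(session, path):
    """True if the same domain may read the file carrying the same label."""
    try:
        read_file(session, path)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    alice = Session("alice", "staff_t")              # ordinary user
    bob = Session("bob", "analyst_t")                # cleared for secret_t
    dba = Session("dba", "staff_t", superuser=True)  # privileged, same domain as alice
    for s in (alice, bob, dba):
        print(s.user, visible_ids(s), can_read(s, "/srv/secret.txt"))
```

The point the example makes is in the last two columns printed: alice and the superuser dba share the domain staff_t and get exactly the same answer for the secret tuple and for the secret file, while bob, in analyst_t, gets both. Changing the one POLICY entry for ("staff_t", "secret_t", ...) changes the file and the tuple decision together, which is the "system-wide consistency" the talk is about; nothing has to be re-granted in the database. The real system obtains the client's domain from the connection (SELinux exposes the peer's context on a local socket) rather than from a field the client fills in, which is what keeps the check unavoidable.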