PGCon2011 - Final (2011.06.11)

PGCon 2011
The PostgreSQL Conference

KaiGai Kohei
Day Talks - 2 - 2011-05-20
Room DMS 1120
Start time 10:00
Duration 01:00
ID 344
Event type Lecture
Track 9.1 Features
Language used for presentation English

Label Based Mandatory Access Control on PostgreSQL

PostgreSQL v9.1 will be released with a long-awaited feature that makes it possible to apply label based mandatory access control. It was primarily developed to integrate the security model of SELinux; however, community efforts evolved it into a more generic design. We can now apply an additional security mechanism, from a different perspective, alongside the default database privileges. This session offers a brief overview of this model, an introduction to what's new in v9.1, and the limitations to be overcome in future releases.

This session will consist of three parts.

The first part is a brief overview of label based mandatory access control, using SELinux as an example. Key concepts are the reference monitor model and the criteria for making access control decisions consistently across heterogeneous object managers, such as the filesystem and the RDBMS.

The second part is what's new in v9.1. This version newly provides basic facilities to manage security labels and security hooks on object accesses. They enable an external security provider, such as SELinux support, to be implemented as a plug-in module.
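To make the v9.1 facilities concrete, here is an added SQL example (not part of the talk) that labels a table and a sensitive column through the selinux provider and then reads the labels back from the catalog. It assumes the sepgsql module is loaded as the label provider on an SELinux-enabled host; the table and column names are constructed for illustration.

```sql
-- Added example (not from the talk): assigning and inspecting security labels
-- with the v9.1 SECURITY LABEL command. Assumes the sepgsql provider is loaded
-- (shared_preload_libraries = 'sepgsql') on an SELinux-enabled host; table and
-- column names are constructed for illustration.
CREATE TABLE customer (
    id      serial PRIMARY KEY,
    name    text,
    credit  text
);

-- Label the table with the default sepgsql table type, and the sensitive column
-- with a distinct type that the SELinux policy can treat more restrictively.
-- The database privileges (GRANT/REVOKE) still apply; the label check is an
-- additional, policy-driven decision made by the external provider.
SECURITY LABEL FOR selinux ON TABLE customer
    IS 'system_u:object_r:sepgsql_table_t:s0';
SECURITY LABEL FOR selinux ON COLUMN customer.credit
    IS 'system_u:object_r:sepgsql_secret_table_t:s0';

-- Labels are stored per provider in pg_seclabel; the pg_seclabels view
-- resolves object names so an auditor can review what has been labelled.
SELECT objtype, objname, provider, label
  FROM pg_seclabels
 WHERE objname LIKE '%customer%'
 ORDER BY objtype, objname;
```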

The last part covers limitations of the current version and future work. We are still mid-way towards the fully expected functionality, so several limitations remain. We will also introduce our roadmap and the elemental technologies necessary to overcome them.