Security-Enhanced PostgreSQL

This talk introduces the background, features and implementations of Security-Enhanced PostgreSQL (SE-PostgreSQL).

PostgreSQL's GRANT system offers extensive flexible access control.
However, it can be difficult to integrate this with a uniform, centralized security policy for a secure operating environment. Even if initial permissions on database objects are made consistent with the host system's security policy, maintaining consistency despite policy changes through manual updates by the DBA is prone to numerous failures. The situation becomes even more untenable if the DBA has restricted privileges.

Government security agencies are demanding a way to enforce uniform, top-down security policies across all of their information systems, including (and especially) databases. SE-PostgreSQL does this for PostgreSQL, allowing our database to be used for their purpose.

SE-PostgreSQL is a security extension built-in PostgreSQL. It works collaboraing with operating system (SELinux), and enables to provide fine-grained mandatory access control. When a database client send SQL queries, SE-PostgreSQL checks them and makes its decision refering the SELinux's security policy about whether these queries should be executed, or not. This check is never avoidable for any client including privileged one, and is also applied at column/tuple level.

SELinux applies its security policy to check any system call invocation. The key concept of SE-PostgreSQL is applying a single unified security policy for both OS and RDBMS. It will make same and consistent results, even if our information assets stored in different medias. We call the feature as "system-wide consistency" in access control. This feature is a piece of information flow control scheme, typically required by extreme robustness environment.