SE-PostgreSQL uses SELinux for database security

Security Enhanced Linux (SELinux) adds layers of security on top of the traditional discretionary access control (DAC) offered by UNIX-like systems to provide more fine-grained control over the operating system objects and data. The Security Enhanced PostgreSQL (SE-PostgreSQL) project seeks to provide the same kinds of fine-grained access controls to the PostgreSQL database engine, integrating those policies with SELinux. SE-PostgreSQL has just released its 1.0 beta and is encouraging users to report any bugs before the final 1.0 release.

Traditionally, database systems use a permissions model that is similar to, but separate from, the underlying operating system permissions. Users are created within the database and granted access to various database capabilities, some of which they can pass on to others (which is a feature of DAC). In addition, database management systems (DBMS) have a privileged user that bypasses all of the permissions checks. For a system running SELinux, this situation is less than desirable, as most, if not all, of the carefully crafted policies, for restricting data access, are ignored by the DBMS. SE-PostgreSQL works with SELinux to apply its policies on top of the DBMS permissions, allowing the administrator the fine-grained access control, afforded by SELinux, within PostgreSQL.

SELinux relies upon "security contexts", which are attached to each object in the operating system: files, directories, sockets, processes, users, etc. These contexts are permanently attached to the various objects and the SELinux policies then dictate how the contexts interact and what kind of operations are allowed to be performed. More information about SELinux and its enforcement mechanisms can be found on the project's webpage as well as in this introductory LWN article.

In a standard PostgreSQL installation, a Linux user can present the credentials (username and password) of any database user and perform the database operations allowed for that user. Using SE-PostgreSQL, SELinux security contexts are associated with each table, row and column of the database. The SELinux policy arbitrator in the kernel is consulted for each database operation and they are either allowed or denied based on the combination of the user context and the database object context. The PostgreSQL user must still have the ability to perform the requested action as the PostgreSQL permissions are checked before the SELinux policies are even consulted. This two-tiered permissions system is probably unnecessary, so SE-PostgreSQL could completely replace the database permissions in secure installations.

Because security contexts are attached to objects in the operating system, SE-PostgreSQL can alleviate a common problem with data migrating from the filesystem into the database. If filesystem data that requires an elevated level of security is inserted into a database table, that row will inherit the security context of the data. This will prevent users or processes with lower access capabilities from accessing it. Also, depending on the security context of the user querying the database, certain columns or rows may not be available and SE-PostgreSQL intercepts the queries and results, filtering them appropriately. Users will be able to see the query results they are allowed to access and no others.

Another related project is PostgreSQL Access Control Extension (PGACE), which provides an interface for PostgreSQL to use the facilities of a secure operating system. This allows SE-PostgreSQL to use the SELinux facilities, but will also allow PostgreSQL to use the Trusted Solaris or other security-oriented operating system facilities. It is meant to provide a common framework of hooks that PostgreSQL can call to determine whether to permit or deny access. It is similar in spirit to the Linux Security Modules (LSM) interface which allows different security implementations to be used by the kernel.

The development of SE-PostgreSQL was supported by the Exploratory Software Project of Japan's Information-Technology Promotion Agency. This project is aimed at funding young developers with new ideas and SE-PostgreSQL would certainly qualify. For security conscious companies using SELinux and PostgreSQL, a look at this project should be high on the list.