SELinux and PostgreSQL: a worthwhile union? [LWN.net]

By Jonathan Corbet
December 4, 2009

When your editor was in Tokyo recently, he had the privilege to talk with KaiGai Kohei at some length about the SE-PgSQL patch set. This work, developed by KaiGai for the last two years or so, integrates SELinux with the PostgreSQL database manager, enabling fine-grained control over access to data stored within a database. The SE-PgSQL patch has struggled to get into the PostgreSQL mainline; it is now preparing for what may well be its last push to be merged. Whether it's successful may, in the end, depend on whether it receives support from potential users.

SELinux works by attaching labels to objects and roles to actors, then enforcing rules describing what sort of access to objects with specific labels is allowed to specific roles. It is a highly flexible system, but also highly complex; even a minimal SELinux policy can involve thousands of rules. The complexity of SELinux has almost certainly inhibited its adoption in the broader Linux community; when SELinux gets in the way of real work, figuring out how to fix it can be a nontrivial task. Over the years, many administrators have concluded, like Ted Ts'o, that "life is too short for SELinux."

That said, Fedora and Red Hat have slowly made progress in using SELinux to confine parts of the system without creating too much user pain. And there is certainly a place for more comprehensive security models in general. But once one starts protecting data at the filesystem level, it makes sense to ask whether data which is accessed through higher-level mechanisms - a relational database manager, say - should also be subject to the system's security policies. In an ideal world, the same security policy would be operative at all levels.

That is the idea behind SE-PgSQL. With this patch, a database administrator can assign labels to databases, schemas, rows, and columns, then write access control rules for them. These are SELinux rules, which are evaluated by SELinux and enforced by PostgreSQL. So access to objects within the database can be governed by the same policy as access to objects elsewhere in the system. On the surface, it is an elegant concept. It is also a concept that NEC (KaiGai's employer) sees as an important component of its future offerings based around cloud computing. For this reason, NEC has funded this work for the last couple of years.

The world is full of free software projects which are starved for developers and which would be overjoyed to accept a feature contribution at this level. The PostgreSQL hackers are somewhat more finicky, though. As is the case with a number of longstanding, successful projects, PostgreSQL developers understand that they will be maintaining any code they accept for many years, and that they cannot afford to accept code which might compromise the project's reputation for stability. So they have been balking at merging SE-PgSQL.

There would appear to be two specific objections getting in the way of this patch: (1) it's big, complicated, and hard to understand, and (2) it's not clear that the benefit of merging this functionality will be worth the costs.

To address the first qualm, KaiGai has worked to minimize the patch to the greatest extent possible, stripping out much of the functionality in the process. Among other things, the latest version of the code does not support row-level labeling. He has also written some extensive documentation which should be required reading for anybody wanting to understand how this patch should work. The end result is a patch which still weighs in at 13,000 lines - but the bulk of it is documentation and regression tests.

PostgreSQL hacker Bruce Momjian was pleased with the reduced patch, saying that is "exactly what I was hoping to see." He also noted, though:

So, one big problem is that no one has agreed to review it, partly or probably because few developers understand the SE-Linux API, and many people who have used SE-Linux have been confused by it.

He expressed willingness to do the review, but requested help from developers who understand SELinux better. KaiGai has offered to try to round up such a developer, so, with luck, this particular obstacle can be overcome.

That leaves the cost/benefit question. The strongest critic of this patch is almost certainly Tom Lane, who said:

Even if we were to accept the SEPostgres patches lock stock and barrel tomorrow, I don't foresee that it will ever get to the point of being useful except to an extremely small group of users who are driven by extreme need. Nobody else is going to have the motivation needed to develop custom security policies, and there simply isn't any chance of anyone developing any generally useful default policy.

On the other hand, Josh Berkus noted that he has seen interest in the feature:

PostgreSQL is the most security-conscious of the OSS databases, and is widely used by certain groups (security software, military, credit card processing) precisely because of this reputation. These folks, while unlikely to speak up on -hackers, are interested in new/further security features; when I was at the Pentagon 2 years ago several people there from HS were quite interested in SE-Postgres specifically. Further, I've been mentioning SE-Postgres in my "DB security talk" for the last 18 months and I *always* get a question about it.

This unwillingness to speak up on the part of potential users could well doom this patch. The code probably cannot be minimized much further without becoming pointless, and even a contributor as persistent and patient as KaiGai can only get discouraged eventually. It would not be surprising if this PostgreSQL development cycle were the last go-round for SE-PgSQL if it is not accepted.

Part of participating in a free software community is contributing code. But another important part is providing feedback to the developers. Otherwise, they are unlikely to know which development directions make sense for many of their users, and they might just turn down patches which their users would rather see incorporated. Companies are often reluctant to talk about their security needs and plans. But, for potential SE-PgSQL users, that kind of silence at this time could be counterproductive. If nobody shows up to express a need for SELinux integration into PostgreSQL, the developers might conclude that there is no interest in this feature and act accordingly.

(Log in to post comments)

SELinux and PostgreSQL: a worthwhile union?

Posted Dec 4, 2009 22:32 UTC (Fri) by dpquigl (subscriber, #52852) [Link]

There currently is at least one more example of this. The base concept is called a user-space object manager. The idea is that an application may have objects that exist outside the OS model that it wants to mediate access over. For instance an application may store its information in one file which the OS can label however that file is composed of a bunch of application specific objects. I'm sure KaiGai has a much better description than I can hope to give in his documentation.

In addition to SE-Postgres work has been done in the X server to provide a framework similar to the LSM framework called XACE (X Access Control Extensions). Just like the LSM framework you can create modules for XACE and one for SELinux has been developed. So the X server is acting as the enforcement mechanism and it queries the kernel security server to ask about access decisions just like SE-Postgres does.

SELinux and PostgreSQL: a worthwhile union?

Posted Dec 7, 2009 2:35 UTC (Mon) by kaigai (subscriber, #12001) [Link]

More generally, Linux kernel also has similar design.

It manages system resources such as files and networks.
When a user tries to access these resources, he has to invoke system calls.
The kernel has routines to handle system calls, and these routines
voluntarily
invoke SELinux code (via LSM) whether the requires access should be allowed,
or not.

SELinux makes its access control decision, and return it into the caller,
then the caller performs according to the decision.
On the model, we call it "security server" which can provide access control
decision independent from the class of subsystems.

SELinux and PostgreSQL: a worthwhile union?

Posted Dec 10, 2009 10:29 UTC (Thu) by michaeljt (subscriber, #39183) [Link]

And here I take it that the database is the equivalent of the filesystem, with the SELinux labels stored inside it associated with the parts of the database they relate to?

Why?

Posted Dec 5, 2009 1:33 UTC (Sat) by gbutler69 (guest, #54063) [Link]

Why do you think a shim is better? Why don't you think database roles, schema, table, column,
and row permissions/restrictions are good/better?

Why?

Posted Dec 5, 2009 4:07 UTC (Sat) by cetialphav (subscriber, #22533) [Link]

Indeed, it isn't obvious to me that shims are a better solution as there are some serious downsides. A shim is much less flexible and may need to be changed (and have its security audited) every time the application needs to change how it accesses the database. It also becomes an attack vector. If an application can coopt the shim, then it has full access to the database.

I can see where there could be some interesting usage for the integration of databases and SELinux. Many organizations have a centralized database storing everything, yet few departments actually should be able to see the whole thing. I am thinking of something like a medical institution where the people doing the billing need to know what I owe, but don't need my medical history. Of course, databases already offer ways to limit what certain users see, but security people don't have a centralized way to set these policies.

This kind of integration is one step towards giving administrators one centralized place to set the security policy and I think that offers a lot of benefits. The difficulty of writing these policies in SELinux is an issue, but I can see where companies like IBM would be happy to offer this as a consulting service.

Why?

Posted Dec 10, 2009 14:00 UTC (Thu) by Baylink (subscriber, #755) [Link]

> A shim is much less flexible and may need to be changed (and have its security audited) every time the application needs to change how it accesses the database.

Correct.

But that's not a bug, it's a feature!<tm>

A shim can be expected, generally, to be *much* smaller than the code on either side of it -- by 2 or 3 orders of magnitude if not more, unless someone's done something horribly wrong -- and should therefore be *much* easier to prove correct.

Why?

Posted Dec 5, 2009 4:26 UTC (Sat) by SEJeff (subscriber, #51588) [Link]

Search for the arguments on Discretionary Access Control (DAC) vs Mandatory Access Control (MAC).

Why?

Posted Dec 6, 2009 2:00 UTC (Sun) by flewellyn (subscriber, #5047) [Link]

PostgreSQL's role-based access controls do not neatly fall into either category.

SELinux and PostgreSQL: a worthwhile union?

Posted Dec 6, 2009 1:42 UTC (Sun) by dfetter (guest, #40012) [Link]

I only see a benefit in the proprietary forks. The checkboxers can always find (or create) a checkbox that the community version doesn't have, and trying to dance their dance for its own sake is fruitless.

SELinux and PostgreSQL: a worthwhile union?

Posted Dec 6, 2009 17:32 UTC (Sun) by Los__D (guest, #15263) [Link]

Since SE-PgSQL only uses SELinux as a rights database, I think the idea is to reduce the amount of security interfaces admins has to work with, not to remove attack vectors.

SELinux and PostgreSQL: a worthwhile union?

Posted Dec 7, 2009 2:22 UTC (Mon) by kaigai (subscriber, #12001) [Link]

> Can anyone give an example of some kind of malicious access that this
> could prevent but the excellent Postgres permission structure could not?

Can the page.24 of this slides help you?
http://sepgsql.googlecode.com/files/JLS2009-KaiGai-LAPP_S...

It allows SELinux to perform a logical-wall to separate each virtual-hosts
in a single tenant. However, it also has flexibility to share partial
tables or files across virtual domains, unlike virtualization.

SELinux and PostgreSQL: a worthwhile union?

Posted Dec 10, 2009 9:10 UTC (Thu) by smurf (subscriber, #17840) [Link]

I'd hope that row-level access control will get back in, once the core feature has landed.

Any kind of multi-customer database can benefit from that. Last year I had to tell a customer that converting his single-client database solution to multi-client wasn't possible without major redesign. With row-level access control I'd have been able to make them happy (and me too, by billing them for a month or so of work ;-) ).

SELinux and PostgreSQL: a worthwhile union?

Posted Dec 7, 2009 2:54 UTC (Mon) by kaigai (subscriber, #12001) [Link]

SELinux also has been integrated into major distributions (Fedora/RedHat/...)
in much early phase.
So, in past, it made various kind of troubles, so SELinux developers have
continued to improve it for a long time.

Nowadays, we can see few cases which need to write our custom security
policy,
because the default security policy provides various kind of predefined
security policies. We can choose them as necessary, without writing our
custom security policy module.

SELinux and PostgreSQL: a worthwhile union?

Posted Dec 7, 2009 16:03 UTC (Mon) by dpquigl (subscriber, #52852) [Link]

Based on how I think you are defining complex and verbose I would say it is mostly verbose with a tiny bit of complexity brought in by the policy build structure. Most of the "complexity" that people associate with SELinux policy is the number of rules that the policy is expanded out to. While there might be some optimizations that can be done on the policy to remove duplicate rules or rules that may grant the same information flow it balances being lean with the ability to debug the policy.

The reality of the situation is this. SELinux is a default deny system where the policy consists of rules that say what is allowed. When you do this you have to basically model in policy the entire system and all applications running on it. To make it easier for people to write policy the reference policy has been broken up into several layers and exposes interfaces for policy writers to use instead of writing raw allow rules. However this yields a large policy because the system we're trying to protect is large and complex. We have examples of much smaller policies being written and applied but these are on more special purpose deployments where the set of deployed applications is much smaller.

Now KaiGai is right in that a distro's integration of SELinux is very important. Since you're describing in policy the default behavior of the system it is important that all of the distro specific nuances are addressed. You can see this in the reference policy in places where there are distro checks for debian vs fedora. This is where most of the issues that people have with SELinux stem from. Dan Walsh has an article on his blog titled "4 things SELinux is trying to tell you" (or something like that)[1] that explains SELinux problems.

That said Fedora/RHEL and Debian/Ubuntu[2] have well supported SELinux integration with SUSE to make progress[3][4]. Its worth noting that I couldn't find a blog posting from Tom on SELinux support in opensuse 11.3 so its possible it has gotten better since his description of what he wants in 11.2. If you use the system as it is deployed out of the box then the SELinux policy should match up with the running system. If there are denials then that is a policy bug and should be reported to the guys at Tresys or through your distro specific bug tracking site. The problems are when people start moving things to non-standard places and then don't realize that just like the ugo bits they may have to set the SELinux label on the file as well. Dan's presentation and paper give a really good explination of this so I'd recommend reating that rather than having me repeat it here.

[1] http://danwalsh.livejournal.com/30837.html
[2] https://wiki.ubuntu.com/SELinux
[3] http://thetoms-random-thoughts.blogspot.com/2008/12/selin...
[4] http://thetoms-random-thoughts.blogspot.com/2009/06/selin...

SELinux and PostgreSQL: a worthwhile union?

Posted Dec 13, 2009 19:21 UTC (Sun) by marcH (subscriber, #57642) [Link]

Thanks a lot for your answer.

Shouldn't SELinux policies be split across packages? (I mean RPMs/debs.) After all there is no centralized database to manage the good old file system permissions. And rightly so.

SELinux and PostgreSQL: a worthwhile union?

Posted Dec 11, 2009 0:32 UTC (Fri) by Cyberax (✭ supporter ✭, #52523) [Link]

SELinux policies are horrible.

So most 'casual users' and administrators just turn SELinux off. Besides, with SELinux you also need to 'label' your filesystem. And if you're using an NFS, SMB or FAT32 partition - tough luck, then.

That's why I'm advocating for AppArmor - it's quite easy to use. You can write a policy for a simple daemon in 10 minutes, literally. And it'll be intuitively understandable. And it won't require you to label you filesystem.

And it'll be just as secure for most applications as is SELinux.