Recent Features
| |||||||||||||
Why?Why?Posted Dec 5, 2009 4:07 UTC (Sat) by cetialphav (subscriber, #22533)In reply to: Why? by gbutler69 Parent article: SELinux and PostgreSQL: a worthwhile union?
Indeed, it isn't obvious to me that shims are a better solution as there are some serious downsides. A shim is much less flexible and may need to be changed (and have its security audited) every time the application needs to change how it accesses the database. It also becomes an attack vector. If an application can coopt the shim, then it has full access to the database.
I can see where there could be some interesting usage for the integration of databases and SELinux. Many organizations have a centralized database storing everything, yet few departments actually should be able to see the whole thing. I am thinking of something like a medical institution where the people doing the billing need to know what I owe, but don't need my medical history. Of course, databases already offer ways to limit what certain users see, but security people don't have a centralized way to set these policies.
This kind of integration is one step towards giving administrators one centralized place to set the security policy and I think that offers a lot of benefits. The difficulty of writing these policies in SELinux is an issue, but I can see where companies like IBM would be happy to offer this as a consulting service.
(Log in to post comments)
Why? Posted Dec 10, 2009 14:00 UTC (Thu) by Baylink (subscriber, #755) [Link]
> A shim is much less flexible and may need to be changed (and have its security audited) every time the application needs to change how it accesses the database.
Correct.
But that's not a bug, it's a feature!<tm>
A shim can be expected, generally, to be *much* smaller than the code on either side of it -- by 2 or 3 orders of magnitude if not more, unless someone's done something horribly wrong -- and should therefore be *much* easier to prove correct.
|
|||||||||||||