Re: Extension Templates S03E11

* Dimitri Fontaine (dimitri(at)2ndQuadrant(dot)fr) wrote:
> Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> writes:
> > Yes, exactly. What's more, you're going to face huge push-back from
> > vendors who are concerned about security (which is most of them).
>
> Last time I talked with vendors, they were working in the Open Shift
> team at Red Hat, and they actually asked me to offer them the ability
> you're refusing, to let them enable a better security model.
>
> The way they use cgroups and SELinux means that they want to be able to
> load shared binaries from system user places.

As I've pointed out before, I'd really like to hear exactly how these
individuals are using SELinux and why they feel this is an acceptable
approach. The only use-case that this model fits is where you don't
have *any* access control in the database itself and everyone might as
well be a superuser. Then, sure, SELinux can prevent your personal PG
environment from destroying the others on the system in much the same
way that a chroot can help there, but most folks who are looking at MAC
would view *any* database as an independent object system which needs to
*hook into* an SELinux or similar.

In other words, I really don't think we should be encouraging this
approach and certainly not without more understanding of what they're
doing here. Perhaps they have a use-case for it, but it might be better
done through 'adminpack' or something similar than what we support in
core.

Thanks,

Stephen