Posted Sep 23, 2004 1:24 UTC (Thu) by elanthis
Parent article: An introduction to SELinux
My problem with SELinux is that it is far, far too complex to configure. Even the designers of the system haven't gotten perfect, functioning setups for many common server setups, and those they do have are not yet tested to ensure they are perfectly secure.
The reason for this is that the configuration language is a very complex beast. In the *vast* majority of cases, you want to make very simple configurations for individual programs. "Bind can only read files in /var/bind and /etc/bind, can only write to /var/log/named.log, can only listen on port 53, can only make outgoing connections on port 53. All other permissions are denied." To actually configure that, though, you need to make several "types" for the files, define the bind system role, and then write all the rules and interactions between these objects. It's complex and a pain in the arse. And complexity and tediousness make it much, much more likely for mistakes to creep in.
If the configuration just let you explicitly say what you wanted the app to do, and not do, and the configuration compiler (yes, you must compile configurations, retag your filesystem on changes, and insert the compiled policy into the running kernel in order to make changes) could generate the necessary roles and types and such, then you could whip up *perfect* configuration for the majority of both server and user applications with little effort and a far lower chance of error. The full complex syntax could be kept around for the more intricate configurations.
The SELinux folks don't seem to like the change because "that's not how a TE security admin thinks." That's great. Here's a hint: 99% of the actual admins implementing and using SELinux aren't TE security experts; they're normal people that think in terms of what they want done, and not the TE implementation details of how to do it.
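As an added illustration (not part of the comment above, and not taken from any SELinux project policy), here is what the commenter's five-line intent for bind looks like once spelled out as a raw loadable policy module. It assumes a base policy that already provides init_t, dns_port_t and the system_r role; the named_* type names and the module name are hypothetical.

```selinux
# Hypothetical module expressing: read /etc/bind and /var/bind, append to
# /var/log/named.log, listen on and connect to port 53, deny everything else.
module named_minimal 1.0;

require {
    type init_t, dns_port_t;
    role system_r;
    class process { transition sigchld };
    class dir { search getattr open read };
    class file { read getattr open execute entrypoint append };
    class tcp_socket { create bind listen accept connect read write name_bind name_connect };
    class udp_socket { create bind connect read write name_bind };
}

# One type per distinct thing bind may touch: the daemon, its binary,
# /etc/bind, /var/bind, and the log file.
type named_t;
type named_exec_t;
type named_conf_t;
type named_zone_t;
type named_log_t;

# A domain must be authorised for a role before any process can enter it.
role system_r types named_t;

# Domain transition: init executes a named_exec_t file and lands in named_t.
allow init_t named_exec_t:file { read getattr open execute };
allow init_t named_t:process transition;
allow named_t named_exec_t:file { read getattr open execute entrypoint };
allow named_t init_t:process sigchld;
type_transition init_t named_exec_t:process named_t;

# "can only read files in /var/bind and /etc/bind"
allow named_t { named_conf_t named_zone_t }:dir { search getattr open read };
allow named_t { named_conf_t named_zone_t }:file { read getattr open };

# "can only write to /var/log/named.log" (append only: no create, no truncate)
allow named_t named_log_t:file { append getattr open };

# "can only listen on port 53, can only make outgoing connections on port 53"
allow named_t self:udp_socket { create bind connect read write };
allow named_t self:tcp_socket { create bind listen accept connect read write };
allow named_t dns_port_t:udp_socket name_bind;
allow named_t dns_port_t:tcp_socket { name_bind name_connect };

# Everything not listed is denied. A module that actually lets named start
# also needs rules for shared libraries, /dev/null, directory search on the
# log path, and so on, plus file_contexts entries such as:
#   /usr/sbin/named  --  system_u:object_r:named_exec_t:s0
```

Compiled with `checkmodule -M -m` and packaged with `semodule_package`, this is the minimum that maps the one-paragraph description onto types, a role, a transition and per-class permission sets; each extra path or port the daemon needs means another type declaration and another set of allow rules.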