LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Complexity

Complexity

Posted Sep 23, 2004 13:44 UTC (Thu) by walters (subscriber, #7396)
In reply to: Complexity by rwmj
Parent article: An introduction to SELinux

So why can't the "compiler" work all this stuff out for me? That's what computers are good at: automating all the grunt-work.

How can the compiler know what will later happen on your system? If some attacker gains privileges to bind mount /foo to /, then all of a sudden you have a whole other set of access points.

(Log in to post comments)

Complexity

Posted Sep 23, 2004 14:15 UTC (Thu) by mmarsh (subscriber, #17029) [Link]

I think what he meant is that you specify your rules with file paths, and the compiler figures out what device/inode that path references. The final compiled version that actually gets used doesn't have path references. Then you just have to make sure that all of your old path specifications are still correct the next time you compile.

Complexity

Posted Sep 23, 2004 16:24 UTC (Thu) by walters (subscriber, #7396) [Link]

The files ultimately still need to have types assigned to them. No compiler can figure out what a program is actually doing with all of its files and figure out the best way to assign types to the files in order to achieve least privilege. Having a tool that looked at the file paths the application referenced and guesses types for them while constructing a policy would be somewhat useful. But it would be no substitute for a human.

In a number of cases, SELinux has revealed application bugs like the kerberos libraries trying to open /etc/krb5.conf with write permissions.

Complexity

Posted Sep 23, 2004 17:09 UTC (Thu) by mmarsh (subscriber, #17029) [Link]

That's not how I read the comment, but then I'm also not familiar with SELinux, so this may just be an incorrect reading. My impression was that Rich wanted to assign a type to a file by name and let the rules compiler figure out what the actual object is.

After poking through the documentation, it looks like I might just have been off. There are examples of specifying objects by path, and wildcards to assign a type to everything not otherwise specified.

Complexity

Posted Sep 23, 2004 19:14 UTC (Thu) by walters (subscriber, #7396) [Link]

Oh, I guess I misunderstood what you were saying. There is a mapping from file names to contexts that SELinux uses to initialize the system. Defining this mapping is part of writing a security policy for a program.

However Rich and elanthis seemed to want to do away with types entirely and have them somehow automagically created; that doesn't make sense.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds