Posted Sep 23, 2004 18:46 UTC (Thu) by pimlott
In reply to: Complexity
Parent article: An introduction to SELinux
> The Linux uid-based access control is discretionary, meaning if you own an object you can do whatever you like to it. That makes restricting programs to least privilege much more difficult.
I am skeptical about the value of mandatory access control outside of super-high security (think NSA) environments. I've read "The Inevitability of Failure", and I'm largely unconvinced. Regardless, I think you can achieve most of the goals of MAC in a system based on uids. The obvious way is to allow centralized mandatory policies, expressed in terms of uids instead of roles and types (or whatever else SELinux has): deny access for bob to anything in /home outside of /home/bob, or any file owned by alice. This has some of the same problems as SELinux in confusing users and existing tools, but at least it introduces fewer new concepts. Another approach would make use of filesystem namespaces (the part I forgot in my original message): when bob logs in, he gets his own /tmp and only /home/bob in home. What you can't name, you can't access (the tenet behind what security researchers--not Linux developers--call capabilities).
> Fundamentally, you need a new system.
I call cop-out. I don't think the unix security model is beautiful, but it's familiar and workable, and at the core has some pretty powerful concepts. You certainly can do much better with it than we do today, which to me means that we should at least push it and see if we can take it far enough. Also remember that there's not a lot of evidence that security is a technological problem (aside from the widespread use of archaic programming languages).
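The "centralized mandatory policies expressed in terms of uids" idea in the comment above (deny bob anything in /home outside /home/bob, and anything alice owns), as an added example that is not part of the original comment, of LWN, or of SELinux. It is a toy Python model evaluated over a constructed file table; the users, uids, paths, owners and symlinks are all invented, and `stat()` is stood in for by a dictionary. What it adds to the prose is the set of checks such a policy needs in practice: canonicalise the path before matching (`..` and symlinks otherwise walk straight around a prefix rule), match prefixes component-wise (`/home/bobby` is not under `/home/bob`), and fail closed on anything the policy cannot classify. The filesystem-namespace alternative is not modelled here.

```python
"""Toy evaluator for a centralized, uid-based mandatory policy.

Constructed example (not code from the original comment or from SELinux):
the users, uids, files, owners and symlinks below are invented.
"""
import posixpath

# Constructed users and home directories.
UIDS = {"root": 0, "alice": 1000, "bob": 1001, "bobby": 1002}
HOMES = {1000: "/home/alice", 1001: "/home/bob", 1002: "/home/bobby"}

# Constructed file table: canonical path -> owner uid (stands in for stat()).
FILES = {
    "/home/alice/notes.txt": UIDS["alice"],
    "/home/bob/todo.txt": UIDS["bob"],
    "/home/bob/shared.txt": UIDS["alice"],  # alice's file placed in bob's home
    "/home/bobby/x": UIDS["bobby"],         # a naive startswith("/home/bob") would match this
    "/tmp/scratch": UIDS["bob"],
    "/etc/passwd": UIDS["root"],
}
# Constructed symlinks: link path -> target (relative targets allowed).
SYMLINKS = {"/home/bob/link": "../alice/notes.txt"}


def resolve(path):
    """Canonicalise a path roughly the way a kernel lookup would: collapse
    '.' and '..', then follow symlinks (relative targets are taken from the
    link's directory).  The policy must be evaluated on the result, or
    '/home/bob/../alice/x' and a symlink in bob's home both bypass it.
    For brevity only the final component is checked for a symlink; a real
    lookup resolves every component."""
    path = posixpath.normpath(path)
    seen = set()
    while path in SYMLINKS:
        if path in seen:
            raise ValueError("symlink loop at %s" % path)
        seen.add(path)
        target = SYMLINKS[path]
        if not posixpath.isabs(target):
            target = posixpath.join(posixpath.dirname(path), target)
        path = posixpath.normpath(target)
    return path


def under(path, prefix):
    """Component-wise prefix test: '/home/bobby/x' is not under '/home/bob'."""
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


# Policy keyed by subject uid, as the comment suggests.  Only restrictions are
# listed; anything not denied here falls through to the ordinary uid/mode
# (DAC) checks, which this model does not reproduce.
POLICY = {
    UIDS["bob"]: [
        ("confine_under", "/home"),      # inside /home, only bob's own home
        ("deny_owner", UIDS["alice"]),   # nothing alice owns, anywhere
    ],
}


def check(uid, requested_path):
    """Return (allowed, reason) for uid accessing requested_path."""
    try:
        path = resolve(requested_path)
    except ValueError as exc:
        return False, str(exc)
    owner = FILES.get(path)
    if owner is None:
        return False, "no such file: %s" % path  # fail closed
    home = HOMES.get(uid)
    for kind, arg in POLICY.get(uid, []):
        if kind == "confine_under" and under(path, arg):
            if home is None or not under(path, home):
                return False, "%s is under %s but outside %s" % (path, arg, home)
        if kind == "deny_owner" and owner == arg:
            return False, "%s is owned by uid %d" % (path, arg)
    return True, "no mandatory rule denies %s" % path


if __name__ == "__main__":
    bob = UIDS["bob"]
    for p in ["/home/bob/todo.txt", "/home/alice/notes.txt",
              "/home/bob/../alice/notes.txt", "/home/bob/link",
              "/home/bob/shared.txt", "/home/bobby/x", "/tmp/scratch"]:
        print("%-32s %s" % (p, check(bob, p)))
```

Note the order of operations: the owner lookup happens after `resolve()`, so the `deny_owner` rule sees the owner of the real target rather than of the symlink, and a file that exists only as a dangling link is denied rather than allowed by default.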