Posted Sep 23, 2004 20:29 UTC (Thu) by pimlott
In reply to: Complexity
Parent article: An introduction to SELinux
> Strong, mandatory access control helps contain a lot of the problems that we see every day on LWN's daily security advisory summary.
Of course I agree that we need better compartmentalization. But you're begging the question with the assumption that MAC is the only way to do it. You can do a lot with uids. It seems perfectly plausible to me that mozilla could run under a uid that has access to a subset of my files. (It probably needs some extensions to the unix model, but relatively modest ones.) BTW, what if the user wants to send his .gnupg config file in a gpg bug report? Does he have to edit a policy that even SELinux advocates seem to acknowledge can only be understood by experts? Or does he just change permissions on the file?
> The NSA aren't the only ones who need this kind of strong security.
When I said only the NSA needs this, I was thinking about controlling information leaks, not compartmentalization. Preventing intentional leaks is extremely hard, even with MAC. You can't really do it; at best, you can slow it down or make it detectable. And it's not practical at all without a lot of resources.
> As for extending the uid system - I'm very doubtful that you can get a system that approaches the security and flexibility that SELinux provides, and that also doesn't break existing software.
I wish we had a test to find out! And I'm not necessarily aiming for all the flexibility you get with SELinux. (BTW, I consider the statement that any system "provides security" to be sloppy.) And considering how difficult it has proven to deploy SELinux at all, I'm fairly sure that a less radical change would cause less breakage.