Posted Sep 24, 2004 19:27 UTC (Fri) by pimlott
In reply to: Complexity
Parent article: An introduction to SELinux
You didn't try to explain transitioning.
Oh, I didn't get what you meant by transitioning before. You mean switching to a new uid? What's difficult about that? You can write your own setuid wrappers, or call a system setuid root program that lets you drop to any sub-user.
But really there are so many problems with this scheme it's hard to know where to start.
I don't think that's a fair way of arguing, and I don't think this discussion has supported that position. Look, we already use uids and namespaces (chroot) to good effect (though not nearly enough) for isolating system services. Bringing this technique to ordinary users seems both plausible and natural to me.
And even if it all sort of worked, it wouldn't be good enough for me.
I think your view on security is too absolutist. You use a computer today, right, even knowing how crappy our security is? Getting to nirvana should not be the goal, making significant improvements should. (And no, I am not ceding that SELinux is ultimately more secure than my system could be. There are way too many factors that go into security to say that SELinux is more secure just because it has a nice design.)
For one thing, it's still totally screwed if there's an exploitable setuid root program.
This statement is equivalent to saying, it's screwed if there's a vulnerability in the trusted base. This is true of any system. BTW, there's no reason you can't write all the setuid root programs in a safe language (which is not practical for in-kernel code).
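The "setuid root program that lets you drop to any sub-user" mentioned in the post, as an added example that is not pimlott's or LWN's code: a minimal wrapper that takes a sub-user name and a command, checks that the target account belongs to the invoking user, and drops root for good before exec. The "<user>-<suffix>" naming convention for sub-users and the function names are assumptions made for this example.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed convention: "alice-web" is a sub-user of "alice". The target must
 * be "<caller>-<non-empty suffix>". Pure string check, needs no privilege. */
int is_sub_user(const char *caller, const char *target) {
    size_t n = strlen(caller);
    return strncmp(caller, target, n) == 0 && target[n] == '-' && target[n + 1] != '\0';
}

/* Drop root irreversibly. Order matters: supplementary groups and the gid
 * can only be changed while still root, so they go before setuid(). Each
 * step is verified, and a final setuid(0) must fail, so a partial drop is
 * reported as an error instead of exec'ing with leftover privilege. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (setgroups(1, &gid) != 0) return -1;            /* no inherited groups */
    if (setgid(gid) != 0 || getgid() != gid) return -1;
    if (setuid(uid) != 0 || getuid() != uid) return -1;
    if (setuid(0) == 0) return -1;                     /* root must be gone */
    return 0;
}

int main(int argc, char **argv) {
    if (argc < 3) {
        fprintf(stderr, "usage: %s SUBUSER CMD [ARGS...]\n", argv[0]);
        return 2;
    }
    struct passwd *caller = getpwuid(getuid());   /* real uid = invoking user */
    struct passwd *target = getpwnam(argv[1]);
    if (!caller || !target || !is_sub_user(caller->pw_name, target->pw_name)) {
        fprintf(stderr, "%s is not a sub-user of the caller\n", argv[1]);
        return 1;
    }
    if (drop_privileges(target->pw_uid, target->pw_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    execvp(argv[2], argv + 2);
    perror("execvp");
    return 1;
}
```

The binary would be installed setuid root; note that every check here is on the real uid, because that is the identity of whoever ran the wrapper.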