Book review: SELinux
Posted Nov 20, 2004 23:50 UTC (Sat) by Method (guest, #26150)
Parent article: Book review: SELinux
There is something to be said for this comment, "A topic which is missing entirely is how one might design a security policy from the beginning."
This topic could be a literal book by itself and very few people in the world would be qualified to write it. Very much thought has to go into deciding high level security goals. The problem with most people writing policies now is that they want to merely 'encapsulate' the status quo of their system in policy form. This is what systems with 'learning mode' do, and what pretty much every vendor SELinux policy does at the moment.
Just an SELinux DTE Policy
Posted Dec 5, 2004 3:25 UTC (Sun) by AnswerGuy (subscriber, #1256)
I believe that comment was referring specifically to an SELinux DTE (domain type enforcement) policy and not to an enterprise policy for an entire organization.
My problem with SELinux in general is the complexity of these policies. They might provide a workable solution for organizations that can devote whole teams of qualified developers and other personnel to developing, testing, and maintaining these policy files. However, they are not practical for the lone sysadmins at smaller organizations, nor even for small systems administration teams and most mid-sized installations and that serve the departments of some of the larger decentralized enterprises.
I still say that systrace offers the right balance of features and simplicity for most of us, and provides features that I haven't seen from any of the many other security enhancement patches and packages for Linux.
Jim Dennis
Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.