LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Civilizing SELinux

Civilizing SELinux

Posted Nov 26, 2004 5:55 UTC (Fri) by spender (subscriber, #23067)
In reply to: Civilizing SELinux by Method
Parent article: Civilizing SELinux

Again, the same old "granularity = security" argument, which is basically the only position SELinux users can have. As we all know, inserting data into message queues (a HUGE attack vector, from all the evidence I've seen on the Internet) is much more important than preventing kernel exploits. Clearly, the best security solution is one that focuses on these WIDELY used attack vectors like using gettimeofday() and semaphores, and ignores things like kernel exploits, keeping X from writing outside of necessary regions in /dev/mem, preventing arbitrary data writes to /etc/shadow, etc.

Nothing keeps someone from running PaX with SELinux indeed, but that doesn't mean SELinux does the things PaX needs to be used in production. SELinux does none of this other than using the PaX MAC hooks. So sure, someone can use PaX with SELinux, and they'll have a system wherein PaX can be easily bypassed, almost as bad as Exec-Shield.

I don't think you understand at all the userbase you're trying to force SELinux upon (I can tell you, they don't even know what IPC stands for, let alone know what its security implications are), and that is why SELinux will never be sucessful, no matter how much hype you continue to generate about it.

(Log in to post comments)

Civilizing SELinux

Posted Nov 26, 2004 6:30 UTC (Fri) by bluefoxicy (guest, #25366) [Link]

SELinux CAN be deployed with PaX, as method said. As I said in an earlier post, we don't need SELinux to end all security holes; we need SELinux (or RSBAC or GRSec or something), PaX, the IBM SSP patch, heavy code auditing (mudflap?), and several other things. We also need administrators who are awake and paying attention, despite the impenetrable fortress they live in; holes are only useful until someone sees them and fixes them, and if you're not looking, neither of those happen.

I cannot comment on which MAC system is "best," but I will say that based on the arguments given here, it seems that SELinux and GRSec both have components that eachother do not have. Now I suggest you both stop slapping at eachother and screaming like two geeks from Revenge of the Nerds fighting over a girlfriend and start taking serious looks at what each system is missing. Both of you are claiming the other system is lacking; fix both. We don't stop l33t h4x0rz skr1pt1k1dd13z by standing around seeing who can urinate the longest off the side of a building.

Civilizing SELinux

Posted Nov 26, 2004 7:06 UTC (Fri) by spender (subscriber, #23067) [Link]

Apparently you didn't grasp the content of my post, as noted by your comment: "SELinux CAN be deployed with PaX." If hearing it from me that slapping PaX onto an SELinux machine does not constitute production usage of PaX, ask the PaX team. They'll tell you the same thing. But of course, you know better than I do. But if that's your belief, please do continue using PaX and SELinux together (since Method is such an expert on all things security-related and is such close friends with the PaX team), and enjoy your false sense of security.

Civilizing SELinux

Posted Nov 26, 2004 7:26 UTC (Fri) by bluefoxicy (guest, #25366) [Link]

How about:

PaX & SELinux & whatever from GRSecurity is useful & Forkbomb Protector & IBM Stack Smash Protector & Stateful Firewalling (netfilter) & Packet filter firewalling (netfilter) & Dan's Guardian & ClamAV (after adding heuristics) & snort-inline & DigSig & UML & Discressionary Netfilter (non-existant hack that could be done using iptables, sudo, and some scripts)

SE isn't everything. PaX isn't everything. GR isn't everything. Firewalls aren't everything. Stack smash protection isn't everything. You need to combine everything to get everything.

Again, I won't say either of you is right; I'm just concerned that this argument is a poor way to convey your points, and that you are dwelling on defending your egos far too much more than you are on discerning what's wrong on each side and fixing those.

Civilizing SELinux

Posted Nov 26, 2004 7:56 UTC (Fri) by spender (subscriber, #23067) [Link]

Nope. You missed the point again. I'm not talking about having a complete security system. I'm saying that there are things that are discussed in the PaX documents that someone implementing PaX in production environments must handle. PaX itself does not handle these things because they may be implemented differently by different integrators. SELinux does not implement any of these things. The only thing PaX-related that SELinux implements is the MAC hook, which is more of a useful feature than a necessary component of the PaX model.

All this bragging about "information flow graphs" is ridiculous. The assumption involved (that at no point was a kernel exploit used) in such graphs is one that no security-conscious person can hold. These graphs are a guarantee of nothing (despite claims we've seen to the contrary already). Ask yourself what's more probable: that someone owns the system by finding some app on the system that uses message queues, then sends some specific data to it that causes a system compromise...eventually...somehow, or that the attacker owns the system by using a kernel exploit and bypassing SELinux completely? I don't know what world Method lives in (though I surmise it's an idiot's ivory tower) or what kind of attackers exist in this world, but any real world experience should certainly give one pause when one hears this kind of propoganda from SELinux proponents.

Civilizing SELinux

Posted Nov 26, 2004 16:51 UTC (Fri) by bluefoxicy (guest, #25366) [Link]

I'm not missing the point. I'm saying that we need to focus on more important things, like correcting these issues. I'm fairly sure Method is only concerned with GR vs SE in the context of the ACL, and is irritated by your trying to justify your own MAC system's shortcomings with (valid) points about the extra restrictions GR brings along.

Perhaps reimplement the GR protections around SELinux and try to get them into mainline?

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds