LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Security page

Recent Features

Kernel prepatch 3.9-rc5

LWN.net Weekly Edition for April 4, 2013

LWN.net Weekly Edition for March 28, 2013

A kernel change breaks GlusterFS

PyCon: Evangelizing Python

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Rule set based access control

[Posted September 27, 2005 by corbet]

SELinux has become, to many, the mechanism for high-security Linux deployments. The SELinux framework is considered sufficiently powerful, flexible, and universal that some developers have contemplated removing the Linux security module (LSM) interface altogether. When SELinux does everything, why have hooks for anything else? The fact of the matter, however, is that SELinux is not the only high-security approach out there. On September 27, version 1.2.5 of the Rule Set Based Access Control (RSBAC) patch was released. RSBAC has been around for several years, but it has never quite achieved the prominence of SELinux.

Like SELinux, RSBAC inserts hooks throughout the kernel source. RSBAC does not use the LSM framework, however. This page explains why; in short, the RSBAC developer (Amon Ott) does not like how LSM exposes kernel internals to security modules, and the LSM hooks are not nearly extensive enough for RSBAC. In fact, RSBAC adds hooks in many places (individual device drivers, for example) where LSM does not tread. RSBAC hooks can also change system state in ways not allowed with the LSM framework.

With the hooks in place, RSBAC allows for several different access control regimes, all of which can be mixed and matched as desired. Available options include:

  • Authenticated user: essentially a list of user IDs which may be assumed by each process on the system. This module is required by most other RSBAC security schemes.

  • User management: a replacement for the PAM and shadow mechanisms which moves most of the user and group management tasks into the kernel.

  • Role compatibility: assigns roles to users and programs, and ensures that they match at run time.

  • Access control lists: a variant of file ACLs which can take additional RSBAC features (such as roles) into account.

  • Mandatory access control: assigns security levels to processes and objects, and prevents access between different levels.

  • Dazuko: a specialized interface for virus scanning applications. Dazuko creates a special purpose device which can be used to intercept file accesses; malware scans can then be performed before the access is allowed to succeed. There is a ClamAV interface to Dazuko.

There are several other models available, see the RSBAC models page for the full list. One thing that should be clear is that the RSBAC framework has been used to implement a wide variety of access control mechanisms. The project's long history suggests a stable user base, and RSBAC has been adopted by some distributions (including the Adamantix (formerly "Trusted Debian") and Hardened Gentoo projects). The non-LSM approach seems likely to keep RSBAC out of the mainline kernel indefinitely (nobody is even proposing merging it), but RSBAC appears to be a viable option regardless.

(Log in to post comments)

Easier than SELinux

Posted Sep 30, 2005 7:51 UTC (Fri) by skarkkai (subscriber, #4128) [Link]

I have used RSBAC in past, and I find it vastly easier to use than SELinux. SELinux has the major advantage of being in the standard kernel and especially, for Redhat/Fedora users, being configured to work out of box with those distributions. However if you need serious security and will be changing the configuration of your systems any significant amount, you will also need to be making changes to the security system configuration, be it SELinux or RSBAC. In such a situation, the easier configurability of RSBAC could be very important.

When it comes to features and achieveable level of security, I'd be inclined to say RSBAC has the upper hand, but I don't remember the details well enough to say anything much concrete about this.

I think it's unfortunate that the LSM framework is the one security framework accepted into the standard kernel. I find Amon Ott's arguments about why RSBAC can't work with LSM concinving, and it's sad that RSBAC, a very high quality, well maintained secury system, is effectively kept out of the standard kernel forever for this reason.

SELinux is Atrociously Complicated

Posted Oct 11, 2005 20:10 UTC (Tue) by AnswerGuy (guest, #1256) [Link]

Ever read the docs for it? Ever try to write a policy file?

For those who have: my condolences, I feel your pain.

For the rest: be glad. Be very glad!

I prefer systrace. It's elegant, simple and effective. I wish the kernel community would merge it into the mainstream! JDennis

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds