Systrace

Posted Apr 20, 2006 14:43 UTC (Thu) by mheily (guest, #27123)
Parent article: Quotes of the week

SELinux is an interesting idea in theory but is not practical for common use. Besides, it was developed by the NSA for use within the U.S. Government to keep information secret even from system administrators; the FAQ states that it "enables a single system to be used by users with differing security authorizations to access multiple kinds of information with differing security requirements without compromising those security requirements."

Unless you are in an organization that needs to keep top-secret information away from the 'root' user, SELinux is overkill. Besides, killing off the 'root' user is very uncool and not the UNIX way.

Thanks to excellent work by Marius Erikson, Systrace has been updated to work with recent 2.6 and 2.4 kernels under Linux. It has been a standard feature of the OpenBSD and NetBSD kernels for years, but the Linux port was not maintained. I hope the major Linux distributors will take note and start packaging and distributing Systrace again.

Systrace

Posted Apr 20, 2006 15:13 UTC (Thu) by jamesm (guest, #2273)

Many (perhaps millions) of people are using SELinux in common use.

SELinux was in fact developed specifically for integration into general use operating systems (although it is also suitable for protecting highly sensitive information). One of the fundamental principles is policy flexibility, allowing SELinux to be deployed in a wide variety of different security scenarios by loading different policies.

For a good basic introduction to the design goals of SELinux and its implementation, see this OLS 2005 presentation:

http://www.nsa.gov/selinux/papers/selsymp2005-abs.cfm

Systrace

Posted Apr 20, 2006 15:15 UTC (Thu) by jamesm (guest, #2273)

(actually, it's not an OLS presentation, but SELinux Symposium)

Systrace

Posted Apr 20, 2006 15:58 UTC (Thu) by shahms (subscriber, #8877)

That "it was developed by the NSA for use within the U.S. Government to keep information secret even from system administrators" is simply not true. It is stated on the AppArmor FAQ and is just as incorrect there as well (along with a number of other assertions on that page). While MAC security systems in general can do this, with the exception of MLS (Multi-Level Security), most of the security models in SELinux are more focused on integrity than confidentiality.

SELinux is practical for common use. It is, however, new, different, and not particularly well documented at the sys admin level. There are a lot of recent developments making it far easier to use and significantly more modular that should help a lot with the perceived complexity. That perception has far more to do with the necessarily comprehensive nature of the policy and the general lack of familiarity with MAC.

Systrace

Posted Apr 20, 2006 19:21 UTC (Thu) by mheily (guest, #27123)

For the record, I have never used AppArmor or looked at their FAQ; my assertions were based on reading the SELinux FAQ and asking myself 'Who built this, and why would anyone want something like this?'.

SELinux was a research project within the NSA. The defensive mission of the NSA is to "[protect] all classified and sensitive information that is stored or sent through U.S. government equipment". Therefore it is safe to assume that the rationale for SELinux was to enable MLS for sensitive government data; the only way to do MLS correctly on a single system image is to have MAC on all system objects.

When you look at the front page of the SELinux site, the second paragraph supports my hypothesis:

"End systems must be able to enforce the separation of information based on confidentiality and integrity requirements to provide system security. Operating system security mechanisms are the foundation for ensuring such separation. Unfortunately, existing mainstream operating systems lack the critical security feature required for enforcing separation: mandatory access control. As a consequence, application security mechanisms are vulnerable to tampering and bypass, and malicious or flawed applications can easily cause failures in system security."

So it seems that MAC is a means to achieve the end goal of MLS. To most non-government organizations, MLS is unnecessary, so the "pain" of architecting a complete security solution around MAC is not worth the "gain".

I'm not trying to say that SELinux will never become practical and useful for the 'common admin'; over time, and given the enormous momentum behind it, I'm sure it will become the most successful and commonly deployed MAC system.

All I am saying is that right now we have pretty good cross-platform security mechanisms like chroot(2), privilege revocation, privilege separation, Sudo, and Systrace. Virtualization using Xen is another portable approach. You can also address buffer overflows using stack protection a la ProPolice or GCC's upcoming Mudflaps-based stack protector. Combine all these automated mechanisms with good coding practices, such as using Safestr or a similar string library instead of strncpy(3), and peer review of open and freely available source code, and you get a "layering effect" where flaws in one layer are caught in another layer.

SELinux is a comprehensive, radical approach to system security that has destabilizing effects on the entire software ecosystem. I prefer simpler incremental improvements to security, such as Systrace.

Systrace

Posted Apr 20, 2006 19:44 UTC (Thu) by jamesm (guest, #2273)

Your conclusions are incorrect, and I suggest reading the document I linked in reply to your initial comment.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds