Weekly Edition
Return to the Kernel page
| |||||||||||||
SMACK meets the One True Security Module
The Simplified Mandatory Access Control Kernel is a security module
designed to harden Linux systems through the addition of mandatory access
control policies; it was covered here last August. Like
SELinux, SMACK works by attaching labels to processes, files, and other
system objects and implementing rules describing what kinds of access are
allowed by specific combinations of labels. Unlike SELinux, though, SMACK
was designed specifically for simplicity of administration.
The posting of version 3 of the SMACK patch inspired a certain amount of discussion. Andrew Morton's take led things off:
I don't know enough about security even to be dangerous. I went
back and reviewed the August thread from your version 1 submission
and the message I take away is that the code has been well-received
and looks good when considered on its own merits, but selinux could
probably be configured to do something sufficiently similar.
I'd have trouble declaring that "but" to be a reason to not merge smack. I'm more thinking "let's merge it and see if people use it". Andrew concluded by suggesting that the SMACK patch should be merged for 2.6.24. There was some discussion about specific pieces of the patch (some developers are more impressed by CIPSO network labels than others), but there does not seem to be a whole lot of opposition to merging the SMACK security module. It is generally seen as being well-written code which makes sense from a security point of view. There was one predictable exception, though: whenever a new security module is considered for merging the SELinux developers tend to oppose it. This time, James Morris voiced a more general complaint: SMACK would become the second in-kernel user of the Linux security module (LSM) framework. That, in turn, would make it almost impossible to remove LSM from the kernel. James claims:
If LSM remains, security will never be a first class citizen of the
kernel. Application developers will see multiple security schemes,
and either burn themselves trying to support them, or more likely,
ignore them. Core kernel developers will continue to not have
enough information to understand what the LSM hooks in their code
are supposed to be doing, leading to long term maintenance issues
and potential security problems.
The SELinux programmers, it seems, would rather that SELinux became the one security framework supported by Linux, with all development effort going into making SELinux better. The problem, of course, is that, even after a few years with only SELinux in the kernel, there has not been a glut of application developers working to support it. The vision of each application shipping with an SELinux policy file has not come to be. Some progress has been made in the creation of higher-level tools for the management of SELinux policies, and the Fedora and Red Hat developers have come a long way toward making a general-purpose distribution work with a limited set of SELinux policies, but SELinux simply remains too complex for most people to deal with. SELinux may work out of the box on an RHEL system, but as soon as the system administrator runs into something which breaks, chances are that SELinux will be turned off. The SELinux developers would presumably argue that the way to address these problems is to focus on a single security framework within the kernel. Rather than create competing, simplified frameworks, it would be better to implement approaches like AppArmor or SMACK within SELinux and, in the process, make SELinux better. Those developers argue that pluggable security modules, like pluggable schedulers, succeed only in splitting development effort and preventing the creation of a truly general solution:
Do you really want to encourage people to roll their own security
module rather than working toward a common security architecture
and a single balanced solution (which doesn't necessarily mean
SELinux, mind you, but certainly could draw from parts of it)? As
with pluggable schedulers, the LSM approach prevents cross
pollination and forces users to make poor choices.
The answering argument is that there are many security environments and differing sets of user needs; there is no sign that a single security approach can ever work in all situations. And, even if such a unified approach were possible, getting security developers to agree on it would still be a major challenge. Ted Ts'o writes:
The real problem with security is that there are no "hard numbers",
as Linus puts it. Instead, there are different sets of
requirements in terms of what is a valid threat model --- which
will very depending on the environment and how the servers are
deployed, and what the capabilities are of the adversary trying to
penetrate said system --- and how end users are willing to
compromise between security and convenience.
The LSM architecture was a result of the very first kernel summit, where Linus stated that he had no wish to choose between the various security ideas in circulation and, instead, wanted the kernel to be able to support all of them. He has not changed his mind since; he still doesn't see any imminent consensus on security approaches, and still wants Linux to be flexible in this regard. So his pronouncement was:
So LSM stays in. No ifs, buts, maybes or anything else.
When I see the security people making sane arguments and agreeing on something, that will change. Quite frankly, I expect hell to freeze over before that happens, and pigs will be nesting in trees. But hey, I can hope. So it looks like the way is clear for a merger of SMACK in 2.6.24. Once that happens, it would not be surprising to see another push made by the developers of security modules like AppArmor and TOMOYO Linux; in fact, the TOMOYO Linux patches have just been reposted. In the end, SELinux will, despite the apparent wishes of its developers, have to compete with other security approaches for attention from developers, distributors, and users. There will be no One True Security Module for Linux in the foreseeable future. (Log in to post comments)
SMACK meets the One True Security Module Posted Oct 2, 2007 17:36 UTC (Tue) by bronson (subscriber, #4806) [Link] It seems like the SELinux guys are still looking to userspace tools to bail them out of their usability nightmare. I'm guessing most Linux admins enter iptables commands by hand (or by script), and iptables is *way* simpler than SELinux. The ALSA guys leaned on userspace to bail them out of their complexity nightmare and look at where it got them.
As long as it takes *days* for a good admin to learn and provision a nontrivial SELinux server, SELinux is a non-starter (in my workshop anyway). Ignore the userspace tools! Make a portion of SELinux as capable and easy to use as AppArmor or SMACK and SELinux adoption will increase tenfold.
I'm excited about SMACK. I hope it gets merged. And I hope SELinux guys start taking learnability and usability seriously.
SMACK meets the One True Security Module Posted Oct 2, 2007 20:43 UTC (Tue) by danieldk (guest, #27876) [Link] It depends on what policy you use. For example, the Simplified Policy Description Language is quite easy to grok:
http://seedit.sourceforge.net/
It's policy language looks a lot like AppArmor's, but it does use file contexts underneath.
SMACK meets the One True Security Module Posted Oct 4, 2007 14:53 UTC (Thu) by jengelh (subscriber, #33263) [Link] >Ignore the userspace tools! Make a portion of SELinux as capable and easy to use as AppArmor or SMACK and SELinux adoption will increase tenfold.
So, interestingly, is not *Novell* to blame (rather than SELinux or the casual user) to not have AppArmor designed to use SELinux as LSM? Just a thought...
SMACK meets the One True Security Module Posted Oct 4, 2007 21:04 UTC (Thu) by nix (subscriber, #2304) [Link] AppArmor predates SELinux, and does things that SELinux can't do withoutinsane delays (mass-relabelling of potentially every file in a very deep subdirectory whenever you rename it springs to mind; even crazier mass-relabellings of everything on the disk to implement some changes of policy, unless I miss my guess).
(Equally, AppArmor can't efficiently imitate a TE system --- but nobody's
SMACK meets the One True Security Module Posted Oct 2, 2007 18:20 UTC (Tue) by flewellyn (subscriber, #5047) [Link] I think the problem here is, we're getting conflicting messages from the SELinux folks. On the one hand, they insist that SELinux is a security architecture, and can be used to create higher-level, more abstract security tools. On the other hand, they insist that SELinux should be usable as-is from userspace, by ordinary administrators.
I don't see these positions as compatible at all. And while I am no expert with SELinux (aside from the developers, does such a thing exist?), from what I understand about it, it IS more suited as an architecture for building security tools, than as a security tool in its own right. So perhaps the SELinux folks should work on making its interface more of a "programmatic" one, and stop emphasizing the userspace tools as security solutions on their own. In other words, to compare to another Linux subsystem, SELinux would be Netfilter to other tools' iptables or shorewall.
SMACK meets the One True Security Module Posted Oct 3, 2007 0:29 UTC (Wed) by drag (subscriber, #31333) [Link] Well I think the point behind Eclispe is that it's a framework for building IDEs and what IDE you get when you try it out is only going to have a tiny fraction of it's capabilties.
Er, something like that.
Personally I'm happy with Vim and Python. No need for intellesense or anything like that for a language that is designed to be easy to remember and I am not working in a formal corporate environment. (I'll probably just program in C or pyrex or something like that if I need speed)
SMACK meets the One True Security Module Posted Oct 3, 2007 3:23 UTC (Wed) by drag (subscriber, #31333) [Link] OMG, I can't beleive I posted the above to teh wrong article.WTF was I thinking.
:(
SMACK meets the One True Security Module Posted Oct 4, 2007 0:09 UTC (Thu) by jamesm (guest, #2273) [Link] Oddly enough, it still makes sense here :-)
Thanks to Drag replying to wrong article, I just had a bright idea Posted Oct 5, 2007 9:18 UTC (Fri) by pr1268 (subscriber, #24648) [Link] Agreed! Drag's comment about his "IDE" of vim and python vs. Eclipse did indeed bear some resemblance to the discussion about SELinux vs. AppArmour. What a pleasantly surreal experience! Thanks to Drag's misplaced comment, I just had a bright idea: Eclipse IDE for SELinux!! Use all the features you've come to expect with using Eclipse to develop Java, C, or C++... and now you can build your own security framework! Testing your framework is simply a few mouse clicks away via the "build/debug" menu. </end silliness> ;-)
Thanks to Drag replying to wrong article, I just had a bright idea Posted Oct 5, 2007 14:07 UTC (Fri) by nix (subscriber, #2304) [Link] Obviously the *right* approach is an Emacs specialized entirely for writing SELinux configurations. There's even an XEmacs fork with the right name: SXEmacs. Just reuse the name, write a new selinux mode, rip out all that boring stuff nobody uses like text-mode, cc-mode, vm and gnus, and you're home free! :)
Thanks to Drag replying to wrong article, I just had a bright idea Posted Dec 11, 2008 18:22 UTC (Thu) by SEJeff (subscriber, #51588) [Link]
Does it have vim bindings? *runs and hides*
SMACK meets the One True Security Module Posted Oct 11, 2007 6:43 UTC (Thu) by ury (guest, #47805) [Link] what about GRSecurity ? or some similar,maybe just ask security-patch authors about they vision?
http://www.grsecurity.net/lsm.php
ps: selinux i think toooooo blooooated to use
|
|||||||||||||