Posted Oct 10, 2009 15:46 UTC (Sat) by kleptog
In reply to: SELinux
Parent article: LPC: Three sessions from the security track
Compare and contrast with:
I am coming to the conclusion that the UNIX permission model is not a tool with a single clear-cut purpose (other than, as I said "security"), but rather tries to be a single solution for a number of vaguely related problems. And I am also wondering whether it is the best solution for some of them.
The basic idea of UNIX permissions is simple, but gets hairy once you start including setid bits, setgid on directories and the sticky bit. It's used for everything from protecting home directories to providing controlled privilege escalation to stopping people from deleting other people's temp files and ensuring new files are readable by certain groups. However, it does have the advantage that most people understand it, which is not true for SELinux.
At its lowest level, subjects (programs, users) and objects (files, sockets, etc.) have labels and there's a policy that determines what a subject with label X is allowed to do with an object with label Y. What makes it mandatory access control is that the owner of the object doesn't get to say what happens, the policy is decided elsewhere.
I think what makes it hard is that UNIX permissions have a fairly simple policy, while the policy of SELinux is flexible and therefore not obvious to the casual user. And like the UNIX permission model, can probably be expanded to create effects beyond what people initially thought of.
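A small model of the point made above, that a label policy sits alongside the mode bits and the object's owner cannot widen it, added here as an illustration (not code from the comment or from SELinux; the labels, policy table and sample file are constructed):

```python
"""Toy model: a UNIX mode-bit check (DAC) combined with a label policy (MAC)."""
from dataclasses import dataclass


@dataclass
class File:
    owner: str
    mode: int    # UNIX permission bits, e.g. 0o644
    label: str   # constructed object label, e.g. "user_home_t"


@dataclass
class Process:
    uid: str
    label: str   # constructed subject label, e.g. "httpd_t"


# Constructed policy: (subject label, object label) -> permitted operations.
# Nothing the file's owner does to the mode bits can enlarge these sets.
POLICY = {
    ("user_t", "user_home_t"): frozenset({"read", "write"}),
    ("httpd_t", "httpd_content_t"): frozenset({"read"}),
    ("httpd_t", "user_home_t"): frozenset(),
}


def dac_allows(p: Process, f: File, op: str) -> bool:
    """Discretionary check: owner bits if the uid matches, else the 'other' bits (groups omitted)."""
    bit = {"read": 4, "write": 2}[op]
    shift = 6 if p.uid == f.owner else 0
    return bool((f.mode >> shift) & bit)


def mac_allows(p: Process, f: File, op: str) -> bool:
    """Mandatory check: only the label policy decides; the owner has no say."""
    return op in POLICY.get((p.label, f.label), frozenset())


def access(p: Process, f: File, op: str) -> bool:
    """Both checks must pass, as with SELinux layered over UNIX permissions."""
    return dac_allows(p, f, op) and mac_allows(p, f, op)


def demo() -> dict:
    # alice has made her file world-readable and world-writable (0o666).
    home = File(owner="alice", mode=0o666, label="user_home_t")
    alice = Process(uid="alice", label="user_t")
    web = Process(uid="www", label="httpd_t")
    return {
        "alice_write_home": access(alice, home, "write"),      # True
        "httpd_read_home_dac": dac_allows(web, home, "read"),  # True: mode bits allow it
        "httpd_read_home": access(web, home, "read"),          # False: policy forbids it
    }
```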