The isolate utility

Posted Jan 5, 2010 21:18 UTC (Tue) by drag (subscriber, #31333)
In reply to: The isolate utility by dpquigl
Parent article: The isolate utility

SELinux depends on the specific configuration of the server and what you want to do with it. You can give a generic SELinux configuration, which is what Fedora and Redhat do, but the downsides of the trade-offs are obvious. (Most people don't care enough to learn how to use it so they just turn it off, and for people that leave it running the additional restrictions are not really that good at enhancing security).

But for the government contracts and high-security folks that Redhat (and friends) are targeting, SELinux is worth it since those additional security enhancements are things they can justify the time and expense it takes to get it done correctly for their specific needs.

All in all his post is a bit bizarre. BSD Jails are not really comparable with SELinux except to state that they are both designed to protect the system from buggy services. Other than that, the similarities end. Do BSD Jails provide Mandatory access controls? Role based controls? Multi level Security? No, of course not. So it's a nonsensical comparison. If he wants to complain he can point out differences in how Jails work versus LXC and how traditional containers for Linux (Linux-vserver/openvz) required lots of patching and other things. Then he can go on and complain about how Solaris is using their own container virtualization and not using Jails, and then complain about it with OS X and then with Windows.

That is something that would probably make sense here. But then it would be pretty simple to poke holes in it.

The reality is that if you want BSD-Jail like functionality in Linux you can have it. Easily. I've been able to get it by using 'apt-get' in Debian for probably most of the last decade (or more). People have been using stuff like that for web hosting for years and years now. Of course with LXC it's now built into the kernel and is generic enough to be used by lots of different things for different purposes.

Maybe somebody should point out the effort to get SELinux ported to FreeBSD... Wait; TrustedBSD there you go. If the FreeBSD-Jail was the all-singing and all-dancing solution to everything then why would anybody care to use anything else?

And, from a security standpoint, Chroot is very bad. The worst thing about it is that administrators/developers end up trusting it to do stuff it never was intended to do, like securing your BIND server and stuff like that. It can be done, but it's actually really difficult to do correctly since it is so fragile.


The isolate utility

Posted Jan 7, 2010 10:58 UTC (Thu) by trasz (guest, #45786)

It's worth noting that everything you mentioned - various kinds of MAC policies - are already available in FreeBSD; the main difference compared to SELinux is that the FreeBSD implementation is modular, simple to understand and to maintain. That's the reason that porting SELinux to FreeBSD is stalled, I guess.

The isolate utility

Posted Jan 7, 2010 15:13 UTC (Thu) by drag (subscriber, #31333)

The only mention of MAC stuff in FreeBSD's documentation is this 'TrustedBSD' stuff

http://www.freebsd.org/doc/en/books/arch-handbook/mac.html

Which is the port of Flask/SELinux from Linux to Darwin to FreeBSD.

What am I missing here?

----------------

Also the above people mischaracterized SELinux as being the 'one true framework' or whatever. There is, of course, SMACK (in since 2.6.25) and Tomoyo, which is in since 2.6.30. Both of which are designed to be much simpler for administrators and such to deal with.

Redhat and Fedora, of course, still focus on SELinux. Probably because it's the most full featured solution so far and they want to meet the requirements for a certain subset of Redhat's customers.

The isolate utility

Posted Jan 7, 2010 21:21 UTC (Thu) by martinko (guest, #62862)

MAC is no Flask/SELinux -- please read better!

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook...

Also you may want to educate yourself about what TrustedBSD really is and about its affiliation with FreeBSD.

;-)

The isolate utility

Posted Jan 18, 2010 11:26 UTC (Mon) by trasz (guest, #45786)

FreeBSD MAC, implemented as part of TrustedBSD and ported to Darwin/MacOS X, is not a port of SELinux - it's a MAC framework and a set of modules implementing policies. A port of SELinux would be just another policy module.

The isolate utility

Posted Jan 7, 2010 21:10 UTC (Thu) by dpquigl (subscriber, #52852)

SELinux was already ported to BSD in the form of SE-BSD, which is where the MAC framework that BSD currently enjoys came from. The issue with having the SE-BSD code in the core BSD code is due to licensing issues. Some of the code needed from SELinux for SEBSD is GPL licensed, which prevents it from being incorporated into the areas of FreeBSD where it is needed. I haven't looked into this very much, but when considering reviving the SEBSD code for use with a BSD Labeled NFS prototype I was told the stumbling block for getting SEBSD integrated into the BSD core was to do with the license on the code.

The isolate utility

Posted Jan 18, 2010 11:31 UTC (Mon) by trasz (guest, #45786)

Again, not true. A port of SELinux would be just another policy enforcement module. Existing policies work fine without it - and they have the advantage of being simple to understand.

The isolate utility

Posted Jan 7, 2010 21:15 UTC (Thu) by dpquigl (subscriber, #52852)

Also another thing worth noting is that none of the MAC modules in BSD are considered "production ready". I was looking at using the MLS module to showcase label translation in Labeled NFS, and when I spoke with Robert Watson (MAC Framework/SEBSD developer) he said that the MLS implementation isn't very full featured and it is there as an example for vendors to take and extend into a more full featured implementation. Also, not until FreeBSD 8.0 was the MAC framework enabled in their kernel by default. It was present in the source tree, but from what I understand you needed to rebuild your kernel to enable it (mainly due to overhead concerns).

The isolate utility

Posted Jan 7, 2010 21:34 UTC (Thu) by dpquigl (subscriber, #52852)

I should probably rephrase this. The MLS and Biba modules weren't adequate for use without further enhancements. I didn't realize there were so many BSD MAC modules, so some of them are probably production ready.

The isolate utility

Posted Jan 8, 2010 0:02 UTC (Fri) by drag (subscriber, #31333)

I guess it's like Linux, where you have the pluggable security module framework where SELinux is just one of many possible frameworks.

It'll be interesting to see what evolves out of this approach.

The isolate utility

Posted Jan 8, 2010 0:43 UTC (Fri) by dpquigl (subscriber, #52852)

The model is different than the LSM. Historically the LSM framework has been anti-stacking, and for some pretty good reasons. The BSD framework has every model as a separate module that can be loaded in. They have quite a few modules for a variety of functions. They have one MLS module, two integrity modules, a module to place programs in selective jail-like separations called partitions, a module to protect ports, some modules for disabling network access and "firewalling" the file system. The soundness of some of the models is up for debate, but they are there nonetheless.

The isolate utility

Posted Jan 18, 2010 11:29 UTC (Mon) by trasz (guest, #45786)

When was that, exactly? Among several things that happened in FreeBSD last year was the inclusion of MAC in the default kernel and the removal of the "experimental" status.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds