First SELinux impressions [LWN.net]

First SELinux impressions

Posted Apr 12, 2004 15:48 UTC (Mon) by elanthis (subscriber, #6227)
In reply to: First SELinux impressions by dac
Parent article: First SELinux impressions

The problem is that it's too hard to manage those security attributes. A much better configuration system could hide most of that complexity. Similar to how a desktop like GNOME or KDE hides much of the underlying UNIX complexity. If all I want to do is say that /usr/sbin/apache can't access anything outside of /svr/www, I should be able to say that and have it work. Yes, that would mean a new configuration file format and a much more intelligent "compiler" than m4, but that's what is needed. Imagine being able to open up /etc/security/access.d/apache and putting in:

binary /usr/sbin/apache {
path / deny all
path /etc/apache allow read
path /svr/www/html allow read
path /svr/www/cgi-bin allow read
path /svr/www/tmp allow read,write
}
binary /usr/sbin/apacheconf {
path / deny all
path /etc/apache allow read,write
}

That would generate automatically any domains/types needed, tag files, etc. Very simple configuration input, very easy to read, easy to understand, etc. If you need more than "read" and "write" support, just say so. "read" may well just be a meta-privilege that is an alias for several lower-level capabilities.

(Log in to post comments)

First SELinux impressions

Posted Apr 17, 2004 3:25 UTC (Sat) by dotpeople (guest, #20635) [Link]

What happened with the SE Linux patent dispute from a while back?

Have you tried LIDS? It supports a configuration syntax similar to your suggestion.

LIDS + grsecurity (minus the ACL features, which overlap with LIDS) is competitive with SE Linux. Especially in the usability (and therefore practical security) arena. At the least, it's a good sandbox to learn about isolation.

The combination will work in a live linux CD for firewalls, etc.

--
Rich Persaud