First SELinux impressions [LWN.net]

First SELinux impressions

Posted Apr 8, 2004 21:26 UTC (Thu) by Klavs (guest, #10563)
Parent article: First SELinux impressions

Anybody know why systrace is no used, atleast as an alternative? - see http://www.onlamp.com/pub/a/bsd/2003/02/27/Big_Scary_Daemons.html - its used on both OpenBSD and Linux - in exactly the same way, with the same config format (nice :)

it also seems much more intuitive - although I haven't had the time to use it yet.

to post comments

First SELinux impressions

Posted Apr 9, 2004 15:12 UTC (Fri) by dac (guest, #9260) [Link]

I haven't looked at systrace, except for the url you cited. Based on that, I'd say one big difference is that a systrace policy controls how a particular program acts. SE Linux dictates how that program may act when run in a specific domain. An SE Linux policy may define the same set of controls for a program, but it may also define a subset of those permissions for a less trusted domain (for simplicity assume that a domain is a user or set of users).

The article also indicates that systrace is invoked only if the program is run with systrace. It also says that an administrator may grant access that is denied by the policy while the program is running. In SE Linux the security check is always invoked for all process/object interactions and there is no choice; access is granted or denied by the kernel.

I get the feeling that there are some very nice features that systrace might offer an SE Linux policy writer. It seems like it might be especially useful in generating a first cut policy for SE Linux.