First SELinux impressions

First SELinux impressions

I haven't looked at systrace, except for the url you cited. Based on that, I'd say one big difference is that a systrace policy controls how a particular program acts. SE Linux dictates how that program may act when run in a specific domain. An SE Linux policy may define the same set of controls for a program, but it may also define a subset of those permissions for a less trusted domain (for simplicity assume that a domain is a user or set of users).

The article also indicates that systrace is invoked only if the program is run with systrace. It also says that an administrator may grant access that is denied by the policy while the program is running. In SE Linux the security check is always invoked for all process/object interactions and there is no choice; access is granted or denied by the kernel.

I get the feeling that there are some very nice features that systrace might offer an SE Linux policy writer. It seems like it might be especially useful in generating a first cut policy for SE Linux.