Stephen Smalley wrote:
> Actually, the SELinux model (or more generally, flexible mandatory
> access control) is precisely what one needs in order to contain
> malicious and flawed applications. And SELinux can also help reinforce
> mechanisms like exec-shield by providing policy control over what
> applications can generate runtime code.
Well, I'll believe it after we've had a few years of experience
with it.
Windows NT has a 'richer' security model than the traditional Unix
model, but nobody uses it. Nobody knows how, and more to the point,
everything that an application has to work with in Windows NT doesn't
use the security features it has, so it's hard for one site or one
application to start doing things differently.
SELinux is going to require a whole ecosystem of tools that work
together, or it's just going to put more of Fedora in the "it just
doesn't work" category.
For all the limitations of the UNIX model, people understand it.
They're afraid of root, and raw fear is a good motivator. I remember
VMS having tens of different permissions that a process could have, and
people finding privilege escalation attacks all the time.
> But with SELinux, that application (firefox or thunderbird or whatever)
> can be placed in its own security domain, with its own set of
> permissions that are a subset of the user's overall permissions. There
> is admittedly a lot of work to do to properly secure the desktop (e.g.
> security-enhanced X, which has been implemented but not yet upstreamed),
> but mandatory access control is the right mechanism for dealing with
> this issue.
Yeah, but I want thunderbird to have a lot of access to my files.
I want to be able to send an arbitrary file as an attachment, and I'd
like to be able to save files from it easily. (Yeah, you might
restrict it to 'save to the desktop' but once a lot of apps are
restricted that way, everything is on the desktop.) You might block off
most network ports, but it still needs to make port 25 connections to
the outbound mail server -- which is what it needs to infect other
computers. You might lock it down so it can only talk to my official
outbound mail server, but then I can't use the GUI to configure my mail
application.
Multiply this by hundreds of desktop apps which are glitchy enough
as it is, and we've got a new slogan for Fedora: "it just doesn't work."
It's not enough to have a system which is 'tough', we need a system
that's flexible enough that people can do 'the right thing' in a way
that isn't painful. If it's painful, or even difficult to understand
for average ordinary people, people are just going to configure SELinux
in ways that are unsafe so that things 'just work', and we're back
where we started, probably worse, because people have a false sense of
security.
Finding that kind of intersection is difficult -- if you can do it,
my hat is off to you. I can see SELinux being of interest for specialized
applications (desktops at the NSA? server appliances?) but I'll be hard
pressed to become an expert on SELinux so I can get my regular work done.
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
http://www.redhat.com/mailman/listinfo/fedora-devel-list
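To make the thread's argument concrete, here is what "placing thunderbird in its own domain with a subset of the user's permissions" looks like as a Type Enforcement policy module. This is an added example written for this page, not policy shipped by Fedora, SELinux or the thread's participants. It assumes the reference-policy interfaces named below exist with the meaning their names suggest (corenet_tcp_connect_smtp_port, userdom_manage_user_home_content_files, corenet_tcp_connect_all_ports, userdom_user_application_domain), and the type names thunderbird_t / thunderbird_exec_t and the boolean thunderbird_connect_any_port are invented for the illustration.

```selinux
# thunderbird_confine.te  (added example; names and interfaces assumed)
policy_module(thunderbird_confine, 1.0.0)

########################################
# Declarations
#
# The mail client gets its own domain, entered automatically when the
# user's login domain executes a file labelled thunderbird_exec_t.
# Every rule below is a strict subset of what the user could do unconfined.

type thunderbird_t;
type thunderbird_exec_t;
userdom_user_application_domain(thunderbird_t, thunderbird_exec_t)

# Off by default.  Turning it on is the "just make it work" escape hatch
# the poster worries about: it hands the domain every TCP port.
gen_tunable(thunderbird_connect_any_port, false)

########################################
# Policy
#

# Process self-permissions.  Note what is deliberately absent: no
# `execmem`, so the domain cannot map writable+executable memory and
# generate runtime code (the exec-shield point made above).
allow thunderbird_t self:process { signal sigchld getsched setsched };
allow thunderbird_t self:fifo_file rw_fifo_file_perms;
allow thunderbird_t self:unix_stream_socket create_stream_socket_perms;
allow thunderbird_t self:tcp_socket create_stream_socket_perms;
allow thunderbird_t self:udp_socket create_socket_perms;

# Files: the user wants to attach and save arbitrary files, so the whole
# home directory content stays reachable rather than only the desktop.
userdom_search_user_home_dirs(thunderbird_t)
userdom_manage_user_home_content_files(thunderbird_t)

files_read_etc_files(thunderbird_t)
miscfiles_read_localization(thunderbird_t)
miscfiles_read_generic_certs(thunderbird_t)

# Network: generic interfaces and nodes are needed to send any packet;
# the only port the domain may *connect* to is whatever the running
# system maps to smtp_port_t (see `semanage port -l | grep smtp`).
corenet_tcp_sendrecv_generic_if(thunderbird_t)
corenet_tcp_sendrecv_generic_node(thunderbird_t)
corenet_tcp_connect_smtp_port(thunderbird_t)

# Name resolution, so the outbound server can be found at all.
sysnet_dns_name_resolve(thunderbird_t)

# Escape hatch, gated by the boolean declared above.
tunable_policy(`thunderbird_connect_any_port', `
	corenet_tcp_connect_all_ports(thunderbird_t)
')
```

Build and load it with the standard devel Makefile (`make -f /usr/share/selinux/devel/Makefile thunderbird_confine.pp && semodule -i thunderbird_confine.pp`), then label the binary with `semanage fcontext -a -t thunderbird_exec_t /usr/bin/thunderbird` and `restorecon -v /usr/bin/thunderbird`; denials show up via `ausearch -m AVC` and `audit2why`. Two caveats match the poster's objections exactly: TE sees port types, not hosts, so "only my official mail server" cannot be expressed here and needs SECMARK or NetLabel packet labelling; and `setsebool thunderbird_connect_any_port on` is one command away, which is the "configure it so things just work" path the thread warns about.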