On Wed, 2005-06-22 at 14:16 -0400, Paul A Houle wrote: > Well, I'll believe it after we've had a few years of experience > with it. > > Windows NT has a 'richer' security model than the traditional Unix > model, but nobody uses it. Nobody knows how, and more to the point, > everything that an application has to work with in Windows NT doesn't > use the security features it has, so it's hard for one site or one > application to start doing things differently. 'Richer' security model doesn't equate to mandatory access control. The latter is necessary to confine malicious and flawed applications. The former often does just complicate administration with no real benefit in security. > SELinux is going to require a whole ecosystem of tools that work > together, or it's just going to put more of Fedora in the "it just > doesn't work" category. SELinux provides the infrastructure and APIs for security-aware applications, so it provides the right foundation for building such an ecosystem. Too many other kernel security enhancements try to ignore the role of applications in providing overall system security altogether. > For all the limitation of the UNIX model, people understand it. > They're afraid of root, and raw fear is a good motivator. I remember > VMS having tens of different permissions that a process could have, and > people finding privilege escalation attacks all the time. Don't confuse finer-grained security (by itself) with MAC, and don't confuse a privilege mechanism (aka POSIX/Linux capabilities) with MAC. Yes, SELinux provides a way to control the privileges defined by Linux capabilities and bind them to specific programs, but that is only a small part of what MAC enables. > Yeah, but I want thunderbird to have a lot of access to my files. > I want to be able to send an arbitrary file as an attachment, and I'd > like to be able to save files from it easily. (Yeah, you might > restrict it to 'save to the desktop' but once a lot of apps are > restricted the way, everything is on the desktop. You might block off > most network ports, but it still needs to make port 25 connections to > the outbound mail server -- which is what it needs to infect other > computers. You might lock it down so it can only talk to my official > outbound mail server, but then I can't use the GUI to configure my mail > application. Yes, what you can achieve directly via the OS controls may be limited to very coarse-grained distinctions. But you still need those OS-level controls both to even provide those coarse-grained distinctions and to support and protect higher level application security functionality. And you need the proper security labeling of the data so that higher level security functionality can make sensible decisions about how to handle the data. > It's not enough to have a system which is 'tough', we need a system > that's flexible enough that people can do 'the right thing' in a way > that isn't painful. If it's painful, or even difficult to understand > for average ordinary people, people are just going to configure SELinux > in ways that are unsafe so that things 'just work', and we're back > where we started, probably worse, because people have a false sense of > security. SELinux is flexible, and the fact that there are already strict, targeted, and mls policies for it demonstrates that flexibility. As to ease of use for "average ordinary" people, we're not there yet, but we have the right foundation on which to build, and the SELinux community is working toward that goal. > Finding that kind of intersection is difficult -- if you can do it, > my hats are off to you. I can SELinux being of interest for specialized > applications (desktops at the NSA? server appliances?) but i'll be hard > pressed to become an expert on SELinux so I can get my regular work done. And I agree that you shouldn't have to be an expert on SELinux to do your regular work. There is ongoing work to enable SELinux to be effectively deployed and used without such expertise, but we have to walk before we can run. -- Stephen Smalley National Security Agency -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-devel-list