On Wed, 2005-06-22 at 14:16 -0400, Paul A Houle wrote:
Well, I'll believe it after we've had a few years of
experience
with it.
Windows NT has a 'richer' security model than the traditional Unix
model, but nobody uses it. Nobody knows how, and more to the point,
everything that an application has to work with in Windows NT doesn't
use the security features it has, so it's hard for one site or one
application to start doing things differently.
'Richer' security model doesn't equate to mandatory access control. The
latter is necessary to confine malicious and flawed applications. The
former often does just complicate administration with no real benefit in
security.
SELinux is going to require a whole ecosystem of tools that work
together, or it's just going to put more of Fedora in the "it just
doesn't work" category.
SELinux provides the infrastructure and APIs for security-aware
applications, so it provides the right foundation for building such an
ecosystem. Too many other kernel security enhancements try to ignore
the role of applications in providing overall system security
altogether.
For all the limitation of the UNIX model, people understand it.
They're afraid of root, and raw fear is a good motivator. I remember
VMS having tens of different permissions that a process could have, and
people finding privilege escalation attacks all the time.
Don't confuse finer-grained security (by itself) with MAC, and don't
confuse a privilege mechanism (aka POSIX/Linux capabilities) with MAC.
Yes, SELinux provides a way to control the privileges defined by Linux
capabilities and bind them to specific programs, but that is only a
small part of what MAC enables.
Yeah, but I want thunderbird to have a lot of access to my
files.
I want to be able to send an arbitrary file as an attachment, and I'd
like to be able to save files from it easily. (Yeah, you might
restrict it to 'save to the desktop' but once a lot of apps are
restricted the way, everything is on the desktop. You might block off
most network ports, but it still needs to make port 25 connections to
the outbound mail server -- which is what it needs to infect other
computers. You might lock it down so it can only talk to my official
outbound mail server, but then I can't use the GUI to configure my mail
application.
Yes, what you can achieve directly via the OS controls may be limited to
very coarse-grained distinctions. But you still need those OS-level
controls both to even provide those coarse-grained distinctions and to
support and protect higher level application security functionality.
And you need the proper security labeling of the data so that higher
level security functionality can make sensible decisions about how to
handle the data.
It's not enough to have a system which is 'tough',
we need a system
that's flexible enough that people can do 'the right thing' in a way
that isn't painful. If it's painful, or even difficult to understand
for average ordinary people, people are just going to configure SELinux
in ways that are unsafe so that things 'just work', and we're back
where we started, probably worse, because people have a false sense of
security.
SELinux is flexible, and the fact that there are already strict,
targeted, and mls policies for it demonstrates that flexibility. As to
ease of use for "average ordinary" people, we're not there yet, but we
have the right foundation on which to build, and the SELinux community
is working toward that goal.
Finding that kind of intersection is difficult -- if you can do
it,
my hats are off to you. I can SELinux being of interest for specialized
applications (desktops at the NSA? server appliances?) but i'll be hard
pressed to become an expert on SELinux so I can get my regular work done.
And I agree that you shouldn't have to be an expert on SELinux to do
your regular work. There is ongoing work to enable SELinux to be
effectively deployed and used without such expertise, but we have to
walk before we can run.
--
Stephen Smalley
National Security Agency