FC4 kernel performance

Paul A Houle ph18 at cornell.edu
Wed Jun 22 18:16:02 UTC 2005


Stephen Smalley wrote:

>
>Actually, the SELinux model (or more generally, flexible mandatory
>access control) is precisely what one needs in order to contain
>malicious and flawed applications.  And SELinux can also help reinforce
>mechanisms like exec-shield by providing policy control over what
>applications can generate runtime code.
>
    Well,  I'll believe it after we've had a few years of experience 
with it.

    Windows NT has a 'richer' security model than the traditional Unix 
model,  but nobody uses it.  Nobody knows how,  and more to the point,  
everything that an application has to work with in Windows NT doesn't 
use the security features it has,  so it's hard for one site or one 
application to start doing things differently.

    SELinux is going to require a whole ecosystem of tools that work 
together,  or it's just going to put more of Fedora in the "it just 
doesn't work" category.

    For all the limitations of the UNIX model,  people understand it.  
They're afraid of root,  and raw fear is a good motivator.  I remember 
VMS having tens of different permissions that a process could have,  and 
people finding privilege escalation attacks all the time.

>But with SELinux, that application (firefox or thunderbird or whatever)
>can be placed in its own security domain, with its own set of
>permissions that are a subset of the user's overall permissions.  There
>is admittedly a lot of work to do to properly secure the desktop (e.g.
>security-enhanced X, which has been implemented but not yet upstreamed),
>but mandatory access control is the right mechanism for dealing with
>this issue.
>
    Yeah,  but I want thunderbird to have a lot of access to my files.  
I want to be able to send an arbitrary file as an attachment,  and I'd 
like to be able to save files from it easily.  (Yeah,  you might 
restrict it to 'save to the desktop' but once a lot of apps are 
restricted that way,  everything is on the desktop.)  You might block off 
most network ports,  but it still needs to make port 25 connections to 
the outbound mail server -- which is what it needs to infect other 
computers.  You might lock it down so it can only talk to my official 
outbound mail server,  but then I can't use the GUI to configure my mail 
application.

    Multiply this by hundreds of desktop apps which are glitchy enough 
as it is,  and we've got a new slogan for Fedora:  "it just doesn't work."

    It's not enough to have a system which is 'tough',  we need a system 
that's flexible enough that people can do 'the right thing' in a way 
that isn't painful.  If it's painful,  or even difficult to understand 
for average ordinary people,  people are just going to configure SELinux 
in ways that are unsafe so that things 'just work',  and we're back 
where we started,  probably worse,  because people have a false sense of 
security.

    Finding that kind of intersection is difficult -- if you can do it,  
my hats are off to you.  I can see SELinux being of interest for specialized 
applications (desktops at the NSA?  server appliances?) but I'll be hard 
pressed to become an expert on SELinux so I can get my regular work done.
