[OT] SELinux vs. other systems [was Re: [idea] udev + selinux]

Linas Vepstas linas at austin.ibm.com
Tue Aug 31 22:44:47 UTC 2004


On Tue, Aug 31, 2004 at 08:18:10PM +0100, Luke Kenneth Casson Leighton was heard to remark:
>  dude, the entire selinux thing is disliked by stacks of debian
>  maintainers because of the knock-on implications it has.

Totally off-topic remark, unrelated to anything, but I'm waiting 
for something to compile :)  

Every now and then, I look at SELinux, and I get scared away by its
complexity.  This complexity makes it very hard to audit, and assure
oneself that it's actually providing any real security, as opposed to
the illusion of security.  During this email thread, there are 
references to mysterious rules that neither party in the conversation 
fully understands; this scares me. 

Compare this to less complex security provided by e.g. the Linux 
VServer project.  VServer is intended to allow an ISP to pretend they
have a rack of 100 CPUs all running Linux, when in fact they have just
one.  The fact that it provides security is a side-effect; but it's 
far simpler, far easier to audit, and allows me to sleep at night.

Another example: Way back in the kernel-2.2 timeframe, I hacked on 
something neat: 'LOMAC': if you came in from a network connection, 
you lost permission to do almost anything, other than to e.g. webserve. 
The system was simple, worked well, the kernel patches were easy to audit, 
you could go home without worrying about privilege escalation.  

Compare that to this thread, where we are talking about atomic vs.
non-atomic restoration of context for udev-mounted temp file systems.
Shudder. This seems to be begging for an exploit to be discovered.
Are we sure that SELinux is really on the right track here?

--linas
