not installing SELinux with Fedora

Mon Jun 20 14:10:36 UTC 2005

On Sun, 2005-06-19 at 11:22 -0700, stewartetcie at canada.com wrote:
> The point is that SELinux is: (1) so complex as to be
> unmanageable; (2) inappropriate for all cases,
> virtualization being a case in point. By the way, sHype
> is available as a patch for Xen, which is distributed
> with Fedora Core 4.

SELinux doesn't create complexity; it just reveals the existing
complexity of what is already occurring on your computing system and
provides you with a mechanism that allows to control that complexity.
In the absence of such a mechanism, you have no chance of knowing what
is occurring on your system or being able to control it, and thus no way
to counter the risk posed by malicious and flawed applications.
Virtualization gives you a way to confine/isolate at very coarse
granularity with very strong isolation guarantees (which can indeed be
useful, and can be used in combination with SELinux), but doesn't really
solve the problem of fine-grained controlled sharing and confinement of
malicious/flawed applications on the OS.

> On a more general note Steve, take a look at Ken
> Thompson's 1984 ACM Turing Award lecture, "Reflections
> on Trusting Trust" wherein the author of the UNIX
> operating system illustrates why you shouldn't trust
> sneaky folks like him. By extension, I'm a little
> suspicious of the NSA's motives in distributing a
> system for mandatory access control that is needlessly
> complex and, essentially, unmanageable at a time when
> snort and tripwire, for example, are widely available
> and a stateful firewall is built into the Linux kernel.

None of what you list above is a mechanism for mandatory access control,
and all of them can be used in combination with SELinux just fine.
SELinux is the right foundation for mandatory access control - its
generality and comprehensiveness are exactly what one needs for a
general purpose OS that needs to deal with a wide range of security
requirements, and it provides an extensible infrastructure for
applications so that the same kinds of controls can be easily applied to
application abstractions as well.

> Fedora is
> the only widely used Linux distribution to incorporate
> SELinux in such a manner that it cannot be removed. If
> its so important, how come everybody else can get along
> without it? Perhaps we might consider an alternative
> Fedora Core 4 distro that is free of this one-stop
> security panacea?

I'm not sure what you mean by "cannot be removed".  As stated, Fedora
certainly allows you to disable SELinux.  Other 2.6-based distributions
include the SELinux code as well, although they may disable it by
default.  Most distributions don't want to have to ship multiple
variations of the kernel and userland, so they naturally don't want to
have to ship a SELinux and non-SELinux variant of kernel, coreutils,
etc.

And as far as I know, no one (and certainly not the NSA) has suggested
that SELinux is a one-stop security panacea - we have always been
careful to note the limitations of SELinux.

-- 
Stephen Smalley
National Security Agency