SELinux - a call for end-of-life.
Marko Vojinovic
vvmarko at gmail.com
Wed Sep 1 18:21:12 UTC 2010
On Wednesday, September 01, 2010 18:29:13 JB wrote:
> Please feel free to add some thoughts to my modest idea of the future
> concept of security.
Since you are apparently serious about this, let me try to help a little
(remember, you asked for it! :-) ...):
> This is my idea of the new security concept:
> - it should be real-time (operating in a background)
SELinux provides protection in real time and operates in the background.
> - it should be modular in the sense of traditional small, single function,
> and stand-alone UNIX utilities
SELinux is as modular as the traditional UNIX permissions system and firewall
system. No one can really ask for more than that.
> - it has to be simple to be acceptable and understandable by all sys admins
> and users of UNIX/Linux systems
SELinux is as simple as the standard permissions system. All sysadmins and Linux
users are already familiar with this concept, and should have no trouble
understanding and accepting SELinux.
> - it should be configurable:
> - by sys admin and user (selectively)
Any system-wide configuration is done by root, or delegated by sudo. SELinux is
no different here from any other security system in Linux.
> - at any time
SELinux is configurable in real time, as much as it is running in real time.
> - dynamically
I am not sure what you mean by this, because "dynamics" in general refers to
"changing in time", which is already covered above.
> - it should show various diagnostics (alarms) in real-time, but never
> interfere with or prevent a program from execution.
SELinux shows alarms and diagnostics in real time, and can be configured to run
in permissive mode, thereby never interfering with anything.
That said, I must comment that the "never interfering" idea is very stupid,
because the very first thing a successful attacker would do is to shut down all
alarms and delete all previous ones. So, if your system is not compromised,
you see no alarms. If your system gets compromised, again you see no alarms.
In this state it is quite useless. The idea of a security system is to
*actively* prevent intrusion, not just to detect it and inform the user.
A detection-only system just doesn't make much sense.
> - it should not interfere with / try to undo any present and standard
> UNIX/Linux system security measures
SELinux doesn't interfere with any existing security restrictions; it just
adds new ones.
> - it should be supplementary to existing UNIX/Linux system security
SELinux is supplementary to all previous Linux system security, and also
complementary, because it introduces security measures in places which were
not under control before.
> - it should be self-contained, installable and removable at any time,
> without influencing the system
No serious security system can run entirely in userspace; they are all
implemented in the kernel. Standard UNIX permissions, firewall, SELinux, you
name it. That said, SELinux and the firewall can be enabled/disabled by root on a
whim, while with the permissions system it is far from easy (to disable it one
would need to do a filesystem-wide chmod and chown, while re-enabling it
afterwards is almost impossible).
Bottom line: as far as I can tell, SELinux satisfies all your requirements,
and has the added benefit that it already exists, so there is no need to recreate it.
My 2 cents. :-)
HTH, :-)
Marko
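To illustrate the permissive-versus-enforcing distinction discussed in the reply above, here is an added example (not part of the original thread, and not code from the SELinux project) that parses AVC denial records from an audit log and reports, per source domain and target, whether each denial was actually blocked by the kernel or merely logged because the policy was running in permissive mode. The sample audit lines are constructed for the example; the record layout and the permissive= field follow the audit AVC format.

```python
import re
from collections import Counter

# Constructed sample audit.log excerpt (not taken from the original post).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1283365272.101:301): avc:  denied  { read } for  pid=2101 comm="httpd" name="index.html" dev="dm-0" ino=4021 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1283365272.102:302): avc:  denied  { write } for  pid=2101 comm="httpd" name="uploads" dev="dm-0" ino=4022 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir permissive=1
type=SYSCALL msg=audit(1283365272.102:302): arch=c000003e syscall=2 success=yes exit=4
type=AVC msg=audit(1283365272.200:303): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    # permissive=1: the access was logged but still allowed (permissive mode).
    # permissive=0: the kernel actually refused the access (enforcing mode).
    blocked = fields.get("permissive", "0") == "0"
    return {
        "perms": perms.split(),
        "comm": fields.get("comm"),
        "scontext": fields.get("scontext"),
        "tcontext": fields.get("tcontext"),
        "tclass": fields.get("tclass"),
        "blocked": blocked,
    }


def summarize(log_text):
    """Count denials per (source domain, target type, object class, outcome)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        outcome = "blocked" if rec["blocked"] else "logged-only"
        src_domain = rec["scontext"].split(":")[2]   # e.g. httpd_t
        tgt_type = rec["tcontext"].split(":")[2]     # e.g. user_home_t
        counts[(src_domain, tgt_type, rec["tclass"], outcome)] += 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_AUDIT_LOG).items()):
        print(n, *key)
```

A "logged-only" entry is exactly the alarm-without-enforcement situation the reply argues against: the denial is visible in the log, but the access went through.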