SELinux

Alan Cox alan at lxorguk.ukuu.org.uk
Sat Jan 22 18:10:36 UTC 2011


> I think the Law of Requisite Variety does not apply here.

Feel free to think that, but I would suggest Beer's analysis of the US
tax system is a direct match for the symptoms in SELinux, if you simply
swap crackers in for tax specialists.

> The model of a "control system" could be utilized in that system's "security"
> model.

Your security model is a control system. Its complexity depends upon the
state you manage. In the case of file permissions systems you manage
fairly small amounts of state - and most importantly with limited
interconnectedness. That said, people often get it wrong, as early tools
like Satan show.

You have a lot of state in the controlled system you don't manage because
they are not states you need to distinguish.

Simple example is a heating system - to control a system that can do
anything between 0 and 100C stably is more states than controlling the
same system to do a single temperature where it only needs to worry about
"too hot" and "too cold".

> The same "control"/"security" model, however useful to analyze security, would
> not be subjected to that Law's statement if we decided that only one of them,
> namely networking component, is *required* to have (worth of) a corresponding
> security component, namely iptables.

The same laws still apply, but the system you are looking at is different.

> Perhaps because we are on an internal network that we consider secure. So why
> would we need SELinux on that machine ? We would like not to have it, but we

If you consider your internal network secure and that all data
passing through it is safe you could use telnet and get rid of all your
passwords. In practice you'd question the assumption pretty hard.

> are not allowed to. We could disable it ..., but suddenly perhaps not ! What
> if SELinux becomes an object of a hacker attack ? We know that in order to
> remove SELinux to disinfect the system you have to remove everything else

Actually you don't. You can just turn it off. The ability to do that or
to use multiple different security plugins and models is part of the
kernel. The user space libraries cope just fine with no SELinux present.

Alan

