Re: OBSD's perspective on SELinux

To: Douglas A. Tutty <dtutty@...>
Cc: <misc@...>
Date: Monday, September 24, 2007 - 11:09 pm

On Sat, 22 Sep 2007, Douglas A. Tutty wrote:

> Hello all,

In terms of mandatory access controls, OpenBSD only has systrace.

Every medium to large Linux deployment that I am aware of has switched
SELinux off. Once you stray from the default configurations that the
system distributors ship with, the default policies no longer work and
things start to break. In my admittedly limited experience, this happens
very quickly.

If the policy language was halfway sane then this wouldn't be so bad -
a skilled administrator could adjust the policy. Unfortunately:

1) skilled administrators are hard to come by, and their time is usually
better spent *not* tweaking brittle mandatory access control policies

2) the SELinux policy language is nowhere near sane.

OpenBSD's systrace suffers from #1 - it is a generic problem with these
sorts of access control mechanisms, and it is one reason why it has never
been enabled by default. The brittleness is a real problem - I use
systrace for a few things and often need to update my policies because
of software upgrades or libc changes. Oh, and "skilled administrator"
means someone deeply familiar with the Unix system interface - not
just a graduate of the certification course du jour.

The Linux solution to #2 seems to be to add various wizards and other
abstraction between the administrator and the policy, rather than tossing
the horrid mess and replacing it with something more comprehensible.

I'm sure you could use SELinux to improve the security of a system but
it would require quite a bit of time and effort, both initial and ongoing.

-d
