A thread on the OpenBSD-misc mailing list [1] compared the security of SELinux in the 2.6 Linux kernel to what's available in OpenBSD. The general opinion was that SELinux and its policy language are too complex, leading Damien Miller to note, "every medium to large Linux deployment that I am aware of has switched SELinux off. Once you stray from the default configurations that the system distributors ship with, the default policies no longer work and things start to break." Ted Unangst summarized, "the problem with security by policy is that the policy is always wrong."
Darrin Chandler suggested, "security should not be grafted on, it should be integrated into the main development process. I'm sure the patch maintainers are doing their best, but this doesn't change the fundamental flaw in the process. It's not a flaw of their making, it's inherent in the situation. But it's still a flaw." It was pointed out again that SELinux is part of the 2.6 kernel via LSM, to which Jason Dixon noted, "SELinux is a button. Buttons are easy to turn off." Darrin went on to say, "compare that to a complete operating system (OpenBSD) where security is part of code quality, and part of the normal mainline development." The security features in OpenBSD that were then discussed included propolice stack protection [2], random library mappings [3], proactive privilege separation, W^X [4], and systrace [5].
From: Douglas A. Tutty <dtutty@...>
Subject: OBSD's perspective on SELinux
Date: Sep 22, 11:34 am 2007
Hello all,
I'm running OBSD on my older boxes but still Debian on my big box (not
ready yet).
Linux has SELinux in its 2.6 kernel and debian has gone ahead and
compiled SELinux into the libraries, although the SELinux policies
aren't ready on debian yet. The whole focus seems to be to make Linux
"more secure". I'm not sure what to make of it. I figure that if you
want secure, you switch to OBSD.
Could someone who knows both the details of OBSDs security enhancements
and the details of SELinux comment?
Please note: this is _not_ a troll, flame-war-tinder-box, whatever.
I'm genuinely interested.
Thanks,
Doug.
From: Damien Miller <djm@...>
Subject: Re: OBSD's perspective on SELinux
Date: Sep 24, 11:09 pm 2007
On Sat, 22 Sep 2007, Douglas A. Tutty wrote:
> Hello all,
>
> I'm running OBSD on my older boxes but still Debian on my big box (not
> ready yet).
>
> Linux has SELinux in its 2.6 kernel and debian has gone ahead and
> compiled SELinux into the libraries, although the SELinux policies
> aren't ready on debian yet. The whole focus seems to be to make Linux
> "more secure". I'm not sure what to make of it. I figure that if you
> want secure, you switch to OBSD.
>
> Could someone who knows both the details of OBSDs security enhancements
> and the details of SELinux comment?
In terms of mandatory access controls, OpenBSD only has systrace.
Every medium to large Linux deployment that I am aware of has switched
SELinux off. Once you stray from the default configurations that the
system distributors ship with, the default policies no longer work and
things start to break. In my admittedly limited experience, this happens
very quickly.
If the policy language was halfway sane then this wouldn't be so bad -
a skilled administrator could adjust the policy. Unfortunately:
1) skilled administrators are hard to come by, and their time is usually
better spent *not* tweaking brittle mandatory access control policies
2) the SELinux policy language is nowhere near sane.
OpenBSD's systrace suffers from #1 - it is a generic problem with these
sorts of access control mechanisms, and it is one reason why it has never
been enabled by default. The brittleness is a real problem - I use
systrace for a few things and often need to update my policies because
of software upgrades or libc changes. Oh, and "skilled administrator"
means someone deeply familiar with the Unix system interface - not
just a graduate of certification course de jour.
The Linux solution to #2 seems to be to add various wizards and other
abstraction between the administrator and the policy, rather than tossing
the horrid mess and replacing it with something more comprehensible.
I'm sure you could use SELinux to improve the security of a system but
it would require quite a bit of time and effort, both initial and ongoing.
-d
From: Chris Kuethe <chris.kuethe@...>
Subject: Re: OBSD's perspective on SELinux
Date: Sep 24, 10:52 am 2007
On 9/22/07, Douglas A. Tutty <dtutty@porchlight.ca> wrote:
> Could someone who knows both the details of OBSDs security enhancements
> and the details of SELinux comment?
A capsule summary of the situation is:
OpenBSD aims to improve security by taking advantage of easy-to-use,
hard-to-disable, low-overhead technologies.
yes, you can disable propolice if you need to, but you have to know how.
yes, you can disable random library mappings, but you have to know how.
yes, you can disable W^X, but you have to try.
you could turn off the security features, but why would you, since
they don't get in your way, and they don't slow you down all that
much. i've not seen SELinux installations (or similar technologies)
that are easy to use correctly...
--
GDB has a 'break' feature; why doesn't it have 'fix' too?
From: Ted Unangst <ted.unangst@...>
Subject: Re: OBSD's perspective on SELinux
Date: Sep 22, 2:50 pm 2007
On 9/22/07, Douglas A. Tutty <dtutty@porchlight.ca> wrote:
> Linux has SELinux in its 2.6 kernel and debian has gone ahead and
> compiled SELinux into the libraries, although the SELinux policies
> aren't ready on debian yet.
rhetorical question: why aren't the policies ready?
the problem with security by policy is that the policy is always wrong.
exercise for the reader: find somebody using SELinux. ask them to
describe their policy over the phone. then repeat it back to them.
did you get it right?
From: Darrin Chandler <dwchandler@...>
Subject: Re: OBSD's perspective on SELinux
Date: Sep 22, 12:00 pm 2007
On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
> Linux has SELinux in its 2.6 kernel and debian has gone ahead and
> compiled SELinux into the libraries, although the SELinux policies
> aren't ready on debian yet. The whole focus seems to be to make Linux
> "more secure". I'm not sure what to make of it. I figure that if you
> want secure, you switch to OBSD.
>
> Could someone who knows both the details of OBSDs security enhancements
> and the details of SELinux comment?
I don't know all the details, and especially not the SELinux details,
but that won't stop me from commenting.
Not long ago I was talking with a Linux person about security, and they
pointed me to a set of patches that did a lot of nifty stuff. Good
stuff, like the things you find OpenBSD doing. But it's not in the
mainline kernel, it's a set of patches.
Security should not be grafted on, it should be integrated into the
main development process. I'm sure the patch maintainers are doing their
best, but this doesn't change the fundamental flaw in the process. It's
not a flaw of their making, it's inherent in the situation. But it's
still a flaw.
Compare that to a complete operating system (OpenBSD) where security is part of
code quality, and part of the normal mainline development.
--
Darrin Chandler | Phoenix BSD User Group | MetaBUG
dwchandler@stilyagin.com | http://phxbug.org/ | http://metabug.org/
http://www.stilyagin.com/ | Daemons in the Desert | Global BUG Federation
From: Jason Dixon <jason@...>
Subject: Re: OBSD's perspective on SELinux
Date: Sep 22, 12:20 pm 2007
On Sep 22, 2007, at 12:00 PM, Darrin Chandler wrote:
> On Sat, Sep 22, 2007 at 11:34:33AM -0400, Douglas A. Tutty wrote:
>> Linux has SELinux in its 2.6 kernel and debian has gone ahead and
>> compiled SELinux into the libraries, although the SELinux policies
>> aren't ready on debian yet. The whole focus seems to be to make Linux
>> "more secure". I'm not sure what to make of it. I figure that if you
>> want secure, you switch to OBSD.
>>
>> Could someone who knows both the details of OBSDs security enhancements
>> and the details of SELinux comment?
>
> I don't know all the details, and especially not the SELinux details,
> but that won't stop me from commenting.
>
> Not long ago I was talking with a Linux person about security, and they
> pointed me to a set of patches that did a lot of nifty stuff. Good
> stuff, like the things you find OpenBSD doing. But it's not in the
> mainline kernel, it's a set of patches.
>
> Security should not be grafted on, it should be integrated into the
> main development process. I'm sure the patch maintainers are doing their
> best, but this doesn't change the fundamental flaw in the process. It's
> not a flaw of their making, it's inherent in the situation. But it's
> still a flaw.
>
> Compare that to a complete operating system (OpenBSD) where security is part of
> code quality, and part of the normal mainline development.
If I could add one thing to Darrin's comment (of which I agree
completely), it would be this:
SELinux is a button. Buttons are easy to turn off.
---
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net