[Security_sig] 10/14 Conf. call minutes

Stephen Smalley sds at epoch.ncsc.mil
Fri Oct 22 09:02:30 PDT 2004 

On Wed, 2004-10-20 at 20:49, Ed Reed wrote:
> The huge disconnect I've had with the SELinux project has been, as
> we've discussed, Stephen, the awkward reality that the benefit you
> offer (fine-grained MAC via TE), does not map to the benefit that is 
> available from sales to agencies coming under MLS policy acquisition 
> guidelines.  At least, not that has been shown to be the case, yet.
> 
> In other words - there's a ready market for MLS solutions, and 'til
> recently, no one working on them in the SELinux space.  
> 
> I'm grateful and excited to know that is now changing.  

Thanks for your comments.  The reason that no one has worked on MLS
solutions based on SELinux until recently is that MLS is not a
motivating example for getting MAC technology into mainstream operating
systems.  With SELinux, we provided an architecture and mechanism that
was capable of supporting MLS requirements while focusing initially on
security models that were viewed as useful not only to MLS systems but
also to a wider user base.  And, as you say, someone is now working on a
MLS solution based on SELinux.  What other Linux MAC solution can
support this range of security requirements?
   
> Whether MLS or TE presents a better security policy framework
> is the subject for another discussion.

They don't have to exclude one another; TE was originally developed to
fill in the gaps of MLS systems, not to replace MLS.  TE is more general
and better suited to providing least privilege, integrity, and
separation of duty than MLS.  In any event, the SELinux framework can
support them both.

> Whether TE is ready for specification as an industry agreed, concensus
> driven security framework is, however, an appropriate topic for this
> group.  Until it has had the chance to be reviewed, accepted, and
> adopted by the security professionals in the industry, it seems premature
> to put it forward for widespread deployment.

Are you applying this same criteria to every security solution that this
group will consider putting forward?  Does LIDS meet this criteria?  How
about SubDomain?  Who exactly are these security professionals in the
industry?  When do they agree on anything?  If your group is only going
to follow and never lead, what is your purpose?

> What is concensus today is that:
> 
> 1) root has too many privileges for all the various administrators who 
> have need to use some of them to do their limited jobs;  This, by the
> way is ONLY recognized to be generally true in large enterprise, raised
> floor high availability data center deployments - there's much less 
> concensus for other scenarios; and
> 2) it's hard to get people to change
>
> Tackling those two realities will break a lot of ice, and will pave the way
> for much more nuanced security policies in the future.

How is this counter to deploying SELinux, which can support #1 without
imposing the complexity you fear via alternative policy configurations?

> As it stands now, you can't even get people to agree whether
> three spaces or four is the right translation of the ascii tab character
> in their favorite text editor - the systems management console of
> choice by a lot of the hard-liners.

8 spaces.

> I expect that the next couple of years in the commercial software
> deployment space will deal, for the first time, with wide spread
> adoption and experimentation with MAC of all varieties.  The
> community has new tools, enabled by the invaluable work done
> by the SELinux team, to explore these areas, and to experiment
> with what does and doesn't work.  We're likely to see every
> mistake of the past 30 years recreated, and hopefully a whole
> batch of new ones.
> 
> But if we're lucky, there'll be some that put 2 and 2 together
> to create something unexpected and really useful.  Simply
> because we'll have more eyes working the problem, and
> more perspective on what's worked in the past and what's
> not.

That way lies madness, and much wasted time and resources.  You can
deploy a sound framework and mechanism now, and play with all different
flavors of policy configurations if you like, but leave radical
experimentation with MAC modules to researchers, please, it has no place
in production deployment.

> Think of me as working on the same problem, but just in
> a different area, that I really hope will converge with your
> own efforts - over the next 30 years or so.

30 years?  RHEL4 systems will be shipping with SELinux early next year. 
TCS' press release indicated that they will be offering their Trusted
Linux platform based on SELinux in spring 2005.   As above, 30 year
horizon might be fine for your researchers, but not what I would expect
from this group.

> How do we get these chuckleheads to realize they
> not only need MAC, but that they actually want it?

By applying resources to address their useability concerns, so that the
security benefits can sell themselves without that obstacle.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency

More information about the security_sig mailing list