[Security_sig] 10/14 Conf. call minutes
Ge.Weijers at Sun.COM
Tue Oct 19 10:26:14 PDT 2004
Stephen Smalley wrote:
> It is unfortunate that several people in this group seem to have
>concluded that SELinux is too complex to deploy in this manner. I would
>ask whether this assumption is truly justified. One can certainly
>construct a SELinux policy that is specifically tailored to protecting
>the audit infrastructure and nothing else if desired, thereby avoiding
>the complexity associated with fine-grained least privilege.
As I am one of the people who have expressed that sentiment, I feel the
need to explain myself :-)
As it stands right now SELinux is far removed from something I would
want to deploy in the field. There are a couple of reasons, which in the
end all boil down to one thing: complexity, and the resulting high cost
of ownership. It requires highly skilled people to correctly configure
SELinux, and it is exceedingly difficult to 'prove' that the
configuration actually meets your goals and policies. In the current
marketplace we need to improve security and lower cost of deployment at
the same time, and hiring $200/hour consultants does not help us to
achieve that goal.
What would it require to change this? A couple of things:
* policies need to be expressed in a way that "mere mortals" such as
busy sysadmins can understand.
* baseline policies should ideally come with the software you're
installing, and should be easy to modify to meet local requirements.
* policy violations should be reported in terms of the high level
policy specification, not in terms of lower-level abstractions.
None of the above is impossible, but it needs to be done. Given the
deafening silence we usually get when we ask security-related questions,
I doubt that people will be standing in line to work on this. I wish it
Businesses need 'good enough' security at a low enough cost. As it
stands the cost of deploying SELinux outweighs the risk in many cases.
As an aside: another thing that worries me is code complexity (this is
not limited to SELinux, but extends to all of Linux, and *BSD, Solaris,
.....). The linux-220.127.116.11/security/selinux tree contains almost 16000
lines of code. The Biba module in FreeBSD 5.2.1 contains about 2900. The
latter is much easier to read and verify, and because it implements the
security model directly the error messages directly relate to the
security model. Complexity is our enemy.
>Perhaps this is the wrong venue for this discussion; if so, then I
>apologize. But I find it troubling that this group and discussion have
>been ongoing for some time with no representation from SELinux AFAIK,
>and I thought I should set the record straight on these issues. Thanks
This is exactly the right forum as far as I am concerned. Thanks for
Gé Weijers mailto:ge.weijers at sun.com
Linux Software Engineering Tel: (877)240-7611 x69536
Sun Microsystems, Inc. Fax: (877)240-7611
=== Expressed opinions are my own, I do not speak for Sun ===