[Security_sig] 10/14 Conf. call minutes

Gé Weijers Ge.Weijers at Sun.COM
Tue Oct 19 10:26:14 PDT 2004


Stephen Smalley wrote:

> It is unfortunate that several people in this group seem to have
> concluded that SELinux is too complex to deploy in this manner.  I would
> ask whether this assumption is truly justified.  One can certainly
> construct a SELinux policy that is specifically tailored to protecting
> the audit infrastructure and nothing else if desired, thereby avoiding
> the complexity associated with fine-grained least privilege.

As I am one of the people who have expressed that sentiment, I feel the 
need to explain myself :-)

As it stands right now SELinux is far removed from something I would 
want to deploy in the field. There are a couple of reasons, which in the 
end all boil down to one thing: complexity, and the resulting high cost 
of ownership. It requires highly skilled people to correctly configure 
SELinux, and it is exceedingly difficult to 'prove' that the 
configuration actually meets your goals and policies. In the current 
marketplace we need to improve security and lower cost of deployment at 
the same time, and hiring $200/hour consultants does not help us to 
achieve that goal.

What would it require to change this? A couple of things:

    * policies need to be expressed in a way that "mere mortals" such as
      busy sysadmins can understand.
    * baseline policies should ideally come with the software you're
      installing, and should be easy to modify to meet local requirements.
    * policy violations should be reported in terms of the high level
      policy specification, not in terms of lower-level abstractions.

None of the above is impossible, but it needs to be done. Given the 
deafening silence we usually get when we ask security-related questions 
I doubt that people will be standing in line to work on this. I wish it 
were different.

Businesses need 'good enough' security at a low enough cost. As it 
stands the cost of deploying SELinux outweighs the risk in many cases.

<soapbox>
As an aside: another thing that worries me is code complexity (this is 
not limited to SELinux, but extends to all of Linux, and *BSD, Solaris, 
.....). The linux-2.6.8.1/security/selinux tree contains almost 16000 
lines of code. The Biba module in FreeBSD 5.2.1 contains about 2900. The 
latter is much easier to read and verify, and because it implements the 
security model directly the error messages directly relate to the 
security model. Complexity is our enemy.
</soapbox>

> Perhaps this is the wrong venue for this discussion; if so, then I
> apologize.  But I find it troubling that this group and discussion have
> been ongoing for some time with no representation from SELinux AFAIK,
> and I thought I should set the record straight on these issues.  Thanks
> for listening...

This is exactly the right forum as far as I am concerned. Thanks for 
jumping in.

Ge'

-- 
Gé Weijers                          mailto:ge.weijers at sun.com
Linux Software Engineering          Tel: (877)240-7611 x69536
Sun Microsystems, Inc.              Fax: (877)240-7611
=== Expressed opinions are my own, I do not speak for Sun ===