[Security_sig] 10/14 Conf. call minutes

slav at vogon.net slav at vogon.net
Thu Oct 21 14:16:00 PDT 2004

> As I am one of the people who have expressed that sentiment I feel the
> need to explain myself :-)
> As is stands right now SELinux is far removed from something I would
> want to deploy in the field. There are a couple of reasons, which in the
> end all boil down to one thing: complexity, and the resulting high cost
> of ownership. It requires highly skilled people to correctly configure
> SELinux, and it is exceedingly difficult to 'prove' that the
> configuration actually meets your goals and policies. In the current
> marketplace we need to improve security and lower cost of deployment at
> the same time, and hiring $200/hour consultants does not help us to
> achieve that goal.

I've been away (no I wasn't ducking ;-), and came back to this very lively
and interesting thread.  Welcome Stephen; being a new member myself, I
didn't realize the NSA wasn't part of this group, glad to see the
oversight has been corrected.  I have read the arguments going both ways,
and I find myself still siding with Ge's logic regarding business value. 
For business entities, it ultimately comes down to how much protection can
be afforded given a certain threat level and the corresponding price tag
adjusted for the scale of deployment.  Our preliminary conclusion after
having tested SELinux was that it would be impractical to roll it out as a
generic security solution on a large scale, given the administrative costs
involved at the threat level we wanted to address.  IMO today SELinux is a
good niche solution where fine-grained control does matter, however it's
an overkill for someone who needs a generic tool to address a generic
problem, with little deviation from baseline, in many places at once, with
minimum cost.  There are several higher-level tools already out there that
take the administrative overhead problem into account (like LIDS and
SEOS/eTrust Access Control), neither of which are part of the Linux kernel
(last I checked LIDS wasn't).  Seeing a tool as powerful as SELinux be
part of the kernel is a good first step, a good second step would be to
make the tool useful to the masses, while preserving its low-level
features for those who really need them.

Thanks for listening.

More information about the security_sig mailing list