Re: SELinux talk

[Dominick Grift <dac.override@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 3083 bytes --]

On Tue, May 12, 2015 at 04:42:41PM +0200, Andrew Holway wrote:
> Hello,
> 
> I'm giving a talk on SELinux at a little conference here in Berlin in a
> couple of days. I was going to do the following items.
> 
> IEEE 1003.1e/2c - A withdrawn draft standard.
> Linux ACLS - Hacked together from IEEE 1003.1e/2c
> SELinux -> An opensource solution for the US military.
> DAC 1997 -> 2015 - The elephant in the room.
> 
> I was wondering if anyone could provide me with specific bulletpoint
> examples of the problems inherent with the current ACL system and how
> SELinux can mitigate these problems.

Here is one i somehow find compelling:

Centralized governed (MAC) versus De-centralized goverened (DAC) security

Back in the days of 1997 the privilege of computer environments was pretty much limited to academic use.

I think there was an filosophy of trust. Were all academics we know what we do and we're all good (we dont make mistakes)

(Some still believe in that)

To others, things changed since then.

Computer environments are no longer limited to academics and everyone and their mother are now wielding a computer with a 100 mbit+ uplink to the rest of the connected world.

Also we're now pretty much all connected. That means that we can in theory now all affect eachothers´ experience.

For example some could in theory send your site into a black hole by packeting it to death.
(some user with access to your system may decide to use your assets to ruin the fun for someone else on the network by udp flooding or whatever) 

Also these days the stakes are much higher in general (some businesses depend for their lively hood on computer environment)

Those three changes are basically a pretty compelling reason to calibrate the security model to the new requirements and threats.

SELinux and MAC in general, allows the owner of a computer system or environment to take control back into his own hands by overriding traditional DAC

SELinux enables one to not necessarily trust individual processes and/or users on a system. It allows owners to enforce what
indidivual processes and users can do thereby enforcing integrity

Some other advantages of SELinux over other MAC systems are that SELinux is customizable, flexible and allows for finer-grained access control.

> 
> Can anyone tell me about the relationship between IEEE 1003.1e/2c and
> SELinux?
> 
> Any other interesting nuggets to keep a technical but non security focussed
> audience interested?
> 
> Ta
> 
> Andrew
> 
> 
> 
> -- 
> Otter Networks UG
> http://otternetworks.de
> fon: +49 30 54 88 5197
> Gotenstraße 17
> 10829 Berlin

> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.


-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift

[-- Attachment #2: Type: application/pgp-signature, Size: 648 bytes --]