The honest answer is that it has been over a year since I looked at the SELinux
stuff.  It is on my to-do list to review what's there.

However, modulo that disclaimer, I believe what we are doing can readily become
part of a larger strategy, indeed as you point out, it must to truely promote security.
This doesn't bother me in the slightest.  I will feel that the time was worthwhile if
our implementation becomes a standard part of a larger security apparatus, e.g.,
because we proved that file system masks could scale to multi-terabyte repositories.

I will take a gander at the paper you reference this weekend.


Valdis.Kletnieks@vt.edu wrote:
On Fri, 20 Aug 2004 07:23:24 -0000, David Dabbs said:

  
Hans and George, what did you find lacking in currently-available Linux security
module frameworks such as LIDS or LSM? They provide system function hooks
in which module writers may control object access. LSM-based work is on-going. See 
http://sic.iaik.tugraz.at/Best%20Paper%20Award/2004/LSM_quaritsch_winkler.pdf
for details of their addition of module stacking (multiple policies) and hooks into
the TCP layer. I'm going to read up on these frameworks.
    

Amen to that - while reading through Hans' summary, I was having a hard time
figuring out what this was buying us that SELinux doesn't provide. Thanks for the
pointer to the Quartisch&Winkler paper, as module stacking seems to be heating up.
The "usual scenario" for what people seem to want with LSM is a MAC system
like SELinux or LIDS, then zero or more "pathological case" handlers (for
instance, the 'BSD Securelevels' LSM, or some variant of the OpenWall mods, or
a chroot/jail module) to harden a specific aspect of the system, and then the
Capabilities LSM.

The biggest reason for wanting to do security at the LSM level rather than the
filesystem level is because that way you can *really* secure things (hint -
your filesystem can be as secure as you want, but if you don't also secure
stuff like unix-domain sockets or SYSV shared memory segments, 2 cooperating
processes can end-run an MLS trying to prevent it....)

If there's a specific need that you can't think of how to implement via SELinux
or the low-level LSM calls, please feel free to ask - if the exact nature of
the problem is itself sensitive, I can vector you to people over on the spook
side of the fence who should be able to either help you out or redirect you to
even spookier people.. ;)