From: Karl MacMillan <kmacmillan@mentalrootkit.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Joshua Brindle <jbrindle@tresys.com>,
Eric Paris <eparis@redhat.com>,
Chad Sellers <csellers@tresys.com>,
selinux@tycho.nsa.gov
Subject: Re: [RFC] Ability to allow undefined permissions and classes -v2
Date: Thu, 15 Feb 2007 14:03:39 -0500 [thread overview]
Message-ID: <45D4AE8B.1080902@mentalrootkit.com> (raw)
In-Reply-To: <1171564421.32574.36.camel@moss-spartans.epoch.ncsc.mil>
Stephen Smalley wrote:
> On Wed, 2007-02-14 at 14:22 -0500, Joshua Brindle wrote:
>>> From: Eric Paris [mailto:eparis@redhat.com]
>>> That is my point of question and lack of understanding. Will
>>> the policy which is passed to the kernel have all of the
>>> policy for all of the system or only that for the kernel?
>>> The way I see both cases:
>>>
>> Only for the kernel.
>
> Actually, I thought you had found that the userspace security server
> isn't much of a win (and a definite cost) for current usage by e.g. the
> X server. Which would suggest that we aren't likely to evict userspace
> policy from the kernel any time soon.
>
And the cost is not just performance (which is a large cost - the number
of context switches will always make it lose). There are:
- Problems synchronizing policy change (which is particularly bad when
contexts are invalidated). This includes boolean changes.
- Increased user-visible complexity in libselinux (including a new
configuration file for routing).
- Potentially overlapping object classes (e.g., for something like
samba, should answers about "file" come from the kernel or the userspace
security server).
- Potential for the death of the userspace security server (including
things like the OOM killer) or extreme performance problems under heavy
swapping.
The only potential win is reduced kernel memory usage for policy, but
the total memory footprint for kernel + userspace security server is
likely much higher and it is not clear that the ability to swap portions
of the userspace security server is desirable. I think we will get
further by reducing the kernel policy memory footprint.
Even when you want to disable kernel enforcement for some object classes
I think that the userspace security server loses (this is something I
have suggested to allow userspace apps like DBUS to rely entirely on
SELinux policy instead of SELinux + custom security policy). In those
scenarios you are likely still going to want labeling to happen for
processes, files, etc. even if many of the access checks are disabled.
That means there will still need to be a policy loaded into the kernel.
I don't see any compelling use for the userspace security server and
don't think we should make kernel changes with the assumption that it
will be present in the future.
Karl
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next prev parent reply other threads:[~2007-02-15 19:03 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-02-12 19:43 [RFC] Ability to allow undefined permissions and classes -v2 Eric Paris
2007-02-13 12:27 ` Stephen Smalley
2007-02-13 17:28 ` Eric Paris
2007-02-13 17:40 ` Stephen Smalley
2007-02-13 17:41 ` Stephen Smalley
2007-02-13 17:49 ` Stephen Smalley
2007-02-13 17:57 ` Stephen Smalley
2007-02-13 19:36 ` Eric Paris
2007-02-14 18:10 ` Chad Sellers
2007-02-14 18:49 ` Eric Paris
2007-02-14 19:22 ` Joshua Brindle
2007-02-14 19:40 ` Eric Paris
2007-02-15 18:33 ` Stephen Smalley
2007-02-15 18:46 ` Stephen Smalley
2007-02-15 19:05 ` Eric Paris
2007-02-15 19:12 ` Chad Sellers
2007-02-15 19:27 ` Stephen Smalley
2007-02-15 19:42 ` Stephen Smalley
2007-02-15 19:44 ` Eric Paris
2007-02-15 19:49 ` Stephen Smalley
2007-02-15 19:03 ` Karl MacMillan [this message]
2007-02-15 19:19 ` Stephen Smalley
2007-02-14 18:12 ` Joshua Brindle
2007-02-15 18:30 ` Eamon Walsh
2007-02-15 20:51 ` Stephen Smalley
2007-02-15 18:05 ` Stephen Smalley
2007-02-14 17:38 ` Chad Sellers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=45D4AE8B.1080902@mentalrootkit.com \
--to=kmacmillan@mentalrootkit.com \
--cc=csellers@tresys.com \
--cc=eparis@redhat.com \
--cc=jbrindle@tresys.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.