Re: Current/Future Plans to Support Stacking LSM Modules

[Casey Schaufler <casey@schaufler-ca.com>]

--- Karl MacMillan <kmacmill@redhat.com> wrote:

> > There are others who would argue that SELinux
> > has abandoned the Linux privilege model and
> > thus disrupted the unity of the existing
> > security model.
> > 
> 
> No clue what this means.

Pre-SE Linux has a rational and well
established security model that includes
DAC and Privilege. The capability scheme
is designed to fit that model, adding the
logical extention from the POSIX statements
of "appropruate privilege" to defining what
those privileges would be.

SELinux does not use capabilities to identify
where "policy" is excepted, rather it defines
policy in such a way as to make the notion of
exception unnecessary. Many people think this
is good. I personally like the traditional
scheme, and would be happier with SELinux if
it held to it.

> > I don't understand why the SELinux crew seems
> > so intent on making it difficult to implement
> > alternatives. Last year it was "let's ditch LSM".
> > Now it's "Everyone hates stacking". Give it a
> > rest already.
> > 
> 
> 1) Stacking is possible now, just not arbitrary
> stacking by an admin.

True enough, although I have to say that it
isn't a pleasant exercise.

> 2) Not having arbitrary stacking in no way limits
> alternatives. It just 
> forces the use of a single alternative at a time or
> explicit development 
> to make alternatives work together.

Funny thing is that I would agree with you 100%
if LSM implemented authoritative hooks. Since
LSM implements a scheme that is supposed to
provide strictly for additional restrictions
it should be simple to stack modules safely.
 
> 3) The objections, if you read them, are about
> whether the correctness 
> of arbitrarily stacked modules can be reasonably
> expected or verified. 
> It is not an effort to limit alternatives.

Restictive LSM modules ought to be completely
stackable if they are in fact strictly
restrictive. That there are issues says that
the scheme may not be being used correctly.
I honestly don't know if that's worth the
trouble of fixing.

> There are real disagreements here, but please stop
> overstating the 
> differences and misconstruing (willfully?) peoples
> positions.

SELinux is a Good Thing for any number of
reasons. There are also other schemes that
have merit. Just as I encouraged the NSA to
adopt Linux and do their own security work
back in the late 20th century I hope to
encourage newcomers to LSM to follow through
with their ideas and come up with the next
great thing. Assimilation into SELinux can
come later if it's of value. Maybe you can
do a bunch of this stuff using SELinux as
a framework instead of LSM, but I think
that if someone wants to use LSM as a base
that is their call, and I personally would
like to see what they do because I don't
believe for a minute that the "problem"
of system security is solved.


Casey Schaufler
casey@schaufler-ca.com

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.