Re: Announce: SELinux conditional policy extensions

All of lore.kernel.org
 help / color / mirror / Atom feed

From: ramsdell@mitre.org (John D. Ramsdell)
To: russell@coker.com.au
Cc: <mayerf@tresys.com>,
	"'Joshua D. Guttman disp: current'" <guttman@mitre.org>,
	"'Karl MacMillan'" <kmacmillan@tresys.com>,
	"'SELinux List'" <SELinux@tycho.nsa.gov>,
	"'Stephen D. Smalley'" <sds@epoch.ncsc.mil>,
	"'Amy L. Herzog'" <aherzog@mitre.org>,
	"'Galen B. Williamson'" <gwilliam@mitre.org>,
	"'Grant M. Wagner'" <gmw@tycho.ncsc.mil>,
	"'David Caplan'" <dac@tresys.com>,
	ramsdell@mitre.org
Subject: Re: Announce: SELinux conditional policy extensions
Date: 20 Feb 2004 08:05:53 -0500	[thread overview]
Message-ID: <ogtu11lyk7i.fsf@divan.mitre.org> (raw)
In-Reply-To: <200402141451.08044.russell@coker.com.au>

Russell Coker <russell@coker.com.au> writes:

> On Sat, 14 Feb 2004 06:14, "Frank Mayer" <mayerf@tresys.com> wrote:

> > 2) Because SE Linux introduced "pragmatic" mandatory security to
> > the world, and it seems to be having success after our decades of
> > failure of finding a means to introduce strong mandatory security
> > to the "mainstream."  My observations to date are very few are
> > concerned (rightly or wrongly) with rigorous policy analysis, and
> > are more concerned with a practical mechanism to provide greater
> > least privilege and system hardening.
> 
> Yes, this is an issue that can not be under-estimated.
> 
> Currently my work is tending towards providing less protection so
> that it is more acceptable to the majority of users.  My personal
> preference of the trade-off between security and usability is to
> have more security than most people will be prepared to accept.  But
> we have to do what's necessary to get the user-base.

In my opinion, adding more complexity to the policy enforcement
mechanism is likely to drive away new users.  Why should people be
interested in an operating system that provides mandatory access
control if they find its access control policy incomprehensible?

SE Linux policies are difficult to understand even with policies that
make no use of the conditional policy extension.  Consider the
situation surrounding information flow analysis.  Both MITRE and
Tresys have produced tools that perform an information flow analysis.
In a comprehensible system, it would be obvious how the two flow
analyses relate.  I have yet to see a plausible account of the two
flow analyses in a common framework.

I have one suggestion for making SE Linux policies more
comprehensible.  Suppose the semantics of a class is defined by
binding it to one or more LSM hook functions that perform access
control.  In this way, the author of a policy file would know that an
allow statement that refers to, say, the file class is making a
statement about permissions associated with the LSM file access
control hooks, and statements that refer to the inode class is making
a statement about permissions associated with the LSM inode access
control hooks.

Of course, the SE Linux Security Module implements a binding of
classes to access control hooks, but documentation available to policy
writers I've seen does not encourage the writers to rely on any
particular binding.

John

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

next prev parent reply	other threads:[~2004-02-20 13:05 UTC|newest]

Thread overview: 14+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2003-12-22 22:47 Announce: SELinux conditional policy extensions Karl MacMillan
2004-02-13  1:22 ` Joshua D. Guttman
2004-02-13  5:19   ` Colin Walters
2004-02-13 14:43     ` Stephen Smalley
2004-02-13 19:24     ` Frank Mayer
2004-02-13 19:14   ` Frank Mayer
2004-02-14  3:51     ` Russell Coker
2004-02-20 13:05       ` John D. Ramsdell [this message]
2004-02-20 13:23         ` Stephen Smalley
2004-02-20 14:46         ` Frank Mayer
2004-02-20 15:14           ` John D. Ramsdell
2004-02-16 21:20     ` Joshua D. Guttman
2004-02-17  1:50       ` Frank Mayer
2004-02-20 11:21     ` Announce: Slat 1.1.0 with policy deconditionalizer John D. Ramsdell

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ogtu11lyk7i.fsf@divan.mitre.org \
    --to=ramsdell@mitre.org \
    --cc=SELinux@tycho.nsa.gov \
    --cc=aherzog@mitre.org \
    --cc=dac@tresys.com \
    --cc=gmw@tycho.ncsc.mil \
    --cc=guttman@mitre.org \
    --cc=gwilliam@mitre.org \
    --cc=kmacmillan@tresys.com \
    --cc=mayerf@tresys.com \
    --cc=russell@coker.com.au \
    --cc=sds@epoch.ncsc.mil \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.