public inbox for linux-kernel@vger.kernel.org
From: Casey Schaufler <casey@schaufler-ca.com>
To: Kyle Moffett <mrmacman_g4@mac.com>, Valdis.Kletnieks@vt.edu
Cc: casey@schaufler-ca.com, Pavel Machek <pavel@ucw.cz>,
	linux-security-module@vger.kernel.org,
	LKML Kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] Smack: Simplified Mandatory Access Control Kernel
Date: Tue, 21 Aug 2007 08:50:48 -0700 (PDT)
Message-ID: <583405.53562.qm@web36609.mail.mud.yahoo.com>
In-Reply-To: <09E2BAC3-B26D-41BD-AE7B-51A59BC21CE4@mac.com>


--- Kyle Moffett <mrmacman_g4@mac.com> wrote:

> On Aug 19, 2007, at 17:12:41, Valdis.Kletnieks@vt.edu wrote:
> > On Sat, 18 Aug 2007 01:29:58 EDT, Kyle Moffett said:
> >> If you can show me a security system other than SELinux which is  
> >> sufficiently flexible to secure those 2 million lines of code  
> >> along with the other 50 million lines of code found in various  
> >> pieces of software on my Debian box then I'll go put on my dunce  
> >> hat and sit in the corner.
> >
> > /me hands Kyle a dunce cap. :)
> >
> > Unfortunately, I have to agree that both AppArmor and Smack have at  
> > least the potential of qualifying as "securing the 2M lines of code".
> >
> > The part that Kyle forgot was what most evals these days call the  
> > "protection profile" - What's the threat model, who are you  
> > defending against, and just how good a job does it have to do?   
> > I'll posit that for a computer that is (a) not networked, (b)  
> > doesn't process sensitive information, and (c) has reasonable  
> > physical security, a security policy of "return(permitted);" for  
> > everything may be quite sufficient.
> 
> Well, in this case the "box" I want to secure will eventually be  
> running multi-user X on a multi-level-with-IPsec network.  For that  
> kind of protection profile, there is presently no substitute for  
> SELinux with some X11 patches.  AppArmor certainly doesn't meet the  
> confidentiality requirements (no data labelling), and SMACK has no  
> way of doing the very tight per-syscall security requirements we have  
> to meet.

And what requirements would those be? Seriously, I've done
Common Criteria and TCSEC evaluations on systems with less
flexibility and granularity than Smack that included X, NFSv3,
NIS, clusters, and all sorts of spiffy stuff. I mean, if the
requirement is anything short of "runs SELinux" I have good
reason to believe that a Smack-based system is up to it.

> I didn't make this clear initially but that is the kind of  
> system I'm talking about wanting to secure some 50 million lines of  
> code on.

Cool. SELinux provides one approach to dealing with that, and the
huge multiuser general purpose machine chock full of legacy software
hits the SELinux sweet spot. 

> > (Of course, I also have boxes where "the SELinux reference policy  
> > with all the MCS extensions plus all the LSPP work" is someplace  
> > I'm trying to get to).
> 
> Well, for some of the systems we distribute, "all the MCS extensions  
> plus all the LSPP work" is nowhere near enough security; we need full- 
> fledged multi-level-security, role-based-access-control, and specific  
> per-daemon MAC restrictions.

Sounds like more of what SELinux is good for.


Casey Schaufler
casey@schaufler-ca.com
