Security Enhanced Linux
What's New
Frequently Asked Questions
Background
Documents
License
Download
Participating
Mail List
Archives
Remaining Work
Contributors
Related Work
Press Releases
Information Assurance Research
NIARL In-house Research Areas
Mathematical Sciences Program
Sabbaticals
Computer & Information Sciences Research
Technology Transfer
Advanced Computing
Advanced Mathematics
Communications & Networking
Information Processing
Microelectronics
Other Technologies
Technology Fact Sheets
Publications
Related Links
|
SELinux Mailing ListRe: MCS/Targeted Policy...
From: Casey Schaufler <casey_at_schaufler-ca.com>
Date: Wed, 13 Jul 2005 20:34:14 -0700 (PDT)
> On Wed, 13 Jul 2005, Casey Schaufler wrote: In this context I would suggest that superior means that if Linux were only going to support one general purpose DAC mechanism it would be the superior one.
> MCS categories, as initially envisioned, are
Yes, I can see that. They are based on
> There are some fundamental differences between the
Discretionary Type Enforcement? Is that
> ACLs impose a specific set of access rights (rwx) POSIX ACLs are carefully designed to allow for extension beyond rwx. While existing implementations may not make this obvious, the spec has no restrictions.
> For example, TE provides a Perhaps not the adjective I'd have chosen, but fundamentally true...
> which MCS can readily constrain.
Right. I get that. Given the richness
> MCS can also operate on TE attributes.
Giving users descretionary control over
> ACL labeling semantics are fixed. Examples: Well yeah. It's nice to know how the facility is going to work in advance!
> - If a user has newgrp'd to a supplementary group, File system semantics permitting. Again, I feel secure when I know what's going to happen!
> We don't necessarily want these things to always
OKay. Gosh, it would have helped to have
you around when we were doing the initial
work on LSM. Maybe we could have gotten
> MCS labeling semantics could be
Of course. On the other hand, you could
> ACLs are limited to a small set of file type OS ACLs on sockets have been done in the past, you know, just as has MLS.
> Down the track, MCS could be useful for The problem with network service applications is the transmission of attributes, not the implementation of policy upon the attributes. MCS will be no more or less useful to these environments than the existing TE scheme or a good B&L.
> MCS seems to provide far
Yes, it does seem a somewhat obvious
> MCS may not always be as simple DAC mechanism. This Yeah. Additional sophistication.
> Note that MCS is merely a simplified MLS policy (but
Yes, I can see that. While it may help
> MCS would be more closely integrated with both Which still won't help with a mode bit failure.
> An ACL failure, by default, will not be audited. It would be on all the audit systems I ever worked on!
> An MCS failure will be That's good.
> Auditing can be further enhanced if necessary with
That's a bug in the audit system, not
> If ACLs were to be considered as an alternative to ANy time you have two ways to do the same thing each camp can come up with scenarios that are easier using their mechanism.
> It's simpler just to use MCS directly. If you understand the domains and privileges involved and can be trusted to set your MCS attributes appropriately, yes. There's a reason that the traditional Unix policy is limited in what the user is allowed to specify.
> - What happens if SELinux is disabled on the system? What! This you've got to explain.
> In the Ah. The POSIX ACL group made sure that adding an ACL to a file would not interfere with the mode bits, nor encourage users to set them "wide open" and count on the ACL alone. Imagine a system with MCS. If everything and everyone used MCS, all the mode bits could be 777, and you might do that so they would not interfere with the desired MCS activity. Bring that up without SELinux.
> - Re-using ACLs for this purpose may also clash with Well, enhancing is the positive way to put it. And yes, you would have to convince the ACL maintainers it's a good thing. In review, MCS is a logical extension to SELinux. I expect you'll have to put more limits on its flexibility than you think. I expect to enjoy watching the experiment.
Casey Schaufler
Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Wed 13 Jul 2005 - 23:37:44 EDT |
|
Date Posted: Jan 15, 2009 | Last Modified: Jan 15, 2009 | Last Reviewed: Jan 15, 2009 |