Re: [RESEND][RFC][PATCH 2/7] implementation of LSM hooks

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



James Morris wrote:
> On Tue, 18 Apr 2006, Crispin Cowan wrote:
>   
>> SELinux has NSA legacy, and that is reflected in their inode design: it
>> is much better at protecting secrecy, which is the NSA's historic
>> mission.
>>     
> No.  The inode design is simply correct.
>   
"Correct" for what? inode access control is correct if data secrecy is
your number one objective. It is not necessarily correct for other purposes.

> Consider the following:
>
> What if Unix DAC security was implemented via pathnames, using a 
> configuration file and regexp matching enginer in the kernel, invoked 
> during file access, rather than the existing scheme of checking inode 
> ownership and permission attributes?
>   
What of it? That sounds very close to the AppArmor design, except for
the "discretionary" part. Just what is wrong with it? If your main
complaint is that you would miss having chmod and umask, then I agree:
we are not proposing to remove classic DAC. So what's your point?

> SELinux labels objects directly because it's the right thing to do.
>   
Security design by Wilford Brimley: emphatic assertion :)

AppArmor is a fully functional access control system that works on
pathname-based access controls. I'm sorry if it violates your religion
for it to exist and work. Claiming that pathname-based access control is
"broken" or "wrong" is about as useful as standing at Kitty Hawk in 1903
exclaiming that heavier-than-air flight is impossible. You don't have to
like it, but denying its existence is nonsense.

> To also clarify: the legacy of SELinux is in the decades of research 
> performed into providing more comprehensive security than the original 
> secrecy-oriented TCSEC schemes.  And conflating a highly loaded term such 
> as "NSA's historic mission" with an implementation specific aspect of 
> SELinux is useless in a technical discussion and IMHO totally 
> inappropriate.
>   
It is totally appropriate because it goes to the core reason for the
design difference between AppArmor and SELinux. The NSA, and indeed all
intelligence agencies, have secrecy as their #1 security need. inode
labels is absolutely the right way to achieve that.

However, I assert (emphatically :) that the broader user community has
integrity and availability as higher priorities than secrecy, and that
pathname-based access control is a better way to achieve that. I want to
offer Linux users the choice of pathname-based access control if they
want it. Why do you want to prevent them from having that choice?

Crispin
-- 
Crispin Cowan, Ph.D.                      http://crispincowan.com/~crispin/
Director of Software Engineering, Novell  http://novell.com

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]
  Powered by Linux