On Sun, Mar 07, 2004 at 03:54:35PM -0500, Jim Cornette wrote:
....
> think that the goal of the project is to change the way that
> administration is performed on an operating system. Instead of one
> super-user having all the powers to change something on an operating
> system.

As I read it the goal is not administration but the content that users manage. This also includes administrators who are, after all, users too. They manage the meta data of users and services for users.

> Any way that the Security Linux is put into place is a bit alarming. It
> sounds like the project is set to change the way that a system is set up.

Do not be alarmed. It is more interesting and productive than that.

> Documentation is pretty much confusing to me as of present date.

Yes.

> If I haven't a clue to what SELinux is really about. I am sorry that
> nothing sunk into me with my prior exposure to the project goals.

We live in a world that mirrors security enhanced goals. Doors and windows can have locks, you may or may not have a key, the door may or may not be locked. Doors can be solid or have windows. Doors and rooms with doors can be behind doors.

"End systems must be able to enforce the separation of information based on confidentiality and integrity requirements to provide system security."
....
"The system provides a mechanism to enforce the separation of information based on confidentiality and integrity requirements."

If you drive up to a good restaurant and the valet offers to park your car, do you:

A. give him your entire key ring: car, house, shed, office, safe deposit box.
B. give him only the ignition key.
C. drive past and self park.

If you are shopping do you place packages in the trunk or on the seat where they are visible the entire time you are in the next store?

If you lock the front door to your house do you latch the back door; windows?

The key is that the system must be able to separate things. Not that we will but we can.

For most folks SELinux is going to be _overkill_ but the analysis of the OS and ability to enforce mandatory access control are important. Just as many cities have code requirements for walls and external doors this can be a good thing.

Of interest WinNT (RIP, out of support in ???) has a good framework for security but overworked administrators, lack of open documentation and source, and yes the lame folk at MS, never took it to a useful place. In part this quality of WinNT is a 'secret' because most important applications and tools were not security aware.

I expect that 1% of Linux users will install SELinux layers. 100% will profit from the effort.

--
T o m M i t c h e l l
/dev/null the ultimate in secure storage.
mitch48-at-sbcglobal-dot-net