Re: SELinux - a call for end-of-life.

On Wednesday, September 01, 2010 20:54:47 JB wrote:
> Thanks. It was my intention to induce a reaction to my post.
> Your opinion is appreciated, regardless of whether friendly or not :-)

My opinion is always intended to be friendly, otherwise I would keep it to 
myself. :-)

> > > - it should be configurable:
> > >     - by sys admin and user (selectively)
> > 
> > Any system-wide configuration is done by root, or delegated by sudo.
> > SELinux is not different here than any other security system in Linux.
> 
> I meant an option for a user to be able to select granularity of
> diagnostics. There could be more user customization - we would let the
> users speak.

There is always room for improvement in any piece of software, especially new 
things like SELinux. That said, I am not entirely sure how many customization 
abilities an ordinary user should be allowed to have when it comes to 
security software. The main mantra of security is "trust no one", which really 
means to trust an absolute minimum number of people (ideally only the root). 
An ordinary user has no business tampering with security stuff on the machine.

And this is not news. Try to change the ownership of a file as an ordinary user 
(to "disown" your own file), for example. The chown simply won't allow you to 
do it; it is a serious security hole. There is a very strong limit to what 
an ordinary user is allowed to configure with security software. And there are 
good reasons for that. Usually you don't want to allow non-root users to get 
anywhere near security settings, with very few exceptions I guess.

> > >     - dynamically
> > 
> > I am not sure what you mean by this, because "dynamics" in general refers
> > to "changing in time", which is already covered above.
> 
> Not exactly.
> I meant like changing config on demand (in the spirit of on-demand/dynamic
> loading of config modules, libraries, etc), with an immediate effect, w/o
> additional steps (daemon restarts to reread config files, etc).

This is probably possible to implement, if there is a need for such 
functionality. But there is a long way to go. Mind you, today's SELinux 
implementation is still not completely operational as it is theoretically 
intended. Most of the labels are still ignored (as far as I know, only the 
"type" field from the context is being checked by the current policy, but I may 
be out of date on this). As time goes by, the functionality of SELinux will 
increase further. If there ever comes a need for dynamic loading of some 
modules and such, I am sure people will implement it.

> > > - it should be self-contained, installable and removable at any time,
> > > without influencing the system
> > 
> > No serious security system can run entirely in userspace; they are all
> > implemented in the kernel. Standard UNIX permissions, firewall, SELinux,
> > you name it. That said, SELinux and firewall can be enabled/disabled by
> > root on a whim, while with the permissions system it is far from easy
> > (to disable it one would need to do a filesystem-wide chmod and chown,
> > while re-enabling it afterwards is almost impossible).
> 
> Have you seen how many people asked about it (hint: search Google) ?

This has been debated to death in a lot of places, including this list. In a 
nutshell, in all those debates I never saw anyone provide a reasonable 
argument for wanting to completely remove SELinux.

Have you asked any of those people *why* they want to remove it? It is 
just as "smart" as completely removing a firewall from a system, and equally 
impossible --- you have to tweak the kernel at compilation time and on source 
code level in order to achieve something like that. And to what purpose?

If you disable SELinux, the appropriate code in the kernel (and also in 
userspace) will simply never get executed, and it is as good as absent from 
the system. Whatever the reasons might be for not having SELinux active, 
removing the actual code from the kernel is really an overkill.

OTOH, there are some very valid (security and functionality) reasons why that 
code should be an integral part of the kernel, and not in userspace.

> Btw, you omitted other reasons people feel funny about this software. They
> expressed their feelings in various posts here. I doubt very much that you
> can change people's opinion (however irrational it may be) when it is based
> on their ideological/philosophical grounds.

Well, I would roughly classify those feelings and opinions into two major 
groups:

* the "SELinux just gets in my way" group, and 
* the "I don't trust anything from NSA" group.

Fighting old habits is always hard, because people are reluctant to change 
them until they gain new experience (i.e. until they get rooted and lose a huge 
amount of data and/or money). And if some of those habits are bad, people take 
offense when a machine tries to protect them from themselves (the typical 
"don't-you-try-to-stop-me-from-shooting-myself-in-the-foot" behavior). It is 
natural, but I guess those people will eventually swallow their "pride" and 
learn to do things in a safer way.

As for the paranoia about the NSA, I actually find it rather amusing. This 
behavior appears to be limited mainly to US citizens, since for the rest of us 
the NSA seems as important as some government institution in, say, Zimbabwe 
would be to a typical US citizen. Without getting into politics, 
it's just some government agency relevant to some people living halfway across 
the globe, from my POV. And I don't see a problem with this institution (or 
any other, for that matter) engaging in research of computer security.

That said, I do understand that there is some animosity among people living in 
USA related to the "Big Brother"-type agency and such. But I look at it this 
way --- it is a Good Thing that NSA is the main creator of this software. 
First, they have a lot of funding to invest into the research. Second, given 
that all SELinux code is open source, there will be quite enough paranoid 
people to dig through that code inside-out looking for any backdoor NSA folks 
might put there. This actually adds to the quality of the code, since it gets 
scrutinized more than anything else running on your computer.

Overall, I am actually thankful that a very serious institution like the NSA 
is the major player behind SELinux. :-) That may sound weird to some people, 
but is actually quite natural.

Ok, now, why do I have a feeling that this is going to turn into yet another 
very very long thread? ;-)

HTH, :-)
Marko
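An added example, not part of Marko's reply or of the Fedora project: a small POSIX shell script that reports the distinction the reply draws between SELinux being "disabled" (the kernel code is present but never runs) and the mode root has configured. It reads the real interfaces that exist for this, the `enforce` file on selinuxfs (mounted at /sys/fs/selinux on current systems; 2010-era Fedora mounted it at /selinux) and the `SELINUX=` line in the root-owned /etc/selinux/config. Both paths are parameters so the script can be run against constructed sample files without root and without SELinux; the sample files in `demo` are constructed, and the "unknown" fallback for a config file with no `SELINUX=` line is this script's own choice, not documented libselinux behaviour.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Distinguishes "SELinux code
# never executes" (no selinuxfs) from the enforcing/permissive mode root picked.

# Runtime state. The kernel only mounts selinuxfs when its SELinux code is
# built in and was not switched off at boot, so a missing enforce file means
# the post's "as good as absent" case, whatever the reason.
selinux_runtime_mode() {
    selinuxfs="${1:-/sys/fs/selinux}"
    if [ ! -r "$selinuxfs/enforce" ]; then
        echo "disabled"
        return 0
    fi
    case "$(cat "$selinuxfs/enforce")" in
        1) echo "enforcing" ;;
        0) echo "permissive" ;;
        *) echo "unknown" ;;
    esac
}

# Boot-time configuration. Only root can write /etc/selinux/config, which is
# the "any system-wide configuration is done by root" point from the thread.
# Comment lines are ignored; the last SELINUX= assignment wins.
selinux_configured_mode() {
    cfg="${1:-/etc/selinux/config}"
    [ -r "$cfg" ] || { echo "unknown"; return 0; }
    mode=$(sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$cfg" | tail -n 1)
    case "$mode" in
        enforcing|permissive|disabled) echo "$mode" ;;
        *) echo "unknown" ;;   # no SELINUX= line or an unrecognised value (assumption: report, do not guess)
    esac
}

# Constructed fixtures so the script runs offline, unprivileged, anywhere.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/selinuxfs"
    printf '1' > "$tmp/selinuxfs/enforce"
    cat > "$tmp/config" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
    echo "runtime:    $(selinux_runtime_mode "$tmp/selinuxfs")"
    echo "configured: $(selinux_configured_mode "$tmp/config")"
    echo "no selinuxfs: $(selinux_runtime_mode "$tmp/nowhere")"
    rm -rf "$tmp"
}

demo
```

Run it with no arguments on a Fedora box and the two functions read the live paths; a mismatch between the two lines (for example `configured: enforcing` but `runtime: permissive`) is exactly the kind of runtime change by root via `setenforce` that the thread describes as possible "on a whim", and one worth logging in a hardened environment.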


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines