[buug] selinux?

Rob Helmer robert at namodn.com
Sat Sep 28 17:59:43 PDT 2002


Hello,


I find SELinux interesting and useful, because I've already explored 
User Mode Linux, firewalls, and intrusion detection systems and I don't
feel that this is enough ( I've been pretty impressed with User Mode
Linux though as far as compartmentalization goes... I'll probably end
up using SELinux in addition to the above ).

Mandatory Access Controls are pretty cool. 
MACs can remove the need to have an all-powerful super-user 
by segmenting access to various system calls ( among other things ). 
Trusted Solaris doesn't have an accessible root account IIRC ( not
sure if the kernel doesn't support a superuser, or if the account
is disabled. I hope it's the former ).

That's much better than the current "user vs. root" security model 
people rely on. Usually, root is too powerful and the user is not
powerful enough, so people circumvent the system using SetUID scripts
or sudo.

Here are some comparisons and contrasts between SELinux and TrustedBSD
( and other systems ) : http://www.nsa.gov/selinux/doc/freenix01/node19.html

Small example - if I want to start a webserver on port 80 in a Unix
system, I need to start the app as root, as root can bind to ports lower
than 1024 but can also do things like load/remove kernel modules and
tamper with all areas of the file system.

I usually use "sudo" nowadays when I want to give scripts or users
access to perform actions like this, but it becomes cumbersome when
you have a large enough multi-user system and dangerous if you
aren't careful about the scripts you write for users ( see all
the security exploits on badly written Perl CGIs for instance,
same concept ).

Of course, if you don't run your webserver as root
and don't allow the webserver user to write to the files it is
serving, someone exploiting a CGI isn't so bad, but not using the 
available security mechanisms is a different ( and more permanent )
problem.

SELinux is a lot better than sudo in that it puts the restrictions
directly between user space and the system calls, rather than the
admittedly roundabout way you have to go with sudo.

I'll leave it as an exercise to the reader to compare and contrast 
starting Apache as root ( via sudo ) or doing it this way :

http://www.nsa.gov/selinux/list-archive/2559.html



HTH,
Rob Helmer

P.S. -  if you are running Debian, there's a quick way to get
up and running on SELinux in Woody or Sid -

http://lists.debian.org/debian-devel/2002/debian-devel-200209/msg01568.html


On Wed, Sep 25, 2002 at 05:31:41PM -0700, f.johan.beisser wrote:
> On Wed, 25 Sep 2002, Mark Hedges wrote:
> 
> > Just wondering if anyone dug into NSA's selinux mandatory
> > access control system yet and whether or not anyone thinks it's
> > worthwhile, better served by other packages, a vast conspiracy,
> > or what.  --m--
> 
> selinux isn't too bad. if you need ACLs, and compartmentalisation. outside
> of that, it's not all that interesting or useful. on the other hand, it's
> a good implementation of a compartmentalised OS, ensuring that one user
> can't abuse another, nor access information they're not supposed to.. and
> this includes root (root is a user, after all).
> 
> a related project that i know of, is TrustedBSD[0] (some of the features
> are included in FreeBSD-CURRENT). It's not exactly the same as NSA's
> SELinux, and doesn't intend to be.
> 
> [0] http://www.trustedbsd.org
> 
> -------/ f. johan beisser /--------------------------------------+
>   http://caustic.org/~jan                      jan at caustic.org
>     "John Ashcroft is really just the reanimated corpse
>          of J. Edgar Hoover." -- Tim Triche
> 
> _______________________________________________
> Buug mailing list
> Buug at weak.org
> http://www.weak.org/mailman/listinfo/buug
> 