Securing FC 4

Stephen Smalley sds at tycho.nsa.gov
Mon Aug 22 13:04:38 UTC 2005


On Sun, 2005-08-21 at 14:57 -0400, AragonX wrote:
> Well, since SELinux and LIDS both provide ACLs, they offer basically the
> same type of security.  I do not believe it's possible or even reasonable
> to have two ACL systems at the same time.

With regard to LIDS vs. SELinux, LIDS meets the
"administratively-defined security policy" property of mandatory access
control but (last I looked) it lacked the ability to control all
processes and objects and to base its security decisions on all
security-relevant information.  Thus, it couldn't enforce strong
confidentiality or integrity properties on the system.  It doesn't
appear to have been designed to provide a general access control
solution suitable for a general purpose OS.  SELinux was designed and
implemented to be suitable for a general purpose OS and to meet a wide
range of security requirements, including the ability to enforce such
confidentiality and integrity guarantees.

LIDS isn't upstream (i.e. in the mainline kernel), which has
implications for peer review, widespread testing, maintainability, and
inclusion in major distros.  It has been ported to LSM, which is
certainly helpful, but the module itself is still not upstream.  SELinux
is upstream and has benefited from the wider peer review, testing,
in-tree maintenance, and inclusion in distros as a result.

LIDS lacks an extensible security framework for applications, so it
doesn't provide the right foundation for building an overall secure
system.  Failing to consider application security needs is a classic
fatal flaw of secure OSes of the past.  SELinux provides such a
framework, and this framework is already being used by applications in
Fedora as well as upstream work on d-bus and X.

LIDS is easier to configure.  But what it can provide is much less.
SELinux does not yet provide as easy a user interface as LIDS.  But
don't confuse the user interface with the mechanism.  SELinux provides
the right mechanism for building a secure system, and one can construct
better UIs on top of that mechanism (and work is ongoing in that space).
The trick there is providing better UIs without sacrificing the ability
to truly leverage the mechanism to its full potential.

-- 
Stephen Smalley
National Security Agency



