Selinux and Compiz: A SELinux rant

John Morris jmorris at beau.org
Mon Oct 27 23:55:38 UTC 2008


On Sun, 2008-10-26 at 16:29, David Nalley wrote:

> I wish I could remember who to attribute this to, but someone on
> -devel suggested that the same arguments occurred when firewalls were
> really starting to become commonplace - a lack of knowledge of how to
> manipulate and handle them caused repeated calls for their removal.
> Mandatory Access Control isn't going away, and is really one of the
> shining examples of Fedora leading the way with something and making
> it far easier to use than it was.

Wish I could be as optimistic but I'm not.  SELinux has been trying to
get to a truly useful state since FC2 and still causes more problems
than it solves for too many end users.  Are we expected to believe that
it is about to finally 'just work?'

Yes it is great for a locked down server, and it's something any sane
admin should try to use where a server is exposed to the wild Internet. 
On a very basic desktop that doesn't change much or run many different
applications it doesn't do much harm... but also doesn't do much good
either.  On a more power user desktop it will almost always blow enough
stuff up to end up getting disabled in frustration.

Compare and contrast to your example of enabling the firewall by
default.  That caused problems because it was done before good graphical
tools to control the thing were ready so end users had problems.  But
any admin worthy of the name could deal with iptables with a manpage, vi
(or emacs) and perhaps some Googling.  The number of people who can
write SELinux policy is still in the hundreds (at most) after five plus
years of Red Hat pushing the technology as hard as it can.

And this new idea of using log scraping tools to automatically generate
policy is simply an admission of that lack of skilled humans.  Anybody
who thinks automatically generated policy is going to produce a secure
system is delusional.  If enough humans who deeply understand SELinux
existed to be able to double check these auto generated policies they
could probably have written the darned things themselves.

Finally, the biggest objection is that it acts like alien technology
bolted onto UNIX's security model as a totally different and parallel
system.  And like alien tech humans can't understand it, they are
expected to treat it as a big black box and to just trust that it works
and doesn't hose them at unexpected times.  I can teach somebody the
UNIX permission model in less than an hour.  Learning the admin arcana
of sticky bits, SUID, noexec mounts and such takes a few more hours.  I
read the O'Reilly book on SELinux and still don't think I understand it
enough to write a sound policy.  It is hard to trust things that one
can't understand, especially a security system that I'm supposed to
somehow administer.

-- 
John M.      http://www.beau.org/~jmorris     This post is 100% M$Free!
Geekcode 3.1:GCS C+++ UL++++$ P++ L+++ W++ w--- Y++ b++ 5+++ R tv- e* r
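As an added illustration of the auto-generated-policy concern raised in the post (example code written here, not from the post or from any Fedora tool; the AVC lines, the `httpd_t` scenario and the watch lists are constructed): a minimal log-scraping generator that folds denials into allow rules, next to the review check a human still has to apply before trusting the result.

```python
import re
from collections import defaultdict
# Constructed AVC records (not from the original post), in auditd's "avc: denied" layout.
SAMPLE_AVC = """\
type=AVC msg=audit(1225151738.123:101): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev="dm-0" ino=1201 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1225151738.456:102): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/home/alice/public_html" dev="dm-0" ino=1200 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1225151739.789:103): avc:  denied  { read } for  pid=2345 comm="httpd" name="shadow" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1225151740.012:104): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1225151741.345:105): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/var/log/httpd" dev="dm-0" ino=900 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=dir permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?scontext=(?P<scontext>\S+)"
    r".*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\w+)"
)

# Constructed reviewer watch lists: an auto-generated rule touching these needs a human.
SENSITIVE_TYPES = {"shadow_t", "user_home_t"}
SENSITIVE_PERMS = {"write", "append", "execute", "entrypoint", "name_connect"}

def parse_avc(text):
    """Yield (source_type, target_type, class, {perms}) for each denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:  # contexts are user:role:TYPE:level; the type is field 2
            yield (m["scontext"].split(":")[2], m["tcontext"].split(":")[2],
                   m["tclass"], set(m["perms"].split()))

def merge_denials(text):
    """Fold denials into one permission set per (source, target, class) triple."""
    rules = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc(text):
        rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def format_rule(key, perms):
    return f"allow {key[0]} {key[1]}:{key[2]} {{ {' '.join(sorted(perms))} }};"

def review(rules):
    """Return {rule_text: [reasons]} for rules a human must vet before loading."""
    flagged = {}
    for key, perms in rules.items():
        reasons = []
        if key[1] in SENSITIVE_TYPES:
            reasons.append(f"target type {key[1]} is on the watch list")
        if perms & SENSITIVE_PERMS:
            reasons.append(f"grants {sorted(perms & SENSITIVE_PERMS)}")
        if reasons:
            flagged[format_rule(key, perms)] = reasons
    return flagged
```

On the constructed input the generator happily emits a rule letting the web server read `shadow_t`; only the review step separates that from the harmless `httpd_log_t` rule.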

More information about the fedora-test-list mailing list