SMACK meets the One True Security Module
The posting of version 3 of the SMACK patch inspired a certain amount of discussion. Andrew Morton's take led things off:
I'd have trouble declaring that "but" to be a reason to not merge smack. I'm more thinking "let's merge it and see if people use it".
Andrew concluded by suggesting that the SMACK patch should be merged for 2.6.24. There was some discussion about specific pieces of the patch (some developers are more impressed by CIPSO network labels than others), but there does not seem to be a whole lot of opposition to merging the SMACK security module. It is generally seen as being well-written code which makes sense from a security point of view.
There was one predictable exception, though: whenever a new security module is considered for merging the SELinux developers tend to oppose it. This time, James Morris voiced a more general complaint: SMACK would become the second in-kernel user of the Linux security module (LSM) framework. That, in turn, would make it almost impossible to remove LSM from the kernel. James claims:
The SELinux programmers, it seems, would rather that SELinux became the one security framework supported by Linux, with all development effort going into making SELinux better.
The problem, of course, is that, even after a few years with only SELinux in the kernel, there has not been a glut of application developers working to support it. The vision of each application shipping with an SELinux policy file has not come to be. Some progress has been made in the creation of higher-level tools for the management of SELinux policies, and the Fedora and Red Hat developers have come a long way toward making a general-purpose distribution work with a limited set of SELinux policies, but SELinux simply remains too complex for most people to deal with. SELinux may work out of the box on an RHEL system, but as soon as the system administrator runs into something which breaks, chances are that SELinux will be turned off.
The SELinux developers would presumably argue that the way to address these problems is to focus on a single security framework within the kernel. Rather than create competing, simplified frameworks, it would be better to implement approaches like AppArmor or SMACK within SELinux and, in the process, make SELinux better. Those developers argue that pluggable security modules, like pluggable schedulers, succeed only in splitting development effort and preventing the creation of a truly general solution:
The answering argument is that there are many security environments and differing sets of user needs; there is no sign that a single security approach can ever work in all situations. And, even if such a unified approach were possible, getting security developers to agree on it would still be a major challenge. Ted Ts'o writes:
The LSM architecture was a result of the very first kernel summit, where Linus stated that he had no wish to choose between the various security ideas in circulation and, instead, wanted the kernel to be able to support all of them. He has not changed his mind since; he still doesn't see any imminent consensus on security approaches, and still wants Linux to be flexible in this regard. So his pronouncement was:
When I see the security people making sane arguments and agreeing on something, that will change. Quite frankly, I expect hell to freeze over before that happens, and pigs will be nesting in trees. But hey, I can hope.
So it looks like the way is clear for a merger of SMACK in 2.6.24. Once
that happens, it would not be surprising to see another push made by the
developers of security modules like AppArmor and TOMOYO Linux; in fact, the
TOMOYO Linux patches have just been
reposted. In the end, SELinux will, despite the apparent wishes of its
developers, have to compete with other security approaches for attention
from developers, distributors, and users. There will be no One True
Security Module for Linux in the foreseeable future.
| Index entries for this article | |
|---|---|
| Kernel | Security/Security modules |
| Security | Linux Security Modules (LSM) |
Posted Oct 2, 2007 17:36 UTC (Tue)
by bronson (subscriber, #4806)
[Link] (3 responses)
As long as it takes *days* for a good admin to learn and provision a nontrivial SELinux server, SELinux is a non-starter (in my workshop anyway). Ignore the userspace tools! Make a portion of SELinux as capable and easy to use as AppArmor or SMACK and SELinux adoption will increase tenfold.
I'm excited about SMACK. I hope it gets merged. And I hope SELinux guys start taking learnability and usability seriously.
Posted Oct 2, 2007 20:43 UTC (Tue)
by danieldk (subscriber, #27876)
[Link]
http://seedit.sourceforge.net/
It's policy language looks a lot like AppArmor's, but it does use file contexts underneath.
Posted Oct 4, 2007 14:53 UTC (Thu)
by jengelh (subscriber, #33263)
[Link] (1 responses)
So, interestingly, is not *Novell* to blame (rather than SELinux or the casual user) to not have AppArmor designed to use SELinux as LSM? Just a thought...
Posted Oct 4, 2007 21:04 UTC (Thu)
by nix (subscriber, #2304)
[Link]
(Equally, AppArmor can't efficiently imitate a TE system --- but nobody's
Posted Oct 2, 2007 18:20 UTC (Tue)
by flewellyn (subscriber, #5047)
[Link] (7 responses)
I don't see these positions as compatible at all. And while I am no expert with SELinux (aside from the developers, does such a thing exist?), from what I understand about it, it IS more suited as an architecture for building security tools, than as a security tool in its own right. So perhaps the SELinux folks should work on making its interface more of a "programmatic" one, and stop emphasizing the userspace tools as security solutions on their own. In other words, to compare to another Linux subsystem, SELinux would be Netfilter to other tools' iptables or shorewall.
Posted Oct 3, 2007 0:29 UTC (Wed)
by drag (guest, #31333)
[Link] (6 responses)
Er, something like that.
Personally I'm happy with Vim and Python. No need for intellesense or anything like that for a language that is designed to be easy to remember and I am not working in a formal corporate environment. (I'll probably just program in C or pyrex or something like that if I need speed)
Posted Oct 3, 2007 3:23 UTC (Wed)
by drag (guest, #31333)
[Link] (5 responses)
:(
Posted Oct 4, 2007 0:09 UTC (Thu)
by jamesm (guest, #2273)
[Link] (4 responses)
Posted Oct 5, 2007 9:18 UTC (Fri)
by pr1268 (subscriber, #24648)
[Link] (3 responses)
Agreed! Drag's comment about his "IDE" of vim and python vs. Eclipse did indeed bear some resemblance to the discussion about SELinux vs. AppArmour. What a pleasantly surreal experience! Thanks to Drag's misplaced comment, I just had a bright idea: Eclipse IDE for SELinux!! Use all the features you've come to expect with using Eclipse to develop Java, C, or C++... and now you can build your own security framework! Testing your framework is simply a few mouse clicks away via the "build/debug" menu. </end silliness> ;-)
Posted Oct 5, 2007 14:07 UTC (Fri)
by nix (subscriber, #2304)
[Link] (1 responses)
Posted Dec 11, 2008 18:22 UTC (Thu)
by SEJeff (guest, #51588)
[Link]
Posted Oct 11, 2007 6:43 UTC (Thu)
by ury (guest, #47805)
[Link]
http://www.grsecurity.net/lsm.php
ps: selinux i think toooooo blooooated to use
It seems like the SELinux guys are still looking to userspace tools to bail them out of their usability nightmare. I'm guessing most Linux admins enter iptables commands by hand (or by script), and iptables is *way* simpler than SELinux. The ALSA guys leaned on userspace to bail them out of their complexity nightmare and look at where it got them.SMACK meets the One True Security Module
It depends on what policy you use. For example, the Simplified Policy Description Language is quite easy to grok:SMACK meets the One True Security Module
>Ignore the userspace tools! Make a portion of SELinux as capable and easy to use as AppArmor or SMACK and SELinux adoption will increase tenfold.SMACK meets the One True Security Module
AppArmor predates SELinux, and does things that SELinux can't do without SMACK meets the One True Security Module
insane delays (mass-relabelling of potentially every file in a very deep
subdirectory whenever you rename it springs to mind; even crazier
mass-relabellings of everything on the disk to implement some changes of
policy, unless I miss my guess).
claiming it can.)
I think the problem here is, we're getting conflicting messages from the SELinux folks. On the one hand, they insist that SELinux is a security architecture, and can be used to create higher-level, more abstract security tools. On the other hand, they insist that SELinux should be usable as-is from userspace, by ordinary administrators.SMACK meets the One True Security Module
Well I think the point behind Eclispe is that it's a framework for building IDEs and what IDE you get when you try it out is only going to have a tiny fraction of it's capabilties.SMACK meets the One True Security Module
OMG, I can't beleive I posted the above to teh wrong article.WTF was I thinking.SMACK meets the One True Security Module
Oddly enough, it still makes sense here :-)
SMACK meets the One True Security Module
Thanks to Drag replying to wrong article, I just had a bright idea
Obviously the *right* approach is an Emacs specialized entirely for writing SELinux configurations. There's even an XEmacs fork with the right name: SXEmacs. Just reuse the name, write a new selinux mode, rip out all that boring stuff nobody uses like text-mode, cc-mode, vm and gnus, and you're home free! :)Thanks to Drag replying to wrong article, I just had a bright idea
Thanks to Drag replying to wrong article, I just had a bright idea
what about GRSecurity ? or some similar,SMACK meets the One True Security Module
maybe just ask security-patch authors about they vision?
http://www.rsbac.org/documentation/why_rsbac_does_not_use...
i like grsec, and interested in making things better ;)