Re: Using fs views to isolate untrusted processes: I need an assistant architect in the USA for Phase I of a DARPA funded linux kernel project

From: Stephen Smalley
Date: Thu Aug 26 2004 - 09:08:24 EST


On Thu, 2004-08-26 at 02:31, Hans Reiser wrote:
> Everybody who takes a 3 minute read of SELinux keeps saying it has, but
> it hasn't quite, not when you look at the details. SELinux is not
> written by filesystem folks, and there are scalability details that matter.

I don't quite see the point about filesystem folks.
With regard to scalability, there is ongoing work in that area, and
patches on lkml that are being discussed even now, so that is hardly a
show stopper.

> > What is needed (if it doesn't already
> > exist) is a tool to gather these 'viewprints' automagically.
>
> It doesn't exist, and viewprints are also not stored with executables
> either, so it is not process oriented.
>
> People think the problem is allowing the OS to enact fine grained
> security. It is not. The problem is allowing the user to enact fine
> grained security, and without a lot of work to automate it, users will
> continue to be unable to bear that time cost.

Users don't want to think about fine grained security at all, and
automated schemes will inevitably generate policies that are insecure ;)

SELinux already has a significant corpus of policy that has been
developed over time, most of it contributed by external contributors,
with > 190 different program domains in the current example policy. It
has the obvious simple tool for generating policy from audit messages
produced during a run of a program, but that tool has certainly not been
a good source for secure policy. It has tools for analyzing policies,
including information flow and goal checking, although much work still
remains to be done here. Much better investment to work on improving
SELinux in these areas than re-inventing the wheel...

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
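The "obvious simple tool for generating policy from audit messages" mentioned above works by turning each AVC denial observed during a run into an allow rule. The following is an added illustration (not code from the post, nor from SELinux itself) of that approach and of why its output is not, by itself, a source of secure policy: it parses a few constructed AVC denial lines, merges them into allow rules, and shows that a denial the program should never have triggered (here, a constructed read of `shadow_t` by `httpd_t`) becomes an allow rule like any other. The `SENSITIVE_TARGET_TYPES` list used to flag rules for review is an assumption for this example, not part of any real tool.

```python
import re
from collections import defaultdict

# Constructed sample audit lines for the example (not taken from any real system).
# The third AVC line is the kind of denial a generator should NOT turn into policy.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1093525704.101:12): avc:  denied  { read } for  pid=2301 comm="httpd" name="index.html" dev=hda1 ino=4411 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1093525704.102:13): avc:  denied  { getattr } for  pid=2301 comm="httpd" name="index.html" dev=hda1 ino=4411 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:user_home_t tclass=file
type=AVC msg=audit(1093525704.103:14): avc:  denied  { read } for  pid=2301 comm="httpd" name="shadow" dev=hda1 ino=17 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:shadow_t tclass=file
type=SYSCALL msg=audit(1093525704.103:14): arch=40000003 syscall=5 success=no exit=-13
"""

# Matches the parts of an AVC denial needed for an allow rule:
# the permission set, source context, target context and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the source type, target type, class and permissions of one
    AVC denial line, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # A security context is user:role:type[:mls]; the type is the third field.
    source_type = m.group("scontext").split(":")[2]
    target_type = m.group("tcontext").split(":")[2]
    return {
        "source": source_type,
        "target": target_type,
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
    }


def generate_allow_rules(log_text):
    """Merge every observed denial into allow rules, one per
    (source type, target type, class). This mirrors the naive
    'allow whatever was denied' strategy, including its blind spot:
    it cannot tell legitimate accesses from ones that should stay denied."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        denial = parse_avc(line)
        if denial is None:
            continue
        key = (denial["source"], denial["target"], denial["tclass"])
        merged[key] |= denial["perms"]
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(merged.items())
    ]


# Assumed list of target types a reviewer would always want to look at by hand;
# constructed for this example, not a definition from any policy or tool.
SENSITIVE_TARGET_TYPES = {"shadow_t", "etc_t", "boot_t", "security_t"}


def flag_rules_for_review(rules):
    """Return the generated rules whose target type is in the sensitive list,
    i.e. the ones that must be examined rather than accepted as-is."""
    flagged = []
    for rule in rules:
        target_type = rule.split()[2].split(":")[0]
        if target_type in SENSITIVE_TARGET_TYPES:
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    rules = generate_allow_rules(SAMPLE_AUDIT_LOG)
    for rule in rules:
        print(rule)
    print("needs review:", flag_rules_for_review(rules))
```

Run on the constructed log, the generator emits `allow httpd_t shadow_t:file { read };` next to the benign `user_home_t` rule; nothing in the audit stream distinguishes the two, which is exactly the point being made about such tools. The review flag is the minimum a practitioner would add before letting generated rules near a real policy.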
