tech-security: Re: The reason for securelevel

Subject: Re: The reason for securelevel
To: Travis H. <solinym@gmail.com>
From: Elad Efrat <elad@NetBSD.org>
List: tech-security
Date: 01/29/2006 12:40:58
Travis H. wrote:

> I like fine-grained control.  What do you think about it with regard
> to the access granted to processes and programs?

not sure i understand the question; are you asking "how do you build
a secure system"? :)

> ``The expressiveness of our system includes both Discretionary and
> Mandatory Access Controls (DACs) and (MACs).''  Hmmm.  Didn't you say
> you thought MAC was a waste of time?

what i said is this:

"some are for creating secure infrastructure to build on. some are
proven exploit mitigation techniques. the goal? focus on having the
implementation be able to do a large variety of things, and changing
the interface to fit the user -- where possible, of course."

> Well, I'd still like to hear the argument against MAC.

- it's easy to lock yourself out
- very few people understand it (and some people who think they
  understand it -- don't)
- i haven't seen an easy way to generate policies
- i know only one person who actually uses it correctly (and he's
  a bit.. hysteric :)

> I can see how
> the total access required by a typical application could be big enough
> that compromise could do a fair amount of damage anyway. 

exactly

> But
> certainly limiting processes or programs to the minimum access they
> need can't be an altogether bad thing? 

see below...

> I implement that for network-based security
> with packet filters, but there's no equivalent for host-based
> security, at least in NetBSD (last time I checked -- perhaps systrace
> is available now I really don't know).

it is and can be used to easily do what you want.

btw: can you identify one crucial problem with systrace and selinux?

note that you're wasting a lot of time here... instead of keeping
on-topic, you diverted the discussion to "what's wrong with MAC". right
now netbsd can't do it, and we have two choices: code that can be used
to do both DAC and MAC (among other things) based on kernel
authorization, and code that can do only MACs (which are not the
ultimate solution to the world's security problems, as you'll agree with
me).

let's keep the "what's better" arguments to when we can actually do
either.

-e.

-- 
Elad Efrat