Subject: Re: SE Linux vs SE NetBSD !!
To: Elad Efrat <elad@netbsd.org>
From: Travis H. <solinym@gmail.com>
List: tech-security
Date: 08/25/2006 17:06:52
On 8/25/06, Elad Efrat <elad@netbsd.org> wrote:
> That's a good point -- but do we have to write a policy for every
> application users are interested in running?

No, but it would be nice!

Seriously, with the targeted policy in SELinux, they just write
policies for daemons that listen on the network.  Everything run from
the console or command line is run in an unrestricted context.

> That is exactly what I am saying. Ironically, even though SELinux exists
> for several years now, I still haven't seen a point-and-click tool for
> generating policies (is this even possible if we want Good policies?)
> for it...
> Anyway, judging
> from what I know (and you are welcome to correct me, I'm not fluent in
> Linux :) no-one has created such an "easy-layer" on-top of SELinux,
> which, IMHO, may say one thing or another about it...

Yes, they are developing them.  Fedora Core, in particular, walks you
through a point-and-click configuration when you install.  The user
doesn't have to write policies for virtually anything; I had to write
one for fetchmail->postfix->procmail->nmh, but most people don't write
any policy modules.  They are installed when you install the apps, and
you rarely need to touch them.

Tresys is writing these tools, and I believe there's a GUI editor from
Hitachi here:
http://seedit.sourceforge.net/

I think the issue is not that they aren't being developed, merely that
SELinux is just now getting widespread support (via FC) and that you
can't easily write GUI editors before you implement the policy itself.
These sorts of things start up by implementing the infrastructure
from the bottom up.

> But it works. :)

Well, I can't argue with the fact that it prevents _accidental_ data
leakage, and I can't argue that covert channels are easy to identify
and eliminate in MLS systems.  However, I think people are just
punting out of laziness or lack of interest.  Having four computers on
your desk that are deliberately incapable of talking to each other is
a major PITA.
-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484