No more selinux-policy-*-sources

Arjan van de Ven arjan at fenrus.demon.nl
Tue Mar 14 16:45:42 UTC 2006 

> 
> I'm over-simplifying, but the main source of complexity in the current
> SELinux environment is its comprehensive nature.  None of the security
> models currently used in SELinux is particularly complex.  The MLS
> security model is counter-intuitive, but it's also not currently used
> ;-P  As it stands, the confusing areas of SELinux itself mostly reside
> at the intersection between the different models (i.e. how DAC identity
> and SELinux identity interact, how roles and types relate, etc.) and
> with the myriad of object classes and associated permissions.


which is because the policy design seems to keep starting from the wrong
place. That policy design is aimed for a "strict" policy. Even the so
called targeted policy tries to work in a strict way.

With this I mean it tries to be too fine grained. Far too fine grained.

But that is easy to say without having to say what it should look like
then... So maybe something like this:

Create several high level classes for binaries

* CanDoAll: no limitations at all
  (this already exists as unrestricted today)
* NormalBinary: "modern" normal but simple binary; 
  no executable stack, no dlopen allowed, no textrels, 
  no writable executable memory
* NoExec: like "NormalBinary" but doesn't do system/exec to launch 
  other applications
* NoNetworking: like NoExec but application is not doing anything
  network-ish (eg connect/bind/accept etc)

these last 2 classes I bet will cover 95% of /usr/bin already.
What is more, most of the requirements can be validated at build time
(just by looking at which glibc functions get called)

You can argue that this doesn't cover the hard cases, like ssh and
apache. And you know what, that would be right. Apache is just a really
really complex beast, given that it accepts 3rd party plugins and has a
near-turing-complete configurability. 

To me the later means that any attempt to in detail describe what the
application is allowed to do for the general population is doomed from
the start. That leaves 3 options
1) Have a policy generator that reads httpd.conf and based on that
creates the policy
2) Give apache very broad permissions
3) Work from the other angle, forbid it to do certain bad things. So
instead of enumerating all the possible things you can do, you enumerate
the things it cannot do. The traditional argument for MAC is "but you
can't enumerate all the bad things so lets say what it CAN do". My
counter argument is that you can't enumerate what it can do either, and
that telling it obvious things it can't do is at least a step forward. 

1) and 3) are not exclusive.

More information about the fedora-devel-list mailing list