SELinux and the Desktop
Steve Coleman
23e9t5t02 at sneakemail.com
Wed Oct 13 15:20:10 UTC 2004
Jerry Haltom wasabi-at-larvalstage.net |fedora| wrote:
> USERS DONT CARE! It doesn't matter that they SHOULDN"T open an
> executable their friend or co-worker sends them, they will anyways. Is
> this so bad?
In a word, yes. By your own definition they are not security experts, so
they don't know what they are supposed to do and they will gladly click
on any button that they think will show them what they think they are
supposed to see happen. If the "yes" button does not work then they will
download it again and try the "no" button instead. Trial and error is
not what SELinux is about.
> The daemon realizes that the action isn't allowed, but that it could
> be allowed if the user consents to it,
My congradulations to this user, as they are now a certified security
officer (lol), so they *must* know which is the best button to click on.
Will that be door number one, ... or door number two? Or you can trade
it all for ... a ..BRAND.. NEW.. JOB!! (ding) (ding) (ding). Oh, sorry,
got carried away for a sec. ;)
Even pavlov's dog understood the suggestive power of repetition, so if
they clicked "yes" three times in a row last week there is about a 90%
probablility they will click the "yes" button today without even reading
the text of the yes/no box. If your going to give them a choice then you
are going to have to train them how to be smart about it, or create a
*corporate policy*, but then you already said they will just ignore that.
> In the case of No, the process will probably die. ;0
I also think the desktop should have some smarts built in, but my vote
would be to have the "desktop" send a sigterm to the errant process and
put up a "don't do that!" modal dialog box for which the user has to
acknowlege in order to continue. Of course I can't ignore the
possibility that a user might actually *need* to run a binary given to
them, for which I would propose that it be 1) "signed" (just warm fuzzy
feeling, but not a true protection methodology) and 2) run in a *real*
partitioned Virtual Machine, sandbox a la VMWare/Plex86/etc. or as near
as one can get to that, such as a chrooted sandbox with a very
restrictive SE policy.
This does bring to mind a burning question I have always had reguarding
some applications such as Java where the binary itself is too open ended
and where as the compiled class files, script file, or data dictate what
the runtime will do. I assume that many desktop environments (take your
pick) will have some form of builtin scripting support. How does SELinux
deal with these VM's? Is there any good docs online that discuss the
problems and current solutions that these present? Do they get their
security context from the script or data streams?
Thanks!
More information about the fedora-selinux-list
mailing list