[OT] SELinux vs. other systems [was Re: [idea] udev + selinux]

Steve Coleman 23e9t5t02 at sneakemail.com
Thu Sep 2 15:34:56 UTC 2004


Linas Vepstas linas-at-austin.ibm.com |fedora| wrote:

> It's not obvious (to me) that there isn't a path
> through those rules that allows privilege escalation.
> 
> Unfortunately, there are a lot
> of rules: last time I looked at one of the config files, it was
> thousands of lines long.  Thus, a short, simple audit performed by
> one person seems out of the question.

Has anyone been working on a graphical representation of the rules and 
current labeling for visualizing a rulebase/system/runtime 
configuration? It seems to me that for Fedora/SELinux to go mainstream 
some form of a visual auditing tool would be required. Being able to 
take some entity such as a file system or running process and visually 
display the access permissions in the context of privileges granted 
to a user or process would go a long way towards SE's mainstream 
adoption. If such a tool were to also help the admin rewrite the rules 
based on changes to entities while walking down the directory tree it 
would put SELinux in a much better position for the average admin. Of 
course such a tool would require careful thought in the design due to the 
desired separation of duties (e.g. auditing vs. administration privs) 
and the rule definition vs. application thereof vs. the runtime 
contexts for a given user/process.

I have to admit that I have been merely lurking here for a while and 
have not installed SELinux on anything as of yet. My "lurking" 
rather than "doing" is due mostly to my time limitations, and the 
thought of making my system unusable for my real work because I would 
have no way to understand all the rules in such short order. If I could 
see the effects of making a given change (e.g. color coding, symbolic 
representation) to the system before actually applying that change 
(relabeling) then I would be much less hesitant to convert everything 
over to FC2/3 with SELinux as my primary reason for migrating. From 
what I can see so far SELinux is great stuff, and I praise everyone 
working on it for such dedicated work! Thanks to all.
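The two questions raised in this exchange, whether a chain of rules lets one domain reach a more privileged one, and how to get a picture of that chain, are exactly what a small policy auditor can answer for the type-enforcement statements that define domain transitions. The script below is an added illustration, not code from this thread or from the Fedora policy: it parses a constructed fragment of `allow` and `type_transition` statements, keeps only the transitions that are fully authorized (the executing domain may `execute` the file type, may `transition` to the new domain, and the new domain has the file type as an `entrypoint`), reports declared transitions that are missing one of those rules, searches for paths between two domains, and emits a Graphviz DOT graph that can be rendered for the kind of visual audit the post asks for. All type names (`user_t`, `tool_t`, `admin_t`, `guest_t` and the `*_bin_t`/`*_exec_t` file types) are made up for the example.

```python
"""Toy SELinux domain-transition auditor (hypothetical example).

Parses a handful of type-enforcement statements, keeps only the domain
transitions that are fully authorized, answers "is there a path from
domain A to domain B?", and dumps the transition graph as Graphviz DOT.
"""
import re
from collections import deque

ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+);")
TRANS_RE = re.compile(r"^type_transition\s+(\w+)\s+(\w+):process\s+(\w+);")


def parse_policy(text):
    """Return (allows, transitions).

    allows:      set of (source, target, class, perm) tuples
    transitions: list of (source_domain, exec_file_type, new_domain)
    """
    allows, transitions = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            for perm in perms.strip("{} ").split():
                allows.add((src, tgt, cls, perm))
            continue
        m = TRANS_RE.match(line)
        if m:
            transitions.append(m.groups())
    return allows, transitions


def check_transitions(allows, transitions):
    """Split declared transitions into complete edges and incomplete ones.

    A domain transition src -> new via executable type exe needs all of:
      allow src exe:file execute;
      allow src new:process transition;
      allow new exe:file entrypoint;
    """
    complete, incomplete = [], []
    for src, exe, new in transitions:
        missing = []
        if (src, exe, "file", "execute") not in allows:
            missing.append(f"allow {src} {exe}:file execute")
        if (src, new, "process", "transition") not in allows:
            missing.append(f"allow {src} {new}:process transition")
        if (new, exe, "file", "entrypoint") not in allows:
            missing.append(f"allow {new} {exe}:file entrypoint")
        if missing:
            incomplete.append(((src, exe, new), missing))
        else:
            complete.append((src, new, exe))
    return complete, incomplete


def find_paths(edges, start, goal):
    """Breadth-first search over complete edges; returns every simple path."""
    graph = {}
    for src, new, _exe in edges:
        graph.setdefault(src, set()).add(new)
    paths, queue = [], deque([[start]])
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            paths.append(path)
            continue
        for nxt in sorted(graph.get(path[-1], ())):
            if nxt not in path:  # no cycles
                queue.append(path + [nxt])
    return paths


def to_dot(edges):
    """Render the transition graph for `dot -Tpng`."""
    lines = ["digraph domains {"]
    for src, new, exe in edges:
        lines.append(f'  "{src}" -> "{new}" [label="{exe}"];')
    lines.append("}")
    return "\n".join(lines)


# Constructed policy fragment; not taken from any shipped Fedora policy.
SAMPLE_POLICY = """
allow user_t user_bin_t:file { read execute };
allow user_t tool_t:process transition;
allow tool_t user_bin_t:file entrypoint;
type_transition user_t user_bin_t:process tool_t;

allow tool_t helper_exec_t:file execute;
allow tool_t admin_t:process transition;
allow admin_t helper_exec_t:file entrypoint;
type_transition tool_t helper_exec_t:process admin_t;

# Declared but not authorized: admin_t has no entrypoint rule for guest_bin_t.
allow guest_t guest_bin_t:file execute;
allow guest_t admin_t:process transition;
type_transition guest_t guest_bin_t:process admin_t;
"""

if __name__ == "__main__":
    allows, transitions = parse_policy(SAMPLE_POLICY)
    complete, incomplete = check_transitions(allows, transitions)
    print(to_dot(complete))
    for decl, missing in incomplete:
        print("incomplete transition", decl, "missing:", missing)
    print("user_t -> admin_t paths:", find_paths(complete, "user_t", "admin_t"))
```

Run as-is it prints the DOT graph, flags the `guest_t` transition as incomplete, and shows the two-hop path `user_t -> tool_t -> admin_t`. On a real policy the same approach scales poorly without a proper parser (macros, attributes, conditional blocks), which is why tools of this kind end up reading the compiled binary policy rather than the `.te` sources; the structure of the check, though, is the same.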
