Re: [OT] SELinux vs. other systems [was Re: [idea] udev + selinux]

Linas Vepstas linas-at-austin.ibm.com |fedora| wrote:

It's not obvious (to me) that there isn't a path
through those rules that allows privilege escalation.

Unfortunately, there are a lot
of rules: last time I looked at one of the config files, it was
thousands of lines long. Thus, a short, simple audit performed by
one person seems out of the question.

Has anyone been working on a graphical representation of the rules and current labeling for visualizing a rulebase/system/runtime configuration? It seems to me that for Fedora/SELinux to go mainstream some form of a visual auditing tool would be required. Being able to take some entity such as a file system or running process and visually display the access permissions in the context of privileges granted to a user or process would go a long way towards SE's mainstream adoption. If such a tool were to also help the admin rewrite the rules based on changes to entities while walking down the directory tree it would put SELinux in a much better position for the average admin. Of course such a tool would require careful thought in the design due to the desired separation of duties (e.g. auditing vs. administration privs) and the rule definition vs. application thereof vs. the runtime contexts for a given user/process.

I have to admit that I have been merely lurking here for a while and have not installed SELinux on anything as of yet. My “lurking” rather than “doing” is due mostly to my time limitations, and the thought of making my system unusable for my real work because I would have no way to understand all the rules in such short order. If I could see the effects of making a given change (e.g. color coding, symbolic representation) to the system before actually applying that change (relabeling) then I would be much less hesitant to convert everything over to FC2/3 with SELinux as my primary reason for migrating. From what I can see so far SELinux is great stuff, and I praise everyone working on it for such dedicated work! Thanks to all.
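The worry quoted above, that a rule set thousands of lines long may hide a path to privilege escalation, is a reachability question over domain transitions, which is the kind of check an auditing tool would automate. The following is an added example, not code from this thread or from any SELinux project: it parses a small constructed policy fragment written in allow-rule syntax, builds the graph of complete domain transitions (execute on the entry type, transition to the new domain, and entrypoint for the new domain all present), and searches for a chain of domains that ends in one holding a given permission. All type names and rules are constructed for illustration.

```python
import re
from collections import deque

# Constructed toy policy fragment in SELinux allow-rule syntax; not from any real policy.
POLICY = """
allow user_t passwd_exec_t:file { read execute };
allow user_t passwd_t:process transition;
allow passwd_t passwd_exec_t:file entrypoint;
allow passwd_t shadow_t:file { read write };
allow user_t user_home_t:file { read write };
allow user_t sysadm_t:process transition;
allow sysadm_t shadow_t:file { read write };
"""
# user_t may transition to sysadm_t, but holds execute on no entry type for which
# sysadm_t has entrypoint, so that transition is incomplete and must not count.

RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def parse(policy):
    """Return a list of (source, target, class, perms) tuples from allow rules."""
    rules = []
    for line in policy.splitlines():
        m = RULE.search(line.split("#", 1)[0])
        if m:
            src, tgt, cls, multi, single = m.groups()
            rules.append((src, tgt, cls, set((multi or single).split())))
    return rules

def transitions(rules):
    """Map each domain to the domains it can fully transition into."""
    has = {(s, t, c, p) for s, t, c, ps in rules for p in ps}
    graph = {}
    for s, t, c, ps in rules:
        if c == "process" and "transition" in ps:
            for es, et, ec, ep in has:
                if (es, ec, ep) == (s, "file", "execute") and (t, et, "file", "entrypoint") in has:
                    graph.setdefault(s, set()).add(t)
    return graph

def find_path(rules, start, target_type, cls, perm):
    """Breadth-first search from start over complete transitions; return the chain
    of domains ending in one that holds perm on target_type:cls, or None."""
    graph, queue, seen = transitions(rules), deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        dom = path[-1]
        if any(s == dom and t == target_type and c == cls and perm in ps for s, t, c, ps in rules):
            return path
        for nxt in graph.get(dom, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None
```

Running `find_path(parse(POLICY), "user_t", "shadow_t", "file", "write")` reports the chain `['user_t', 'passwd_t']`, which is the sort of fact a visual auditor would want to highlight for a given file type.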

