Re: Time to remove LSM (was Re: [RESEND][RFC][PATCH 2/7]implementation of LSM hooks)

From: Arjan van de Ven
Date: Mon Apr 24 2006 - 08:54:18 EST



> While that may be true[1], it gets a little annoying when broken is
> meant to be synonymous to "not the SELinux model". Especially since
> there are aspects where SELinux' security can be considered broken,
> complexity being one of them, crappy failure modes being another,
> handling of new files a third, handling of namespaces a fourth.

While I agree with the first three arguments, handling of namespaces
isn't a fundamental SELinux weakness.


> Paths vs. inodes is religion, nothing else.

Actually I think you're wrong on that. Paths are more fragile, even the
AppArmor people will admit that. They just think they can get away with
it by closing a dozen+ ways of cheating with that and by limiting the
scope of the security model.

Maybe the question "is the fragility worth it" is a religious question,
but the fundamental truth is that an inodes approach is by far more
robust and beyond such a "nothing else" statement.

> LSM was supposed to be inclusive of all
> beliefs, has that changed?

Until last week SELinux was the only user of LSM. You can't fault LSM
for not facilitating all the unwritten code that is possible in the world.
And to some degree I would question the feasibility of having ONE model
for all such things in the first place. In fact, we already know that to
do auditing, LSM is the wrong thing to do (and that's why audit doesn't
use LSM). It's one of those fundamental Linux truths: Trying to be
everything for everyone leads to crappy interfaces.

Now that there's a second proposed user, the real evaluation of the
value of LSM can be made in this regard, and if the consensus is that
it's fixable, the interfaces can be cleaned up to facilitate both
SELinux and AppArmor. But I don't think you can a priori say that LSM is
the right answer, given that AppArmor seems to highly struggle with it,
nor do I think it HAS to be. I'd rather have separate interfaces for
AppArmor and SELinux than one, bad, joint interface that everyone hates.

