[ale] why I love windows

Jim Kinney jim.kinney at gmail.com
Tue Jan 31 10:21:26 EST 2012 

Note: I don't use PolicyKit.

SELinux was devised to solve a different set of problems than PolicyKit
apparently was. The default model in selinux is NO! Then judicious tears in
the fabric of NO! are made to allow very specific functionality.

As selinux is a kernel level security layer, it provides system security
model that is incredibly robust. As soon as the kernel is loaded, selinux
is started and _then_ the device drivers are loaded and other services
begin after that. So a compromised driver or service startup will not break
fundamental system security.

PolicyKit works at the application layer and appears to provide a mechanism
of customizable wrappers to allow non-admins to do admin tasks.

I'm an admin. I have the responsibility to make Linux systems do my
bidding. Thanks to the design of *NIX (Thanks to Dennis Ritchie!!), there
is very good separation between users and administrators. As a
professional, I _really_ want that to not change much. I don't see a good
outcome for Fred the receptionist formatting a disk or changing any
password but his own. I certainly don't see any good reason for non-admins
to add software to a system. They can add software to their own user-space
already. SELinux will block them, by default, from using their space
applications to further access system controls they are not authorized to
have. PolicyKit will not stop a user compiled binary from accessing areas
they should not have if they exploit a privilege-escalation hole. SELinux
does.

Because of what SELinux does, it's hard. Very damn hard to wrap the head
around. An admin doesn't need to know 300+ rules to be good with selinux.
But the admin does need to know what tools to use and how to use them when
issues arise.

I may have to do a training class in selinux policy manipulation for an ale
meeting for all of this to make some sense. That will take several months
for me to prepare so it can't happen soon.

On Tue, Jan 31, 2012 at 9:02 AM, mike at trausch.us <mike at trausch.us> wrote:

> On 01/30/2012 10:12 PM, Jim Kinney wrote:
> > The capability you seek is in selinux not a hodgepodge of userland
> > config libraries.
>
> I don’t like SELinux.
>
> No, that’s actually incorrect.  I *HATE* SELinux.  It is backwards from
> the way things should be controlled, though it is necessary when you
> have to control legacy applications with the kinds of access controls
> that SELinux provides.
>
> There are better ways to skin the cat, though.
>
> For example, with SELinux, you run unmodified software and you
> essentially tell it, “these are the files you’re allowed to touch, and
> that’s it”.  You have to craft these rules for every process (or every
> user ID) on the system.  The result is more rules than a single
> administrator can remember on a network of three nodes, and forget about
> 300 nodes.
>
> Here is the intro to PolicyKit, from its Web site at freedesktop.org:
>
> > PolicyKit is an application-level toolkit for defining and handling
> > the policy that allows unprivileged processes to speak to privileged
> > processes: It is a framework for centralizing the decision making
> > process with respect to granting access to privileged operations for
> > unprivileged applications. PolicyKit is specifically targeting
> > applications in rich desktop environments on multi-user UNIX-like
> > operating systems. It does not imply or rely on any exotic kernel
> > features.
>
> Now, the interesting part is that it is portable (runs on multiple
> kernels).  It needs nothing unusual to get its work done, it is simply
> an intermediary between the privileged and the unprivileged.
>
> Furthermore, instead of the user having to possess a root password or
> whatever, they can authenticate to PolicyKit in whatever way the
> administrator sees fit.  Often this means that the user needs to enter
> their own password, as if they were using the sudo program.  However,
> the user never actually spawns the privileged process, and the user
> doesn’t actually directly interact with the spawned privileged process,
> either, as I understand it.
>
> Why is this better than, say, SELinux’s way of doing things?  Because
> the application must be broken into components: the user interface, and
> a trusted, privileged component that can be easily audited and is not
> tied to the rest of the application.  For example, the user has a
> workstation and is allowed to installed packages, but only if those
> packages are signed by an authority that the system considers to be
> trusted (e.g., the system administrator).
>
> Guess what?  You can’t do that with SELinux.
>
> But you can with PolicyKit.  Because you write a small program which
> PolicyKit can invoke over D-Bus.  That program can authenticate the
> package before then calling the system’s package manager to install the
> package.  This is a different type of access control altogether from the
> SELinux model.
>
> The SELinux model is concerned with MAC on files and devices coupled
> with copious amounts of auditing, in order to be able to fry anyone who
> didn’t have the administrative authority to do something but for
> whatever reason had the technical authority to do it.
>
> The PolicyKit model is concerned with very granular bits of, well,
> policy.  Not, “Can Jim Kinney format /dev/sda1?” but instead “When is
> Jim Kinney allowed to format /dev/sda1?”.  The answer to that is
> probably something along the lines of “When /dev/sda1 is not mounted,
> and /dev/sda1 is not listed as a system mount, and when /dev/sda1 is not
> otherwise in use.”
>
> They can probably even play together, if necessary in an environment.
>
> That said, I can see PolicyKit becoming something that I use regularly
> in my programming.  It increases the auditability of code and it
> increases the confidence that I have that there are no coupling
> interdependencies, and it ensures that privileged code is separated by
> process and hardware protection boundaries.  Plus it makes the
> privileged component simpler and easier to understand, and easier to
> make “obviously correct”.  Seems to me that it is a good idea all the
> way around.  Besides, who would rally against more clear design for
> programs?
>
> PolicyKit has been around for a little while now, but I only really got
> to be familiar with it about maybe six months ago.  I have been wanting
> some system like it in Linux systems for ages.  Really, the idea
> simplifies things and makes them more secure by default---which is the
> way to be, if you ask me.
>
>        --- Mike
>
> --
> A man who reasons deliberately, manages it better after studying Logic
> than he could before, if he is sincere about it and has common sense.
>                                   --- Carveth Read, “Logic”
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>


-- 
-- 
James P. Kinney III

As long as the general population is passive, apathetic, diverted to
consumerism or hatred of the vulnerable, then the powerful can do as they
please, and those who survive will be left to contemplate the outcome.
- *2011 Noam Chomsky

http://heretothereideas.blogspot.com/
*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.ale.org/pipermail/ale/attachments/20120131/d8966280/attachment-0001.html

More information about the Ale mailing list