Forwarded from: Russell Coker <russellat_private> Cc: timothy_dyckat_private Timothy Dyck wrote in a review of OpenBSD: > However, while mandatory access controls do make systems harder to > administer, we've found the approach a very powerful defense in > tests and would welcome the option to use these techniques with > OpenBSD. One point you may use to strengthen your arguements for MAC in discussions with BSD people is their use in testing software. When you write MAC policy for an application using a system such as SE Linux that has fine grained controls you get a good knowledge of the details of it's operation. I have discovered many bugs in Linux programs through writing SE Linux policy and observing which programs try to violate the policy. One of the most common bugs I find is applications and libraries which fail to close file handles before executing other programs. I have found this in LDAP library code, the PCMCIA cardmgr process, many other programs, and even in the kernel itself! Some of these bugs have been fixed because of my work alone, and might otherwise still be present and unknown in Linux systems. My work on SE Linux is providing benefits for people who will never use it though getting some of these bugs fixed. Another thing to note is that although administering a system with MAC involves more work (and more skill) than a regular Unix system, you are not compelled to use it. Having a MAC system as an option for those who want it does not seem to offer any cost. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Jun 05 2003 - 04:01:05 PDT