Re: New stacker performance results

From: Stephen Smalley (sds@private)
Date: Thu May 26 2005 - 05:27:35 PDT


On Wed, 2005-05-25 at 21:39 -0500, Serge E. Hallyn wrote:
> A few years ago, while I was still working on DTE, I was contacted by
> someone who ran a large web-cgi farm.  He wanted to know whether DTE
> could be used to satisfy his security goals.  In particular, he had 100k
> users who could use a few global cgi scripts, but once they ran cgi
> scripts under their own directory, those scripts should only be able to
> access files under their own home directory, with a few predefined
> exceptions.  In addition it shouldn't be "hard" to add or remove users.
> 
> To express this in TE would require a very large policy, with policy
> reloads for user add/remove.

I'm not clear I understand why.  SELinux constraints on the user
identities or DAC could cover the user-based restrictions, with just a
few types and TE rules to deal with the notions of global cgi scripts
vs. others.  As far as adding and removing users goes, policy reload is
necessary, but adding/removing users has become much simpler in FC4
via /etc/selinux/strict/users/local.users; you no longer need to rebuild
the binary policy file.  And the binary policy module work will allow
other kinds of customizations more easily on end systems.

> To take away this kind of flexibility from people actually trying to
> install real systems should not be done lightly.

I think this is a misunderstanding; there is no loss in freedom; you are
still free to patch the kernel to do what you wish, and in fact, you
could just as easily patch SELinux to call your own hooks on entry to
its hook functions if you wanted to avoid trying to track the core
kernel changes.  It is just a question of whether the core kernel itself
needs to directly provide support for out-of-tree LSMs.

-- 
Stephen Smalley
National Security Agency
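
The arrangement suggested in the reply above, written out as an added illustration (not policy from this thread or from any shipped SELinux policy): one identity constraint separates the users, and a handful of types and TE rules shared by all users distinguish per-user scripts from the predefined exceptions. Every type name and the user `alice` are hypothetical, and the sketch assumes that the web server starts each per-user script with the SELinux user identity of the owning account and that files under a user's directory carry that same identity in their label.

```selinux
# --- policy source: written once, identical for all 100k users ---

# Hypothetical types (assumptions, not names from a real policy).
type user_cgi_t;        # domain of a script run from a user's own directory
type user_cgi_exec_t;   # label on those script files
type user_web_t;        # label on everything else under a user's directory
type shared_web_t;      # the "few predefined exceptions", read-only

# Let processes running as user_r enter the per-user script domain.
role user_r types user_cgi_t;

# TE rules: what any per-user script may touch, by type only.
allow user_cgi_t user_web_t:dir  { search getattr read write add_name remove_name };
allow user_cgi_t user_web_t:file { getattr read write append create unlink };
allow user_cgi_t shared_web_t:dir  { search getattr read };
allow user_cgi_t shared_web_t:file { getattr read };

# Identity constraint: when a per-user script accesses per-user content,
# the SELinux user of the process (u1) must equal the SELinux user in the
# file's label (u2). The TE rules above say "scripts may use user files";
# this line narrows that to "their own user's files".
constrain { file dir } { getattr read write append create unlink }
    ( t1 != user_cgi_t or t2 != user_web_t or u1 == u2 );

# --- /etc/selinux/strict/users/local.users: the only per-user part ---
# Adding or removing an account edits one line here and reloads policy.
user alice roles { user_r };
```

Because the constraint compares identities instead of naming them, the TE policy does not grow with the number of accounts; only the users file does.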


