Glenn Faden's Blog

  • April 1, 2007

Comments about Trusted Operating Systems

Guest Author

Karl MacMillan has written a detailed response to my article comparing the MLS policies of Trusted Extensions and SELinux. Although I don't agree with many of his assertions, I think this is a healthy discussion. I've posted comments on his blog, but I have one other point to make here.

Despite the fact that my article was about the MLS policies in TX and SELinux, Mr. MacMillan generally played down MLS as a viable security technology. He states:

The problem, in my view, is that the separation offered by MLS systems
is more severe than most commercial customers can tolerate and there is
no secure way to relax those restrictions. That is where type
enforcement really shines. It is possible to clearly and securely
specify how information can flow to allow limited flow of data in
certain circumstances through specific, trusted processes. The
inflexibility of MLS doesn’t offer this: processes are either confined by
the policy or are trusted to circumvent it in coarse-grained ways.
Relaxing the policy to make it useful essentially destroys any security

I disagree that relaxing the MLS policy destroys any security benefit. In Trusted Extensions, the MLS policy for labeled zones is always enforced, even for privileged processes. The policy can be relaxed to permit specific trusted processes to request that individual files are upgraded or downgraded, but such relabeling is still subject to review by TCB processes in the global zone. Multilevel ports can be configured for use by trusted processes, but they are still constrained to communicate at specific levels.

Type Enforcement has a lot of potential, but MLS, as implemented in Trusted Extensions, provides unique advantages. I am pleased to see a growing awareness in the secure OS community.

Comments ( 2 )
  • Curt Vogue Monday, April 6, 2009

    Hey Glenn, is it possible to launch processes from one zone to run in a different zone? Ideally we'd want to do this from one labeled zone whose label will dominate the zone where we'd like to launch the process... but if necessary we could do it from the global zone.

    Thanks for any insight.


    P.S. I work for Rob Peabody on the CDS program here at NG

  • Glenn Faden Saturday, September 26, 2009

    It is not possible for a process in a labeled zone to launch a process in another zone. Only an all-privileged global zone process can do this. So you need to provide a trusted path facility to proxy the request into the global zone.

    This technique is already used in a few places. The GNOME panel and the Trusted Path menu provide a cross-zone parent-child pipe for communication with the global zone. Similarly, the labeld service with a rendezvous file in /var/tsol/doors acts as a proxy for relabeling.

    It is possible to send a message on a named pipe from a lower to higher level zone. The message could request execution at the higher level.