Critiquing the Criticism about SELinux in Wikipedia


The SELinux entry in Wikipedia has a section called Criticism which I found very interesting. The first paragraph is simply a matter of opinion, and I am certainly among those who believe that SELinux is more complicated than it needs to be. That's why Trusted Extensions took a different tack. But the second paragraph is filled with misinformation. Having just posted a new thread Relabeling large files without copying them , I found this pretty funny. Here's the quote:

"Some have criticized SELinux for its use of inode labeling rather than pathnames as the basis for its access control. Such criticism represents a misunderstanding of Unix heritage and internals; the access control enforcement mechanisms of Unix kernels have never relied upon pathnames as their basis, as paths are ambiguous identifiers in Unix systems and do not identify the real objects (the inodes)."


A casual user of Trusted Extensions will surely notice that you can derive labels from pathnames in an unambiguous fashion. The reasons we can do this are a bit complex, but the bottom line is that it works. Among the factors that make it possible are:


  1.  Zones root pathnames are special-cased throughout the kernel.
  2. Zones have unique labels.
  3. Zones cannot create ambigouous pathnames (such has hardlinks between files in different zones).
  4. Mount policy is always consistent with respect to labeling policy.
  5. The Solaris 10 kernel can lookup pathnames by vnode.
  6. The label of a file is invarient regardless of its local pathname.

The last item needs some more explanation. It is a bit like Einsteinian Relativity: The label of a file is invarient regardless of the reference frame (zone) from which it is being observed.


While it is true that two zones may use different pathnames for the same underlying file, the kernel can always determine which zone is the ultimate owner of the object. This may require unwinding symbolic links, loopback mounts, and NFS mounts, but it's quite deterministic. The fact that Trusted Exensions does not extend any on-disk file system structures, such as inodes, means that the mandatory access policy works properly and consistently with all known file systems.

Comments:

Post a Comment:
  • HTML Syntax: NOT allowed
About

This blog explores some of the security features of Oracle Solaris. In particular, topics such as Role-Based Access Control and Labeled Security are my special interests.

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today
Bookmarks