SMACK meets the One True Security Module
| This article brought to you by LWN subscribers Subscribers to LWN.net made this article — and everything that surrounds it — possible. If you appreciate our content, please buy a subscription and make the next set of articles possible. |
The Simplified Mandatory Access Control Kernel is a security module designed to harden Linux systems through the addition of mandatory access control policies; it was covered here last August. Like SELinux, SMACK works by attaching labels to processes, files, and other system objects and implementing rules describing what kinds of access are allowed by specific combinations of labels. Unlike SELinux, though, SMACK was designed specifically for simplicity of administration.
The posting of version 3 of the SMACK patch inspired a certain amount of discussion. Andrew Morton's take led things off:
I'd have trouble declaring that "but" to be a reason to not merge smack. I'm more thinking "let's merge it and see if people use it".
Andrew concluded by suggesting that the SMACK patch should be merged for 2.6.24. There was some discussion about specific pieces of the patch (some developers are more impressed by CIPSO network labels than others), but there does not seem to be a whole lot of opposition to merging the SMACK security module. It is generally seen as being well-written code which makes sense from a security point of view.
There was one predictable exception, though: whenever a new security module is considered for merging the SELinux developers tend to oppose it. This time, James Morris voiced a more general complaint: SMACK would become the second in-kernel user of the Linux security module (LSM) framework. That, in turn, would make it almost impossible to remove LSM from the kernel. James claims:
The SELinux programmers, it seems, would rather that SELinux became the one security framework supported by Linux, with all development effort going into making SELinux better.
The problem, of course, is that, even after a few years with only SELinux in the kernel, there has not been a glut of application developers working to support it. The vision of each application shipping with an SELinux policy file has not come to be. Some progress has been made in the creation of higher-level tools for the management of SELinux policies, and the Fedora and Red Hat developers have come a long way toward making a general-purpose distribution work with a limited set of SELinux policies, but SELinux simply remains too complex for most people to deal with. SELinux may work out of the box on an RHEL system, but as soon as the system administrator runs into something which breaks, chances are that SELinux will be turned off.
The SELinux developers would presumably argue that the way to address these problems is to focus on a single security framework within the kernel. Rather than create competing, simplified frameworks, it would be better to implement approaches like AppArmor or SMACK within SELinux and, in the process, make SELinux better. Those developers argue that pluggable security modules, like pluggable schedulers, succeed only in splitting development effort and preventing the creation of a truly general solution:
The answering argument is that there are many security environments and differing sets of user needs; there is no sign that a single security approach can ever work in all situations. And, even if such a unified approach were possible, getting security developers to agree on it would still be a major challenge. Ted Ts'o writes:
The LSM architecture was a result of the very first kernel summit, where Linus stated that he had no wish to choose between the various security ideas in circulation and, instead, wanted the kernel to be able to support all of them. He has not changed his mind since; he still doesn't see any imminent consensus on security approaches, and still wants Linux to be flexible in this regard. So his pronouncement was:
When I see the security people making sane arguments and agreeing on something, that will change. Quite frankly, I expect hell to freeze over before that happens, and pigs will be nesting in trees. But hey, I can hope.
So it looks like the way is clear for a merger of SMACK in 2.6.24. Once
that happens, it would not be surprising to see another push made by the
developers of security modules like AppArmor and TOMOYO Linux; in fact, the
TOMOYO Linux patches have just been
reposted. In the end, SELinux will, despite the apparent wishes of its
developers, have to compete with other security approaches for attention
from developers, distributors, and users. There will be no One True
Security Module for Linux in the foreseeable future.
| Index entries for this article | |
|---|---|
| Kernel | Security/Security modules |
| Security | Linux Security Modules (LSM) |
(Log in to post comments)
SMACK meets the One True Security Module
Posted Oct 2, 2007 17:36 UTC (Tue) by bronson (subscriber, #4806) [Link]
It seems like the SELinux guys are still looking to userspace tools to bail them out of their usability nightmare. I'm guessing most Linux admins enter iptables commands by hand (or by script), and iptables is *way* simpler than SELinux. The ALSA guys leaned on userspace to bail them out of their complexity nightmare and look at where it got them.
As long as it takes *days* for a good admin to learn and provision a nontrivial SELinux server, SELinux is a non-starter (in my workshop anyway). Ignore the userspace tools! Make a portion of SELinux as capable and easy to use as AppArmor or SMACK and SELinux adoption will increase tenfold.
I'm excited about SMACK. I hope it gets merged. And I hope SELinux guys start taking learnability and usability seriously.
SMACK meets the One True Security Module
Posted Oct 2, 2007 20:43 UTC (Tue) by danieldk (guest, #27876) [Link]
It depends on what policy you use. For example, the Simplified Policy Description Language is quite easy to grok:
http://seedit.sourceforge.net/
It's policy language looks a lot like AppArmor's, but it does use file contexts underneath.
SMACK meets the One True Security Module
Posted Oct 4, 2007 14:53 UTC (Thu) by jengelh (subscriber, #33263) [Link]
>Ignore the userspace tools! Make a portion of SELinux as capable and easy to use as AppArmor or SMACK and SELinux adoption will increase tenfold.
So, interestingly, is not *Novell* to blame (rather than SELinux or the casual user) to not have AppArmor designed to use SELinux as LSM? Just a thought...
SMACK meets the One True Security Module
Posted Oct 4, 2007 21:04 UTC (Thu) by nix (subscriber, #2304) [Link]
AppArmor predates SELinux, and does things that SELinux can't do withoutinsane delays (mass-relabelling of potentially every file in a very deep
subdirectory whenever you rename it springs to mind; even crazier
mass-relabellings of everything on the disk to implement some changes of
policy, unless I miss my guess).
(Equally, AppArmor can't efficiently imitate a TE system --- but nobody's
claiming it can.)
SMACK meets the One True Security Module
Posted Oct 2, 2007 18:20 UTC (Tue) by flewellyn (subscriber, #5047) [Link]
I think the problem here is, we're getting conflicting messages from the SELinux folks. On the one hand, they insist that SELinux is a security architecture, and can be used to create higher-level, more abstract security tools. On the other hand, they insist that SELinux should be usable as-is from userspace, by ordinary administrators.
I don't see these positions as compatible at all. And while I am no expert with SELinux (aside from the developers, does such a thing exist?), from what I understand about it, it IS more suited as an architecture for building security tools, than as a security tool in its own right. So perhaps the SELinux folks should work on making its interface more of a "programmatic" one, and stop emphasizing the userspace tools as security solutions on their own. In other words, to compare to another Linux subsystem, SELinux would be Netfilter to other tools' iptables or shorewall.
SMACK meets the One True Security Module
Posted Oct 3, 2007 0:29 UTC (Wed) by drag (guest, #31333) [Link]
Well I think the point behind Eclispe is that it's a framework for building IDEs and what IDE you get when you try it out is only going to have a tiny fraction of it's capabilties.
Er, something like that.
Personally I'm happy with Vim and Python. No need for intellesense or anything like that for a language that is designed to be easy to remember and I am not working in a formal corporate environment. (I'll probably just program in C or pyrex or something like that if I need speed)
SMACK meets the One True Security Module
Posted Oct 3, 2007 3:23 UTC (Wed) by drag (guest, #31333) [Link]
OMG, I can't beleive I posted the above to teh wrong article.WTF was I thinking.
:(
SMACK meets the One True Security Module
Posted Oct 4, 2007 0:09 UTC (Thu) by jamesm (guest, #2273) [Link]
Oddly enough, it still makes sense here :-)
Thanks to Drag replying to wrong article, I just had a bright idea
Posted Oct 5, 2007 9:18 UTC (Fri) by pr1268 (subscriber, #24648) [Link]
Agreed! Drag's comment about his "IDE" of vim and python vs. Eclipse did indeed bear some resemblance to the discussion about SELinux vs. AppArmour. What a pleasantly surreal experience!
Thanks to Drag's misplaced comment, I just had a bright idea: Eclipse IDE for SELinux!! Use all the features you've come to expect with using Eclipse to develop Java, C, or C++... and now you can build your own security framework! Testing your framework is simply a few mouse clicks away via the "build/debug" menu.
</end silliness> ;-)
Thanks to Drag replying to wrong article, I just had a bright idea
Posted Oct 5, 2007 14:07 UTC (Fri) by nix (subscriber, #2304) [Link]
Obviously the *right* approach is an Emacs specialized entirely for writing SELinux configurations. There's even an XEmacs fork with the right name: SXEmacs. Just reuse the name, write a new selinux mode, rip out all that boring stuff nobody uses like text-mode, cc-mode, vm and gnus, and you're home free! :)
Thanks to Drag replying to wrong article, I just had a bright idea
Posted Dec 11, 2008 18:22 UTC (Thu) by SEJeff (guest, #51588) [Link]
SMACK meets the One True Security Module
Posted Oct 11, 2007 6:43 UTC (Thu) by ury (guest, #47805) [Link]
what about GRSecurity ? or some similar,maybe just ask security-patch authors about they vision?
http://www.grsecurity.net/lsm.php
http://www.rsbac.org/documentation/why_rsbac_does_not_use...
ps: selinux i think toooooo blooooated to use
i like grsec, and interested in making things better ;)