* Peter Dolding <[EMAIL PROTECTED]> [2007-10-22 09:54]:
> Let's start with a few basic problems I have found with all LSMs I have tried.
> 
> Number 1: they forget users might need to limit applications without
> administrator approval and only locally.  This is like running
> Firefox locked out from seeing particular directories chosen by the
> user because the user knows they contain stuff that should not be seen
> online.   Most of the limitations a system admin can apply to
> applications, users need to be able to apply to their own.  Of course
> users should never be able to grant more permissions than what they
> have.

Yes, this is an important capability, but you don't need kernel support
for that. For SELinux, look at the SELinux Policy Management Server
(http://oss.tresys.com/projects/policy-server). 

Using the Policy Management Server, you could allow your users to create
an arbitrary number of confined domains, where the user decides how much
access the confined domain gets, yet no domain can access anything the
user cannot.

I'm sure something like that could be written for other security
modules.

> Number 2: most are attempting to fix the suid and guid bit defects,
> yet no attempt is ever made to address the kernel fault/POSIX design
> fault.  POSIX file capabilities get close.   Even though these cannot be
> used to replace suid and guid, they should be made usable to
> provide limitations to them.

I think you should more clearly explain which "defects" you mean.

For SELinux, there was some discussion of granting capabilities through
policy, but I'm not sure what the status of that patch is (it is
certainly not in mainline yet). This would make it possible to remove
almost all suid bits on an SELinux system.

Not sure if that's what you mean.

> This is a future one: I have not seen security containers so that
> different sections of a virtual server could use different security
> modules.

As has already been discussed on this list, security properties are
"whole machine" properties. At least for MAC systems like SELinux, I
don't think partitioning a system like that is possible or sensible. If
you really need different security modules, use different kernels and
something like KVM.

Regards,
Thomas
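As an added illustration of the user-confined-domain idea discussed above (this is example policy written for this note, not code from the Policy Management Server project or from either poster), the following reference-policy style module defines a hypothetical confined browser domain `user_firefox_t` that is entered automatically when a user in `user_t` runs the browser binary, and a hypothetical file label `user_private_t` for directories the user wants hidden from it. All type, file and directory names here are assumptions chosen for the example. The domain only receives the access rules listed; because SELinux is default-deny, the private directories are unreachable, and the closing `neverallow` makes the policy compiler reject any later rule that tries to grant that access.

```selinux
policy_module(user_firefox, 1.0.0)

########################################
# Declarations (all names hypothetical)
#

# Label the user applies to directories the browser must never see
type user_private_t;
files_type(user_private_t)

# The confined browser domain and the executable that enters it
type user_firefox_t;
type user_firefox_exec_t;
application_domain(user_firefox_t, user_firefox_exec_t)

gen_require(`
	type user_t;
	role user_r;
')

# The ordinary user role may run the confined domain
role user_r types user_firefox_t;

# Executing the browser binary from user_t transitions into user_firefox_t
domain_auto_trans(user_t, user_firefox_exec_t, user_firefox_t)

########################################
# Access the browser actually needs (a deliberately short list)
#

userdom_search_user_home_dirs(user_firefox_t)
userdom_manage_user_home_content_files(user_firefox_t)
userdom_manage_user_home_content_dirs(user_firefox_t)
corenet_tcp_connect_http_port(user_firefox_t)
sysnet_dns_name_resolve(user_firefox_t)
miscfiles_read_localization(user_firefox_t)

########################################
# Nothing above mentions user_private_t, so it is already denied.
# This assertion additionally fails the build if any rule ever grants it.
#
neverallow user_firefox_t user_private_t : { dir file lnk_file } *;
```

A matching file-contexts entry such as `/home/[^/]+/private(/.*)?  gen_context(system_u:object_r:user_private_t,s0)` (again a hypothetical path) labels the directories, after which `restorecon -R` applies it and `audit2why` or `sesearch` can be used to confirm that no rule reaches `user_private_t` from `user_firefox_t`. Note what this module does not do: it cannot by itself prove that `user_firefox_t` is a strict subset of what `user_t` may do; enforcing that "no more than the user has" invariant when an unprivileged user submits such a module is exactly the job Thomas attributes to the Policy Management Server.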
