On Mon, 24 Nov 2008, Shawn Wells wrote:

> As promised, an answer to SELinux in a separate thread.
> ...
> This gets us into a little of MAC vs DAC theory. Under historical
> models privilege is granted based upon user/group settings. For
> example, say I have the following:
Thanks, Shawn, for spelling out some of the function in SELinux. Since many of us are accustomed to MAC being a certain 48-bit address, here the acronym MAC means "mandatory access control", in contrast to "media access controller". In DAC, the D is "discretionary". The idea is that with traditional software systems certain full-access modes require DISCRETION in the code so that bad things do not happen. But if that code can be compromised, or if it contains back-door functions, then MANDATORY control is warranted.

> 1) Apache is installed as user apache, group _system_ (yes, this
> actually is common!)
> 2) My DNS configuration file is owned by DNSUser, and _grouped to system_.

The example doesn't clearly demonstrate the value of MAC over DAC. In this case, simply moving Apache to a different run-time group would suffice to prevent web twiddling with your DNS. If SELinux seems to present excess complexity, the traditional model may provide what you need. Just be aware. THINK about what you're trying to accomplish. Consider carefully whether your security model provides the protection and audit you need.

The binary security inherent in Unix/POSIX/Linux (i.e., you're root or you're not) has been challenged time and again. Developers and sysadmins usually come back to it. Why? We can only speculate. Rightly or wrongly, it's common practice at VM shops to give "alphabet soup" privileges to those IDs which need sysadmin capability and "G" to the rest. (Possibly giving further reduced rights to guest systems, but that's a whole nutha discussion thread.) DEC applied all the glory of VMS privilege bits to their implementation of the OSF/1 operating system. (OSF/1 is also Mach based, so it's not ALL bad. Heck, AIX/ESA is also OSF/1.) The stunning popularity of OSF/1 (mostly Tru64) serves as testimony to the warm embrace such fine-grained control has received in the industry.
[excellent SELinux details omitted for brevity in this reply]

If you're unwilling to run your web server under its own ID and in the proper POSIX group, then you might get some comfort by applying yet another control layer. Call it a security label. Call it an access right. It will hopefully cover your derrière from the ooooopppsss factor. And if the scheme is complicated enough and/or if it has the blessing of a secret government agency, then your auditors will probably swallow it outright.

-- R; <><

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390
or visit http://www.marist.edu/htbin/wlvindex?LINUX-390
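The discretionary check the reply leans on (run Apache under its own uid/gid and the DNS configuration is out of reach) is easy to see by modelling the POSIX DAC decision itself. The block below is an added example and is not code from the original post or from the LINUX-390 thread. It implements the classic owner/group/other decision with the root bypass the reply calls "you're root or you're not", then replays Shawn's scenario (Apache in group system, DNS config grouped to system) and the proposed fix (Apache in its own group). The numeric uids/gids, the file name `named.conf` and the modes 0660/0640 are constructed assumptions chosen to mirror the thread; they are not from the post.

```python
"""Model of the POSIX discretionary access check (DAC), replayed against
the Apache / DNS-config scenario from the thread.

Added example, not code from the original post. The uids, gids, file
name and modes below are constructed to mirror the thread's scenario."""

from dataclasses import dataclass
import stat


@dataclass(frozen=True)
class Subject:
    """A running process: effective uid, primary gid, supplementary gids."""
    uid: int
    gid: int
    groups: frozenset = frozenset()

    def all_gids(self) -> frozenset:
        return self.groups | {self.gid}


@dataclass(frozen=True)
class File:
    owner_uid: int
    owner_gid: int
    mode: int  # permission bits only, e.g. 0o640


def dac_permits(subj: Subject, f: File, want: int) -> bool:
    """Classic Unix DAC decision. `want` is a mask built from the 'other'
    bit constants (stat.S_IROTH / S_IWOTH / S_IXOTH); the function shifts
    the file mode so exactly one class of bits is consulted: owner if the
    uid matches, else group if any of the subject's gids match, else other.
    Root (uid 0) bypasses read/write entirely (Linux CAP_DAC_OVERRIDE
    behaviour); execute still needs at least one x bit on the file."""
    if subj.uid == 0:
        if want & stat.S_IXOTH:
            return bool(f.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
        return True
    if subj.uid == f.owner_uid:
        shift = 6          # owner bits
    elif f.owner_gid in subj.all_gids():
        shift = 3          # group bits
    else:
        shift = 0          # other bits
    return ((f.mode >> shift) & want) == want


# Constructed ids mirroring the thread (assumptions, not from the post).
UID_APACHE, UID_DNSUSER = 48, 25
GID_SYSTEM, GID_APACHE, GID_NAMED = 10, 48, 25

READ = stat.S_IROTH    # 0o4
WRITE = stat.S_IWOTH   # 0o2

# DNS config "owned by DNSUser, grouped to system". A group-writable mode
# (rw-rw----) is what makes web "twiddling" of the file possible at all.
named_conf = File(owner_uid=UID_DNSUSER, owner_gid=GID_SYSTEM, mode=0o660)


def shawns_scenario() -> bool:
    """Apache running in group 'system' can write the DNS config."""
    apache = Subject(uid=UID_APACHE, gid=GID_SYSTEM)
    return dac_permits(apache, named_conf, WRITE)


def fixed_scenario() -> bool:
    """Same file; Apache moved to its own run-time group. Write denied."""
    apache = Subject(uid=UID_APACHE, gid=GID_APACHE)
    return dac_permits(apache, named_conf, WRITE)


def supplementary_group_leak() -> bool:
    """Caveat: changing the primary gid is not enough if 'system' survives
    as a supplementary group (e.g. via /etc/group membership)."""
    apache = Subject(uid=UID_APACHE, gid=GID_APACHE, groups=frozenset({GID_SYSTEM}))
    return dac_permits(apache, named_conf, WRITE)


def read_only_group_mode() -> tuple:
    """Tightening the file to rw-r----- (0640) stops group writes but still
    lets anyone in 'system' read the config: (can_read, can_write)."""
    tightened = File(UID_DNSUSER, GID_SYSTEM, 0o640)
    apache = Subject(uid=UID_APACHE, gid=GID_SYSTEM)
    return (dac_permits(apache, tightened, READ), dac_permits(apache, tightened, WRITE))


if __name__ == "__main__":
    print("apache in group system can write named.conf:", shawns_scenario())          # True
    print("apache in its own group can write named.conf:", fixed_scenario())          # False
    print("apache with 'system' as supplementary group:", supplementary_group_leak())  # True
    print("0640 on the file, apache in group system (read, write):", read_only_group_mode())  # (True, False)
```

The point the reply makes is the second function: once the web server's uid and gids share nothing with the file's owner and group, the DAC check falls through to the "other" bits and the config is unreachable, with no label scheme involved. The third function is the check a practitioner should actually run before trusting that (`id apache` on the box, not just the primary group in /etc/passwd), and the last shows that mode hardening and group separation solve different halves of the problem.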