Re: security, permission models

[Ivan Gyurdiev <ivg2 cornell edu>]

> No he doesn't. He hates the Virus, but his aim is that he just doesn't
> have to care about security, i.e. security should be guaranteed
> automagically without having to deal with it.
>   
This particular discussion concerns confidentiality and information 
disclosure. I'm not sure how you suggest we address this problem without 
specific input from the user indicating what his or her confidentiality 
requirements are.

Please, let's stay focused on the specific, with emphasis on current 
capabilities, and how we can use them. Diverging into general discussion 
about how security should be automatic won't accomplish anything. In 
fact, a much better place for such a discussion is nsa-list.
> As of writing SElinux is an interesting security approach, because it
> tries to combine some of the MLA aspects with the traditional UNIX
> permission model, 
SELinux includes TE (Type Enforcement), RBAC (Role Based Access 
Control), and MLS (Multi Level Security).
It's a combination of many types of enforcement, all working together, 
in complement to Unix permissions.

> but it doesn't offer anything for the mass market,
> because it's limited to /etc foo, i.e. tied to the OS/host instead of
> also having some of the connectivity needs of people in scope.
>   
Distributed policy will be addressed by Tresys' Technologies policy 
server development. Better integration with things like LDAP is also 
planned. Remember, SELinux is an emerging technology, so many of the 
missing features will appear in due time.
> Something fundamentally new would be:
>
> I'd like to be able to tag a file as "All", and have it available
> through a sharing service to all people knowing my ID, and all people
> logged in on my system in a "Shared Resources" listing. 
This is a good time to point out that SELinux restricts additional 
access on top of Unix permissions. Its goal is not to override or 
replace the current permissions model. In fact, SELinux rules are 
applied only after standard Unix DAC, and I believe MCS rules are 
applied last (TE and RBAC taking precedence)... though I could be wrong.

In order to accomplish what you ask, you'd have to violate Unix DAC, 
since your file is most likely in your home folder, which is most likely 
private to other users. I could think of ways to accomplish this - maybe 
have a privileged daemon be notified whenever you do that kind of thing, 
and it can provide the file to clients with appropriate authorization. 
Samba would play that role in the example below (Samba integration with 
nautilus so I can right click and share folders would be very nice). 
Anyway, that's not in the scope of the SELinux project.

> Another tag
> "Family" would allow my family to authenticate themselves with their ID
> on the sharing service, on my local host or through samba and have the
> Documents right on their machine.