[Discuss] grsecurity

[Richard Pieri]

On 5/1/2012 9:53 PM, Tom Metro wrote:
> I got what you meant, but that's a UI or config layer problem. What I'm
> saying is that gsecurity could have used the SELinux (or AppArmor, or
> whatever) Linux Security Module[1] to implement their rules, and wrap it
> with their own UI or config system to make it turn key and less error prone.

No, they couldn't.  SELinux is a mandatory access control (MAC) 
mechanism.  grsecurity implements a rule-based access control (RBAC) 
mechanism.  They're actually very different things despite having so 
much functional overlap.

In the MAC model, resources are given security labels.  Users and 
processes that require access are given corresponding security 
clearances.  Adding a new user to the system entails giving that user 
all of the relevant clearances.  Adding a new resource to the access 
control system entails assigning it an appropriate security label and 
then giving all the relevant users the correct clearance.  MAC is 
granular but it requires expanding administrative overhead as more 
security labels and clearances are implemented.

In the RBAC model, access to resources is encapsulated in roles.  Users 
and processes that require access are given those roles.  Adding a new 
resource to the access control system entails adding it to the 
appropriate roles.  Users who have those roles automatically inherit the 
relevant access.  Encapsulating access control in roles simplifies 
management compared to MAC at the cost of granularity.

That's just scratching the surface.  RBAC can be very flexible in how 
rules are nested and linked.  MAC has extremely fine-grained access 
controls.  Neither is inherently better than the other; they're different.

> Hopefully someone will point out that there was a technical
> justification for not reusing an existing LSM.

LSM is a Linux API for mandatory access control.  It does not provide 
hooks for rule-based access control.  Implementing RBAC in Linux cannot 
be done through LSM.

-- 
Rich P.