SELinux sparks tussle over Linux security model
- By Joab Jackson
- Oct 18, 2007
Should Security Enhanced Linux be designated as the sole security framework for Linux?
While most security specialists would agree on the high quality of SELinux, proponents are arguing this framework is the only one that should be needed for the open-source operating system kernel. In fact, it would eliminate the need for the Linux Security Module, an open platform for outsider developers to build their own security frameworks for Linux.
And this idea has raised the ire of Linux keeper Linus Torvalds.
"Right now, I see discussions about removing LSM because `SELinux is everything.' THAT IS A PROBLEM," he wrote, the all-caps wording an indicator of his displeasure.
First developed by the National Security Agency, SELinux is a form of mandatory access control in which users on a computer are restricted to those services labeled for their use by their designated security level.
The dispute started earlier this month, when Red Hat SELinux developer James Morris proposed on the Linux kernel mailing list that SELinux should be the de facto security framework for Linux. He said it would eliminate the need for LSM, and called for its removal from the kernel tree.
Morris' complaint was that LSM is actively hindering
the security of Linux. It is a "magnet for bad ideas," he wrote.
Other Linux security frameworks, such as Novell's AppArmor and the open-source Smack, are based on the LSM.
"If LSM remains, security will never be a first-class citizen of the kernel. Application developers will see multiple security schemes, and either burn themselves trying to support them, or more likely, ignore them," Morris wrote.
Others, including Torvalds, saw no need for expelling LSM from the kernel.
Last night, another developer, Thomas Fricaccia, urged that "a free and open operating system should preserve as much freedom for the end-user as possible. ... 'Freedom' includes the power to do bad things to yourself by, for example, making poor choices in security frameworks. This possible and permitted end result shouldn't be the concern of kernel developers."
A few even labeled Morris' call as a ploy for focusing all Linux security development efforts on SELinux.
On the mailing list, Torvalds said he remained open to arguments as to why LSM should be removed, even if he doubted anyone would make a coherent argument. He chastised SELinux proponents for arguing from theoretical grounds rather than using hard data to make a case. He also noted he saw too many arguments still going on over the nature of what makes a good framework, which leads him to believe consensus in SELinux is anything but a given.
"When it comes to security, I see people making IDIOTIC arguments," he e-mailed
. "For example, you security guys still debate 'inodes' vs 'pathnames', as if that was an either-or issue ... a person who says that it has to be one or the other is incompetent."
Joab Jackson is the senior technology editor for Government Computer News.