Subject: Re: SE Linux vs SE NetBSD !!
To: Elad Efrat <elad@NetBSD.org>
From: Robert Watson <rwatson@FreeBSD.org>
List: tech-security
Date: 08/26/2006 05:31:42
On Sat, 26 Aug 2006, Elad Efrat wrote:
> I'm hardly nit-picking on the specific example, but am still curious if a
> SELinux-like environment solves these problems in ways kauth(9) can't.
FWIW, I think comparing kauth(9) and SELinux is somewhat silly. :-)

kauth(9) is a kernel programming interface to write pluggable security policy
modules. SELinux is a security module that plugs into a similar (but
different) kernel programming interface, LSM, and provides a comprehensive
policy language. If you want to compare programming interfaces, compare
kauth(9), the MAC Framework, LSM, and FLASK, which all sit in similar places
in the programming stack. You can implement a TE-like language on top of
kauth(9), sans complete type expression due to lack of labels, and have all
the complexity (although not necessarily the flexibility) of SELinux. In
fact, this is likely the first thing someone might do with kauth(9) -- add a
text-based policy language to control the rights assigned to users.

Now you can argue about whether the lack of ability to specify labels
independent from the traditional uid/gid model is useful, which is probably
the better comparison. That can then drive a decision about whether you need
a more capable framework, or for that matter extensions to kauth(9), in order
to support those requirements. The design decisions behind LSM and the MAC
Framework reflect the labeling requirements of more comprehensive system
policies with information labeling requirements, whereas kauth(9) doesn't.
If you don't need the labeling capability, then kauth(9) meets your needs, but
if you do need the labeling capability, then kauth(9) doesn't. Nothing
precludes having multiple frameworks, for that matter -- kauth(9) to provide a
simpler programming interface for simple policies, and a more comprehensive
framework for more comprehensive policies. Or providing one interface using
another -- this is what SELinux does, btw. FLASK is a more constrained
security interface layered on top of LSM, which deals with a "sid" labeling
abstraction, rather than kernel data structures for objects. Likewise with
SEBSD -- FLASK is layered over the MAC Framework on FreeBSD and Mac OS X.

Robert N M Watson
Computer Laboratory
University of Cambridge
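Robert's remark that the first thing someone might do with kauth(9) is add a text-based policy language controlling the rights assigned to users can be shown with a small user-space model. This is an added illustration, not code from this thread or from the NetBSD project. The listener/dispatcher shape follows the kauth(9) listener model (each listener answers allow, deny or defer for a request; deny wins; a request nobody decides on fails closed), but every name here (`authz_*`, `struct cred`, the scope and action strings) is invented for the model, the policy syntax is made up, and the policy text is constructed. The check can only key on uid, which is precisely the gap Robert describes: neither the credential nor the object carries a label that a type-enforcement rule could reference.

```c
/*
 * Added illustration, not NetBSD code: a user-space model of a kauth(9)-style
 * listener enforcing a small text policy keyed on uid. All names are invented
 * for the model and do not correspond to the real kauth(9) API.
 */
#include <stdio.h>
#include <string.h>

enum { AUTHZ_DEFER = 0, AUTHZ_ALLOW = 1, AUTHZ_DENY = 2 };

/* A traditional credential: identity only, no security label. */
struct cred { unsigned uid; unsigned gid; };

struct rule {
    int verdict;          /* AUTHZ_ALLOW or AUTHZ_DENY */
    unsigned uid;         /* the only subject attribute the language can name */
    char scope[16];
    char action[16];
};

#define MAX_RULES 32
static struct rule rules[MAX_RULES];
static int nrules;

/* Parse lines "<allow|deny> uid <n> scope <s> action <a>"; '#' starts a comment.
 * Returns the number of rules loaded, or -1 on a malformed line. */
int authz_load_policy(const char *text)
{
    char buf[1024];
    nrules = 0;
    strncpy(buf, text, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
        char verb[8], s[16], a[16];
        unsigned uid;
        if (line[0] == '#') continue;
        if (nrules == MAX_RULES) return -1;
        if (sscanf(line, "%7s uid %u scope %15s action %15s", verb, &uid, s, a) != 4) return -1;
        struct rule *r = &rules[nrules];
        if (strcmp(verb, "allow") == 0) r->verdict = AUTHZ_ALLOW;
        else if (strcmp(verb, "deny") == 0) r->verdict = AUTHZ_DENY;
        else return -1;
        r->uid = uid;
        strcpy(r->scope, s);
        strcpy(r->action, a);
        nrules++;
    }
    return nrules;
}

typedef int (*listener_fn)(const struct cred *, const char *scope, const char *action, void *cookie);

/* Policy listener: matches on uid/scope/action only; an explicit deny beats an allow. */
static int policy_listener(const struct cred *cred, const char *scope, const char *action, void *cookie)
{
    (void)cookie;
    int verdict = AUTHZ_DEFER;
    for (int i = 0; i < nrules; i++) {
        const struct rule *r = &rules[i];
        if (r->uid == cred->uid && strcmp(r->scope, scope) == 0 && strcmp(r->action, action) == 0) {
            if (r->verdict == AUTHZ_DENY) return AUTHZ_DENY;
            verdict = AUTHZ_ALLOW;
        }
    }
    return verdict;
}

/* Second listener standing in for the traditional superuser policy. */
static int superuser_listener(const struct cred *cred, const char *scope, const char *action, void *cookie)
{
    (void)scope; (void)action; (void)cookie;
    return cred->uid == 0 ? AUTHZ_ALLOW : AUTHZ_DEFER;
}

static listener_fn listeners[] = { policy_listener, superuser_listener };

/* Dispatcher: any DENY denies; else any ALLOW allows; if every listener defers, fail closed. */
int authz_authorize(const struct cred *cred, const char *scope, const char *action)
{
    int result = AUTHZ_DEFER;
    for (size_t i = 0; i < sizeof listeners / sizeof listeners[0]; i++) {
        int v = listeners[i](cred, scope, action, NULL);
        if (v == AUTHZ_DENY) return AUTHZ_DENY;
        if (v == AUTHZ_ALLOW) result = AUTHZ_ALLOW;
    }
    return result == AUTHZ_ALLOW ? AUTHZ_ALLOW : AUTHZ_DENY;
}

/* Constructed sample policy in the invented syntax. */
static const char *policy_text =
    "# operator may bind sockets and signal processes; guest may not bind\n"
    "allow uid 1000 scope network action bind\n"
    "allow uid 1000 scope process action signal\n"
    "deny uid 1001 scope network action bind\n"
    "deny uid 0 scope machdep action iopl\n";

int main(void)
{
    struct cred op = { 1000, 100 }, guest = { 1001, 100 }, root = { 0, 0 };
    if (authz_load_policy(policy_text) < 0) { fputs("bad policy\n", stderr); return 1; }
    printf("operator bind:  %s\n", authz_authorize(&op, "network", "bind") == AUTHZ_ALLOW ? "allow" : "deny");
    printf("guest bind:     %s\n", authz_authorize(&guest, "network", "bind") == AUTHZ_ALLOW ? "allow" : "deny");
    printf("guest signal:   %s\n", authz_authorize(&guest, "process", "signal") == AUTHZ_ALLOW ? "allow" : "deny");
    printf("root bind:      %s\n", authz_authorize(&root, "network", "bind") == AUTHZ_ALLOW ? "allow" : "deny");
    printf("root iopl:      %s\n", authz_authorize(&root, "machdep", "iopl") == AUTHZ_ALLOW ? "allow" : "deny");
    return 0;
}
```

The `guest signal` case is the one worth noticing: no rule mentions it, so both listeners defer and the dispatcher denies. The `root iopl` case shows an explicit deny from the policy listener overriding the superuser listener's allow. To turn this into a TE-like language, the rule would need a subject type and an object type in place of `uid`, and both the credential and the object being acted on would need a field to carry those labels; that field is what this model, like the uid/gid model Robert describes, does not have.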