:: Re: [Dng] vdev update and design do…
Kezdőlap
Delete this message
Reply to this message
Szerző: Martijn Dekkers
Dátum:  
Címzett: Enrico Weigelt, metux IT consult
CC: dng
Tárgy: Re: [Dng] vdev update and design document
On 5 January 2015 at 07:47, Enrico Weigelt, metux IT consult <
enrico.weigelt@???> wrote:

> On 05.01.2015 00:40, Jude Nelson wrote:
>
> >> In VAX/VMS there was a feature that could in theory be useful,
> >> though I've never seen it actually used. Fila permissions could
> >> forbid the root user from reading the file. This might be useful
> >> for dire secrets. Even the sysadmin couldn't back up that file.
> >
> > I think for some applications (like dealing with medical records), this
> > is a legal requirement.
>
> No, certainly not (I'm currently working in than area) - that's just
> misinterpretation. Instead you'll need clear access control rules,
> mich might have to prevent _operators_ from accessing certain data.
> In that case, operators wont have root access.
>


That answer is just plain wrong. There are several areas where there are
significant legal requirements around disallowing the concept of a root /
UID 0 user to have overriding access. Please be advised that SELinux was
built by the NSA *specifically* to be able to meet these legal
requirements. Think Government, Finance, Defense, Intelligence, Law
Enforcement, Medical. Yes, this is first-hand, practical knowledge. Stating
that there is no legal requirement anywhere for restricting access to
information only to a certain group of users is .... funny ....

On Unix/Linux, root / pid 0 can do everything, by definition. (not even
> capabilities / selinux really can stop this).



Again, this is incorrect. It is not only possible to do this with SELinux,
it is one of the stated design goals. A good example is here:
http://www.coker.com.au/selinux/play.html read the FAQ. Note that there are
even stricter (read: more correct) implementations. There are also
commercial solutions that achieve this:
https://www.trustifier.com/kse/#!overview and others like it, for example
Raytheon also do similar products.

Configuring SELinux with a MLS/BLP model
https://en.wikipedia.org/wiki/Bell%E2%80%93LaPadula_model is how to achieve
the "go on, be root/UID0, you wont be allowed to do the things you are not
allowed to do" setup.

Good luck