[OLPC Security] Why not SELinux?

[Michael Stone]

Blake,

Questions like this are best addressed to the security mailing list:

  security at lists.laptop.org

However, the brief answer is:

 * selinux appears to me to be more expensive to use than the path I've
   pursued so far because it seems both enourmously complicated and
   sparsely documented. 

 * no selinux advocates have been able to explain to me, in detail, how
   I can use it to solve the problems that I want to solve. They
   typically point to run-time policy generation as the way forward
   while neglecting to address the issues that

     - user-land policy servers are an active research topic and 

     - selinux's policy configuration language and APIs are rather
       ad-hoc.

 * relatively few programmers know how to reason about or work in
   selinux-controlled environments compared to the number who can work
   happily with Unix discretionary access control.

This being said, I've spent some time in recent weeks reading about
selinux so that I'm better informed of its capabilities. If someone
makes a persuasive argument to me that I can use it to fulfill my goals
at less cost than the path I'm currently pursuing, then I'll be all ears.

Michael

On Fri, Jan 25, 2008 at 01:23:33PM -0500, cortland.setlow at gmail.com wrote:
> Hi Mike,
> 
> I was wondering why you didn't pick SELinux for the OLPC's activities
> and activity instances.  Is it that you will eventually have Rainbow set
> up individualized security contexts for each instance, or that Rainbow
> and SElinux solve different problems?  If you don't know much about
> SELinux, I'll do the reading on my own, but if you know about it I'd
> rather hear about it from you.  
> 
> --Blake.