Linked by Thom Holwerda on Wed 5th Mar 2008 09:43 UTC, submitted by diegocg
Sun Solaris, OpenSolaris "OpenSolaris has launched a new project, Flexible Mandatory Access Control, to integrate the Flask/TE security scheme into their OS. This is the same underlying model implemented by SELinux, and follows other cross-platform Flask/TE integration projects such as SEDarwin and SEBSD. This is very exciting in terms of establishing compatible security across operating systems, particularly for Mandatory Access Control, which has traditionally been narrowly focused and generally incompatible. With FMAC, we're closer to seeing truly ubiquitous, cross-platform MAC security."
Thread beginning with comment 303505
To view parent comment, click here.
To read all comments associated with this story, please click here.
RE[4]: Trusted Solaris?
by PlatformAgnostic on Wed 5th Mar 2008 17:09 UTC in reply to "RE[3]: Trusted Solaris?"
PlatformAgnostic
Member since:
2006-01-02

Any idea why the cost is so high?

On Windows, we do the expensive security check when you open a handle (aka fd) and you are granted tbe desired rights until you close the handle. There is a cost when using handles of checking that the handle has been given the right needed for each operation, but it's a single AND and a comparison that happens in the handle table lookup codepath.

What does SELinux do that is more expensive?

Reply Parent Score: 3

RE[5]: Trusted Solaris?
by sbergman27 on Wed 5th Mar 2008 18:20 in reply to "RE[4]: Trusted Solaris?"
sbergman27 Member since:
2005-07-24

Any idea why the cost is so high?

In this case, apparently it was checking more frequently than necessary. From the email that Method and I were looking at:

I found a overhead in selinux_file_permission function.
This is a function that is called in read/write calls,
and does SELinux permission check.
SELinux checks permission both in open and read/write time.
Stephen Smalley sugessted that we can usually skip permission check
in selinux_file_permission.
By this patch,
permission check in selinux_file_permssion is done only when
- sid of task has changed after file open
- sid of inode has changed after file open
- policy load or boolean change happen after file open

Just how much work has actually gone into optimizing SELinux performance is unclear to me. The Fedora Core 5 SeLinux FAQ, which is the latest available, has this to say:

SELinux performance tuning continues to be a priority of the development team.

The "Unofficial SELinux FAQ" says:

Currently, the performance overhead is approximately 7%. There has been little effort to date to optimise the SELinux code for performance, and in some cases such as networking the impact may be higher. The SELinux development team is looking at improving performance. If you set "selinux=0" as a kernel boot option, SELinux will have no performance impact.

There has been quite a bit of work on the performance of SE Linux. In early 2005, SE Linux was optimised for machines with 32 or more CPUs. Recently changes have been made to the kernel code to reduce memory use (not in kernel.org or distribution kernels yet).

So, based upon that, while there has been little effort to date to optimize SELinux code for performance, there has been quite a bit of work on the performance of SE Linux. But those of us unfortunate enough to have fewer than 32 cores are SOL in any case. ;-)

The official SELinux FAQ is mum on the issue.

Edited 2008-03-05 18:32 UTC

Reply Parent Score: 3

RE[5]: Trusted Solaris?
by Method on Wed 5th Mar 2008 18:20 in reply to "RE[4]: Trusted Solaris?"
Method Member since:
2006-05-15

Any idea why the cost is so high?

On Windows, we do the expensive security check when you open a handle (aka fd) and you are granted tbe desired rights until you close the handle. There is a cost when using handles of checking that the handle has been given the right needed for each operation, but it's a single AND and a comparison that happens in the handle table lookup codepath.

What does SELinux do that is more expensive?


It use to revalidate read/write perms on every read and write so that if access were revoked, due to file relabeling, policy reload, an open file descriptor being passed to a domain that did not have read/write access or policy boolean change the access would be denied.

Now it still supports that but doesn't have to consult the policy each time because it keeps the policy sequence number, which is incremented and keeps track of relabels.

This is different than most other implementations because we wanted to support revocation and wanted to be able to fully understand, via policy, what domains could access what files. Unfortunately we can't fully support revocation due to the ability to mmap() files.

Edited 2008-03-05 18:24 UTC

Reply Parent Score: 2

RE[6]: Trusted Solaris?
by PlatformAgnostic on Fri 7th Mar 2008 02:42 in reply to "RE[5]: Trusted Solaris?"
PlatformAgnostic Member since:
2006-01-02

The revocation issue is interesting and one that is totally unsupported by Windows in the current incarnations. It could be implemented for all kernel securable objects, however, without breaking the driver ABI(I've got a way in mind).

Application compatibility, on the other hand, would suffer greatly. And it would create the risk of data loss and mysterious failures when an application can open a file successfully with write access but then fails to write due to asynchronous changes to the ACL. As a practical matter, do these revocations work? Is it easy for an administrator to do it through the tools available, or is this just a theoretical capability of the system?

Reply Parent Score: 2