Fine-grained access control -- XACE, XSELinux and X security

Mark Seaborn mseaborn at onetel.com
Wed Nov 30 13:16:03 PST 2005


Bryan Ericson <bericson at trustedcs.com> wrote:

> > Do XACE and XSELinux provide any new X requests?
> 
> No, although XSELinux does have a config file that it reads during
> initialization in our current implementation.

What does it let you configure?

How does XSELinux treat X's clipboard?  Is it perhaps an
all-or-nothing thing where an X client either cannot access the
clipboard at all, or can copy and paste to/from the clipboard at any
time?

Presumably XSELinux is not able to distinguish between a given
client's X resources (such as its various windows), because the client
does not co-operate in telling the server what functions the resources
have?

> > > Based on your description, I don't think XSELinux would work for
> > > you.  Access control in SELinux is based on access rules in the
> > > security policy, which cannot be modified on the fly.  Thus, if your
> > > app has access to another app, then it will always have that same
> > > level of access, and a given application has no control over which
> > > apps have access to it.
> > 
> > I'm curious, do the SELinux folks see this as a drawback of SELinux?
> 
> Actually, it's seen as an advantage.  It prevents a malicious program
> from attempting to escalate its own privileges.  Also, it allows for
> very predictable behavior, which is always a good thing for security. 

The problem is that it's not always possible to tell in advance what
authority an application should have.

Take an e-mail application, for example.  You might need to give it
read access to a file to be sent as an attachment.  If there isn't a
way for the user to grant this access dynamically, the user will have
to run the application with access to all of their files, because they
won't know in advance (when the app is installed or launched) which of
the files it might need.  This obviously violates the principle of
least privilege/authority.  This is what I'm trying to address with
the powerbox mechanism.

Mark
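The powerbox pattern Mark describes above, as an added illustration that is
not part of this thread nor of any project's code: the mail client holds no
ambient access to the user's files; a trusted chooser component opens the
one file the user picked and hands the application an open descriptor over a
Unix socket (SCM_RIGHTS), so the app sees a capability, never a path, and
gets exactly the mode the chooser decided on.  The sample file, the in-process
socketpair standing in for the app/powerbox boundary, and the function names
are all assumptions made for this example; the example does not itself
confine the application (a real deployment would run it in a sandbox with no
filesystem view), it only shows the grant and what the grantee can do with it.

```python
"""Powerbox-style dynamic file grant over a Unix socket (SCM_RIGHTS).

Constructed illustration (not code from the thread or any project): the
application never holds ambient access to the user's files.  A trusted
"powerbox" (here, the same process, standing in for a file chooser the user
drives) opens the file the user picked, read-only, and passes the open
descriptor to the app.  The app only ever sees a descriptor, never a path.
"""
import array
import os
import socket
import tempfile


def powerbox_grant(sock, chosen_path, flags=os.O_RDONLY):
    """Trusted side: open the user-chosen file and hand the descriptor over.

    The powerbox fixes the access mode (read-only for an attachment); the
    receiver cannot widen it afterwards.  The local copy of the fd is closed
    after sending because the kernel duplicates it into the receiver.
    """
    fd = os.open(chosen_path, flags)
    try:
        sock.sendmsg(
            [b"grant"],
            [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))],
        )
    finally:
        os.close(fd)


def app_receive_grant(sock, maxfds=1):
    """Untrusted side: receive descriptors (the recipe from the Python docs).

    Returns (message, list_of_fds).
    """
    fds = array.array("i")
    msg, ancdata, _flags, _addr = sock.recvmsg(
        16, socket.CMSG_LEN(maxfds * fds.itemsize)
    )
    for cmsg_level, cmsg_type, cmsg_data in ancdata:
        if cmsg_level == socket.SOL_SOCKET and cmsg_type == socket.SCM_RIGHTS:
            # Keep only a whole number of ints before unpacking.
            usable = len(cmsg_data) - (len(cmsg_data) % fds.itemsize)
            fds.frombytes(cmsg_data[:usable])
    return msg, list(fds)


def app_use_attachment(fd):
    """What the mail client can do with the capability it was given.

    Returns (contents, write_allowed).  write_allowed comes out False because
    the powerbox opened the file O_RDONLY; the app cannot escalate that.
    """
    contents = b""
    while True:
        chunk = os.read(fd, 4096)
        if not chunk:
            break
        contents += chunk
    try:
        os.write(fd, b"tamper")
        write_allowed = True
    except OSError:  # EBADF: descriptor is not open for writing
        write_allowed = False
    return contents, write_allowed


def demo():
    """Run the exchange end to end on a constructed attachment file.

    Returns a dict a caller (or a test) can check.
    """
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.txt")  # constructed sample attachment
        with open(path, "wb") as f:
            f.write(b"quarterly figures: constructed sample data\n")

        # AF_UNIX socketpair stands in for the app <-> powerbox channel.
        pb_side, app_side = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
        try:
            powerbox_grant(pb_side, path)  # the user "picked" this file
            msg, fds = app_receive_grant(app_side)
            assert msg == b"grant" and len(fds) == 1
            contents, write_allowed = app_use_attachment(fds[0])
            os.close(fds[0])
        finally:
            pb_side.close()
            app_side.close()
    return {
        "contents": contents,
        "write_allowed": write_allowed,
        "fds_received": len(fds),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is that the grant is made by the component the user
actually interacts with, at the moment the user chooses, and carries only the
rights the chooser decided on; the app's code path never learns the path and
never has a chance to ask for more than it was given.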


