[nSLUG] Policy. WAS Re: Every one in a while....
jeff at coherentnetworksolutions.com
Fri Oct 19 13:40:27 ADT 2007
Quoting Daniel Morrison <draker at gmail.com>:
> My take on this is that Unix had a half-decent permissions scheme for many
> years, while MS didn't. Microsoft created a giant policy framework which,
> naturally having the benefit of hindsight, was more flexible and capable than
> the Unix model, although much more complicated. Inertia is keeping the Unix
> model in place, and things like SELinux have been created to supplement it
> in order to provide the "granularity" and flexibility that some modern
Well, to be fair, Windows NT always had an exceedingly fine-grain
security model, (conceptually) inherited from VMS, with a good
opportunity for hindsight with that and other systems - plus a good dose
of second-system effect.
It is horrifically complicated at an API level, the interactions of
ordering ACLs being difficult to understand - and early on,
undocumented. Thus many/most developers saying "fuck that" to
themselves and "run as administrator" to their users. Academics loved
it, mortals in industry couldn't figure it out.
So... About where SELinux is today :)
> So now that we've got all that out in the open, let's either have
> discussion about SELinux policies and possibly how they compare with the
> current Windows implementation of GPO, or whatever it is, or let's
> just let it be.
GPO runs on top of this low-level kernel API, but is a bunch of levels
of abstraction up. GPO compares to gconf policy, not to SELinux.