[nSLUG] Policy. WAS Re: Every one in a while....

Jeff Warnica jeff at coherentnetworksolutions.com
Fri Oct 19 13:40:27 ADT 2007

Quoting Daniel Morrison <draker at gmail.com>:

> My take on this is that Unix had a half-decent permissions scheme for many
> years, while MS didn't. Microsoft created a giant policy framework which,
> naturally having the benefit of hindsight, was more flexible and capable than
> the Unix model, although much more complicated. Inertia is keeping the Unix
> model in place, and things like SELinux have been created to supplement it
> in order to provide the "granularity" and flexibility that some modern
> installations
> require.

Well, to be fair Windows NT always had an exceedingly fine-grain  
security model, (conceptually) inherited from VMS, with a good  
opportunity for hindsight with that and other systems - plus good dose  
of second-system effect.

It is horrifically complicated at an API level, the interactions of  
ordering ACLs being difficult to understand - and early on,  
undocumented. Thus many/most developers saying "fuck that" to  
themselves and "run as administrator" to their users. Academics loved  
it, mortals in industry couldn't figure it out.

So... About where SELinux is today :)

> So now that we've got all that out in the open, let's either have   
> constructive
> discussion about SELinux policies and possibly how they compare with the
> current Windows implementation of GPO, or whatever it is, or let's
> just let it be.

GPO runs on top of this low level kernel API. but is a bunch of levels  
of abstraction up. GPO compares to gconf policy, not to SELinux.

More information about the nSLUG mailing list