Access Control: take them from Novell Netware

I feel the urge to clarify my initrc comment. Although it's been a while since I dealt with it, here's what I remember, and some context. I run a payment gateway, so we decided to use SELinux to enforce a true division of roles. We made root a second class citizen to the role a user belonged to. The most difficult part of doing this was that root could transition through rpm_t into initrc_t into any other role on the system. The idea, I think, being that root should be able to install packages, and packages, if they were related to a service, should be able to restart themselves. This had the unwanted effect of giving root the ability to transition to just about anything. Trying to remove the 20 bazillion independent transition paths took a hard 2 weeks. This was with the reference policy, and not a vendor supplied policy, which is much more strict than the strict policy. What it really boiled down to, is what it always boils down to in the end. That delicate balance between usability, and security. In the end it was doable, but it wasn't easy.

I think SELinux is amazingly complete. It allowed us to implement a solution that always requires 2 users, from a group of 3. You throw LUKS, encrypted drives, and removable media into the mix, and you have as close to a bullet proof scenario as possible. On the other hand, I don't want to have to write code that the average admin can't administer without spending a month dealing with a sharp learning curve.

Like a lot of us here I'm a developer, and a system administrator. When I have my development hat on I try to think of the user, and what they have to put up with, while balancing it with security requirements etc. As an administrator, I know I'm willing to tolerate more than most users. The difficult part for me, is defining my target audience, and understanding their abilities and tolerance, and shooting for that. And sometimes the perfect solution, has to be hobbled security wise, or the product won't sell. The only way I've found to begin addressing that is though intelligent defaults, and meaningful dialogs/user interaction.

I am intrigued by the Netware ACL's though, since you seem to have found a happy place when dealing with them as opposed to other permission systems. Thanks for the input.