[Info-vax] Desirable features for VMS
Simon Clubley
clubley at remove_me.eisner.decus.org-Earth.UFP
Fri Jan 26 13:36:17 EST 2024
On 2024-01-26, Arne Vajhøj <arne at vajhoej.dk> wrote:
> On 1/26/2024 8:16 AM, Simon Clubley wrote:
>> On 2024-01-25, Arne Vajhøj <arne at vajhoej.dk> wrote:
>>> On 1/25/2024 6:59 PM, Stephen Hoffman wrote:
>>>> Jails / sandboxes can be built upon some of the parts of mandatory
>>>> access controls, but I ~never want to have to use a system configured
>>>> for SEVMS-style MAC. Jails, sure. SEVMS-style MAC, not so much.
>>>
>>> SEVMS-style MAC was targeting the 1980's requirements.
>>
>> When I talk about MAC, I am talking about SELinux style MAC, not SEVMS.
>>
>> I've read the public SEVMS documentation and it is way too limiting for
>> today's world. SELinux fits right in however. One of the things I like
>> about SELinux is just how fine-grained and how wide-ranging the control
>> is. For example, you can allow a service to make outgoing TCP connections
>> on some ports and deny it access to every other TCP port.
>>
>> That way, even if the service gets compromised, the shellcode _still_
>> can't make an outgoing connection on any TCP port the service has been
>> denied access to.
>
> Is that even MAC? Elsewhere it is called a software firewall.
>
Yes, it absolutely is. It's part of the SELinux policy and has nothing
to do with the internal firewall that Linux systems also have.
It's just that SELinux has access to a _wide_ range of objects to control,
not just the traditional file-based access you may be familiar with from
older MAC systems, and a TCP port is just another internal object that
can be controlled by the SELinux policy, including your own extensions
to that policy.
> It is certainly a well known feature. Windows also got it.
>
> In theory it does enhance security. With no other mitigations
> in place it can prevent some problems. Like Log4Shell.
>
> But I don't know about how much impact it has in real life.
> Secure servers are already behind a firewall that by default
> blocks, so outgoing traffic is blocked.
>
That's one of the reasons it's part of a MAC policy, standalone from
any external firewall. The next outgoing connection from the shellcode
might be to a port on IP address 127.0.0.1 as part of a chained attack
so that external firewall never sees that connection attempt.
For anyone unfamiliar with SELinux, I just found this document that gives
a top-level overview of it. I wish VMS had something like this:
https://access.redhat.com/solutions/7032454
Simon.
--
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
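Added example, not part of the thread or of any SELinux project code: a minimal type enforcement module for a hypothetical service domain `myservice_t` that may open outgoing TCP connections only to ports labelled `mysqld_port_t` (the stock label for 3306/tcp), together with a small filter for the AVC records the kernel logs when anything else is attempted. The domain name, the port choice and the audit lines are constructed for illustration; `checkmodule`, `semodule_package` and `semodule` are the standard policy build and load tools.

```shell
#!/bin/sh
# Added example (assumptions: a service confined in the domain myservice_t;
# the only outbound destination it legitimately needs is a MySQL port).
# The permission that gates outgoing TCP connects is name_connect on the
# tcp_socket class, checked against the *type of the destination port*.
# That check does not care about the destination address, so a connect to
# 127.0.0.1:9999 from a compromised process is denied exactly like one to
# a remote host, which is the point made in the thread about loopback hops.

# Emit the .te source. Any port type not listed in an allow rule stays denied.
render_te_module() {
    cat <<'EOF'
module myservice_net 1.0;

require {
    type myservice_t;      # assumed domain of the service (constructed name)
    type mysqld_port_t;    # stock port type carrying 3306/tcp
    class tcp_socket name_connect;
}

# The single permitted outbound destination class.
allow myservice_t mysqld_port_t:tcp_socket name_connect;
EOF
}

# Build and load the module (needs root and the policy tools; not run here).
install_policy() {
    render_te_module > myservice_net.te
    checkmodule -M -m -o myservice_net.mod myservice_net.te
    semodule_package -o myservice_net.pp -m myservice_net.mod
    semodule -i myservice_net.pp
    # An unlabelled port can be given a type so a rule can name it, e.g.:
    #   semanage port -a -t mysqld_port_t -p tcp 3307
}

# Read audit lines on stdin and print "comm dest_port target_port_type" for
# every denied name_connect, i.e. every outbound connect the policy stopped.
# Other denials (file reads etc.) are ignored by the grep.
avc_name_connect() {
    grep 'denied.*{ name_connect }' |
    sed -n 's/.*comm="\([^"]*\)".*dest=\([0-9]*\).*tcontext=[^:]*:[^:]*:\([a-z_]*\).*/\1 \2 \3/p'
}

# Constructed audit records in the kernel's AVC format: two blocked connects
# (one to an unlabelled high port, one to 22/tcp) and one unrelated file denial.
SAMPLE_AUDIT='type=AVC msg=audit(1706275000.101:201): avc:  denied  { name_connect } for  pid=1234 comm="myservice" dest=9999 scontext=system_u:system_r:myservice_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1706275000.102:202): avc:  denied  { name_connect } for  pid=1234 comm="myservice" dest=22 scontext=system_u:system_r:myservice_t:s0 tcontext=system_u:object_r:ssh_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1706275000.103:203): avc:  denied  { read } for  pid=1234 comm="myservice" name="shadow" dev="dm-0" ino=123 scontext=system_u:system_r:myservice_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0'

# Stand-alone run: show the module source, then the filtered denials.
render_te_module
printf '%s\n' "$SAMPLE_AUDIT" | avc_name_connect
```

On a live system the filter would be fed with `ausearch -m AVC -ts recent --raw | avc_name_connect`; a name_connect denial for a port type the service has no business reaching is the kind of event worth alerting on, because it records an attempt the host firewall never had to see.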