PolicyKit: looser limitations, tighter security for Linux applications

by Andy Oram

We're used to thinking of system-enforced access policies as crude and coarse-grained, such as the setuid permission bit that lets a user execute a program as the file's owner. Fine-grained access has to be enforced by individual applications, a laborious coding process that is weakened by its inability to take advantage of underlying operating system security. PolicyKit, developed by Red Hat and included in Fedora 8, ameliorates this unsatisfactory situation.

Red Hat developer David Zeuthen describes, through examples, the types of access problems solved by PolicyKit: "it's fine to mount removable media; it's not fine to mount fixed media; it's not fine to change the timezone." These are operating system capabilities that can be enforced by such operating system components as the HAL or the filesystem. But any application can use the PolicyKit API to enforce any kind of access it chooses, and it gets the backing of the operating system. Zeuthen compares PolicyKit to Authorization Services on Mac OS X and Group Policy in Windows.


2 Comments

Wayne
2007-11-13 20:08:52
It doesn't seem as if PolicyKit will replace SELinux or PAM? If that's right, you still don't have a single policy DB. So why would an SA want yet another policy DB to maintain?


On the other hand, if PolicyKit is meant to replace SELinux it won't be good enough as described to pass C2 or Common Criteria for trusted base system components. Or, if meant to replace PAM it should become the new PAM and not a layer on top of PAM (which requires both PolicyKit and PAM security configuration files to be maintained.)


What am I missing?

Rudd-O
2007-11-19 09:33:26
SELinux serves a different purpose from PolicyKit. SELinux is a mandatory access control solution to contain processes and to prevent them from executing particular actions. PolicyKit is a toolkit to delegate parts of system administration. SELinux can't do what PolicyKit does. PolicyKit cannot do what SELinux does. They, therefore, are independent and complementary.