Monday, November 26, 2007

Politics. Mudslinging. Chocolate.

Whether Murray is right or not, I think his recent rant is rather tasteless and I agree some kind of retraction/apology is needed.

FWIW, Murray’s post certainly don’t reflect what I’ve experienced when I started participating in the GNOME project 2003-2004ish. That said, I acknowledge it may reflect what others have experienced. I don’t know. Also, I tend to stay out of politics… at least politics on that level. That said, I do appreciate others doing all this work; for a project of GNOME’s size we do need people in the foundation and some board, we need people spreading the word around GNOME, we do need to participate in standard organizations etc.

Either way, this kind of mudslinging is very unproductive for the project and everyone involved should know better. An old friend of mine once said “Can’t we just focus on the chocolate?”. This was in reaction to stupid in-company fighting and also a pun on a tv commercial from some chocolate company. The commercial involved three chocolate makers. They were making chocolate. Or rather, two of them were ranting about all sorts of non-sense and as a result they didn’t make much chocolate. At some point the third guy just had enough and he started whining. Much like me in this post.

Guys, can we please focus on the chocolate instead of all this non-sense?


Sunday, November 18, 2007

On Xguest, Access Control and Desktop

Dan, I think the ideas behind Xguest are nice. But your ideas about using SELinux to implement access control for users leaves much to be desired. If you think that a brutal approach of denying individual users to even access services like HAL, NetworkManager and Bluez is good, then please think again. Please realize that if you do this, the desktop experience will suddenly change. Things like networking and bluetooth applets will cease to work. The file manager will fall back to relying on /etc/mtab and /etc/fstab. I’m not sure PulseAudio will start.

The problem is that your approach is not fine grained; it’s all or nothing. And this is not really useful. For example, for NetworkManager what you want is to lock down the machine so the user can only connect to trusted networks. With e.g. trusted networks being defined as something that is defined in a file in /etc that only uid 0 can change.

I’m not sure if it’s a surprise to you, but over the past year or so I’ve been working on and off on an application-level access control mechanism (similar to various RBAC implementations but with a few innovations on top) called PolicyKit that does all this. It’s specifically designed and optimized for desktop applications but can also be useful for legacy UNIX command line apps. It puts the administrator and users back in control since it provides a way for them to gain authorizations by authenticating and also supports systems like Ubuntu that has no root password. It provides a nice user interface for human beings to manage authorizations. There’s GTK+ widgets to make it really simple to integrate into existing applications (and KDE support is underway). The list of applications that are PolicyKit enabled is growing rapidly. It’s in all the major distributions. It encourages least privilege, e.g splitting a program into privileged and non-privileged bits.

It’s not that I hate SELinux because I don’t. I think SELinux is already very useful, just look at how useful SELinux is in confining network-facing and privileged services. I also have SELinux support in PolicyKit already and I plan (with your help) to make gnome-user-share run in a dedicated SELinux context so it is authorized to punch holes in the firewall without any configuration whatsoever (today it’s totally broken since g-u-s picks a random high port number to listen on). But, Dan, frankly, I think your use of SELinux to lock down access on the desktop is misguided. It’s a bit like if all you have is a hammer, then everything looks like a nail. I feel that it’s a bit sad that that two developers, working for the same company, in the same office are trying to solve the same problems. We really ought to do better.

(Disclaimer: this post does not necessarily represent the views of my employer, Red Hat, Inc.)

Update: A few people pointed out that I sounded too confrontational in this post and maybe they’re right. As I tried (and probably failed at) to explain it’s not either/or. Surely, there’s a ton of value in using SELinux to lock down privileged mechanisms like HAL, NM, Bluez and so on. Having PolicyKit and SELinux work well together is in everyone’s best interest.

Monday, November 12, 2007


Andy Oram wrote a nice piece on PolicyKit detailing what it is and some of the plans for the future. I also did a short walk-through recently on one of our staff meetings here at Red Hat, there are some pseudo slides here. On the topic of coverage I’ve recently add unit tests to all the library sources and gcov tells me we’re at 59%. Not too shabby.