[rsbac] RSBAC RC vs. SELinux

Peter Busser peter at devbox.adamantix.org
Sun Dec 28 12:19:45 CET 2003


> I've just read through a study about NSA's SELinux and I've got the
> feeling that the RC module and SELinux's TE+RBAC mode are _very_
> similar. Not the same but very similar. Is there a comparison or study
> between the two (benchmarks etc.) or should I create one if I want to
> start to compare them? I know the best way is to compare them by myself
> and study but I'm curious about others' opinions (not to blind myself with
> my opinion).

In general you could say that LSM restricts the kind of access control SELinux
is able to implement. From what I heard, there are no auditing or network
access control hooks in LSM. This functionality is therefore probably lacking
from SELinux. RSBAC does not suffer from these arbitrary limitations imposed
by LSM (that is, arbitrary from a security point of view). (BTW, more about
LSM restrictions at: http://www.rsbac.org/lsm.html)

Another feature found in RSBAC is the combination of modules. The total of the
modules is more than the sum of the individual modules. In other words, you can
use the modules which are best suited for a given job or use a combination of
modules. This reduces the overall complexity. (And complexity is the enemy of

Peter Busser

