Monthly Archives: June 2009

SELinux for Humans

I mean, SLUGs…

Paul Wayper gave a couple of talks on SELinux at this week’s SLUG meeting, and includes links to a couple of very useful slide decks:

The sysadmin slides look particularly useful, as they focus on solving common issues such as running FTP/SAMBA/Apache servers, and provide some very useful general tips, such as looking in the audit log and using policy booleans for high-level policy tweaking.

These slides may be the best short introduction for sysadmins on the topic that I’ve seen. It’s a difficult thing to get right.
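The two tips singled out above, reading the audit log and reaching for policy booleans before writing custom policy, can be turned into a small triage script. The following is an added example and not code from the slides or from the SELinux project; the audit records it parses are constructed, and the table of booleans is a hand-picked, illustrative mapping (the real tool for this job is audit2why, which reads the loaded policy).

```python
"""Triage SELinux AVC denials from audit log lines (added example)."""
import re
from collections import Counter

# Constructed sample records in the shape auditd writes AVC denials; they are
# not taken from any real system.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1245678901.123:456): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1245678902.456:457): avc:  denied  { read } for  pid=2345 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1245678903.789:458): avc:  denied  { read } for  pid=2346 comm="httpd" name="style.css" dev=sda1 ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1245678903.789:458): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1245678904.012:459): avc:  denied  { write } for  pid=3456 comm="smbd" name="public" dev=sda1 ino=22222 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
"""

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other audit record."""
    if 'type=AVC' not in line:
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {
        'perms': m.group('perms').split(),
        'comm': fields.get('comm'),
        'scontext': fields['scontext'],
        'tcontext': fields['tcontext'],
        'tclass': fields['tclass'],
    }


def type_of(context):
    """Third field of user:role:type[:level] is the type, which is what policy is written against."""
    return context.split(':')[2]


def summarize(log_text):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            counts[(type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'], perm)] += 1
    return counts


# Illustrative hints only: a few reference-policy booleans that commonly govern
# these patterns. On a real system run audit2why, which consults the loaded
# policy, and remember that a boolean relaxes policy system-wide, so review
# each one before enabling it with setsebool -P.
BOOLEAN_HINTS = {
    ('httpd_t', 'user_home_t', 'file', 'read'): 'httpd_enable_homedirs',
    ('httpd_t', 'mysqld_port_t', 'tcp_socket', 'name_connect'): 'httpd_can_network_connect_db',
    ('smbd_t', 'user_home_t', 'dir', 'write'): 'samba_enable_home_dirs',
}


def triage(log_text):
    """Return [(pattern, count, boolean_or_None)] ordered by how often each denial occurred."""
    return [(key, n, BOOLEAN_HINTS.get(key)) for key, n in summarize(log_text).most_common()]


if __name__ == '__main__':
    for (src, tgt, cls, perm), n, boolean in triage(SAMPLE_AUDIT_LOG):
        hint = f'candidate boolean: {boolean}' if boolean else 'no boolean hint; check file labels or write a local module'
        print(f'{n:3d}x {src} -> {tgt} ({cls}:{perm})  {hint}')
```

Grouping by source type, target type, class and permission is what makes the log readable: three raw records collapse into two patterns here, and the most frequent pattern is usually the one worth fixing first. Denials with no boolean hint are most often a labelling problem (a file in the wrong type) rather than a reason to write policy.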

Security subsystem changes in the 2.6.30 kernel

Here’s an update on the major changes to the kernel security subsystem for the 2.6.30 kernel.

  • TOMOYO
    The TOMOYO security framework from NTT was merged. This is the first significant LSM scheme to be merged since SELinux in 2003. TOMOYO is characterized by its targeting of non-technical users, where security policy is automatically generated with a “learning mode” tool. This scheme utilizes pathnames for determining access to filesystem objects. Another interesting feature is that a domain, i.e. an active subject which acts on objects, is defined as a history of process invocations, rather than a single process. This allows policy to be applied to a particular branch of processes in the system. For example, an access permitted for init->httpd->perl may not be permitted for init->httpd->bash. Sample policy may be found here.
  • IMA
    IBM’s Integrity Measurement Architecture was also merged. This uses the TPM to verify and store cryptographic checksums of files used by the system, i.e. measurement. If a measured file has been modified on disk, this will be detected and stored permanently in the TPM. The aim is to help detect attacks based on modifying files—such as executable binaries or configuration files—although it cannot detect runtime attacks, and requires checksums to be known in advance for the full system startup chain. Files to be measured may be specified in a policy loadable via securityfs.
  • Remove Old SELinux Network Controls
    The original SELinux network controls were deprecated by the iptables-based Secmark system several years ago, although they remained available via the compat_net option for the likely few people who were using them. The old code has now been removed entirely, and users should transition to Secmark: Paul Moore has written a detailed guide for this.
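The TOMOYO point that a domain is the history of program invocations, not a single executable, is easy to miss, so here is a toy model of it. This is an added example written for this post, not TOMOYO code: the wildcard matching is fnmatch rather than TOMOYO's own pattern syntax, the operation names are made up, and only the domain-name rendering ("<kernel> /sbin/init /usr/sbin/httpd ...") follows TOMOYO's convention.

```python
"""Toy model of TOMOYO-style domains as invocation histories (added example)."""
from fnmatch import fnmatchcase


def domain_name(domain):
    """Render a domain the way TOMOYO displays it: '<kernel> /sbin/init /usr/sbin/httpd'."""
    return ' '.join(domain)


class ToyTomoyo:
    def __init__(self):
        self.policy = {}       # domain tuple -> set of (operation, path pattern)
        self.learning = set()  # domains currently in learning mode

    @staticmethod
    def execute(domain, program):
        """Executing a program transitions to a new domain: the old history plus the program."""
        return domain + (program,)

    def allow(self, domain, op, pattern):
        """Hand-written rule; shell-style wildcards stand in for TOMOYO's pattern syntax."""
        self.policy.setdefault(domain, set()).add((op, pattern))

    def set_learning(self, domain, on=True):
        (self.learning.add if on else self.learning.discard)(domain)

    def check(self, domain, op, path):
        """Decide an access. In learning mode an unknown access is recorded as a
        rule and allowed; in enforcing mode it is denied."""
        rules = self.policy.setdefault(domain, set())
        if any(r_op == op and fnmatchcase(path, pat) for r_op, pat in rules):
            return True
        if domain in self.learning:
            rules.add((op, path))
            return True
        return False


def demo():
    t = ToyTomoyo()
    init = t.execute(('<kernel>',), '/sbin/init')
    httpd = t.execute(init, '/usr/sbin/httpd')
    cgi_perl = t.execute(httpd, '/usr/bin/perl')
    cgi_bash = t.execute(httpd, '/bin/bash')
    cron_perl = t.execute(t.execute(init, '/usr/sbin/crond'), '/usr/bin/perl')

    # Learning mode on the CGI perl domain records what the application really uses ...
    t.set_learning(cgi_perl)
    t.check(cgi_perl, 'read', '/var/www/cgi-bin/app.pl')
    t.set_learning(cgi_perl, False)
    # ... and an administrator can generalise the learned rule with a pattern.
    t.allow(cgi_perl, 'read', '/var/www/cgi-bin/*.pl')

    return {
        'learned_domain': domain_name(cgi_perl),
        'perl_via_httpd_reads_cgi': t.check(cgi_perl, 'read', '/var/www/cgi-bin/other.pl'),
        'perl_via_httpd_writes_passwd': t.check(cgi_perl, 'write', '/etc/passwd'),
        # Same file, but bash spawned by httpd is a different domain with no rules.
        'bash_via_httpd_reads_cgi': t.check(cgi_bash, 'read', '/var/www/cgi-bin/app.pl'),
        # Same program (perl), different history, therefore a different domain.
        'perl_via_cron_reads_cgi': t.check(cron_perl, 'read', '/var/www/cgi-bin/app.pl'),
    }


if __name__ == '__main__':
    for k, v in demo().items():
        print(f'{k}: {v}')
```

The last two results are the point of the design: policy learned for perl under httpd does not leak to perl under cron, and a shell spawned by the web server gets nothing at all unless someone wrote rules for that exact chain. The flip side, visible in the learning step, is that the generated policy is only as good as the coverage of what the tool observed.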

The remaining changes were primarily bugfixes and enhancements across most parts of the security subsystem, including SELinux, SMACK, and keys.
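To make the IMA item above concrete, here is a toy model of measurement and PCR extension, added for this post and not taken from the IMA code. It assumes IMA's SHA-1 digests and a single PCR (IMA's default is PCR 10); the file contents and the known-good digest database are constructed.

```python
"""Toy model of IMA measurement and TPM PCR extension (added example)."""
import hashlib

PCR_SIZE = 20  # SHA-1 sized PCR; a fresh PCR reads as all zeros


class ToyIMA:
    def __init__(self):
        self.pcr = bytes(PCR_SIZE)
        self.measurement_list = []  # (path, sha1 hex), like IMA's runtime measurement list

    def measure(self, path, content):
        """Hash a file at the point it is used and extend the PCR with the digest.
        Extension is H(old_pcr || digest): order-dependent and one-way, so the
        list can later be checked against the PCR but not rewritten to match it."""
        digest = hashlib.sha1(content).digest()
        self.measurement_list.append((path, digest.hex()))
        self.pcr = hashlib.sha1(self.pcr + digest).digest()
        return digest.hex()


def replay(measurement_list):
    """Recompute the PCR value a verifier expects from a measurement list."""
    pcr = bytes(PCR_SIZE)
    for _, hexdigest in measurement_list:
        pcr = hashlib.sha1(pcr + bytes.fromhex(hexdigest)).digest()
    return pcr


def verify(measurement_list, pcr_value, known_good):
    """Return (ok, problems): first check the list is consistent with the PCR,
    then check every measured file against the known-good digest database."""
    if replay(measurement_list) != pcr_value:
        return False, ['measurement list does not replay to the PCR value']
    problems = [path for path, d in measurement_list if known_good.get(path) != d]
    return not problems, problems


def boot(files):
    """Simulate a boot that measures each file, in order, as it is used."""
    ima = ToyIMA()
    for path, content in files.items():
        ima.measure(path, content)
    return ima


def demo():
    # Constructed contents standing in for a short startup chain.
    pristine = {
        '/sbin/init': b'ELF init v1',
        '/usr/sbin/httpd': b'ELF httpd v2.2',
        '/etc/httpd/conf/httpd.conf': b'Listen 80\n',
    }
    # The known-good database has to exist in advance, built from trusted copies
    # of everything in the startup chain; that is the requirement noted in the post.
    known_good = {p: hashlib.sha1(c).hexdigest() for p, c in pristine.items()}

    clean = boot(pristine)
    clean_ok, _ = verify(clean.measurement_list, clean.pcr, known_good)

    # Config file modified on disk: the next boot measures a different digest.
    modified = dict(pristine)
    modified['/etc/httpd/conf/httpd.conf'] = b'Listen 80\nInclude /tmp/extra.conf\n'
    tampered = boot(modified)
    tampered_ok, tampered_problems = verify(tampered.measurement_list, tampered.pcr, known_good)

    # Rewriting the measurement list to show the expected digest cannot help:
    # the PCR already absorbed the real one, and extension is one-way.
    forged_list = [(p, known_good[p]) for p, _ in tampered.measurement_list]
    forged_ok, forged_problems = verify(forged_list, tampered.pcr, known_good)

    # Not modelled: a change made in memory after a file was measured. Nothing
    # re-measures, so the clean boot's evidence would still verify.
    return {
        'clean_ok': clean_ok,
        'tampered_ok': tampered_ok,
        'tampered_problems': tampered_problems,
        'forged_ok': forged_ok,
        'forged_problems': forged_problems,
    }


if __name__ == '__main__':
    for k, v in demo().items():
        print(f'{k}: {v}')
```

The two checks in verify are doing different jobs: replaying the list against the PCR establishes that the log itself is trustworthy, and only then is the per-file comparison meaningful. Without the TPM binding, the measurement list would be just another file an attacker with disk access could edit.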

Paul and I are finalizing the schedule for the security microconf at the upcoming Linux Plumbers Conference. It’s looking like a great line-up at this stage—stay tuned for more details soon.

SELinux Developer Summit: CfP closes 1st July (1 week)

Just a reminder for SELinux developers and anyone interested in the internals of SELinux that the SELinux Developer Summit CfP closes on July 1st, which is about a week away.

SELinux logo

Details of the CfP are here. Don’t forget to join the event mailing list if you’re attending.

Proposals for presentations, lightning talks, and development sessions should be submitted via email per the instructions in the CfP. Proposals do not need to be especially detailed: if you have a good idea, simply send it in.

mystery object

For reading this, you are rewarded with a mystery object (pictured above). See if you can figure out what it is before clicking on it and reading the comments @ flickr.

Classic Unix Design Principles

In the process of preparing my talk for KCA, I re-read the classic paper: The UNIX Time-Sharing System by Ritchie & Thompson. This paper was revised several times between 1973 and 1978, and the authors’ observations are well worth remembering:

Perhaps paradoxically, the success of the Unix system is largely due to the fact that it was not designed to meet any predefined objectives. The first version was written when one of us (Thompson), dissatisfied with the available computer facilities, discovered a little-used PDP-7 and set out to create a more hospitable environment […] We have not been faced with the need to satisfy someone else’s requirements, and for this freedom we are grateful.

Three considerations that influenced the design of Unix are visible in retrospect.

First: because we are programmers, we naturally designed the system to make it easy to write, test, and run programs. The most important expression of our desire for programming convenience was that the system was arranged for interactive use, even though the original version only supported one user. We believe that a properly designed interactive system is much more productive and satisfying to use than a “batch” system. Moreover, such a system is rather easily adaptable to noninteractive use, while the converse is not true.

Second: there have always been fairly severe size constraints on the system and its software. Given the partially antagonistic desires for reasonable efficiency and expressive power, the size constraint has encouraged not only economy, but also a certain elegance of design. This may be a thinly disguised version of the “salvation through suffering” philosophy, but in our case it worked.

Third: nearly from the start, the system was able to, and did, maintain itself. This fact is more important than it might seem. If designers of a system are forced to use that system, they quickly become aware of its functional and superficial deficiencies and are strongly motivated to correct them before it is too late. Because all source programs were always available and easily modified on-line, we were willing to revise and rewrite the system and its software when new ideas were invented, discovered, or suggested by others.

It’s clear that the success of Linux (and FOSS more generally) is underpinned by these principles. These principles are not merely about technology; they’re a way of thinking about technology and the people who create and use it.

Fedora 11 with sVirt

sVirt (MAC security for Linux Virtualization), which I’ve previously discussed here, and formally presented at LCA in January, was released today as an integral part of virtualization in Fedora 11.

If you’d like to give it a spin, simply download and install Fedora and use the GUI admin tools to create a new virtual machine.

Thanks again to Dan Walsh, Dan Berrange and all the developers who helped with input and the heavy lifting work of completing the userland code. It still amazes me how fast things move in FOSS.

As mentioned in my last+1 post, Dan W will be talking on this topic at the upcoming LinuxCon.

Further developments in this area are already underway, and you can expect to hear about them in the coming months—see the talk slides for possible hints.