Here are the slides from my FOSS.IN/2005 talks.

• Overview of NSA Security Enhanced Linux (pdf)
• SELinux Kernel Internals and Architecture (pdf)

Also, found some good media coverage here in The Hindu.

Bangalore: The grounds of the Bangalore Palace have seen many high tech conferences — including the annual IT.in mela — but nothing like this: On Tuesday nearly 3000 young `techies’ queued up for over an hour to register for `FOSS.in’, the annual Free and Open Source Software conference which began five years ago as the Bangalore Linux event.

The atmosphere here is fantastic. It’s currently a very bright and warm day with a nice dry breeze. People are wandering around the grounds of the Bangalore Palace, sitting under trees, chatting, eating lunch. All of the technical talks I’ve seen so far have been packed. I can’t remember another conference with so much enthusiasm and such intense thirst for knowledge. It seems like there’s a looming explosion in grassroots Linux activity here (consider the fact that this huge conference itself is a volunteer effort).

I’m now in Bangalore for FOSS.IN/2005, which looks to be a very large event this year with several thousand delegates expected. Wandered around the city today with a few other speakers, and found lots of Linux books and distros available on store shelves.

(Rs. 450 is about USD $10).

There’s just over two weeks left to nominate for the SELiunx Symposium Community Delegate Program. If you know someone making important community-based contributions to SELinux, nominate them per the link and they may be selected to travel to the 2006 SELinux Symposium in Baltimore, Maryland. Remember that you can self-nominate, and that nominations are open worldwide.

I’ll be giving two SELinux talks at FOSS.IN/2005 in a couple of weeks. One on kernel internals and architecture, and another on developments in SELinux. So far, there are 185 events scheduled overall with around 3000 people expected to attend. I’ve never seen a technical Linux/FOSS conference on this scale.

Reduced memory footprint
The 2.6.14 kernel release has an important change in the way SELinux uses kernel memory.

Under SELinux, checkpolicy manipulates security policy entries into low-level access rules and compiles them into a binary format. The binary policy is then loaded into the kernel via writing to /selinux/load. During the load, these access rules are inserted kernel’s access vector table (avtab), which is later consulted for every SELinux access control check, with results cached in the access vector cache (AVC).

A typical security policy may contain tens or even hundreds of thousands of these low-level rules, and thus, require significant amounts of kernel memory to store them in the avtab. A patch from Stephen Smalley (here) was merged upstream during 2.6.14 development which dramatically reduces the memory used by the avtab. It first reduces the size of the data structures used to hold the access rule information, resulting in a ~50% reduction in the total size of the memory used. The total number of avtab nodes is also reduced, by essentially pre-computing less information. The latter theoretically imposes an additional runtime overhead, although any calculated results are stored in the AVC, and no significant performance hit has been measured.

This results in memory savings of up to around 20x, depending on the system architecture and policy configuration. I measured the number of avtab slab objects on a 64-bit system at the time (via “grep avtab_node /proc/slabinfo“):

            #objs  objsize   kernmem
Targeted policy:
  Before:  237888       40     9.1MB
  After:    19968       24     468KB

Strict policy:
  Before:  571680       40   21.81MB
  After:   221052       24    5.06MB

This shows a massive kernel memory saving for targeted policy, from over 9MB to 470KB. The avtab object size is reduced from 40 bytes to 24 (on 32-bit, it’s 32 bytes to 16), and the total number of entries is reduced by an order of magnitude. As well as the sheer reduction of kernel memory, having a smaller object size invokes other efficiencies such as increasing the number of objects per slab. Improvements for strict policy are not as large, but still significant. Given that the default is targeted policy, this is a very welcome outcome.

Generic security xattr handling
Another interesting patch (here), changes the VFS to punt security extended attribute calls to the loaded security module if the filesystem does not support them natively. This allows the security module to perform in-kernel labeling for all such filesystems, and for the removal of existing security xattr code for devpts and tmpfs (and the need to write similar code for other psuedo-filesystems). Under SELinux, this change means that security xattrs on pseudo-filesystems now “just work”. Calls to setxattr(2), getxattr(2) and listxattr(2) operate on in-kernel values automatically, and you’ll actually see security contexts now when doing things like:

# ls -Z /selinux/null 
crw-rw-rw-  root     root     system_u:object_r:null_device_t  /selinux/null

Atomic inode create and label
This patchset implements atomic inode labeling, ensuring that it is possible to create and label a file in an atomic operation. Previously, there was a gap during file creation where it was possible to access an inode before the labeling hook was invoked. This has always been safe under SELinux, due to inodes being created with a safe default label, although under heavy loads, you would sometimes see false denials caused by this default label being referenced. The security risk here was indirect: people may end up loosening their security policies to avoid the false denial messages. The patchset fixes the problem by adding a new LSM hook inode_init_security, to be called from within each security xattr supporting filesystem during file creation. Each of these filesystems has been modified to call the hook.

Miscellaneous
As well as minor fixes and the usual audit-related adjustments, there’s an update to the way IP protocol sockets are classified by SELinux, to correctly accommodate more recently implemented protocols such as SCTP and DCCP.

***

Also, there’s a month left to get nominations in for the SELinux Symposium Community Delegate Program. If you know someone (including yourself) who’s active in the SELinux community, and you think they deserve a free trip to Baltimore, be sure to nominate them before November 30th.

Red Hat and HP are sponsoring a delegate program for the 2006 SELinux Symposium in Baltimore, Maryland, USA.

Modeled somewhat on the Sun Regional Developer Program for LCA, the purpose of this program is to recognize and encourage community-based SELinux efforts. Up to three delegates will be chosen to attend the symposium, covering the costs of their travel, registration and accommodation.

If you know anyone who’s been doing good work on SELinux (including yourself), follow the link below and nominate them.

Note that this is not just for developers: any form of involvement, including helping out on mailing lists, documentation, academic research, user group efforts etc. is valid for nomination in this program. The closing date for nominations is November 30, 2005, so there’s still quite a bit of time.

Full details of the SELinux Symposium Delegate Program here.

If you update to the current Fedora rawhide now, you’ll be able to start using a new security mechanism called Multi-Category Security (MCS).

Rationale
MCS is something we’ve been working on to help make SELinux more user-oriented, as well as adapt some of the Multi-Level Security (MLS) infrastructure for more general use. An important aspect of SELinux is that it implements Mandatory Access Control (MAC), where security policy is managed by a system or security administrator and is not overridable by users or applications. MAC is important for dealing with security threats arising from software flaws, malware, user error and some classes of malicious users.

Unfortunately, a fine-grained, flexible MAC system is also likely to be complicated, reflecting the complexity of the underlying operating system. Currently, the idea is that a vendor (such as Fedora) ships the SELinux security policy, which may then be modified in a controlled and limited way by a system administrator via ‘booleans’. These are a set of high level abstractions which may be enabled or disabled as required, such as ‘httpd_enable_cgi’.

The vendor and the sysadmin thus have some say in the way security is imposed on this MAC system, but users have no real say over things. Which is generally what we want with MAC security, although as a technology, it doesn’t really empower or engage users. How can a MAC system allow users to have more direct control over security? The answer is pretty simple: provide a mechanism which allows users to further restrict the security of their own resources. This is what MCS does.

In a nutshell, MCS is an enhancement to SELinux which allows users to label files with categories. These categories are used to further constrain DAC and TE logic. They may also be used when displaying or printing files. An example of a category is “Company_Confidential”. Only users with access to this category can access files labeled with the category — assuming the existing DAC and TE rules also permit access.

The term categories here refers to the same non-hierarchical categories as used by MLS. I recently provided an overview of MLS and related concepts including categories here — it may be useful as a reference in understanding MCS. To briefly recap, under MLS, objects and subjects are labeled with Security Levels. These Security Levels consist of an hierarchical sensitivity value (such as “Top Secret”) and zero or more non-hierarchical categories (such as “Crypto”). Categories provide compartments within sensitivity levels and enforce the need to know security principle.

MCS is in fact an adaptation of MLS. It re-uses much of the MLS framework in SELinux, including the MLS label field, MLS kernel code, MLS policy constructs, labeled printing and label encoding/translation. From a technical point of view, MCS is a policy change, along with a few userland hacks to hide some of the unwanted MLS stuff. There are a couple of kernel changes, but only relating to making it easy to upgrade to MCS (or MLS) without invoking a full filesystem relabel.

Another important justification for MCS is that it will provide a way to more widely deploy, test and even shape the concurrent MLS development effort. Legacy MLS systems have often been an old, heavily modified fork of the main OS product. These ‘trusted’ systems tend to fall behind their general purpose counterparts by at least a release or two, and could be described as a series of evolutionary dead ends accompanied by expensive certificates. The userbase for these systems is likely to be very small and narrow, and the QA burden must be enormous (read: expensive, and passed on to the user). With MCS, we ‘re trying to avoid these problems to a large extent by including MLS technology in the current version of the OS and enabling a generally useful subset of it by default. We want this technology to be mainstream, as far as possible.

The hope is to improve the quality of the system as a whole, reduce costs, leverage the open source process, increase transparency, and make the technology base useful to more than a handful of extremely special case users.

Design
There are a few major differences between MCS and MLS:

1) MCS ignores sensitivity levels. Everything is labeled with the same sensitivity, ‘s0’, which makes the idea of sensitivity levels effectively disappear. Hierarchical security designations generally do not map well outside of Military and similar environments, which are rigidly defined and controlled.

2) MCS discards the Bell La-Padula (BLP) security model. BLP properties such as No-Write-Down, which is designed to prevent leakage from high security levels to low security levels, are often confusing and break many assumptions of existing software . Consider root not being able to write to /tmp, as one of many possible problems relating to shared data.

3) MCS is discretionary, similar to standard Unix DAC logic. The current implementation provide users with MCS control over their own files. This should map more readily to more general cases, reflecting the typical discretionary nature of real-world security outside of the Mil/Gov etc. environment. It is possible to adjust MCS to make it less discretionary, but really, that’s what MLS is for.

4) MCS always runs at a single level. The current level of all subjects running on the system is ‘s0’. When a subject is granted access to categories (remember: a security level is a combination of sensitivity and categories), this is done by adding categories to the high range clearance of the subject. The high range clearance refers to the maximum security level that the subject can run at. Under MCS, the subject will never run at anything other than ‘s0’, so the high range clearance is merely used to determine which categories the subject has access to when performing an access control decision. This is similar to Unix supplementary groups: a process can have access to several supplementary groups but not be running in any of them. Similarly, under MCS, a process can have access to a set of categories, but not be running at a security level which includes them. Having everything running at the same level vastly simplifies things.

MCS uses MLS technology, but is not MLS. This should be made very clear: MCS does not provide any inherent protection against flawed or malicious software, user error or malicious users. However, keep in mind that it sits on top of standard Type Enforcement (TE), which is a MAC scheme. Both traditional DAC and TE rules are consulted before MCS rules.

So, a user might create a file and label it with the category “Company_Confidential”. Only processes with access to that category will then be able to access the file. Apache, for example, would not be able to read the labeled file, unless it was itself cleared to access the “Company_Confidential” category.

The names of the categories are set by the sysadmin, who also determines which users have access to which categories. Internally, SELinux sees all categories in the form Cn (C0…C127). A translation file, /etc/mcs.conf, may be edited by the sysadmin to assign locally meaningful values to categories. The intent here is to allow maximum flexibility when deploying systems.

Categories could be names of departments, such as “Finance” and “Payroll”; they might refer to the nature of the information and be linked to business rules for information handling, such as “Patient_Data” or “Credit_Card_Details”; they could also indicate that the information is associated with specific NDAs like “NDA-GOV-12338310A”. It’s really up to users how they make use of MCS and integrate it with their business rules.

You may realize by now that MCS seems like ACLs. MCS is similar, but not equivalent to ACLs. For detailed discussion on the subject, refer to this thread on the SELinux mailing list.

Use
Beyond access control, one planned use of MCS is to re-use MLS labeled printing, so that the MCS categories can be displayed at the top and bottom of each page being printed, and/or on a cover sheet which may also indicate handling procedures for the document. It should also be possible to integrate MCS with future developments in SELinux, such as Security Enhanced X. If integrated with a directory server, it may be possible to add MCS support to email, so that outgoing emails can be labeled by the sender and also through the act of attaching labeled files. The mailer can then determine whether the recipients are known to be cleared to access the categories assocated with the emails.

Currently, MCS is in an early but useable and seemingly stable stage of development. As mentioned, upgrading to the latest Fedora rawhide will install the updated policy and userland components. If you want to activate MCS, you will need to reboot your system (sorry). This is absolutely required as SELinux has to be restarted with MLS subsystem active, which can only be done securely during early kernel initialization. You should not need to relabel your filesystem, even though the label format on disk has changed. Pre-MCS files contexts will be interpreted automatically by the kernel as MCS contexts. Newly created files under MCS will, however, be labeled with the extra ‘MLS’ field:

$ touch foo
$ ls -Z
-rw-r--r--  fred     fred     user_u:object_r:tmp_t:s0           foo

Note the ‘s0’ on the end. This is the dummy sensitivity level with which everything is labeled under MCS. Normally, this component will be hidden, as it is not useful under MCS. In this case, the field was un-hidden by editing /etc/mcs.conf and adding a line:

disable=1

Setting that to zero again will enable the label translation library.

$ ls -Z
rw-r--r--  fred     fred     user_u:object_r:tmp_t               foo

With the dummy sensitivity level hidden, the system, by default will act as if nothing has changed. Only when categories are added to files should behavior change.

Currently, it is always still possible to see the ‘real’ label on the file with getfattr(1), which calls getxattr(2) directly without using the label translation library.

$ getfattr -n security.selinux foo
# file: foo
security.selinux="user_u:object_r:tmp_t:s0\000"

This is expected to change in the 2.6.15 kernel (and already has in the latest -mm kernels), so that getxattr(2) always returns the kernel’s canonicalized version of the label. This is to simplify the userland code, which is currently jumping through some flaming hoops to manage different label formats.

Adding a category to a file is currently performed via chcon(1):

$ chcon -l Moonbase_Plans foo

$ ls -Z foo
-rw-r--r--  fred     fred     user_u:object_r:tmp_t:Moonbase_Plans foo

Note that the category label is in the MLS field of the security context. The value of the label was configured in /etc/mcs.conf for this example.

s0:c10=Moonbase_Plans

Which means: c10 is to be translated to “Moonbase_Plans”, where c10 is one of the generic categories used internally by SELinux. Now, domains without access to this category will not be able to access the file.

Note that you can view the internal category value (c10) as part of the raw MLS field using gefattr(1) or disabling label translation (as mentioned above).

$ getfattr -n security.selinux foo
# file: foo
security.selinux="user_u:object_r:tmp_t:s0:c10\000"

Status
In this initial release, by default, all SELinux users are provided with access to all categories (c0 through c127). This can of course be locally customized by the sysadmin, but the primary intention at this stage is to enable the technology and get people using it.

Work is being done on a flexible user management scheme, where individual users at the Unix level are assigned a set of categories during login. This is to prevent the need for manipulating SELinux user policy and policy reloads.

Join the NSA SELinux mailing list if you’re interested in discussing and/or using MCS as we develop it further.

A special thanks to Dan Walsh who did a lot of heavy lifting getting some of the tricky userland MCS stuff working. It’s quite a feat to enable a new security model in a mainstream general purpose operating system without causing a great deal of disruption.

Patches from Lorenzo Hernandez Garcia-Hierro add two new memory execution permissions for processes:

• execheap – this permission is required for a process to make heap memory executable, even if it already has the execmem permission. The X server’s module loader seems to need this currently.
• execstack – similarly, this permission is now required if a process wants to make its main stack executable. This is for applications such as JVMs, although, mplayer needs this permission for some reason.

A patch for the MLS code allows easier transition to an MLS system by handling the lack of an on-disk MLS field in the security context of a file if running in MLS mode. Instead of the previous behavior of just internally setting the security context to ‘unlabeled’, SELinux will internally infer an MLS field based on the default for the filesystem mount. This is intended to allow systems to enable MLS without requiring a full filesystem relabel (which can take a very long time).

Otherwise, things have been fairly quiet for SELinux in this kernel release: a few bug fixes and assorted changes related to ongoing CAPP audit development (which SELinux is dependent on).

MLS Background
I was planning on writing an introductory article on Multilevel Security (MLS), to be published here or at another online venue. The purpose being to provide a gentle introduction to the subject for those wishing to understand MLS under SELinux.

During my research, I came across a good introductory article online by Dr Rick Smith: Introduction to Multilevel Security.

Rather than covering much of the same ground, but not as well, I’d instead recommend that people who are interested in getting started learning about MLS simply go and read that (at least the Introduction section).

Other online materials worth tracking down are manuals for “trusted” versions of a couple of remaining Unix variants (e.g. Trusted Solaris), keeping in mind that implementation details will vary.

Book-wise, I’d recommend:

• Security Engineering: A Guide to Building Dependable Distributed Systems by Ross Anderson (a general, indispensable security book with some coverage of MLS)
• Fundamentals of Computer Security Technology by Edward Amoroso (essential text covering many of the MLS concepts and technologies in more detail).

Brief Concepts and Terms
However, I will very briefly outline a few key concepts, and terms as we use them. (MLS terminology is a confusing mess across different implementations and standards).

MLS, as discussed here, refers to a specific Mandatory Access Control (MAC) security scheme. Under this scheme, processes are called Subjects. Files, sockets and other passive operating system entities are called Objects.

Subjects and Objects are labeled with Security Levels (SLs).

An SL is composed of two types of entities:

1. Sensitivity: An hierarchical attribute such as “Secret” or “Top Secret”
2. Categories: A set of non hierarchical attributes such as “US Only” or “UFO”

An SL must have one sensitivity, and may have zero or more categories.

Examples of SLs are: { Secret / UFO, Crypto }, { Top Secret / UFO, Crypto, Stargate } and { Unclassified }

Note the hierarchical sensitivity followed by zero or more categories. The reason why we have categories as well as sensitivities is so that sensitivities can be further compartmented on a need to know basis. For example, while a user may be cleared to Secret, they may not need to know anything about project WarpDrive (which could be the name of a category).

– SLs on Objects are called classifications.
– SLs on Subjects are called clearances.

Thus, Objects are labeled with a classification while Subjects operate with a specific clearance. SLs can have also ranges, but we’ll keep it simple here and ignore that.

MLS Policy
The rules governing MLS access are quite complicated (sometimes counter-intuitive), and covered in detail in some of the references listed above. There are several MLS models. The most common, Bell-LaPadula (BLP) deals with confidentiality. Another, Biba, provides an integrity model. Some existing systems use both. SELinux actually uses BLP, with Type Enforcement (TE) for integrity.

But in very simple terms, MLS policy will ensure that a Subject has an appropriate clearance to access an Object of a particular classification.

For example, under MLS, the system will need to know how to answer a question like:

Can a process running with a clearance of { Top Secret / UFO, Railgun } write to a file classified as { Top Secret / UFO } ?

The MLS model and policy implemented for it will determine the answer. (As an exercise, consider the problem of information leaking out of the Railgun category into the file).

MLS meets a very narrow (yet critical) set of security requirements based around the way information and personnel are managed in rigidly controlled environments such as the military. To my knowledge, MLS has not been widely successful in the general commercial world, although there are apparently a few commercial MLS deployments. MLS is typically very difficult to work with and maps very poorly to general case scenarios.

Type Enforcement under SELinux is actually a far more flexible and expressive security scheme, which is in many cases more suitable than MLS, although there are several scenarios where traditional MLS is still required. For example, when you have a large number of Security Levels and a need for strong isolation on a single system; such as a file server where the stored data may be of mixed classification and where clients connect at different clearances. This type of scenario is the reason that SELinux includes MLS as a security model, as an adjunct to TE.

LSPP Certification
Currently, efforts are just underway to have Linux certified as an MLS operating system. The certification is equivalent to the old B1 rating, which has been reworked into the Labeled Security Protection Profile under the Common Criteria scheme.

People interested in participating in or following the LSPP effort should subscribe to the redhat-lspp mailing list via: https://www.redhat.com/mailman/listinfo/redhat-lspp

Community
One of the issues with MLS is that it’s a very specialized security scheme with a narrow userbase. So, it’s really not a great fit with the open source development model. An important challenge we face is to engage the wider community with this technology by making it more generally useful. We (various SELinux developers) are currently working on an project which will attempt to do this, and we should hopefully have more to say on this soon. Currently it’s a matter of getting the initial work done and then integrated into Fedora.

The Call for Papers for the 2006 SELinux Symposium has now been issued at http://www.selinux-symposium.org/2006/callforpapers.php

This second symposium will be held in Feb/Mar next year in Baltimore.

Proposals are due September 19th, so there’s a couple of months to prepare.

Be there and be square!

The slides from my Netconf talk are now online here. They cover some current developments and future directions for networking under SELinux.

Slides from all of the talks should be up on the Netconf site soon, and the talks will be summarized at the Kernel Summit in a few days by Stephen Hemminger or a mystery guest.