Category Archives: Linux

Labeled NFS Requirements Draft Submitted

Dave Quigley has just submitted an Internet Draft to the IETF outlining the requirements for Labeled NFS:

MAC Security Label Requirements for NFSv4 (link)

Abstract

This Internet-Draft outlines high-level requirements for the
integration of flexible Mandatory Access Control (MAC) functionality
into NFSv4.1. It describes the level of protections that should be
provided over protocol components and the basic structure of the
proposed system. It also gives a brief explanation of what kinds of
protections MAC systems offer and why existing NFSv4 protection
mechanisms are not sufficient.

This draft is a generalization of the original Security Enhanced NFS document posted last year, addressing the general need for mandatory access control support in NFS.

NFSv4 currently supports two access control schemes: standard DAC and ACLs. MAC labeling support is required for technologies such as SELinux and OpenSolaris FMAC.

Essentially what’s needed is a way to convey MAC labels over the wire (for both setting and retrieving their values), and to be able to enforce security policy using those labels. The server needs to be able to determine the security label of the remote client process when enforcing policy, and all systems need to be able to ensure they understand each other’s labels, or be able to translate them. A “Domain of Interpretation” (DOI) attribute is used to determine the meaning of labels, a term which may be familiar to those who’ve braved the IPsec specifications. The confidentiality and integrity of these security attributes must be protected in transit, while all parties need to be authenticated. We also need to be able to handle the case where either the client or server does not have MAC enabled, and to ensure non-breakage with existing implementations. There’s a lot more in the details, but that’s the gist of it.
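To make the DOI requirement concrete, here is an added sketch (not code from the draft or from the Labeled NFS prototype) of how a receiver might decide which local label to enforce policy against. The struct layout, the use of DOI 0 for "peer sent no label", the fallback to an unlabeled context for a MAC-less peer, and the translation table entries are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a label as it arrives with a request. */
struct wire_label {
    uint32_t doi;       /* Domain of Interpretation; 0 = no label sent (assumption) */
    const char *label;  /* opaque to NFS, meaningful only within its DOI */
};
enum label_status { LABEL_NATIVE, LABEL_TRANSLATED, LABEL_DEFAULTED, LABEL_REJECTED };

/* Constructed translation table: (foreign DOI, foreign label) -> local label. */
struct xlate { uint32_t doi; const char *from; const char *to; };
static const struct xlate xlate_table[] = {
    { 2, "secret",       "system_u:object_r:secret_t:s0" },
    { 2, "unclassified", "system_u:object_r:public_t:s0" },
};
#define LOCAL_DOI 1u
#define UNLABELED "system_u:object_r:unlabeled_t:s0"

/* Copy a label only if it fits; a truncated label is a different label. */
static enum label_status emit(char *out, size_t n, const char *s, enum label_status ok)
{
    if (strlen(s) >= n)
        return LABEL_REJECTED;
    memcpy(out, s, strlen(s) + 1);
    return ok;
}

/* Pick the local label to enforce against. A label from a DOI we can
 * neither interpret nor translate is rejected, never guessed at. */
enum label_status resolve_label(const struct wire_label *in, char *out, size_t n)
{
    if (n == 0)
        return LABEL_REJECTED;
    out[0] = '\0';
    if (in->doi == 0 || in->label == NULL)      /* peer without MAC enabled */
        return emit(out, n, UNLABELED, LABEL_DEFAULTED);
    if (in->doi == LOCAL_DOI)                   /* same DOI: use as-is */
        return emit(out, n, in->label, LABEL_NATIVE);
    for (size_t i = 0; i < sizeof xlate_table / sizeof xlate_table[0]; i++)
        if (xlate_table[i].doi == in->doi && strcmp(xlate_table[i].from, in->label) == 0)
            return emit(out, n, xlate_table[i].to, LABEL_TRANSLATED);
    return LABEL_REJECTED;                      /* unknown DOI or unmapped label */
}

int main(void)
{
    char buf[64];
    struct wire_label foreign = { 2, "secret" };
    printf("%d %s\n", resolve_label(&foreign, buf, sizeof buf), buf);
    return 0;
}
```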

It may seem at first glance that NFSv4 named attributes (NAs) would provide the required labeling functionality, but they’re not a good fit. NAs are specified as opaque to the system and user-managed, while MAC security labels are managed by the system. NAs also do not provide necessary semantics such as conveying client security attributes or negotiation of DOI. There are also issues with attribute namespaces (which are user-managed and unspecified) and labeling atomicity. Another possible approach is to implement Linux/BSD-style extended attributes (EAs), which are simple text string attributes associated with files, in contrast with the NA “subfile” scheme. This would potentially only solve the attribute namespace issue, and is also not a good general solution. EAs are also not currently part of the NFSv4 specification, and it seems like a contentious area in any case.

The current Labeled NFS prototype code utilizes NFSv4 recommended attributes (RAs), which are fully extensible, already exist, and are already used for similar management of metadata (e.g. ACLs). This seems to be the simplest and most straightforward approach.

Once there’s consensus on the requirements, the next step will be to develop a protocol specification and hopefully have it incorporated into NFSv4. v4.1 is currently in “last call”, so the next candidate would be v4.2, it seems. The prototype code for Linux/SELinux will continue to be developed alongside the standards process.

For those interested in following or contributing to the project, there are several relevant mailing lists:

Dave is hoping to have further discussion at IETF 72 in July, and will be presenting on the state of the project at the SELinux Developer Summit ahead of that.

2008 SELinux Developer Summit Schedule Now Up

We managed to get the SELinux developer summit schedule published a few days early. Hopefully, this will help people who are making travel arrangements to OLS.

As mentioned, a lot of high quality proposals were submitted. To ensure that all important topics can be covered, the format of the summit has been changed to moderated discussion panels with presentations, rather than the original plan of having a set of fixed-length presentations followed by discussion panels.

Presentations will now be 10-20 minutes, with a greater focus on discussion. This provides much more flexibility, and is derived somewhat from experience with the kernel networking summit, which has been very successful with short presentations driving discussions.

The panel sessions are as follows:

  • Community
  • Applications
  • Desktop
  • Distributed Technologies
  • Policy Configuration
  • Policy Infrastructure
  • Emerging Technology/Works in Progress

More detailed information, including topics, issues, and links to abstracts may be found at the schedule page. Also see the printable version and the topics page.

All SELinux developers and folk with a technical interest in SELinux and related technologies are welcome to attend. Don’t forget that you also need to be registered to attend OLS.

SELinux Developer Summit: CFP closed

The 2008 SELinux Developer Summit CFP is now closed.

As suspected, most of the proposals arrived at the last possible moment. It looks like we have more proposals than can reasonably fit in one day, so the organizing team now has the interesting task of squeezing as much in as possible without overloading the schedule. This is going to be very difficult, as pretty much all of the submissions are of excellent quality.

In any case, we should have the schedule finalized and published within a week or so.

SELinux Developer Summit 2008 – CFP ends this week!

The Call for Participation for the 2008 SELinux Developer Summit closes on the 18th of April — that’s this Friday!

If you’ve been working on something interesting, there are some slots still open for the informal 30-minute talks. We’re also accepting suggestions for discussion topics and panels.

Send your ideas/proposals to the organizing team: selinux-summit-team AT namei.org

SELinux Developer Summit 2008 Announced

We’ve just announced the SELinux Developer Summit for 2008, which will be held in Ottawa (as an OLS mini-summit) on July 22nd. A CfP will be issued early next week, where we’ll be looking for people to submit talks and panel topics.

In previous years, the project has had the SELinux Symposium, generously run by Tresys, with an invite-only developer summit tacked onto the end.

The new Developer Summit is intended to track with the evolution of SELinux as a wider community project, and we are very pleased to be able to hold an open event this year in conjunction with OLS.

All developers and folk with a strong technical interest in SELinux and related Flask/TE projects are encouraged to attend. Note that attendees need to also be registered for OLS.

There’ll be more information on the CfP and schedule soon — this is something of a heads up for those planning travel and who may wish to start thinking about presentation and discussion topics.

The organizing team is as follows:

  • Serge Hallyn (IBM)
  • Paul Moore (HP)
  • James Morris (Red Hat)
  • Chad Sellers (Tresys)
  • Stephen Smalley (NSA)

For more details on the event, including contact details for the team, refer to the SELinux Developer Summit page.

So, there’ll be quite a lot of SELinux content at OLS, some of which I’ve previously mentioned. To summarize, in addition to the Developer Summit, there’ll be:

Talks:

A tutorial:

A BoF session:


So, if you’re involved with SELinux or otherwise interested in it, I’d suggest flying, driving, walking or swimming (I’m pretty sure this is possible) to Ottawa this July.

OLS 2008 schedule up

The OLS 2008 schedule is up:

There are quite a lot of security-related items this year, with several covering SELinux. I’ve had a talk accepted on the general state of the SELinux project. If you can read Japanese, see Yuichi Nakamura’s blog entry (he’s presenting on SELinux in consumer electronics).

We’re hoping to hold an SELinux developer event in conjunction with OLS. Hopefully there’ll be more to say on that soon.

It’s interesting to see so many Indian flags next to speakers’ names this year. No doubt related to the enthusiastic efforts of the grassroots community in India as evidenced by FOSS.IN and the growing number and scope of regional conferences.

A quick google returns regional conferences this year in Delhi, Calicut, Chennai and Pune. I probably missed some. A few of them happen around the same time (February or so) and if it’s similar next year, then there’s scope for folk who are interested in both traveling around India and in FOSS to do some kind of geek tour — on PTO, I’d imagine, unless your management is epically cool.

SELinux support in Ubuntu 8.04 (“Hardy Heron”)

Christer Edwards has announced support for SELinux in Ubuntu 8.04, and documented the installation procedure:

  $ sudo aptitude install selinux

It’s great to see other distributions adopting SELinux. I’m anticipating that the Ubuntu community will bring in fresh ideas and perspectives based on their overall focus on usability.

SELinux has always been an entirely open project and it was never intended to be specific to any particular distribution or company (a perception which unfortunately has emerged in recent times). Hopefully, adoption by Ubuntu (and others) will help to dispel such myths, including the myth that SELinux is difficult to use. It would be unrealistic not to expect a few teething problems in Ubuntu, but experience with Fedora has shown that they can be fixed, and that stronger security can be made highly usable in the general case.

Something interesting to consider is that with SELinux support, Ubuntu is now a potentially LSPP/EAL4+ certifiable distribution. As many will know, such certifications are important requirements for significant classes of government and military procurement, and we are also seeing some such users moving exclusively to open systems.

Side note: it seems that there’ll be some SELinux talks and events at OLS: nothing official quite yet, but keep your calendars open!

SELinux Odds and ends

  • What is Security Enhanced PostgreSQL? Good overview from Kaigai Kohei, with cute diagrams.


  • Schneier blogs about the future of security as a standard feature, eliminating the “best of breed vs suites” decision:

    That they’re forced to spend money on IT security is an artifact of the youth of the computer industry. And sooner or later the need to buy security will disappear.

    It will disappear because IT vendors are starting to realize they have to provide security as part of whatever they’re selling.

    Interesting article, but the concept of shipping security features by default is significantly established and even pioneered within FOSS. For example, the idea that mandatory access control could be enabled by default, in a general purpose OS, was I think unheard of until SELinux was released as a standard part of Fedora.

    Linux systems have many best of breed security features available as standard, typically for free: firewalling, PAM, OpenSSH (thanks OpenBSD folk), binary protection, code review, vulnerability response, audit, crypto, network stack hardening, and so on. The inclusion of such features as standard, rather than expensive, layered products with vendor lock-in written all over them, is itself an innovation in computer security. An innovation which is being adopted by major OS vendors.

    I was surprised to see Bruce interviewed a few months back, being asked what he thought Linux had contributed to security, and to see him answer something along the lines of merely raising the bar for Windows. That may be true to an extent, but I think he seems to underestimate (or not understand) the direct value provided now to the millions of systems running Linux, many of which are running all kinds of critical workloads. We’re talking stock exchanges, large banking systems, Google, telephone exchanges, cell phones, supercomputers, file and print servers, much of the web, mail servers, routers, hospitals, military, government, and almost anything you can think of. FOSS achievements stand alone, and frankly, have enabled progress which simply would otherwise not have occurred.

  • For those who may have missed it, Linuxworld covered SELinux mitigation of vulnerabilities. I was interviewed for this, which I think is the first time I’ve been interviewed for a magazine.
  • Government Computer News has coverage of the Labeled NFS effort on its front page today. Dave Quigley presented on the topic this week at IETF 71 — it’ll be very interesting to see how that turned out, as IETF acceptance is a critical requirement for the project.