Patches from Lorenzo Hernandez Garcia-Hierro add two new memory execution permissions for processes:

• execheap – this permission is required for a process to make heap memory executable, even if it already has the execmem permission. The X server’s module loader seems to need this currently.
• execstack – similarly, this permission is now required if a process wants to make its main stack executable. This is for applications such as JVMs, although, mplayer needs this permission for some reason.

A patch for the MLS code allows easier transition to an MLS system by handling the lack of an on-disk MLS field in the security context of a file if running in MLS mode. Instead of the previous behavior of just internally setting the security context to ‘unlabeled’, SELinux will internally infer an MLS field based on the default for the filesystem mount. This is intended to allow systems to enable MLS without requiring a full filesystem relabel (which can take a very long time).

Otherwise, things have been fairly quiet for SELinux in this kernel release: a few bug fixes and assorted changes related to ongoing CAPP audit development (which SELinux is dependent on).

MLS Background
I was planning on writing an introductory article on Multilevel Security (MLS), to be published here or at another online venue. The purpose being to provide a gentle introduction to the subject for those wishing to understand MLS under SELinux.

During my research, I came across a good introductory article online by Dr Rick Smith: Introduction to Multilevel Security.

Rather than covering much of the same ground, but not as well, I’d instead recommend that people who are interested in getting started learning about MLS simply go and read that (at least the Introduction section).

Other online materials worth tracking down are manuals for “trusted” versions of a couple of remaining Unix variants (e.g. Trusted Solaris), keeping in mind that implementation details will vary.

Book-wise, I’d recommend:

• Security Engineering: A Guide to Building Dependable Distributed Systems by Ross Anderson (a general, indispensable security book with some coverage of MLS)
• Fundamentals of Computer Security Technology by Edward Amoroso (essential text covering many of the MLS concepts and technologies in more detail).

Brief Concepts and Terms
However, I will very briefly outline a few key concepts, and terms as we use them. (MLS terminology is a confusing mess across different implementations and standards).

MLS, as discussed here, refers to a specific Mandatory Access Control (MAC) security scheme. Under this scheme, processes are called Subjects. Files, sockets and other passive operating system entities are called Objects.

Subjects and Objects are labeled with Security Levels (SLs).

An SL is composed of two types of entities:

1. Sensitivity: An hierarchical attribute such as “Secret” or “Top Secret”
2. Categories: A set of non hierarchical attributes such as “US Only” or “UFO”

An SL must have one sensitivity, and may have zero or more categories.

Examples of SLs are: { Secret / UFO, Crypto }, { Top Secret / UFO, Crypto, Stargate } and { Unclassified }

Note the hierarchical sensitivity followed by zero or more categories. The reason why we have categories as well as sensitivities is so that sensitivities can be further compartmented on a need to know basis. For example, while a user may be cleared to Secret, they may not need to know anything about project WarpDrive (which could be the name of a category).

– SLs on Objects are called classifications.
– SLs on Subjects are called clearances.

Thus, Objects are labeled with a classification while Subjects operate with a specific clearance. SLs can have also ranges, but we’ll keep it simple here and ignore that.

MLS Policy
The rules governing MLS access are quite complicated (sometimes counter-intuitive), and covered in detail in some of the references listed above. There are several MLS models. The most common, Bell-LaPadula (BLP) deals with confidentiality. Another, Biba, provides an integrity model. Some existing systems use both. SELinux actually uses BLP, with Type Enforcement (TE) for integrity.

But in very simple terms, MLS policy will ensure that a Subject has an appropriate clearance to access an Object of a particular classification.

For example, under MLS, the system will need to know how to answer a question like:

Can a process running with a clearance of { Top Secret / UFO, Railgun } write to a file classified as { Top Secret / UFO } ?

The MLS model and policy implemented for it will determine the answer. (As an exercise, consider the problem of information leaking out of the Railgun category into the file).

MLS meets a very narrow (yet critical) set of security requirements based around the way information and personnel are managed in rigidly controlled environments such as the military. To my knowledge, MLS has not been widely successful in the general commercial world, although there are apparently a few commercial MLS deployments. MLS is typically very difficult to work with and maps very poorly to general case scenarios.

Type Enforcement under SELinux is actually a far more flexible and expressive security scheme, which is in many cases more suitable than MLS, although there are several scenarios where traditional MLS is still required. For example, when you have a large number of Security Levels and a need for strong isolation on a single system; such as a file server where the stored data may be of mixed classification and where clients connect at different clearances. This type of scenario is the reason that SELinux includes MLS as a security model, as an adjunct to TE.

LSPP Certification
Currently, efforts are just underway to have Linux certified as an MLS operating system. The certification is equivalent to the old B1 rating, which has been reworked into the Labeled Security Protection Profile under the Common Criteria scheme.

People interested in participating in or following the LSPP effort should subscribe to the redhat-lspp mailing list via: https://www.redhat.com/mailman/listinfo/redhat-lspp

Community
One of the issues with MLS is that it’s a very specialized security scheme with a narrow userbase. So, it’s really not a great fit with the open source development model. An important challenge we face is to engage the wider community with this technology by making it more generally useful. We (various SELinux developers) are currently working on an project which will attempt to do this, and we should hopefully have more to say on this soon. Currently it’s a matter of getting the initial work done and then integrated into Fedora.

The Call for Papers for the 2006 SELinux Symposium has now been issued at http://www.selinux-symposium.org/2006/callforpapers.php

This second symposium will be held in Feb/Mar next year in Baltimore.

Proposals are due September 19th, so there’s a couple of months to prepare.

Be there and be square!

The slides from my Netconf talk are now online here. They cover some current developments and future directions for networking under SELinux.

Slides from all of the talks should be up on the Netconf site soon, and the talks will be summarized at the Kernel Summit in a few days by Stephen Hemminger or a mystery guest.

The mailing list for Linux kernel network development has moved from netdev@oss.sgi.com to netdev@vger.kernel.org

Details http://vger.kernel.org/vger-lists.html#netdev

(Also mentioned in the subscriber edition of LWN at http://lwn.net/Articles/139208/)

Thanks to Ralf Baechle and SGI for keeping the list going there for so many years.

One new feature in this kernel (2.6.12 final still seems some way off):

Finer-grained permissions for audit events. The kernel audit subsystem uses Netlink for communication with userspace. This communication includes:

• Transmitting audit messages to userspace (e.g. auditd).
• Loading audit filtering rules into the kernel.
• Controlling the kernel audit module.
• Retrieving the status of the kernel module.
• Relaying important user events (such as login) via the kernel module back to userspace.

Until now, Netlink communications were controlled under SELinux with the generic socket controls, and two special Netlink permissions: nlmsg_read and nlmsg_write. These permissions were used to determine whether Netlink messages, from userspace, were essentially either read or write operations. For example, listing the kernel routing table requires nlmsg_read permission for the netlink_route_socket class, but writing to it requires nlmsg_write. These two permissions provide a great deal of flexibility and control over user-kernel communication. They’re also abstracted in a simple way, “read” and “write”, with only the latter generally being considered privileged.

However, the audit subsystem has some very specific requirements based on CAPP (Controlled Access Protection Profile), where audit records need to be reliably and sequentially correlated with specific login sessions. As the kernel audit code is the source of truth for audit records, login events are sent to the kernel, allocated a sequence number then passed back to userland (typically to auditd), all via Netlink. This messaging did not fit the existing SELinux Netlink permissions, as it is not about reading or writing privileged kernel data.

Another issue arose where the listing the kernel audit rules is considered a privileged operation by the audit folk.

So, two new permissions have now been added for the netlink_audit_socket class:

These permissions may be useful to other classes of Netlink sockets, but are currently only valid for audit.

Other fixes in this kernel: Stephen Smalley cleaned up some of the SELinux IPC code, and Herbert Xu fixed an oops in the SELinux IPv6 packet parsing code.

A few more SELinux kernel patches have been merged since 2.6.12-rc2 and are now available in -rc3:

• Explicit support has been added for the KOBJECT_UEVENT Netlink family. This allows SELinux permissions to be applied specifically to these types of sockets, rather than the default, which was to treat them as generic Netlink sockets. KOBJECT_UEVENT messages are sent by the kernel to userspace to provide notification of changes to kobjects. You’ll most likely need to update to the latest policy packages if you install this kernel, as haldaemon makes use of these types of Netlink sockets, for which older policy will not have any permissions. This is what you’ll see without an updated policy:

  avc:  denied  { create } for  scontext=system_u:system_r:hald_t
                                tcontext=system_u:system_r:hald_t
                                tclass=netlink_kobject_uevent_socket
  

• A bug was fixed in the detection of NETLINK_IP6_FW messages (as used in the upstream kernel by ip6_queue), where such messages would instead be detected as generic Netlink messages.
• Stephen Smalley fixed an audit related deadlock in SELinux, which was discovered by IBM testing. His patch moves more SELinux logging to the audit subsystem, cleaning up the SELinux code and allowing the logged information to be more complete and reliable. I would thus now suggest always running SELinux with audit enabled (which is the default now in Fedora rawhide). With audit enabled and auditd running, AVC messages will now go to wherever auditd is configured to send them, as specified by /etc/auditd.conf. This is /var/log/audit/audit.log on my system, which takes a bit of getting used to after years of having AVC messages splattered across the console.

With Linus’ kernel at -rc2 stage, we now have a reasonable idea of what 2.6.12 will look like. Here’s an overview of SELinux kernel features which have been added since 2.6.11.

name_connect
This is a new permission for the TCP socket class, specified by Dan Walsh and implemented by Stephen Smalley. It extends the way SELinux handles the connect(2) syscall for TCP sockets. The existing SELinux connect permission is applied to all classes of sockets, simply determining whether a domain is allowed to use the connect(2) syscall on the specified socket class. With name_connect, SELinux makes an additional check as to whether the domain can connect to a specific set of port types. Here are some examples from current policy sources:

allow mount_t portmap_port_t:tcp_socket name_connect;
allow squid_t { http_port_t http_cache_port_t }:tcp_socket name_connect;
allow unconfined_t port_type:tcp_socket name_connect;

The first is the simplest case, where a domain needs to connect to one type of port. In this case, the mount_t domain is allowed to initiate TCP connections to ports of portmap_port_t type. The latter is defined in policy as port 111 via the portcon directive. This allows the mount_t domain to perform portmap queries over TCP when mounting NFS partitions.

Importantly, as SELinux denies everything by default, allowing only what’s explicitly specified, the mount_t domain can’t connect to any other types of port.

In the second example, we see how the policy language supports multiple port types: the squid_t domain is allowed to initiate connections to ports of type http_port_t and http_cache_port_t.

A catch-all entry is shown last, for the unconfined_t domain. In this case, the port_type attribute is used to signify all port types. This is useful if you don’t know what ports a domain will need, or haven’t yet analyzed the needs of the domain — assuming you prefer it to work correctly rather than not at all.

In terms of the implementation, some thought was given to extending the existing packet-level controls, recv_msg and send_msg, to detect whether a TCP packet has a SYN bit set. This approach would have required adding significant complexity and per-packet processing overhead to the SELinux code; been potentially difficult to support extensibly with the existing policy language; and replicated existing iptables functionality. And as we’re only concerned with outgoing stream connections and the associated local process, it turned out better to place the hook at the socket level. This was done by adding some TCP specific code to the existing selinux_socket_connect hook, called during connect(2), via the LSM security_socket_connect hook. No core kernel code was modified.

The name_connect permission should help lock down a lot of the networking policy. For example, domains which need networking also tend to need to perform DNS lookups. The new permission will allow domains to be locked down to only outgoing DNS (in the TCP case) and whatever else they actually need. This kind of fine grained control should help prevent some common network security problems, such as compromised systems being used to send spam. If, say, Apache is compromised via a remote hole, SELinux can still lock down the network resources used by the application at the kernel level. In this case, with name_connect, it’s quite simple: domains which need to initiate TCP connections to port 25 are provided with the permission, all others are denied by default.

reiserfs
Previously, SELinux file labeling for reiserfs via xattrs has been seriously broken, as described in this mailing list post. The problem was that reiserfs maintains internal inodes, which the VFS and thus SELinux were not distinctly aware of, leading to problems such as a deadlock between reiserfs and SELinux when reiserfs creates internal inodes for storing xattr data. This issue was solved by Jeff Mahoney of Suse, who added an S_PRIVATE flag to mark inodes as internal to the filesystem. This flag signals to the LSM framework (and its applications, such as SELinux) that access control for the inode will be handled internally by the low-level filesystem code.

It appears to be working well now, although I’m not sure how much testing coverage it’s had. Currently, standard SELinux policy disables the use of xattrs for reiserfs, so if you want to try it out, you’ll need to edit policy sources:

1. Edit genfs_contexts and remove the genfscon line for reiserfs:

   # reiserfs - until xattr security support works properly
   #genfscon reiserfs      /      system_u:object_r:nfs_t
   

2. Edit fs_use and add:

   fs_use_xattr reiserfs system_u:object_r:fs_t;

Build, then load the policy (and install it if you wish to keep using it). When mounting any reiserfs partitions after this, you should see the following type of kernel log message:

SELinux: initialized (dev hda3, type reiserfs), uses xattr

The “uses xattr” clause shows that xattr labeling is active on the partition (which will need labeling if it’s never been labeled before). If you intend to keep using reiserfs with SELinux xattrs before your distro fully supports it, you’ll also need to update the policy Makefile so that reiserfs is included in the FILESYSTEMS variable, and also make similar changes to the fixfiles script.

Enhanced MLS
Multi-level security (MLS) is typically used by military and government folk who need to manage information at different security levels, and handle users with varying security clearances. SELinux has always had rudimentary and experimental MLS support, although I don’t believe it’s ever had much use. A company called Trusted Computer Solutions (TCS) has been working on a more flexible and fully featured MLS implementation for SELinux, and an initial patch of theirs is now in the upstream kernel. It updates the core MLS implementation, replacing hard-coded logic with a more flexible and expressive system based on policy language constraints. The patch also allows MLS to be enabled at boot-time (like SELinux itself), and supports a single policy binary format for MLS and non-MLS systems.

Chad Hanson gave a talk on their work at the recent SELinux symposium, slides of which may be downloaded here. MLS under SELinux is still incomplete, lacking features such as polyinstantiated directories, and somewhat experimental. If you’re feeling brave, you can try setting up an MLS system with the new TCS code by following the README.MLS in the latest selinux-doc package. It’s probably best to try this on a system which you don’t mind reinstalling from scratch if something goes wrong.

Memory protection checking for legacy binaries & libraries
In recent kernels, when a process maps a memory region (or changes its protection), the requested protection flags may be modified by the kernel before access control checks are performed. This currently happens if a binary or shared library is marked as needing an executable stack, and PROT_READ is requested. In this case, the kernel will also add PROT_EXEC (“read-implies-exec”). With this behavior, SELinux policy for some applications had to be loosened to allow execution privileges when they may not have really been required (e.g. an application isn’t marked at all and the kernel assumes it needs an executable stack).

To address this, Stephen Smalley implemented a way to control whether SELinux uses the protection that the kernel will apply, or the protection originally requested by the application. An selinuxfs node has been added, checkreqprot, which allows selection of the required SELinux behavior by writing one of the following values to it:

0 – SELinux uses the protection value to be applied by the kernel.
1 – SELinux uses the protection value originally requested by the application.

The current value may be viewed simply with:

# cat /selinux/checkreqprot 
1

The default value may be set during kernel compilation via the SECURITY_SELINUX_CHECKREQPROT_VALUE parameter.

Miscellaneous
SELinux now logs the details of any Netlink messages it doesn’t understand, to handle the case where new message types are added and the SELinux code is not updated. Such messages are now also allowed through if in permissive mode.

The SELinux boot options have been documented in the kernel source tree, as requested by Andrew Morton.

Code which handles writes to the /proc/<pid>/attr nodes has been modified to treat a newline character as a null value. The normal way to clear these nodes of any value is to do an empty write, but Posix says that this can be ignored and we can’t rely on that behavior. So, thanks to Posix, you can now clear the value of a procattr node by writing a newline to it. This also allows easier modification of the nodes from shell scripts, but direct manipulation of these nodes should not normally performed: use libselinux and helper utilities instead.

Note that these changes are now available in Fedora rawhide kernels (and likely other distributions’ development pools tracking Linus’ kernel). If you update the kernel, make sure you also update your SELinux policy, as older policies will not have any allow rules for the name_connect permission and you could find your system somewhat more secure than you intended.

The Lions’ Commentary finally arrived. After weeks of waiting with one of the large online booksellers, they canceled the order. So I emailed the publisher, Peer to Peer Communications, and they suggested buying from Lulu, which worked out well. A colleague had exactly the same experience.

The SELinux Symposium in Maryland was very well attended. Slides from the talks are available now here. It’s good to see such a high level of interest displayed on a project that you’ve been working on for years. At this stage it seems that most of the interest is from government related folk, and not yet the wider enterprise or general user communities. (Although there does seem to be broader involvement in Japan).

One of the challenges for the SELinux project now, I feel, is to gain more traction with the wider community. After chatting with some people at the symposium, I’ve got a few ideas for progress in this area.

Another critical factor is the evolution of the SELinux toolchain, particularly relating to policy management. Looks like there’s some good fundamental work going on here.

Enhancing the security of the desktop is a major challenge. Colin Walters presented a good overview of the problem space and provided some examples of work he’s been doing, while Jim Gettys held a BoF session on Security Enhanced X (not sure if there are any notes from this available). Desktop SELinux integration is definitely an area that someone looking to make a mark in the open source world should have a look at, it’s fertile and somewhat unexplored ground, and there are some very highly experienced people likely available to mentor.

Lions’ Commentary on UNIX is being published again by Peer to Peer Communications. Details here.

This famous 70’s commentary on the Unix source code is considered by many to be the best text on the subject. It was innovative in presenting remarkably well annotated source code, an unusual thing at the time. Originally written as a text for a UNSW course, the book was not officially published for some 20 years, during which time it became what is believed to be the most copied book in the computing field. It went out of print last year (I think), just before I tried to buy a copy. I’m glad it’s available again so I can finally own a “real” version. Used copies of this 1996 version are selling for around US$170 at the moment, although I guess these prices will drop very soon. I have no idea how much one of the original Bell Labs versions would go for, if you can even find one.

Note that Greg Lehey has put the source and PDF/PS versions of the book online here, as found in an alt.folklore.computers posting from 1994. This was from before the original official publication in 1996 and does not contain the extra commentary on the book itself by folk such as Dennis Ritchie and Ken Thompson.

Poking around a little, I found this 1994 interview with John Lions reposted to Usenet, which shows that the students at UNSW actually suggested covering the entire kernel, after initially only having parts of it presented to them. The interview is also interesting for some general perspectives on Unix.

I’ve heard a greybeard say that the best thing about the Lions book is that you can use it to fit an understanding of an entire Unix kernel into your head. Trying to understand, say, all of the Linux kernel these days is likely an impossible task: it’s just too big and complicated. And, judging by the Linux kernel over the last few years, things are changing very quickly, at an increasing rate (I’m reminded of the accelerating expansion of the Universe :-) So, I think there is really great value in a book such as this, covering an early, classic kernel, as a foundation for a fuller understanding of modern kernels.

Peer to Peer are also about to release an interesting looking book titled Building the ARPANET, a collection of seminal papers and documents on the subject. For those of us interested in such things, this should be a great way to access the information. I often spend quite a bit of time trying to track down a paper that I’m fond of, such as IEN 2, “Comments on Internet Protocol and TCP” by Postel 1977, which outlined the concept of separating a “hop by hop” interface from TCP, creating what we now call the IP layer.

We are screwing up in our design of internet protocols by violating the principle of layering. Specifically we are trying to use TCP to do two things: serve as a host level end to end protocol, and to serve as an internet packaging and routing protocol. These two things should be provided in a layered and modular way. I suggest that a new distinct internetwork protocol is needed, and that TCP be used strictly as a host level end to end protocol.

Cool stuff. I look forward to a book collating the best of this kind of material from the ancient era.

I’d also like to see something similar collecting together seminal computer security texts, particularly those now out of print and held tightly in rare public copies of journals by a few libraries. Examples are found in proceedings of the National Computer Security Conference, such as Boebert & Kain’s A Practical Alternative to Hierarchical Integrity Policies from 1985, which outlines the concepts of Type Enforcement, a central component of SELinux.

NIST is making an effort in this area. They’ve published all of the proceedings of the NISSC (initially NCSC) from 1996 to the final conference in 2000 here. My understanding is that copyright problems are preventing online publication of proceedings from earlier years (where you would find the Boebert & Kain paper), although they’ve put up selection of important earlier papers on their History of Security page. While people have written excellent textbooks covering these topics in a readable and contextualized manner, I still like reading the original papers where possible.