Below are the 9 most recent journal entries recorded in the "James Morris" journal:
Linux Security Events in Portland
Several Linux security events are planned in association with LinuxCon this year in Portland, Oregon.
- 2009 SELinux Developer Summit
The CFP for this event has just been published. The developer summit will be held on the 20th of September as an ancillary event of LinuxCon. This is a one-day event, and developers are encouraged to submit proposals around the primary topics of extensibility and usability. We're hoping to have a flexible format this year, perhaps with half a day of talks and then half a day of hack sessions. Note that all attendees need to be registered for LinuxCon, and that earlybird registration ends this Monday, June 1st. Also, please subscribe to the event mailing list if you're planning to attend, so we can estimate numbers. More details are available at the summit web page.
- Security Microconf
A security microconf will be held at the co-located Plumbers Conference. The Call for Topics ends on June 15th, and anyone doing interesting work in Linux security should consider submitting a proposal. Also see the LWN topic discussion and Paul McKenney's recent blog entry on the event.
- LinuxCon Talks
There are several security-related talks at LinuxCon itself:
I'll be giving a LinuxCon talk on adding extended attributes support to NFSv3, presenting a prototype implementation (based on the GPL IRIX code) for discussion. xattrs are a very common feature in Unix and Linux filesystems, but there is no standard for them, nor for conveying them over NFS. NFSv4 supports "named attributes", although this is based on the Solaris extended attribute scheme (subfiles), and somewhat incompatible with the simple name/value string-based xattrs supported by Linux, BSD, IRIX etc. It would be nice to have Linux-style xattrs supported in NFSv3, with the current work then potentially forming the basis for a future NFSv4 protocol extension. If you're interested in this stuff, please consider attending and helping with the discussion.
Tags: developers, events, fmac, labeled networking, labeled nfs, linux foundation, linux plumbers conference, linuxcon, lsm, mac, mandatory access control, nfs, portland, security, selinux, svirt, virtualization
Notes from the SELinux Developer Summit 2008
The SELinux Developer Summit went pretty well yesterday. It was a long day: 10 hours of talks and discussions with about forty developers attending.
I've just uploaded slides from the talks, which may be found next to their respective entries in the schedule.
Some of the talks I found particularly useful/interesting:
- Josh Brindle on SELinux in Ubuntu. They're making good progress, although the idea of SELinux is to introduce ubiquitous, generalized MAC security, so he is advocating they enable SELinux by default as is done in Fedora, and as you typically do with other OS security layers.
- John Weeks from Sun talking about OpenSolaris FMAC (introducing Flask/TE to their OS). It was interesting to see a dtrace graph of the AVC operating—a kernel mechanism for which I've developed an abstract mental model but never "seen".
- Dan Walsh talking about his ongoing work in utilizing SELinux to create practical security features for everyday users.
The above is from a demonstration where nsplugin (the framework for Firefox plugins, i.e. where flash etc. is run) is being sandboxed by SELinux, so that a flawed or malicious plugin cannot be used to snoop your keystrokes. In this case, a simulated (and trivial) exploit was blocked from capturing internet banking passwords by SELinux.
Btw, Dan will be demonstrating this today during his OLS talk on Confining the User. There's a lot of really cool stuff coming in this area & the talk should be well worth attending.
- Karl MacMillan on alternatives to comprehensive least-privilege, where he described some ideas and plans for simplifying the way SELinux policy is deployed for general purpose use. He has some really promising ideas on reducing the granularity of the policy while still maintaining strong security. This can lead to simpler and smaller policy, which is important for all kinds of users.
- Peter White talked about two higher-level languages being developed to express SELinux policy, Lobster and Shrimp, which will introduce features such as type checking and object orientation to the policy language area. Peter is a Haskell guy, and it all looks very promising.
- Yuichi Nakamura talking about embedded systems and SELinux.
The format worked reasonably well—a series of short talks and discussions—although it would have been nicer to have a more relaxed schedule and more time for deep discussions on specific issues. There's already been discussion of what to do next year, and we may move it to a two-day event. Certainly, I think we'll want to have it again in conjunction with a major developer conference, which makes it a good environment for collaboration with the wider FOSS community.
For those that couldn't make it this year, I believe notes were taken and will be sent out to the mailing list. There are more photos here.
Tags: developers, events, fedora, flask, fmac, foss, linux, mandatory access control, ols, opensolaris, ottawa, rhel, security, selinux, type enforcement, ubuntu
Linux Foundation Japan Symposium Notes
I presented on the SELinux project today at the Linux Foundation Japan Symposium in Tokyo. The slides from my talk may be downloaded here.
It's been an interesting conference, with some smaller BoF sessions planned for tomorrow. I live micro-blogged the conference via my identi.ca account, which I guess turned out as a kind of public note-taking.
Andrew Morton covered quite a lot of interesting kernel process material, highlighting some areas which we need to address (such as whether we're ready at all to support solid state disks), and explaining his view of the linux-next tree, one unpublished purpose of which was to get kernel hackers to test each other's code before upstream merge. He also said that around 15% of kernel contributions are now coming from Japan.
Greg DeKoenigsberg kindly shipped a pile of Fedora DVDs and Live CDs across to give to the attendees. The CDs & DVDs proved very popular and were all distributed.
More photos here.
Tags: events, fedora, flask, fmac, foss, geek, japan, kernel, linux, security, selinux
Sliding into SELinux Policy Development with Fedora 9
In case you hadn't noticed, Fedora 9 has been released. One of the many goodies to be included is SLIDE: the SELinux policy development IDE. This should be great news for application developers who want their projects to work well with SELinux.
It's been possible for some time now to quickly develop a loadable policy module when an application clashes with the shipped SELinux policy. The technique is quite simple: parse the audit log and generate rules which allow the previously denied accesses. This is a form of "learning mode", which risks encapsulating badness and being incomplete. It's often handy for resolving local issues, but not necessarily the kind of thing that a developer would want to use for creating shippable and maintainable policy.
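The learning-mode technique described above, as an added sketch (not the author's code and not the real tooling): it parses AVC denial lines into allow rules and shows how a denied read of a shadow_t file becomes a rule unless a reviewer catches it. The domain myapp_t, the sample log and the review_types watchlist are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt (not from a real system). myapp_t is a
# hypothetical domain; etc_t and shadow_t are reference policy types.
SAMPLE_LOG = """\
type=AVC msg=audit(1210000000.101:41): avc:  denied  { read } for  pid=2301 comm="myapp" name="myapp.conf" dev=dm-0 ino=7001 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1210000000.105:42): avc:  denied  { getattr } for  pid=2301 comm="myapp" path="/etc/myapp.conf" dev=dm-0 ino=7001 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1210000000.105:42): arch=40000003 syscall=195 success=no exit=-13 comm="myapp"
type=AVC msg=audit(1210000000.230:43): avc:  denied  { read } for  pid=2301 comm="myapp" name="shadow" dev=dm-0 ino=7412 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

AVC_DENIED = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]

def learn_rules(log_text):
    """Merge AVC denials into {(source_type, target_type, class): {perms}}."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_DENIED.search(line)
        if m is None:          # SYSCALL records, grants, unrelated lines
            continue
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def render(rules, review_types=frozenset()):
    """Emit allow rules; tag any whose target type is on the reviewer's
    watchlist, since learning mode would otherwise allow it silently."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        names = sorted(perms)
        perm_str = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rule = f"allow {src} {tgt}:{cls} {perm_str};"
        if tgt in review_types:
            rule += "  # REVIEW: was this access intended?"
        lines.append(rule)
    return lines

if __name__ == "__main__":
    print("\n".join(render(learn_rules(SAMPLE_LOG), review_types={"shadow_t"})))
```

Only the accesses the application happened to attempt while being logged appear in the output, which is the incompleteness the post mentions.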
This is where SLIDE comes in. It's an eclipse-based environment with deep knowledge of the SELinux policy infrastructure, facilitating policy development for everything from the simplest application through to the general system policy. It's not "SELinux policy for Dummies", but it does provide some useful high-level abstractions such as wizards. Developers who are interested in learning more about how to develop policy for their applications can now easily get started with SLIDE in Fedora 9. If not installed already, do so:
$ sudo yum install eclipse-slide selinux-policy-devel
SLIDE should then be available via Applications -> Programming -> Eclipse. Start a new project and follow the prompts to create a policy module for an application. The application doesn't even need to exist—this is simply a good way to learn about the policy framework. Note that the location of reference policy is /usr/share/selinux/devel/include.
Here are some screenshots:
Creating a new policy module via the wizard.
Guided interface. These fields are automatically populated, while elements may be expanded out for greater control.
Automatically generated initial policy ready for building or further development.
It would be immensely useful now to have a simple worked tutorial to help people get started in a practical manner. I'm not sure if anyone is planning to do this currently, so if you're looking for a way to dive in and contribute to the project, please get in touch via the mailing list. Otherwise, please wait until it falls from the sky.
Tags: developers, eclipse, fedora, fedora9, flask, fmac, foss, ide, linux, mac, mandatory access control, policy, security, selinux, slide, sulphur, type enforcement
Labeled NFS Requirements Draft Submitted
Dave Quigley has just submitted an Internet Draft to the IETF outlining the requirements for Labeled NFS:
MAC Security Label Requirements for NFSv4 (link)
This Internet-Draft outlines high-level requirements for the
integration of flexible Mandatory Access Control (MAC) functionality
into NFSv4.1. It describes the level of protections that should be
provided over protocol components and the basic structure of the
proposed system. It also gives a brief explanation of what kinds of
protections MAC systems offer and why existing NFSv4 protection
mechanisms are not sufficient.
This draft is a generalization of the original Security Enhanced NFS document posted last year, addressing the general need for mandatory access control support in NFS.
NFSv4 currently supports two access control schemes: standard DAC and ACLs. MAC labeling support is required for technologies such as SELinux and OpenSolaris FMAC.
Essentially what's needed is a way to convey MAC labels over the wire (for both setting and retrieving their values), and to be able to enforce security policy using those labels. The server needs to be able to determine the security label of the remote client process when enforcing policy, and all systems need to be able to ensure they understand each other's labels, or be able to translate them. A "Domain of Interpretation" (DOI) attribute is used to determine the meaning of labels, a term which may be familiar to those who've braved the IPsec specifications. The confidentiality and integrity of these security attributes must be protected in transit, while all parties need to be authenticated. We also need to be able to handle the case where either the client or server does not have MAC enabled, and to ensure non-breakage with existing implementations. There's a lot more in the details, but that's the gist of it.
It may seem at first glance that NFSv4 named attributes (NAs) would provide the required labeling functionality, but they're not a good fit. NAs are specified as opaque to the system and user-managed, while MAC security labels are managed by the system. NAs also do not provide necessary semantics such as conveying client security attributes or negotiation of DOI. There are also issues with attribute namespaces (which are user-managed and unspecified) and labeling atomicity. Another possible approach is to implement Linux/BSD-style extended attributes (EAs), which are simple text string attributes associated with files, in contrast with the NA "subfile" scheme. This would potentially only solve the attribute namespace issue, and is also not a good general solution. EAs are also not currently part of the NFSv4 specification, and it seems like a contentious area in any case.
The current Labeled NFS prototype code utilizes NFSv4 recommended attributes (RAs), which are fully extensible, already exist, and are already used for similar management of metadata (e.g. ACLs). This seems to be the simplest and most straightforward approach.
Once there's consensus on the requirements, the next step will be to develop a protocol specification and hopefully have it incorporated into NFSv4. v4.1 is currently in "last call", so the next candidate would be v4.2, it seems. The prototype code for Linux/SELinux will continue to be developed alongside the standards process.
For those interested in following or contributing to the project, there are several relevant mailing lists:
Dave is hoping to have further discussion at IETF 72 in July, and will be presenting on the state of the project at the SELinux Developer Summit ahead of that.
Tags: developers, flask, fmac, foss, ietf, kernel, labeled nfs, linux, mac, mandatory access control, opensolaris, security, selinux, type enforcement
2008 SELinux Developer Summit Schedule Now Up
We managed to get the SELinux developer summit schedule published a few days early. Hopefully, this will help people who are making travel arrangements to OLS.
As mentioned, a lot of high quality proposals were submitted. To ensure that all important topics can be covered, the format of the summit has been changed to moderated discussion panels with presentations, rather than the original plan of having a set of fixed-length presentations followed by discussion panels.
Presentations will now be 10-20 minutes, with a greater focus on discussion. This provides much more flexibility, and is derived somewhat from experience with the kernel networking summit, which has been very successful with short presentations driving discussions.
The panel sessions are as follows:
- Distributed Technologies
- Policy Configuration
- Policy Infrastructure
- Emerging Technology/Works in Progress
More detailed information, including topics, issues, and links to abstracts may be found at the schedule page. Also see the printable version and the topics page.
All SELinux developers and folk with a technical interest in SELinux and related technologies are welcome to attend. Don't forget that you also need to be registered to attend OLS.
Tags: developers, events, flask, fmac, foss, linux, mandatory access control, ols, opensolaris, ottawa, security, selinux, type enforcement
SELinux Developer Summit: CFP closed
The 2008 SELinux Developer Summit CFP is now closed.
As suspected, most of the proposals arrived at the last possible moment. It looks like we have more proposals than can reasonably fit in one day, so the organizing team now has the interesting task of squeezing as much in as possible without overloading the schedule. This is going to be very difficult, as pretty much all of the submissions are of excellent quality.
In any case, we should have the schedule finalized and published within a week or so.
Tags: developers, events, flask, fmac, foss, linux, ols, opensolaris, ottawa, security, selinux, type enforcement
SELinux Developer Summit 2008 Announced
We've just announced the SELinux Developer Summit for 2008, which will be held in Ottawa (as an OLS mini-summit) on July 22nd. A CfP will be issued early next week, where we'll be looking for people to submit talks and panel topics.
In previous years, the project has had the SELinux Symposium, generously run by Tresys, with an invite-only developer summit tacked onto the end.
The new Developer Summit is intended to track with the evolution of SELinux as a wider community project, and we are very pleased to be able to hold an open event this year in conjunction with OLS.
All developers and folk with a strong technical interest in SELinux and related Flask/TE projects are encouraged to attend. Note that attendees need to also be registered for OLS.
There'll be more information on the CfP and schedule soon -- this is something of a heads up for those planning travel and who may wish to start thinking about presentation and discussion topics.
The organizing team is as follows:
- Serge Hallyn (IBM)
- Paul Moore (HP)
- James Morris (Red Hat)
- Chad Sellers (Tresys)
- Stephen Smalley (NSA)
For more details on the event, including contact details for the team, refer to the SELinux Developer Summit page.
So, there'll be quite a lot of SELinux content at OLS, some of which I've previously mentioned. To summarize, in addition to the Developer Summit, there'll be:
A BoF session:
So, if you're involved with SELinux or otherwise interested in it, I'd suggest flying, driving, walking or swimming (I'm pretty sure this is possible) to Ottawa this July.
Tags: developers, events, flask, fmac, linux, mac, mandatory access control, ols, opensolaris, ottawa, security, selinux, type enforcement
OpenSolaris to adopt Flask/TE security scheme
As noted at SELinux News, OpenSolaris has launched a new project, Flexible Mandatory Access Control (FMAC), to integrate the Flask/TE security scheme into their OS. This is the same underlying model implemented by SELinux, and follows other cross-platform Flask/TE integration projects such as SEDarwin and SEBSD.
This is very exciting in terms of establishing compatible security across operating systems, particularly for Mandatory Access Control, which has traditionally been narrowly focused and generally incompatible. With FMAC, we're closer to seeing truly ubiquitous, cross-platform MAC security.
I'll be interested to see how they approach the integration, with the opportunity to learn lessons from the SELinux experience.
It'll also be great to have an expanded TE/Flask community. According to their project page, areas of work include improving usability (we can never have enough of that), desktop integration via XACE, integration with Xen (presumably via XSM), Labeled NFS, and Labeled IPSec. It seems they already have a separate project for the latter, txipsec.
I'll be watching with great interest, and would like to offer any assistance in ensuring interoperability with SELinux.
Tags: flask, fmac, mac, mandatory access control, opensolaris, selinux, type enforcement