LWN.net Weekly Edition for July 10, 2008

SELinux and Fedora

By Jake Edge
July 9, 2008

Red Hat has undoubtedly done more to make SELinux usable than any other organization, but has it actually reached the point where it can be enabled by default for all desktops? The Fedora project clearly thinks so. Not only is SELinux enabled, but the installer no longer has an option to disable it or to put it into "permissive" mode. Most of the posts in a thread on the fedora-devel mailing list see that as the right choice, but some are not so sure.

Jon Masters started things off by making a request to restore the installation option, giving several reasons summing up with:

But there are numerous other justifications I could give, including my personal belief that it's absolutely nuts to thrust SE Linux upon unsuspecting Desktop users (who don't know what it is anyway) without giving them the choice to turn it off.

His reasons were unconvincing to many as he was not considered to be a "normal" desktop user; the things he was doing were much more technical than the users that are being targeted by the SELinux policies distributed with Fedora 9. The problems he reported were resolved quickly, but the fact remains that there are paths through Fedora—even just using desktop applications—that will result in SELinux-caused failures. The Red Hat SELinux team is very responsive, but users will get frustrated quickly if things they are trying to do fail in mysterious (to them) ways.

Alan Cox argues against providing an installation choice because he doesn't think users have enough context to make a sensible choice. He likens it to a car with multiple choices for safety features:

"This car has brakes, enable them ?"
"Would you like the seatbelts to work ?"
"Shall I enable the airbag ?"

When push comes to shove, Masters and a few others see the default of SELinux installed in "enforcing" mode as being too restrictive. It is likely to cause users to become annoyed with Fedora as a whole because one or more paths through the applications have not yet been tested. That, unfortunately, is the crux of the issue: SELinux policies are being developed in a reactive manner based on testing applications and adding exceptions for actions they perform.

As a security tool, SELinux is a good choice, because it essentially denies everything by default. Policies are added that will allow certain actions for users and applications. Its complexity is legendary, however, which is why Red Hat (and others) have made a substantial effort to make it work semi-invisibly. They started by generating policies for network-facing services and have now moved into securing desktop applications, particularly programs like web browsers which are increasingly the target of attacks.

SELinux has three modes: disabled, which turns SELinux off entirely; permissive, which only logs attempts to do things that violate the policies; and enforcing, which disallows any access that is denied by the policies. When getting applications to work with SELinux, permissive mode is typically used. The log messages are analyzed to determine what changes should be made to the policies or to the application so that they work together. If there are features that were not tested in the application that require additional privileges, the first user that tries that feature in enforcing mode will run into trouble.

When that happens, SELinux can be put into permissive mode with a simple GUI or configuration file change, followed by a reboot. One of the problems is that users may very well not know that SELinux is the source of their problem. There are tools, like SETroubleShoot, that can help alert users, but it is still a frustrating, hard to comprehend problem at times. Once the user has "fixed" the problem by disabling SELinux, they are unlikely to turn it back on.
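The permissive-mode workflow described above (collect the denials the policy logs, group them by which domain is being blocked from which type of object, and decide whether the policy or the application should change) is easy to show in code. The script below is an added example written for this page; it is not code from the article, from Fedora, or from the SELinux project. The audit lines and the /etc/selinux/config excerpt it parses are constructed samples in the formats the kernel and Fedora use, not records from a real system, and the domain names in them are illustrative. The summary it prints is the kind of view a policy maintainer checks before handing the denials to a tool such as audit2allow, and the config parser is the check a troubleshooting tool would run to tell a user whether they have already switched the system to permissive mode.

```python
import re

# Constructed sample /var/log/audit/audit.log excerpt (illustrative, not from a real system).
# Only "type=AVC ... denied" lines matter here; the SYSCALL line shows that other record
# types are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1215600001.101:201): avc:  denied  { read } for  pid=2112 comm="firefox" name="video.ogg" dev=sda3 ino=41011 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1215600001.102:202): avc:  denied  { read open } for  pid=2112 comm="firefox" name="video.ogg" dev=sda3 ino=41011 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1215600001.102:202): arch=c000003e syscall=2 success=yes exit=7
type=AVC msg=audit(1215600004.500:203): avc:  denied  { name_connect } for  pid=2112 comm="firefox" dest=8080 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1215600009.000:204): avc:  denied  { write } for  pid=3007 comm="nautilus" name="Trash" dev=sda3 ino=9001 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
"""

# Constructed sample of /etc/selinux/config, the file a user edits (then reboots) to
# change the mode.
SAMPLE_SELINUX_CONFIG = """\
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#       enforcing - SELinux security policy is enforced.
#       permissive - SELinux prints warnings instead of enforcing.
#       disabled - No SELinux policy is loaded.
SELINUX=permissive
SELINUXTYPE=targeted
"""

# Fields of an AVC denial: timestamp:serial, permissions in braces, pid, comm,
# then source context, target context and object class.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]*) \} for\s+pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field (third component) of a user:role:type[:level] context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_avc_denials(log_text):
    """Extract AVC denial records from audit log text; other record types are ignored."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "ts": float(m.group("ts")),
            "comm": m.group("comm"),
            "source_type": context_type(m.group("scontext")),
            "target_type": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": frozenset(m.group("perms").split()),
        })
    return records


def summarize_denials(records):
    """Group denials by (source domain, target type, object class) and union the permissions."""
    summary = {}
    for r in records:
        key = (r["source_type"], r["target_type"], r["tclass"])
        entry = summary.setdefault(key, {"perms": set(), "count": 0, "comms": set()})
        entry["perms"] |= r["perms"]
        entry["count"] += 1
        entry["comms"].add(r["comm"])
    return summary


def format_summary(summary):
    """One line per (domain, type, class), most frequent first."""
    lines = []
    for (src, tgt, cls), e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        perms = " ".join(sorted(e["perms"]))
        comms = ",".join(sorted(e["comms"]))
        lines.append(f"{src} -> {tgt}:{cls} {{ {perms} }}  denials={e['count']} comm={comms}")
    return lines


def selinux_mode_from_config(config_text):
    """Return the SELINUX= value from /etc/selinux/config text (lowercased), or None if unset.

    Comment lines are skipped, so a commented-out setting does not count; the last
    uncommented SELINUX= line wins, as it does for the real file.
    """
    mode = None
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        key, sep, value = stripped.partition("=")
        if sep and key.strip() == "SELINUX":
            mode = value.strip().lower()
    return mode


if __name__ == "__main__":
    print("configured mode:", selinux_mode_from_config(SAMPLE_SELINUX_CONFIG))
    for line in format_summary(summarize_denials(parse_avc_denials(SAMPLE_AUDIT_LOG))):
        print(line)
```

Grouping by domain, target type and class (rather than by file name or pid) is what makes the output useful: the first line of the summary says that one domain is being denied both `read` and `open` on `user_home_t` files, which is one policy or labeling question, not two separate bugs. The configured mode is read from the file rather than from the running kernel on purpose: the two differ after `setenforce` and before a reboot, and that difference is exactly what confuses users who "fixed" a problem by editing the file.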

It is a difficult choice, but Fedora is firmly on the side of forcing non-technical users into using SELinux, at least until it breaks. More technical users will know about SELinux and, perhaps, be able to make more informed choices. One of Red Hat's SELinux developers, James Morris, neatly sums up the reasons it is important to continue pushing SELinux:

The only way to really make progress in improving security is to make it a standard part of the computing landscape; for it to be ubiquitous and generalized, which is the aim of the SELinux project.

[...] Punting the decision to the end user during installation is possibly the worst option. It's our responsibility as the developers of the OS to both get security right and make it usable. It's difficult, indeed, but not impossible.

There are efforts underway to add easier ways for users to report SELinux log messages, perhaps even in an automated way, so that policy or application problems get identified and fixed more quickly. While it may not be easy for long-time Linux users to adjust to an SELinux-enabled system, it is getting to the point where average users, who never use the command line, rarely run into problems. And those are just the kind of users who need the level of security that SELinux can provide.

Questions and answers with Stormy Peters

By Jonathan Corbet
July 9, 2008

Those who have followed the GNOME project over the last few years have seen the wishlist item for a "business manager" or "executive director" for the GNOME Foundation; the subject was especially likely to come up during Foundation board elections. This position has remained unfilled for some time, seemingly a result of uncertain funding and the difficulty of finding the right person. These problems would appear to be in the past now; on July 7, the GNOME Foundation announced that this position would be filled by Stormy Peters, formerly of OpenLogic.

Stormy now has the challenge of helping an energetic and independent-minded development community build on its success and achieve its ambitious goals for the future. We asked her a few questions about how she thought that might go; here's what we got back.

LWN: This is a new position, in that the GNOME Foundation has never had an executive director before. So people may be wondering what you'll actually be doing. How do you expect to be spending your time in this position?

Actually, the GNOME Foundation has had an executive director before but not for the past few years. I will spend my time strengthening relationships with the existing sponsors, working on finding new industry partners and helping the Board of Directors and the community execute some of their great ideas for GNOME. The GNOME community's goal is to provide an easy to use, intuitive interface for Linux and Unix as well as a powerful development platform.

A year from now, what do you hope your biggest accomplishments will be?

The GNOME community has a tremendous amount of passion and a real dedication to making a development platform and a desktop that is easy to use. I think showing the world that, getting the word out and showing how it is changing the way people are able to use their computers and mobile devices is key. So to answer your question, I'd like to see a stronger Foundation (more sponsors and members), increase the amount of great ideas that get executed, and make GNOME a household name. :)

Next year, it seems reasonably likely that there will be a combined GNOME/KDE developers conference in Europe. What are your thoughts on the current state of cooperation with KDE, and how do you think it could be improved?

I hope we have a combined GUADEC/Akademy next year. KDE and GNOME have been working more closely together during the past year or so and they have accomplished some good things like with dbus. I think anytime you get great developers together, good things happen.

One high-profile GNOME goal was 10x10 - 10% of the desktop market by 2010. In mid-2008, it seems fairly clear that this goal will not be achieved. Do you think that the desktop remains a suitable target for free software, or should GNOME deemphasize the traditional desktop in favor of other goals?

I do think that a free and open source desktop is still a great goal. While the number of free and open source desktops out there might be small, it is growing tremendously. Just look at the number of laptops that ship with GNU/Linux (from Dell, Asus and others) as well as the number of mobile devices that are based on free and open source software.

Though the GNOME Foundation is not intended to control the technical direction of the project, it clearly cannot be without influence there. Are there technical directions you would like to see the development community take, directions which would help to convince manufacturers to incorporate GNOME technologies and contribute to GNOME development?

I'll be working closely with the community and the board of advisors to figure out how I can best help with technical directions. One thing we'd like to see from our sponsors - through our board of advisors - is more information on what end-users would like to see in GNOME.

In the past you have spoken about how introducing money into free software development can have a demotivating effect on developers. Do you fear that sort of problem as GNOME becomes more commercially successful? How would you hope to avoid that kind of difficulty?

I don't think it's an issue in the short term as growing the GNOME Foundation doesn't directly correspond to hiring lots of developers. But that said, I think the key is maintaining the intrinsic motivations that make GNOME contributors such a passionate group of developers.

Thanks to Stormy for being kind enough to answer our questions in the middle of what must have been a highly busy time at GUADEC in Istanbul.

Notes on the Viacom ruling

By Jonathan Corbet
July 4, 2008

Google's purchase of YouTube always seemed questionable to some observers: it looked as if Google were buying itself a whole new source of copyright lawsuits. One of the benefits of that purchase came through on July 2, when a U.S. District Court ordered Google to hand over its complete set of YouTube traffic logs, containing information about every video viewed on the service. See Groklaw for the full text of the order. If this order stands (and it appears that Google will not appeal it), millions of users worldwide will have their viewing data handed over to a litigious entertainment industry company. There are a couple of important implications to draw from this turn of events, so LWN will venture a little far afield and take a look.

The data involved includes, for each video viewed, the time, which video was involved, which YouTube user account was used, and the IP address the request came from. Viacom claimed that the privacy of YouTube users is not threatened by this release of data, and the court agreed. But account names can be correlated across sites, and IP addresses (especially time-correlated IP addresses) can easily identify exactly who was watching a particular video. Viacom promises it would never use this data to launch enforcement actions against individuals; the fact that the company feels the need to make that promise suggests that Viacom feels it could use this data to that end.

One other interesting aspect of the ruling which has been commented upon less is this: Google has also been ordered to hand over every video which has been removed from the site. Once again, that is a great deal of data. It also drives home the point that, on a site like YouTube, nothing is really removed: all of those "removed" videos are still there, waiting for some company with enough lawyers to go after it.

All of this data is to be handed over regardless of what jurisdiction the users thought they were in. Nobody's privacy or data retention laws apply here. This is a worldwide compromise of personal data.

So lesson number one is obvious: attending to one's personal security requires being very careful about the data tracks that one leaves on other peoples' servers. Regardless of any site's privacy policy or any country's data sharing laws, that data is there for the grabbing. The course of events which led to the compromise of vast amounts of video-viewing data can also lead to the disclosure of electronic mail, accounting data, online chat sessions, purchase histories, software downloads, or which edgy Second Life neighborhood one likes to hang out in. Indeed, records of video viewing activity are more strongly protected in the U.S. than many other types of data; other types of information may well prove easier to get. What we leave on remote machines seems to stay there indefinitely, and it's an open book for those with sufficient legal power on their side.

The second lesson is for anybody running a publicly-available server, as many LWN readers do. The video activity database being grabbed by Viacom is said to be about 12 terabytes deep - before getting into the "removed" videos. It should not be surprising that a data stash of that size would attract this kind of action. If you gather together that much information on the behavior of many millions of people, somebody, somewhere, is going to try to get their hands on it. How could it possibly be any other way?

Not enough people are asking this question: why does Google/YouTube hold that much data about its users? Why does it retain the ability to replay their actions years after the fact? And why do "removed" videos not go away? If that data did not exist in the first place, there would be no question of disclosing it to an attacking corporation. A company which keeps that amount of data around is prioritizing whatever commercial value it sees in that data over the privacy and security of its users. And, by inviting raids from corporations (which we hear about) and governments (which we might not hear about), such companies are not helping their own security either.

So there are strong arguments for simply not retaining all that data in the first place. Naturally, some governments are doing their best to force that kind of retention, but that's a different battle. In the absence of legal constraints, a standard policy mandating short data retention periods makes a lot of sense. It behooves all of us to think about what kind of data we leave lying around - either through our activities or by facilitating the activities of others - and to keep it to a minimum. The most secure data is data which does not exist.
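The article's point is that data which is not retained cannot be handed over, and that the four fields in the YouTube logs (time, video, account, IP address) are what make viewers identifiable through correlation. The script below is an added example for this page, not code from the article, Google, YouTube or Viacom; it shows one way a site operator could apply a short retention period and strip the correlating detail from what remains. The view records, the cutoff date and the pseudonym key are constructed samples, and the specific choices (a 30-day window, IPv4 coarsened to /24 and IPv6 to /48, timestamps rounded to the hour, account names replaced by a keyed hash) are this example's assumptions, not anything the article prescribes.

```python
import hashlib
import hmac
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample records in the shape the article describes (time, video,
# account, client IP). No value here is real; addresses are from documentation ranges.
SAMPLE_VIEW_LOG = [
    {"ts": datetime(2008, 5, 20, 14, 3, 7, tzinfo=timezone.utc), "video": "v100",
     "account": "alice", "ip": "198.51.100.23"},
    {"ts": datetime(2008, 6, 28, 9, 41, 55, tzinfo=timezone.utc), "video": "v100",
     "account": "alice", "ip": "198.51.100.23"},
    {"ts": datetime(2008, 7, 1, 22, 15, 0, tzinfo=timezone.utc), "video": "v200",
     "account": "bob", "ip": "2001:db8:1:2::9"},
    {"ts": datetime(2008, 7, 3, 8, 0, 1, tzinfo=timezone.utc), "video": "v200",
     "account": "", "ip": "203.0.113.77"},  # anonymous viewer, no account
]

# Constructed "now" for the example (the date of the article) and an assumed
# 30-day retention window.
SAMPLE_NOW = datetime(2008, 7, 4, tzinfo=timezone.utc)
RETENTION = timedelta(days=30)

# Placeholder secret for the keyed hash. In a real deployment this key would be
# generated per retention window and destroyed with it, so pseudonyms from one
# window cannot be linked to the next.
PSEUDONYM_KEY = b"placeholder-key-rotate-with-each-retention-window"


def expire(records, now=SAMPLE_NOW, retention=RETENTION):
    """Keep only records newer than the retention window; everything older is dropped."""
    cutoff = now - retention
    return [r for r in records if r["ts"] >= cutoff]


def pseudonymize_account(account, key=PSEUDONYM_KEY):
    """Replace an account name with a truncated HMAC-SHA256; empty accounts stay unset.

    A keyed hash (rather than a plain hash) means nobody without the key can
    confirm a guess at the account name, and a different key gives unrelated values.
    """
    if not account:
        return None
    return hmac.new(key, account.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def coarsen_ip(ip_str):
    """Reduce an address to its network prefix: /24 for IPv4, /48 for IPv6."""
    addr = ipaddress.ip_address(ip_str)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def coarsen_time(ts):
    """Round a timestamp down to the hour to weaken time correlation with other logs."""
    return ts.replace(minute=0, second=0, microsecond=0)


def minimize(records, now=SAMPLE_NOW, key=PSEUDONYM_KEY, retention=RETENTION):
    """Apply retention, then strip each surviving record to the coarse form kept for analytics."""
    out = []
    for r in expire(records, now, retention):
        out.append({
            "hour": coarsen_time(r["ts"]),
            "video": r["video"],
            "viewer": pseudonymize_account(r["account"], key),
            "net": coarsen_ip(r["ip"]),
        })
    return out


def minimized_as_strings(records, now=SAMPLE_NOW):
    """Same as minimize(), with the hour rendered as an ISO-8601 string for display."""
    return [dict(m, hour=m["hour"].isoformat()) for m in minimize(records, now)]


if __name__ == "__main__":
    for m in minimized_as_strings(SAMPLE_VIEW_LOG):
        print(m)
```

The retention step runs first so that nothing older than the window survives in any form; the coarsening and pseudonymization then limit what a subpoena could yield from the records that are still needed for per-video view counts. Rotating the HMAC key with each window is the part that matters most: with a single long-lived key, the pseudonyms would still let an outside party link a viewer's activity across months, which is close to what the article says made the raw logs dangerous.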

Page editor: Jonathan Corbet

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds