The Linux Plumbers Conference (LPC) had a full-day security track with
talks on multiple topics of interest—far too many to adequately
cover. So, just a few of the talks will be looked at here. Some
of the other presentations will likely serve as the basis for other
articles on this page in the future.
SELinux in Ubuntu
Caleb Case reported on the status of SELinux in Ubuntu. Since Ubuntu
already uses AppArmor, one of the obvious questions was: why would Ubuntu
add SELinux? Case said that users were asking for it and that having more
options for running SELinux (beyond Fedora/RHEL) was desirable. Ubuntu has
had SELinux available to install since Hardy Heron (8.04), but it has many
more policy modules enabled in Jaunty (9.04) and Karmic (soon to be
The SELinux policy "needs work", Case said, and SELinux in
Ubuntu is "not nearly as slick" as it is in Fedora, but it is
a work in progress. Users can now do an apt-get install selinux,
which will pull in everything that is needed and uninstall AppArmor. The
installation updates initramfs, installs the policy, and schedules
a system relabel.
Policy is loaded from initramfs instead of via a patched
init as has been done in the past. The upstart
maintainers did not want to carry a patch to do policy loading, as they didn't
want to have to patch for each and every Linux Security Module (LSM) that
came along. As it turns out, loading from initramfs is becoming
the popular option. Fedora is doing that via
dracut and someone from the AppArmor team spoke up to note that it
had switched over to loading policy from initramfs as well.
In the future, Case would like to see setroubleshoot added to
Ubuntu and integrated with the desktop. They would like to enable more
policy modules by default, so setroubleshoot would come in handy.
Case said that the Ubuntu policy has fewer confined daemons than Fedora
does, and that the reference policy has not been changed anywhere near as
much as it has for Fedora. He invited the audience to "check it out,
[and] see if it works, or doesn't" and joked that bugs should be
submitted to Red Hat's Dan Walsh.
Smack and applications
Smack developer Casey Schaufler
presented a look at application changes needed to support Smack on Linux.
He started with a brief overview of Smack, including some newer information
on packet labeling that can be used by Smack to enforce various controls on
Not many changes were required to core applications to support Smack.
Things like ls, id, and attr needed to change to
show the Smack labels, while login required changes to set the
Smack label on the user's login shell. mount needed to
support some Smack-specific options for setting default labels on
filesystems, and a new utility, newsmack—an administrative tool
that is used for setting smack
labels on processes and files—was added.
For network applications, sshd needed to be changed to handle the
labeling of the login shell. To support network services running at
different labels, an xinetd-like utility called
smackpolyport was created. It listens at the '*' label and can
spawn services running with other labels to enforce network access
restrictions. There is also work in progress on adding a Smack extension
to the X Access Control Extension
(XACE). There is more work to be done to integrate Smack into window
managers as well as things like D-Bus, he said.
Schaufler has a habit of tweaking the SELinux
development community as part of his talks, and he continued that tradition
at LPC. He was discussing his work on making Smack work with the Oracle
11gR1 database server, and one of the criteria he noted was that it did not
work with SELinux. In fact, the first step in the installation guide is to
turn off SELinux. Some grumbling from the SELinux developers was heard in
response to that, with the indication that it was possible—perhaps
even unofficially working—but there is no public information on
how to run Oracle with SELinux. Schaufler then went through the, fairly simple,
steps he took to make Oracle and Smack work together.
Someone asked Schaufler if Smack had been integrated into any
distributions. He said that Wind River listed Smack in one of its
brochures, and someone from Wind River piped up to say that it was in
versions 2.0 and
3.0 of its Linux product. Schaufler also noted that Philips televisions
will be soon, running Smack.
Why policy is special
Joshua Brindle looked at the interaction between package managers and
SELinux policies, noting that installing policies is very different than
application installation. There are policies available for more than 290
applications currently that are typically packaged by distributions, often
after some customization is done. For rpm-based distributions, policies
get loaded via post-script sections, which can lead to problems
that require user intervention if the policy module fails to load.
In addition, third-parties (like Oracle) have a hard time supporting
policies for their packages, he said. There are "numerous
hacks" to support policy loading. In general, policies just do not
fit well into the current application installation model.
Policy is different because it potentially affects the entire system,
unlike an application. Policies should be loaded before the applications
they affect, or else there is a window in which the application is present,
but the labels and policies have not been changed. If the policy fails to
load, the application should not be installed, but under the current
system, there is no way for rpm to roll the installation back if the
post-script section fails.
Policies may also affect multiple applications and their interactions. In
many cases, the policy should not be removed if the application is, because
there may be user data that is protected by that policy. In addition,
other applications may require the policies to be present so they can
access the data. So, Brindle said,
a new approach is needed. The goal of that work is to include the policy
with the distribution package such that policies are installed first,
"without hacks", and are part of the installation transaction,
so they can be rolled back in the case of failure.
Brindle outlined additional goals of this work, which is initially targeted
at rpm: supporting various corner cases like cross-installs and
bootstrap installs. Helping third-parties distribute policies for their
applications is also an explicit goal, so there needs to be support for
multiple policies and policy types (e.g. targeted), as well as support for different
distributions and releases. Overall, he summed up the goals as trying to
"make life with SELinux easier".
The initial patch to rpm adds policy loading support before the
transaction. A second patch changes the %Policy directive to
support policy renaming as well as allowing policies to obsolete one
another. In addition, the changes to the %Policy directive allow
for different policies based on the policy type of the
system. Additional patches will support bootstrapping and
chroot() installations. Those patches will also add the policies
to the rpm database, which will allow the user to change the
system policy type while giving rpm the information it needs to
install the proper policy.
There is more work to be done, of course. One area that needs to be
addressed is how to inform the administrator of policy changes that are
being done by a package. Packages from dubious sources could install
policies that have the effect of disabling some or all SELinux protections,
so administrators need to be informed. There may be support added for
differing levels of trust based on where the package file came from, so
that administrators can enforce restrictions on what kind of policies
packages can install.
The most popular attendee was clearly the AVC cow, which made
an appearance in Eamon Walsh's demo of XACE. The cow popped up whenever
there was an AVC denial from SELinux,
which led to calls for more violations so the cow would pop up again. As
Dan Walsh (no relation) noted in his blog linked above, it is proof that
at least some folks at the NSA (where Eamon Walsh works) have a
sense of humor.
Other talks in the track were Dan Walsh's presentation on "sandbox -X", a look at
the kernel crypto subsystem by Herbert Xu, David Safford on using the
Integrity Management Architecture (IMA), James Carter on a new SELinux policy
infrastructure, and a discussion of how to make SELinux easier to use led
by Bryan Jacobson. The slides for each of the talks are available on the
LPC Program page.
There was a fair amount of audience participation, both in terms of
questions and suggestions, throughout the sessions; very much in keeping
with the mission of LPC. Overall, it was a very
useful track for anyone trying to keep up with security in Linux.
to post comments)