LPC: Three sessions from the security track

This article brought to you by LWN subscribers.

The Linux Plumbers Conference (LPC) had a full-day security track with talks on multiple topics of interest—far too many to adequately cover. So, just a few of the talks will be looked at here. Some of the other presentations will likely serve as the basis for other articles on this page in the future.

SELinux in Ubuntu

Caleb Case reported on the status of SELinux in Ubuntu. Since Ubuntu already uses AppArmor, one of the obvious questions was: why would Ubuntu add SELinux? Case said that users were asking for it and that having more options for running SELinux (beyond Fedora/RHEL) was desirable. Ubuntu has had SELinux available to install since Hardy Heron (8.04), but it has many more policy modules enabled in Jaunty (9.04) and Karmic (soon to be released 9.10).

The SELinux policy "needs work", Case said, and SELinux in Ubuntu is "not nearly as slick" as it is in Fedora, but it is a work in progress. Users can now do an apt-get install selinux, which will pull in everything that is needed and uninstall AppArmor. The installation updates initramfs, installs the policy, and schedules a system relabel.

Policy is loaded from initramfs instead of via a patched init as has been done in the past. The upstart maintainers did not want to carry a patch to do policy loading, as they didn't want to have to patch for each and every Linux Security Module (LSM) that came along. As it turns out, loading from initramfs is becoming the popular option. Fedora is doing that via dracut and someone from the AppArmor team spoke up to note that it had switched over to loading policy from initramfs as well.

In the future, Case would like to see setroubleshoot added to Ubuntu and integrated with the desktop. They would like to enable more policy modules by default, so setroubleshoot would come in handy. Case said that the Ubuntu policy has fewer confined daemons than Fedora does, and that the reference policy has not been changed anywhere near as much as it has for Fedora. He invited the audience to "check it out, [and] see if it works, or doesn't" and joked that bugs should be submitted to Red Hat's Dan Walsh.

Smack and applications

Smack developer Casey Schaufler presented a look at application changes needed to support Smack on Linux. He started with a brief overview of Smack, including some newer information on packet labeling that can be used by Smack to enforce various controls on network traffic.

Not many changes were required to core applications to support Smack. Things like ls, id, and attr needed to change to show the Smack labels, while login required changes to set the Smack label on the user's login shell. mount needed to support some Smack-specific options for setting default labels on filesystems, and a new utility, newsmack—an administrative tool that is used for setting Smack labels on processes and files—was added.

For network applications, sshd needed to be changed to handle the labeling of the login shell. To support network services running at different labels, an xinetd-like utility called smackpolyport was created. It listens at the '*' label and can spawn services running with other labels to enforce network access restrictions. There is also work in progress on adding a Smack extension to the X Access Control Extension (XACE). There is more work to be done to integrate Smack into window managers as well as things like D-Bus, he said.

Schaufler has a habit of tweaking the SELinux development community as part of his talks, and he continued that tradition at LPC. He was discussing his work on making Smack work with the Oracle 11gR1 database server, and one of the criteria he noted was that it did not work with SELinux. In fact, the first step in the installation guide is to turn off SELinux. Some grumbling from the SELinux developers was heard in response to that, with the indication that it was possible—perhaps even unofficially working—but there is no public information on how to run Oracle with SELinux. Schaufler then went through the fairly simple steps he took to make Oracle and Smack work together.

Someone asked Schaufler if Smack had been integrated into any distributions. He said that Wind River listed Smack in one of its brochures, and someone from Wind River piped up to say that it was in versions 2.0 and 3.0 of its Linux product. Schaufler also noted that Philips televisions are, or will be soon, running Smack.

Why policy is special

Joshua Brindle looked at the interaction between package managers and SELinux policies, noting that installing policies is very different from application installation. There are policies available for more than 290 applications currently that are typically packaged by distributions, often after some customization is done. For rpm-based distributions, policies get loaded via post-script sections, which can lead to problems that require user intervention if the policy module fails to load.

In addition, third-parties (like Oracle) have a hard time supporting policies for their packages, he said. There are "numerous hacks" to support policy loading. In general, policies just do not fit well into the current application installation model.

Policy is different because it potentially affects the entire system, unlike an application. Policies should be loaded before the applications they affect, or else there is a window in which the application is present, but the labels and policies have not been changed. If the policy fails to load, the application should not be installed, but under the current system, there is no way for rpm to roll the installation back if the post-script section fails.

Policies may also affect multiple applications and their interactions. In many cases, the policy should not be removed if the application is, because there may be user data that is protected by that policy. In addition, other applications may require the policies to be present so they can access the data. So, Brindle said, a new approach is needed. The goal of that work is to include the policy with the distribution package such that policies are installed first, "without hacks", and are part of the installation transaction, so they can be rolled back in the case of failure.

Brindle outlined additional goals of this work, which is initially targeted at rpm: supporting various corner cases like cross-installs and bootstrap installs. Helping third-parties distribute policies for their applications is also an explicit goal, so there needs to be support for multiple policies and policy types (e.g. targeted), as well as support for different distributions and releases. Overall, he summed up the goals as trying to "make life with SELinux easier".

The initial patch to rpm adds policy loading support before the transaction. A second patch changes the %Policy directive to support policy renaming as well as allowing policies to obsolete one another. In addition, the changes to the %Policy directive allow for different policies based on the policy type of the system. Additional patches will support bootstrapping and chroot() installations. Those patches will also add the policies to the rpm database, which will allow the user to change the system policy type while giving rpm the information it needs to install the proper policy.
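To make the ordering and rollback argument concrete, here is a small constructed Python model (added here; it is not rpm's code or Brindle's patches, and the package and policy names are made up). It contrasts the old post-script flow, where files land before the policy and a failed load leaves them unconfined, with a policy-first transaction that rolls everything back on failure.

```python
from dataclasses import dataclass, field

class PolicyLoadError(Exception):
    """Raised when a policy module fails to load (constructed for this model)."""

@dataclass
class Package:
    name: str
    files: set
    policy: str = ""              # policy module shipped with the package, if any
    policy_broken: bool = False   # constructed flag: simulate a module that fails to load

@dataclass
class System:
    policies: set = field(default_factory=set)
    files: set = field(default_factory=set)
    log: list = field(default_factory=list)   # ordered record of what landed when

    def load_policy(self, pkg):
        if pkg.policy_broken:
            raise PolicyLoadError(pkg.policy)
        self.policies.add(pkg.policy)
        self.log.append(("policy", pkg.policy))

    def install_files(self, pkg):
        self.files |= pkg.files
        self.log.append(("files", pkg.name))

def postscript_install(system, pkg):
    """Old rpm model: files land first, then a %post script loads the policy.
    If the load fails, the files stay on disk with no policy and no rollback."""
    system.install_files(pkg)
    try:
        if pkg.policy:
            system.load_policy(pkg)
        return True
    except PolicyLoadError:
        return False

def transactional_install(system, pkgs):
    """Policy-first model: every policy loads before any file lands, and a
    load failure rolls the whole transaction back to the saved state."""
    saved = (set(system.policies), set(system.files), list(system.log))
    try:
        for pkg in pkgs:
            if pkg.policy:
                system.load_policy(pkg)
        for pkg in pkgs:
            system.install_files(pkg)
        return True
    except PolicyLoadError:
        system.policies, system.files, system.log = saved
        return False

def unconfined_window(system, pkg):
    """True if pkg's files were on disk before its policy was loaded."""
    events = [e[0] for e in system.log if e in (("files", pkg.name), ("policy", pkg.policy))]
    return events[:1] == ["files"]
```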

There is more work to be done, of course. One area that needs to be addressed is how to inform the administrator of policy changes that are being done by a package. Packages from dubious sources could install policies that have the effect of disabling some or all SELinux protections, so administrators need to be informed. There may be support added for differing levels of trust based on where the package file came from, so that administrators can enforce restrictions on what kind of policies packages can install.

Other talks

The most popular attendee was clearly the AVC cow, which made an appearance in Eamon Walsh's demo of XACE. The cow popped up whenever there was an AVC denial from SELinux, which led to calls for more violations so the cow would pop up again. As Dan Walsh (no relation) noted in his blog linked above, it is proof that at least some folks at the NSA (where Eamon Walsh works) have a sense of humor.

Other talks in the track were Dan Walsh's presentation on "sandbox -X", a look at the kernel crypto subsystem by Herbert Xu, David Safford on using the Integrity Management Architecture (IMA), James Carter on a new SELinux policy infrastructure, and a discussion of how to make SELinux easier to use led by Bryan Jacobson. The slides for each of the talks are available on the LPC Program page. There was a fair amount of audience participation, both in terms of questions and suggestions, throughout the sessions; very much in keeping with the mission of LPC. Overall, it was a very useful track for anyone trying to keep up with security in Linux.

