yep, or /udev (configured in the udev config file) if its tmpfs, this would void the requirement of passing a mount option fscontext, udev would set the correct context when started up (a check could also be added to do this only if the mount point is /dev and its tmpfs... *shrug*) *nod* I applied the patch to tmpfs to make it store xattr attributes which i found on the mailing list, seems your patch forgets xattr.h? I also applied the patch which adds "matchpathcon()" & "setfscreatecon()" support, and modified udev to set the correct context of its root_path on startup. at boot time i have about 5 devices in /dev with correct contexts set, udev them mounts tmpfs over this, WorksForMe(tm) so in actual fact we do need matchpathcon() & setfscreatecon(), if its a persistent or non-persistent filesystem i have a simple persistent /dev which is used before udev runs, udev is then initialized, mounts a tmpfs over /dev (and restores its context) just after sysctl -p is run in my initscripts so its basically one of the first things to run. Seeing as my initial /dev is on a persistent filesystem i don't have a problem with pre-udev stuff running. -- Nigel Kukard, PhD CompSc (Chief Executive Officer) Linux Based Systems Design (Non-Profit) Web: www.lbsd.net Email: nkukard(a)lbsd.net Tel: (+27) 023 349 8000 Cell: (+27) 082 333 3723 Fax: (+27) 023 349 1395 Support: 086 747 7600 Address: LIGT House, 2 Klipdrift Rd, Rawsonville Linux Systems Design & Technology Solutions The best language to use is the language that was designed for what you want to use it for. ===================================================================== Disclaimer ---------- The contents of this message and any attachments are intended solely for the addressee's use and may be legally privileged and/or confidential information. This message may not be retained, distributed, copied or used if you are not he addressee of this message. If this message was sent to you in error, please notify the sender immediately by reply e-mail and then destroy the message and any copies thereof. Opinions, conclusions and other information in this message may be personal to the sender and is not that of Linux Based Systems Design, LinuxRulz or any of it's subsideries, associated companies or principals and is therefore not endorsed by Linux Based Systems Design or LinuxRulz. Due to e-maill communication being insecure, Linux Based Systems Design and LinuxRulz do not guarantee confidentiality, security, accuracy or performance of the e-mail. Any liability for viruses is excluded to the fullest extent.

On Tue, Aug 31, 2004 at 10:49:08AM +0100, Luke Kenneth Casson Leighton wrote: no... it just depends how you want it configured ;-) *nod*, i'm pondering creating the patches... let me see what i can do cool, that will at least remove 1 patch out my build tree nope.... mount -t ramfs none /dev then run udevstart (udevstart does the C call to restorecon on root_path, so it ends up being labeled with whatever is configured) correct, not sure if this is the 100% right way to do it though, I think it would be better for the capabilities of the fs to be set properly instead of commenting out code, this will have better chance being included mainstream. correct!, it does the restore in udevstart got no reason to add other entries to the pre-udev /dev, so as I said ItWorksForMe(tm). yep, i'm 100% aware of this... i don't need /.dev, nor do I have it, nor do I want it ... heh, on installation of our distribution the pre-udev /dev is created and labeled correctly. yep, but as I said... i don't label pre-udev /dev when udev is running, before I added it to our distro installer I mounted /dev/hda1 (root) as /mnt/hda1, chroot'd onto it and re-labeled the files there (basically the same thing our installer does) thats a good idea ;-), although in "my" case didn't need it. i don't have any problems with this ;-) no probs with any of these either (and yes we do use them), the pc i'm on runs dual-head nvidia ;-) every distro is different, so i would expect some to gulp bubbles and some not to... *shrug* we load them after udev, and everything ends up labeled correctly... for instance... ot(a)localhost.localdomain policy]# ls -Z /dev/ppp ls: /dev/ppp: No such file or directory [root(a)localhost.localdomain policy]# modprobe ppp_generic [root(a)localhost.localdomain policy]# ls -Z /dev/ppp crw------- root root system_u:object_r:ppp_device_t /dev/ppp [root(a)localhost.localdomain policy]# if you need any of my initscripts or anything, give me a shout, i've nearly got a 100% functional selinux enabled server! ;-) just writing a few security policies -- Nigel Kukard, PhD CompSc (Chief Executive Officer) Linux Based Systems Design (Non-Profit) Web: www.lbsd.net Email: nkukard(a)lbsd.net Tel: (+27) 023 349 8000 Cell: (+27) 082 333 3723 Fax: (+27) 023 349 1395 Support: 086 747 7600 Address: LIGT House, 2 Klipdrift Rd, Rawsonville Linux Systems Design & Technology Solutions The best language to use is the language that was designed for what you want to use it for. ===================================================================== Disclaimer ---------- The contents of this message and any attachments are intended solely for the addressee's use and may be legally privileged and/or confidential information. This message may not be retained, distributed, copied or used if you are not he addressee of this message. If this message was sent to you in error, please notify the sender immediately by reply e-mail and then destroy the message and any copies thereof. Opinions, conclusions and other information in this message may be personal to the sender and is not that of Linux Based Systems Design, LinuxRulz or any of it's subsideries, associated companies or principals and is therefore not endorsed by Linux Based Systems Design or LinuxRulz. Due to e-maill communication being insecure, Linux Based Systems Design and LinuxRulz do not guarantee confidentiality, security, accuracy or performance of the e-mail. Any liability for viruses is excluded to the fullest extent.

On Tue, Aug 31, 2004 at 10:49:08AM +0100, Luke Kenneth Casson Leighton wrote: it's insufficient to add /.?u?dev to just file_contexts/types.fc you also have to search in file_contexts/program/* for /dev and set the right context there, too. there is i believe a bug at present in e.g. file_contexts/program/init.fc because it only covers /dev/initctl not /udev/initctl and not /.dev/initctl. i think this one is the only one that's really really critical [except on redhat of course where they all should be /u?dev] because if /.dev/initctl gets set to default_t, you're stuffed at next boot. l.

correct correct aha, u correct!!!! perfect!!!!, so that solves the need for the hooks patch, which is in actual fact wrong. *nod* yep had to add quite a couple more, but i'm still working on that to make it "correct" i need this aswell.... which is very interesting, so my "way of doing it" doesn't solve this problem. i'll keep looking for the solution this doesn't cause the problem, its something else correct, i'm still working on it though and it HAS TO BE COMPLETED SOON!!!! *shrug*, just a different outlook, patching userspace instead of kernel space kernel developers will very much not like to get patches unless for a very good reason... *shrug*... guess i have the totally oposite outlook than you, i've had quite a number of my patches go mainstream though -Nigel -- Nigel Kukard, PhD CompSc (Chief Executive Officer) Linux Based Systems Design (Non-Profit) Web: www.lbsd.net Email: nkukard(a)lbsd.net Tel: (+27) 023 349 8000 Cell: (+27) 082 333 3723 Fax: (+27) 023 349 1395 Support: 086 747 7600 Address: LIGT House, 2 Klipdrift Rd, Rawsonville Linux Systems Design & Technology Solutions The best language to use is the language that was designed for what you want to use it for.

On Tue, 2004-08-31 at 15:18, Luke Kenneth Casson Leighton wrote: It provides control over the set of files that can live in a given filesystem, based on their security types (equivalence classes). As you are now creating device types in a different filesystem type, further allow rules are needed to allow that association. The more important issue is that fscontext= lets you set the superblock security context, not just the root directory context. restorecon can't do that. -- Stephen Smalley <sds(a)epoch.ncsc.mil&gt; National Security Agency

This should be of great assistance with two home projects currently and 1 work project due to the filesystem types. I am still working through size issues and further locking down the images. Project 1 = SE Linux image for Netgear MR314 Wireless Lan Router Project 2 = SE Linux image for Cisco 2501 Router Project 3 = Debian Sarge Server build on SGI Octane with reiserfs ( Work for Network Management Server ) Thanks, Jim McCullough On Tue, 31 Aug 2004 21:02:10 +0100, Luke Kenneth Casson Leighton <lkcl(a)lkcl.net&gt; wrote: -- Jim McCullough

On Tue, Aug 31, 2004 at 08:18:10PM +0100, Luke Kenneth Casson Leighton was heard to remark: Totally off-topic remark, unrelated to anything, but I'm waiting for somethig to compile :) Every now and then, I look at SELinux, and I get scared away by its complexity. This complexity makes it very hard to audit, and assure oneself that its actually providing any real security, as opposed to the illusion of security. During this email thread, there are references to mysterious rules that neither party in the conversation fully understands; this scares me. Compare this to less complex security provided by e.g. the Linux VServer project. VServer is intended to allow an ISP to pretend they have a rack of 100 cpu's all running linux, when in fact they have just one. The fact that it provides security is a side-effect; but its far simpler, far easier to audit, and allows me to sleep at night. Another example: Way back in the kernel-2.2 timeframe, I hacked on something neat: 'LOMAC': if you came in from a network connection, you lost permission to do almost anything, other than to e.g. webserve. The system was simple, worked well, the kernel patches were easy to audit, you could go home without worrying about priveledge escalation. Compare that to this thread, where we are talking about atomic vs. non-atomic restoration of context for udev-mounted temp file systems. Shudder. This seems to be begging for an exploit to be discovered. Are we sure that SELinux is really on the right track here? --linas

[ The CC list here is rather nuts, someone needs to trim it...] On Tue, 2004-08-31 at 17:44 -0500, Linas Vepstas wrote: It is actually not that complicated, but if you're unfamiliar with mandatory access control (as I was when I first started learning about SELinux), it does require understanding some theory before you dive in. Because two people in a thread don't understand SELinux, that means that it's too complex? I can certainly find plenty of examples of people not understanding Linux on linux-kernel; does that imply Linux is too complex? VServer isn't solving the same problem as SELinux. VServer is really a virtualization solution. For example, it would make sense to run *both* a virtualization solution like VServer (or Xen, which looks more promising), and SELinux at the same time. That way, if e.g. the bind daemon running in one of the virtualized servers gets cracked, it doesn't mean a compromise of the whole virtual server. Now, you can use a virtualization technology as a primitive form of separation by running e.g. your MTA in one virtual server, your name server in another, etc. But that's rather painful, and is only an approximation to least privilege. That's also a rather blunt tool; SELinux is much more flexible. I doubt it. Files created in /dev should have a default type like device_t which most domains will not have access to. Given the amount of research behind SELinux, and the amount of work being done on it, I think so, yes.

Linas Vepstas linas-at-austin.ibm.com |fedora| wrote: Has anyone been working on a graphical representation to the rules and current labeling for visualizing a rulebase/system/runtime configuration? It seems to me that for Fedora/SELinux to go mainstream some form of a visual auditing tool would be required. Being able to take some entity such as a file system or running process and visually displaying the access permissions in the context of privileges granted to a user or process would go a long way towards SE's mainstream adoption. If such a tool were to also help the admin rewrite the rules based on changes to entities while walking down the directory tree it would put SELinux in a much better position for the average admin. Of course such a tool would require careful though in the design due to the desired separation of duties (e.g. auditing vs. administration privs) and the rule definition v.s. Application thereof v.s. the runtime contexts for a given user/process. I have to admit that I have been merely lurking here for a while and have not yet installed SELinux on anything as of yet. My “lurking” rather than “doing” is due mostly to my time limitations, and the thought of making my system unusable for my real work because I would have no way to understand all the rules in such short order. If I could see the effects of making a given change (e.g. color coding, symbolic representation) to the system before actually applying that change (relabeling) then I would be much less hesitant to convert everything over to FC2/3 with SELinux as my primary reason for migrating. From what I can see so far SELinux is great stuff, and I praise everyone working on it for such dedicated work! Thanks to all.

-----Original Message----- From: fedora-selinux-list-bounces(a)redhat.com [mailto:fedora-selinux-list-bounces@redhat.com] On Behalf Of Stephen Smalley Sent: Thursday, September 02, 2004 11:11 AM To: Fedora SELinux support list for users & developers. Cc: linux-hotplug-devel(a)lists.sourceforge.net; SELinux; Bill Nottingham; Colin Walters; Nigel Kukard; harald(a)redhat.com Subject: Re: [OT] SELinux vs. other systems [was Re: [idea] udev + selinux] On Wed, 2004-09-01 at 13:25, Linas Vepstas wrote: The complexity of the rules reflect the complexity of the existing Linux system and its interactions; SELinux didn't introduce that complexity - SELinux just enables you to control what happens in that complex system. No criticism intended of Linux; the same would apply to any mainstream operating system, and the complexity just reflects real world requirements. And you do have the option of reducing the visible complexity based on your security goals; if you don't care about the interactions among a set of processes/resources, you fold the domain and type space accordingly. The targeted policy is an example of doing that to an extreme. Analysis of that complexity _does_ require automated tools, and such tools exist. apol (yum install setools setools-gui) provides support for analysis, including domain transitions and information flow. slat (available from the NSA SELinux site or MITRE) does security goal checking using a model checker. Gokyo from IBM Watson (which AFAIK is unfortunately not released publically yet, perhaps you could encourage that to happen) analyzes against Biba integrity constraints and identifies exceptions for further examination. The policy maintainers for the various distros are not anonymous and appear to take their work quite seriously; rejecting policy changes despite a reduction in functionality is not uncommon. You seem to be assuming that policy for each package is maintained by the individual package maintainers; that isn't the case, and likely never will be. Ditto for sysadmins; most of them should never touch policy at all. Reality is complex. Deal with it. Being confident in the correctness of an inadequate security model doesn't help much. It isn't actually possible to implement LOMAC via SELinux, but that's another topic. Until Grandma wants to do useful work. Simple security models are nice to look at, but they don't capture the behavior of real systems, and it doesn't matter that the model is "secure"; you just break one of the trusted subjects authorized to override the security model in order to get the real work done. SELinux policy may look weaker to you, but it actually represents what is being allowed in the system; no exceptions. -- Stephen Smalley <sds(a)epoch.ncsc.mil&gt; National Security Agency -- fedora-selinux-list mailing list fedora-selinux-list(a)redhat.com http://www.redhat.com/mailman/listinfo/fedora-selinux-list

On Thu, Sep 02, 2004 at 12:29:07PM -0500, Linas Vepstas wrote: [this is all with the strict policy 1.14 mostly sortof btw] i've installed clamav, spamassassin, razor and pyzor. oh, and freshclam. i then found a little script called clamassassin [google], i then searched [google] for some advice on how to set up kmail filters. kmail, the clamassassin script and spamc all run under the user context. the user context is given the right to bind to servers. spamd and clamd both run as servers: they have their own policies that restrict their operation to what is known that they presently do, but they are allowed to listen to incoming requests [from spamc and the clamassassin script respectively.] selinux doesn't in the _slightest_ bit get in the way. the only thing that i did find is that razor is a complete pain. it endeavours to write log files into /root/razor.log, /tmp/razor.log, /razor.log, it's a pain, and selinux is _exactly_ the sort of thing that can detect - and stop! - this behaviour. pyzor appears to be a lot less haphazard. also nobody else appears to have tried to run freshclam [automatic update script] before now, so i had to hack the clamav.te policy a bit to get it to run. l.

On Thu, Sep 02, 2004 at 10:15:20PM +1000, Russell Coker was heard to remark: policy. I wasn't refering to them, the posters to the thread were. Unfortunately, I've already deleted those emails. OK. Well, here's another idle question, again off-topic: Does SELinux provide any sort of assurances that storage media weren't tampered with between reboots? For example, with BIOS/firmware getting more sophisticated over time, there's potential for an attacker to break in, remotely, into bios/firmware, shortly before booting into the OS, and then alter disk contents. Yes, I know this is far-fetched, but was just curious. What got me going on that thread was thinking about udev/hotplug again: with devices coming and going, disappearing and re-appearing, it isn't obvious that there wasn't tampering while the device was gone. Again, excuse me if this sounds naive, un-informed or far-fetched, or terribly off-topic, but: In ye olden days, viruses spread through diskettes. These days, we're plugging-n-playing usb keychains, cameras, ipods, bluetooth this-n-that; although I haven't heard of attacks carried out through these media, its not obivious that these couldn't be carriers for an attack. --linas

Russell Coker wrote: there is a second option (also bios and startup related): you can put an additional pci-extension-bios to any pci-card which have a own pci-extension-bios for setting up its hardware, the chips are usaly 64k but not fully used (graficcard, networkcard, ...) and the point is, the standard allows you to put several pci-extension-bios-images into one of such eeproms which just point to each other and get called through the main-bios so its not really necessary to exchange the system bios, get your hands on a pci-card with a extension-bios may be enough... so keep your eyes open if you change hardware ;) and this is working practical, i have written a pci-extension-bios which actuly was sitting at (in this case) the network card for reading/setting bios-settings (nvram) during boot-up process at the serial port some years ago (was for some semiautomatic setting up process of 'black-box' hardware with no keyboard monitors attached to it) ok - second problem here, would be getting the code surviving in ram the boot-up sequence of the operating system, but i'm sure this won't be any problem for some ppl with the necessary skills i'm not sure about the pci-x-standard, but i think this could be working similar greetings dalini

On Sat, 4 Sep 2004 20:54, Ives Steglich <fedora-se-linux(a)dalini.de&gt; wrote: Good point. However one limitation of this is that it won't work so well for laptops. The idea of replacing a BIOS was first suggested to me after a discussion of an advertised security product which had some very suspect claims about it's performance. The claim that it could survive a re-install of Windows seemed difficult to believe and a modified BIOS was the only suggestion of a possible way of doing it. That is solvable too. It would have to decompress the kernel image, modify the kernel code in some subtle way (EG making some security check function in the kernel be a noop), re-compress the kernel image and then present it to the boot loader upon read requests. It's difficult, but not impossible. -- http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark http://www.coker.com.au/postal/ Postal SMTP/POP benchmark http://www.coker.com.au/~russell/ My home page