Fedora Core 2 Test 2 - delayed

Russell Coker russell at coker.com.au
Fri Feb 27 21:39:56 UTC 2004


On Sat, 28 Feb 2004 05:25, Stephen Smalley <sds at epoch.ncsc.mil> wrote:
> On Fri, 2004-02-27 at 13:19, James Harrison wrote:
> > Can we have two kernels - one with SELinux and one without.
>
> Boot with selinux=0, and the SELinux code is disabled.

Also note that the selinux=0 code was written by James Morris not the NSA.  ;)

On Sat, 28 Feb 2004 05:19, James Harrison <jamesaharrisonuk at yahoo.co.uk> wrote:
> I read the wonderful news article about SELinux and how the NSA have
> inserted their "security" code into Linux, but I can't see any technical
> detail.

SE Linux implements the "domain type" security model.  Every object that can 
be accessed by a process (dir, file, socket, etc) has a type.  Every process 
has a domain.  You have a database of rules specifying which domains can 
access each type loaded by the kernel.

When any access is requested first standard Unix checks are performed (i.e. 
UID/GID etc), then after those checks are passed SE Linux checks are 
performed.

If the Unix checks deny an operation then the core SE Linux code will never 
even see it.  There is talk of making changes to this at some future time, 
however the impression is that the main kernel people don't like such ideas.  
Also the current operation is good for the time when SE Linux is becoming 
popular.  Lots of people can be expected to stuff up their policy, and with 
the current setup they can't make things any less secure than a regular Linux 
system.

The domain that a process runs in can be determined by the type of the 
executable (e.g. /sbin/init has type init_exec_t and when kernel_t execs it 
the domain transitions to init_t).  The domain can also be specified by the 
process calling exec (so that /bin/login and sshd can specify the correct 
context for a shell).

There is a lot more than that, roles, identities, constraints, assertions, and 
MLS (which we have no immediate plans to put in Fedora).  But when you first 
start using SE Linux you don't have to worry too much about that.

On Sat, 28 Feb 2004 02:49, "Mike A. Harris" <mharris at redhat.com> wrote:
> It's been scrutinized fairly heavily from what I understand.  One
> of the beautiful things about open source is that anyone can
> scrutinize the source, so it is much more likely to have any
> security holes found and fixed in it.  That's irrespective of
> whether they would be planted or accidental of course.

I know several people who have read through all the SE Linux kernel code and 
looked for bugs/trojans/etc.  Last time I spoke to them about such issues 
none of them were willing to publicly announce this.  Claiming to be good 
enough at kernel coding to find any back-doors written by experts would be a 
significant boast.  But I think that having a number of people look through 
the code gives a good degree of assurance, maybe one or two people might miss 
a bug, but someone would find it.

Finally, there are lots of people who are trying to make a career in computer 
security by finding vulnerabilities.  If they could find a bug in SE Linux 
(either deliberate or accidental) then they would become quite famous very 
quickly.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
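A small model of the check order and exec transition described in the message above, added here as an illustration; it is not Russell's code and not the kernel's implementation. The type names init_exec_t, init_t and kernel_t come from the message; every other type, domain and rule is constructed for the example.

```python
# Toy model of the domain-type (type enforcement) check order from the mail:
# plain Unix DAC first, then the SELinux allow-rule lookup, plus the domain
# transition on exec. Constructed example policy, not Fedora's real policy.
from collections import namedtuple

File = namedtuple("File", "owner mode type")   # mode: owner rwx bits, 0-7
Proc = namedtuple("Proc", "uid domain")

# allow <domain> <type>:file { perms }   (constructed toy policy)
ALLOW = {
    ("kernel_t", "init_exec_t", "file"): {"read", "execute"},
    ("init_t", "etc_t", "file"): {"read"},
    ("user_t", "etc_t", "file"): {"read"},
}
# type_transition <source domain> <exec type>:process <new domain>
TRANSITION = {
    ("kernel_t", "init_exec_t"): "init_t",
    ("init_t", "getty_exec_t"): "getty_t",     # constructed
}

def dac_allows(proc, f, perm):
    """Plain Unix check: root bypasses, otherwise owner needs the mode bit."""
    if proc.uid == 0:
        return True
    bit = {"read": 4, "write": 2, "execute": 1}[perm]
    return f.owner == proc.uid and (f.mode & bit) == bit

def te_allows(proc, f, perm):
    """Type enforcement: default deny unless an allow rule grants perm."""
    return perm in ALLOW.get((proc.domain, f.type, "file"), set())

def access(proc, f, perm):
    """Order the mail describes: a DAC denial means SE Linux never sees it,
    so a sloppy allow rule cannot grant more than plain Unix would."""
    if not dac_allows(proc, f, perm):
        return "denied-by-dac"
    return "allowed" if te_allows(proc, f, perm) else "denied-by-selinux"

def exec_domain(proc, f, requested=None):
    """Domain after exec: a caller-specified context (login/sshd style)
    wins, else the type_transition rule, else the domain is unchanged."""
    if requested is not None:
        return requested
    return TRANSITION.get((proc.domain, f.type), proc.domain)
```

Note that root passing DAC but lacking an allow rule is denied by SE Linux, while an unprivileged user is turned away by DAC before any policy rule is consulted, even a mistakenly permissive one.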
