SELinux Userspace 2.7

A few days ago, Jason "perfinion" Zaman stabilized the 2.7 SELinux userspace on Gentoo. This release has quite a few new features, which I'll cover in later posts, but for distribution packagers the main change is that the userspace now has many more components to package. The project has split up the policycoreutils package in separate packages so that deployments can be made more specific.

Let's take a look at all the various userspace packages again, learn what their purpose is, so that you can decide if they're needed or not on a system. Also, when I cover the contents of a package, be aware that it is based on the deployment on my system, which might or might not be a complete installation (as with Gentoo, different USE flags can trigger different package deployments).

libsepol - manipulating SELinux binary policies

The first package, known in Gentoo as sys-libs/libsepol, is the library that enables manipulating the SELinux binary policies. This is a core library, and is the first SELinux userspace package that is installed on a system.

It contains one command, chkcon, which allows users to validate if a specific security context exists within a binary policy file:

~$ chkcon policy.29 user_u:user_r:mozilla_t:s0
user_u:user_r:mozilla_t:s0 is valid

The package does contain two manpages of old commands which are no longer available (or I'm blind, either way, they're not installed and not found in the SELinux userspace repository either) such as genpolusers and genpolbools.

libselinux - the main SELinux handling library

The libselinux library, known in Gentoo as sys-libs/libselinux, is the main SELinux library. Almost all applications that are SELinux-aware (meaning they not only know SELinux is a thing, but are actively modifying their behavior with SELinux-specific code) will link to libselinux.

Because it is so core, the package also provides the necessary bindings for different scripting languages besides the standard shared objects approach, namely Python (as many SELinux related tooling is written in Python) and Ruby.

Next to the bindings and libraries, libselinux also offers quite a few executables to query and manipulate SELinux settings on the system, which are shortly described on the SELinux userspace wiki but repeated here for convenience. Most of these are meant for debugging purposes, as they are simple wrappers toward the libselinux provided functions, but some of them are often used by administrations.

  • avcstat gives statistics about the in-kernel access vector cache, such as number of lookups, hits and misses
  • compute_create queries the kernel security server for a transition decision
  • compute_av queries the kernel security server for an access vector decision
  • compute_relabel queries the kernel security server for a relabel decision
  • compute_member queries the kernel security server for a labeling decision on a polyinstantiated object
  • getconlist uses the security\_compute\_user() function, and orders the resulting list based on the default\_contexts file and per-user context files
  • getdefaultcon is like getconlist but only returns the first context
  • compute_user queries the kernel security server fo a set of reachable user contexts from a source context
  • getfilecon gets the context of a file by path
  • getpidcon gets the context of a process by PID
  • getseuser queries the seuser file for the resulting SELinux user and contxt for a particular linux login and login context
  • getsebool gets the current state of a SELinux boolean in the SELinux security server
  • matchpathcon queries the active filecontext file for how a particular path should be labeled
  • policyvers queries the kernel security server for the maximum policy version supported
  • getenforce gets the enforcing state of the kernel access vector cache
  • sefcontext_compile generates binary filecontext files, optimized for fast querying
  • selabel_lookup looks up what the target default context is for various classes (supporting the X related SELinux types, database types, etc.)
  • selabel_digest calculates the SHA1 digest of spec files, and returns a list of the specfiles used to calculate the digest. This is used by Android.
  • selabel_partial_match determines if a direct or partial match is possible on a file path
  • selabel_lookup_best_match obtains the best matching SELinux security context for file-based operations
  • selinux_check_securetty_context checks whether a SELinux tty security context is defined as a securetty context
  • selinux_check_access checks if the source context has the access permission for the specified class on the target context
  • selinuxexeccon reports the SELinux context for an executable
  • selinuxenabled returns if SELinux is enabled or not
  • setfilecon sets the context of a path
  • setenforce sets the enforcing state of the kernel access vector cache
  • togglesebool toggles a SELinux boolean, but only runtime (so it does not persist across reboots)

checkpolicy - policy compiler

The checkpolicy package, known in Gentoo as sys-apps/checkpolicy, provides two main applications, checkpolicy and checkmodule. Both applications are compilers (unlike what the name implies) which build a binary SELinux policy. The main difference between these two is that one builds a policy binary, whereas the other one builds a SELinux module binary.

Developers don't often call these applications themselves, but use the build scripts. For instance, the semodule_package binary would be used to combine the binary policy with additional files such as file contexts.

libsemanage - facilitating use of SELinux overall

The libsemanage library, known in Gentoo as sys-libs/libsemanage, contains SELinux supporting functions that are needed for any regular SELinux use. Whereas libselinux would be used everywhere, even for embedded systems, libsemanage is generally not for embedded systems but is very important for Linux systems in overall.

Most SELinux management applications that administrators come in contact with will be linked with the libsemanage library. As can be expected, the semanage application as offered by the selinux-python package is one of them.

The only application that is provided by libsemanage is the semanage_migrate_store, used to migrate the policy store from the /etc/selinux to the /var/lib/selinux location. This was done with the introduction of the 2.4 userspace.

selinux-python - Python-based command-line management utilities

The selinux-python package, known in Gentoo as sys-apps/selinux-python, is one of the split packages that originally where part of the policycoreutils package. It contains the majority of management utilities that administrators use for handling SELinux on their systems.

The most known application here is semanage, but it contains quite a few others as well:

  • sepolgen generates an initial SELinux policy module template, and is short for the sepolicy generate command
  • audit2why translates SELinux audit messages into a description of why the access was denied. It is short for the audit2allow -w command.
  • audit2allow generates SELinux policy allow/dontaudit rules from logs of denied operations
  • sepolgen-ifgen generates an overview of available interfaces. This overview is used by audit2allow to guess the right interface to use when allowing or dontauditing certain operations.
  • sepolicy is the SELinux policy inspection tool, allowing to query various aspects of a SELinux configuration (namely booleans, communication flows, interfaces, network information and transition information). It also provides the ability to generate skeleton policies (as described with sepolgen) and manual pages.
  • chcat changes a file's SELinux security category
  • sepolgen-ifgen-attr-helper generates an overview of attributes and attribute mappings. This overview is used by audit2allow to guess the right attribute to use when allowing or dontauditing certain operations.
  • semanage is a SELinux policy management tool, allowing a multitude of operations against the SELinux policy and the configuration. This includes definition import/export, login mappings, user definitions, ports and interface management, module handling, file contexts, booleans and more.

semodule-utils - Developing SELinux modules

The semodule-utils package, known in Gentoo as sys-apps/semodule-utils, is another split package that originally was part of the policycoreutils package. In it, SELinux policy module development utilities are provided. The package is not needed for basic operations such as loading and unloading modules though.

  • semodule_expand expands a SELinux base module package into a kernel binary policy file
  • semodule_deps shows the dependencies between SELinux policy packages
  • semodule_link links SELinux policy module packages together into a single SELinux policy module
  • semodule_unpackage extracts a SELinux module into the binary policy and its associated files (such as file context definitions)
  • semodule_package combines a modular binary policy file with its associated files (such as file context definitions) into a module package

mcstrans - Translate context info in human readable names

The mcstrans package, known in Gentoo as sys-apps/mcstrans, is another split package that originally was part of the policycoreutils package. In it, the MCS translation daemon is hosted. This daemon translates the SELinux-specific context ranges, like s0-s0:c0.c1024 to a human-readable set, like SystemLow-SystemHigh.

This is a purely cosmetic approach (as SELinux internally always uses the sensitivity and category numbers) but helps when dealing with a large number of separate categories.

restorecond - Automatically resetting file contexts

The restorecond package, known in Gentoo as sys-apps/restorecond, is another split package that originally was part of the policycoreutils package. It contains the restorecond daemon, which watches over files and directories and forces the right SELinux label on it.

This daemon was originally intended to resolve a missing feature in SELinux (having more fine-grained rules for label naming) but with the named file transition support, the need for this daemon has diminished a lot.

secilc - SELinux common intermediate language compiler

The secilc package, known in Gentoo as sys-apps/secilc, is the CIL compiler which builds kernel binary policies based on the passed on CIL code. Although the majority of policy development still uses the more traditional SELinux language (and supporting macro's from the reference policy), developers can already use CIL code for policy generation.

With secilc, a final policy file can be generated through the CIL code.

selinux-dbus - SELinux DBus server

The selinux-dbus package (not packaged in Gentoo at this moment) provides a SELinux DBus service which systems can use to query and interact with SELinux management utilities on the system. If installed, the org.selinux domain is used for various supported operations (such as listing SELinux modules, through org.selinux.semodule_list).

selinux-gui - Graphical SELinux settings manager

The selinux-gui package (not packaged in Gentoo at this moment) provides the system-config-selinux application which offers basic SELinux management support in a graphical application. It supports boolean handling, file labeling, user mapping, SELinux user management, network port definitions and module handling. As such, it can be seen as the graphical helper utility for the semanage command.

selinux-sandbox - Sandbox utility utilizing SELinux sandbox domains

The selinux-sandbox package (not packaged in Gentoo at this moment) is a set of scripts to facilitate the creation of SELinux sandboxes. With these utilities, which not only use SELinux sandbox domains like sandbox_t but also Linux namespaces, end users can launch applications in a restricted environment.

policycoreutils - Core SELinux management utilities

The policycoreutils package, known in Gentoo as sys-apps/policycoreutils, contains basic SELinux tooling which is necessary to handle SELinux in a regular environment. Supported utilities are:

  • newrole to switch a user session from one role to another
  • secon to query the SELinux context of a file, program or user input
  • genhomedircon to regenerate home directory context files, necessary when new users are defined on the system
  • setfiles to set SELinux file security contexts on resources
  • semodule to list, load and unload SELinux modules
  • run_init to launch an init script in the right domain
  • open_init_pty to run a program under a pseudo terminal with the right context set
  • sestatus to query current policy status
  • setsebool to set and, if wanted, persist a SELinux boolean value
  • selinuxconfig to display the current active configuration paths
  • restorecon to set SELinux file security contexts on resources
  • load_policy to load the SELinux policy, generally called from initramfs systems if the init system is not SELinux-aware
  • restorecon_xattr manages the security.restorecon_last extended attribute which is set by setfiles or restorecon

Gentoo also adds in two additional scripts: rlpkg to reset file contexts on files provided by a Gentoo package selocal to easily handle small SELinux rule additions to the active policy

There are even more

Attentive readers will notice that the setools package is not discussed here. This package is not provided by the SELinux userspace project, but is an important package for SELinux policy developers as it contains the sesearch command - an often used command to query the active policy.

The above list is thus a picture of the SELinux userspace utilities, which is becoming quite a big application set now that some functionality is split off from the policycoreutils package.

more ...

Authenticating with U2F

In order to further secure access to my workstation, after the switch to Gentoo sources, I now enabled two-factor authentication through my Yubico U2F USB device. Well, at least for local access - remote access through SSH requires both userid/password as well as the correct SSH key, by chaining authentication methods in OpenSSH.

Enabling U2F on (Gentoo) Linux is fairly easy. The various guides online which talk about the pam_u2f setup are indeed correct that it is fairly simple. For completeness sake, I've documented what I know on the Gentoo Wiki, as the pam_u2f article.

more ...

Using nVidia with SELinux

Yesterday I've switched to the gentoo-sources kernel package on Gentoo Linux. And with that, I also attempted (succesfully) to use the propriatary nvidia drivers so that I can enjoy both a smoother 3D experience while playing minecraft, as well as use the CUDA support so I don't need to use cloud-based services for small exercises.

The move to nvidia was quite simple, as the nvidia-drivers wiki article on the Gentoo wiki was quite easy to follow.

more ...

Switch to Gentoo sources

You've might already read it on the Gentoo news site, the Hardened Linux kernel sources are removed from the tree due to the grsecurity change where the grsecurity Linux kernel patches are no longer provided for free. The decision was made due to supportability and maintainability reasons.

That doesn't mean that users who want to stick with the grsecurity related hardening features are left alone. Agostino Sarubbo has started providing sys-kernel/grsecurity-sources for the users who want to stick with it, as it is based on minipli's unofficial patchset. I seriously hope that the patchset will continue to be maintained and, who knows, even evolve further.

Personally though, I'm switching to the Gentoo sources, and stick with SELinux as one of the protection measures. And with that, I might even start using my NVidia graphics card a bit more, as that one hasn't been touched in several years (I have an Optimus-capable setup with both an Intel integrated graphics card and an NVidia one, but all attempts to use nouveau for the one game I like to play - minecraft - didn't work out that well).

more ...

Project prioritization

This is a long read, skip to “Prioritizing the projects and changes” for the approach details...

Organizations and companies generally have an IT workload (dare I say, backlog?) which needs to be properly assessed, prioritized and taken up. Sometimes, the IT team(s) get an amount of budget and HR resources to "do their thing", while others need to continuously ask for approval to launch a new project or instantiate a change.

Sizeable organizations even require engineering and development effort on IT projects which are not readily available: specialized teams exist, but they are governance-wise assigned to projects. And as everyone thinks their project is the top-most priority one, many will be disappointed when they hear there are no resources available for their pet project.

So... how should organizations prioritize such projects?

more ...

Structuring infrastructural deployments

Many organizations struggle with the all-time increase in IP address allocation and the accompanying need for segmentation. In the past, governing the segments within the organization means keeping close control over the service deployments, firewall rules, etc.

Lately, the idea of micro-segmentation, supported through software-defined networking solutions, seems to defy the need for a segmentation governance. However, I think that that is a very short-sighted sales proposition. Even with micro-segmentation, or even pure point-to-point / peer2peer communication flow control, you'll still be needing a high level overview of the services within your scope.

In this blog post, I'll give some insights in how we are approaching this in the company I work for. In short, it starts with requirements gathering, creating labels to assign to deployments, creating groups based on one or two labels in a layered approach, and finally fixating the resulting schema and start mapping guidance documents (policies) toward the presented architecture.

more ...

Matching MD5 SSH fingerprint

Today I was attempting to update a local repository, when SSH complained about a changed fingerprint, something like the following:

Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
Please contact your system administrator.
Add correct host key in /home/user/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/user/.ssh/known_hosts:9
ECDSA host key for has changed and you have requested strict checking.
Host key verification failed.
more ...

Switched to Lineage OS

I have been a long time user of Cyanogenmod, which discontinued its services end of 2016. Due to lack of (continuous) time, I was not able to switch over toward a different ROM. Also, I wasn't sure if LineageOS would remain the best choice for me or not. I wanted to review other ROMs for my Samsung Galaxy SIII (the i9300 model) phone.

Today, I made my choice and installed LineageOS.

more ...

Handling certificates in Gentoo Linux

I recently created a new article on the Gentoo Wiki titled Certificates which talks about how to handle certificate stores on Gentoo Linux. The write-up of the article (which might still change name later, because it does not handle everything about certificates, mostly how to handle certificate stores) was inspired by the observation that I had to adjust the certificate stores of both Chromium and Firefox separately, even though they both use NSS.

more ...