Doing away with interfaces
by Sven Vermeulen, post on Sat 29 August 2015CIL is SELinux' Common Intermediate Language, which brings on a whole new set of possibilities with policy development. I hardly know CIL but am (slowly) learning. Of course, the best way to learn is to try and do lots of things with it, but real-life work and time-to-market for now forces me to stick with the M4-based refpolicy one.
Still, I do try out some things here and there, and one of the things I wanted to look into was how CIL policies would deal with interfaces.
Why we do confine Firefox
by Sven Vermeulen, post on Tue 11 August 2015If you're a bit following the SELinux development community you will know Dan Walsh, a Red Hat security engineer. Today he blogged about CVE-2015-4495 and SELinux, or why doesn't SELinux confine Firefox. He should've asked why the reference policy or Red Hat/Fedora policy does not confine Firefox, because SELinux is, as I've mentioned before, not the same as its policy.
In effect, Gentoo's SELinux policy does confine Firefox by default. One of the principles we focus on in Gentoo Hardened is to develop desktop policies in order to reduce exposure and information leakage of user documents. We might not have the manpower to confine all desktop applications, but I do think it is worthwhile to at least attempt to do this, even though what Dan Walsh mentioned is also correct: desktops are notoriously difficult to use a mandatory access control system on.
Can SELinux substitute DAC?
by Sven Vermeulen, post on Sun 09 August 2015A nice twitter discussion with Erling Hellenäs caught my full attention later when I was heading home: Can SELinux substitute DAC? I know it can't and doesn't in the current implementation, but why not and what would be needed?
SELinux is implemented through the Linux Security Modules framework which allows for different security systems to be implemented and integrated in the Linux kernel. Through LSM, various security-sensitive operations can be secured further through additional access checks. This criteria was made to have LSM be as minimally invasive as possible.
Filtering network access per application
by Sven Vermeulen, post on Fri 07 August 2015Iptables (and the successor nftables) is a powerful packet filtering system in the Linux kernel, able to create advanced firewall capabilities. One of the features that it cannot provide is per-application filtering. Together with SELinux however, it is possible to implement this on a per domain basis.
SELinux does not know applications, but it knows domains. If we ensure that each application runs in its own domain, then we can leverage the firewall capabilities with SELinux to only allow those domains access that we need.
Don't confuse SELinux with its policy
by Sven Vermeulen, post on Mon 03 August 2015With the increased attention that SELinux is getting thanks to its inclusion in recent Android releases, more and more people are understanding that SELinux is not a singular security solution. Many administrators are still disabling SELinux on their servers because it does not play well with their day-to-day operations. But the Android inclusion shows that SELinux itself is not the culprit for this: it is the policy.
Loading CIL modules directly
by Sven Vermeulen, post on Wed 15 July 2015In a previous
post
I used the secilc
binary to load an additional test policy. Little did
I know (and that's actually embarrassing because it was one of the
things I complained about) that you can just use the CIL policy as
modules directly.
With this I mean that a …
Intermediate policies
by Sven Vermeulen, post on Sun 05 July 2015When developing SELinux policies for new software (or existing ones whose policies I don't agree with) it is often more difficult to finish the policies so that they are broadly usable. When dealing with personal policies, having them "just work" is often sufficient. To make the policies reusable for distributions (or for the upstream project), a number of things are necessary:
- Try structuring the policy using the style as suggested by refpolicy or Gentoo
- Add the role interfaces that are most likely to be used or required, or which are in the current draft implemented differently
- Refactor some of the policies to use refpolicy/Gentoo style interfaces
- Remove the comments from the policies (as refpolicy does not want too verbose policies)
- Change or update the file context definitions for default installations (rather than the custom installations I use)
Where does CIL play in the SELinux system?
by Sven Vermeulen, post on Sat 13 June 2015SELinux policy developers already have a number of file formats to work with. Currently, policy code is written in a set of three files:
- The
.te
file contains the SELinux policy code (type enforcement rules) - The
.if
file contains functions which turn a set of arguments into blocks of SELinux policy code (interfaces). These functions are called by other interface files or type enforcement files - The
.fc
file contains mappings of file path expressions towards labels (file contexts)
These files are compiled into loadable modules (or a base module) which are then transformed to an active policy. But this is not a single-step approach.
Live SELinux userspace ebuilds
by Sven Vermeulen, post on Wed 10 June 2015In between courses, I pushed out live ebuilds for the SELinux userspace applications: libselinux, policycoreutils, libsemanage, libsepol, sepolgen, checkpolicy and secilc. These live ebuilds (with Gentoo version 9999) pull in the current development code of the SELinux userspace so that developers and contributors can already work with in-progress code developments as well as see how they work on a Gentoo platform.
Testing with permissive domains
by Sven Vermeulen, post on Mon 18 May 2015When testing out new technologies or new setups, not having (proper) SELinux policies can be a nuisance. Not only are the number of SELinux policies that are available through the standard repositories limited, some of these policies are not even written with the same level of confinement that an administrator might expect. Or perhaps the technology to be tested is used in a completely different manner.
Without proper policies, any attempt to start such a daemon or application might or will cause permission violations. In many cases, developers or users tend to disable SELinux enforcing then so that they can continue playing with the new technology. And why not? After all, policy development is to be done after the technology is understood.