* gentoo/hardened
From: Luke Kenneth Casson Leighton @ 2005-05-30 1:31 UTC (permalink / raw)
To: SE-Linux
hi,
i've just installed gentoo/hardened on a laptop, and i wanted to run
Xorg on it.
bearing in mind the warnings about gentoo/hardened not having
"workstation" capability, i noted these and carried on, happy in the
knowledge that i would be able to sort it out.
... then i found out what chris had done.
chris - i hope you don't mind me saying this...
... but you have made a _lot_ of work for yourself, and for
people like myself who would be happy to contribute / get
things working.
what chris has done is, rather than create (for example, as one
possible way forward) a gentoo_hardened define and comment out
blocks of code is... he's started from the sf.net cvs policy
and REMOVED entire sections from the gentoo released selinux
policy (including a large number of booleans).
that makes it _really_ difficult for me - or anyone else - to follow
what's gone on, and to add stuff in, because you first have to identify
the "missing" stuff, and then add in what you need. maybe. because
if you copy the sf.net policy files into a gentoo/hardened policy,
you find that they are out-of-date (missing defines, macros, even
missing flasks!)
so, i have a plea and a question:
* chris, would you _please_ consider tracking the sf cvs more closely,
and submitting more patches to this list, rather than diverging?
* to the people maintaining selinux cvs, would you consider adding a
define gentoo_hardened as well as a gentoo_selinux or consider
anything else - _anything_ - that would make it possible to consider
sf.net cvs the "authoritative" and central repository of selinux
policy for all distros?
pooling resources and expertise in this complex area is the only _sane_
way forward. massive forking of selinux policy on a per-distro basis is
a good way to ensure that expertise and volunteers are difficult to come
by.
... of course, as always, you are entirely at liberty to completely
ignore anything and/or everything i say: i am paid by no-one and answer
to no-one - i just want this stuff to be easier and for it to succeed.
l.
--
--
<a href="http://lkcl.net">http://lkcl.net</a>
--
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: gentoo/hardened
From: Chris PeBenito @ 2005-05-30 23:46 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton; +Cc: SE-Linux
[-- Attachment #1: Type: text/plain, Size: 3005 bytes --]
On Mon, 2005-05-30 at 02:31 +0100, Luke Kenneth Casson Leighton wrote:
> i've just installed gentoo/hardened on a laptop, and i wanted to run
> Xorg on it.
>
> bearing in mind the warnings about gentoo/hardened not having
> "workstation" capability, i noted these and carried on, happy in the
> knowledge that i would be able to sort it out.
>
> ... then i found out what chris had done.
You make it sound like I did something nefarious!
> chris - i hope you don't mind me saying this...
>
> ... but you have made a _lot_ of work for yourself, and for
> people like myself who would be happy to contribute / get
> things working.
>
> what chris has done is, rather than create (for example, as one
> possible way forward) a gentoo_hardened define and comment out
> blocks of code is... he's started from the sf.net cvs policy
> and REMOVED entire sections from the gentoo released selinux
> policy (including a large number of booleans).
This has been discussed on the list before. We simply have different
goals than other distros. The NSA example policy is being pushed by Red
Hat for widespread use, and the policy is developed in that direction,
which is fine. The tunable policy was converted over to use booleans
and conditional policy support, which is to Red Hat's advantage, since
they don't want to install policy sources on people's system by default.
I don't have a problem with any of this, since widespread adoption helps
SELinux, which is good.
Gentoo users are willing to give up more functionality, especially
legacy support, for more security. We also don't want a bunch of dead
policy, since it's wasteful, and leaves more possibility of unwanted
information flows. So the 'base policy' is only the policy needed for
the core system packages. As a user merges more packages, policy is
pulled in as a dependency as required. Configurability is a big thing
for Gentoo users, and thus they are willing to get down into the
details, so we definitely install the policy sources. Most of the
tunable policy does not need to be toggled at runtime; therefore, I
reverted the conditional policy back to m4 ifdefs so there isn't extra
unneeded policy in memory.
The main divergence is the conditional policy being switched back to m4
ifdefs. This wouldn't be sanely handled with distro tunables. Most
everything else is just the fact that I don't keep up with sourceforge
CVS religiously. If it ain't broke, don't fix it.
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
* Re: gentoo/hardened
From: Luke Kenneth Casson Leighton @ 2005-05-31 0:57 UTC (permalink / raw)
To: Chris PeBenito; +Cc: SE-Linux
On Mon, May 30, 2005 at 07:46:06PM -0400, Chris PeBenito wrote:
> On Mon, 2005-05-30 at 02:31 +0100, Luke Kenneth Casson Leighton wrote:
> > i've just installed gentoo/hardened on a laptop, and i wanted to run
> > Xorg on it.
> >
> > bearing in mind the warnings about gentoo/hardened not having
> > "workstation" capability, i noted these and carried on, happy in the
> > knowledge that i would be able to sort it out.
> >
> > ... then i found out what chris had done.
>
> You make it sound like I did something nefarious!
:) *snort* the joys of writing email at 3am... sorry about that.
i wanted to be able to help / merge in xdm.te (and desktop
usage) into gentoo/hardened.
now i have two options:
1) learn what you've done, and then contribute to that, knowing full
well that none of what i do will benefit any other project, and
that i will find it difficult to get advice here on selinux ml
because of the divergence
2) ignore and delete what you've done and endeavour to
install the sf.net latest cvs on gentoo.
given that gentoo/hardened selinux policy is the one that's
different from all others, i'm far more inclined to 2).
> > chris - i hope you don't mind me saying this...
> >
> > ... but you have made a _lot_ of work for yourself, and for
> > people like myself who would be happy to contribute / get
> > things working.
> >
> > what chris has done is, rather than create (for example, as one
> > possible way forward) a gentoo_hardened define and comment out
> > blocks of code is... he's started from the sf.net cvs policy
> > and REMOVED entire sections from the gentoo released selinux
> > policy (including a large number of booleans).
>
> This has been discussed on the list before.
dang, missed it - or wasn't paying attention because i was
focussing on debian / selinux.
sorry about that.
> We simply have different
> goals than other distros. The NSA example policy is being pushed by Red
> Hat for widespread use, and the policy is developed in that direction,
> which is fine. The tunable policy was converted over to use booleans
> and conditional policy support, which is to Red Hat's advantage, since
> they don't want to install policy sources on people's system by default.
> I don't have a problem with any of this, since widespread adoption helps
> SELinux, which is good.
>
> Gentoo users are willing to give up more functionality, especially
> legacy support, for more security.
i'd like to be a gentoo user, and i'd like it to be _less
work_ to achieve more [see later on. short: users' confusion and
bewilderment at complexity and divergence from the "standard"
is a recipe for LESS security not more].
i feel confident that if you proposed something reasonable that
meant there was one more distro whose needs and requirements
were incorporated conveniently into the selinux sf.net cvs
then people would do their level best to make room for it /
start thinking of ways to accommodate it.
> We also don't want a bunch of dead
> policy, since it's wasteful, and leaves more possibility of unwanted
> information flows.
okay - how about splitting what you classify as "dead policy"
[wrt gentoo] out into separate files, then submitting
a patch that then makes it easier for gentoo to "exclude"
those files... WITHOUT people like me having to wade through
a diff -ru to work out what you've deleted!
> So the 'base policy' is only the policy needed for
> the core system packages.
> As a user merges more packages, policy is
> pulled in as a dependency as required.
yes, i noticed that - i thought that was a great idea.
it also means that people have to _explicitly_ install an
selinux policy package in order to allow the service to
actually... er... work!
the debian install method - over 100 questions "do you want
package X" - yeurrk :) try doing apt-get install on _that_!
> Configurability is a big thing
> for Gentoo users, and thus they are willing to get down into the
> details, so we definitely install the policy sources. Most of the
> tunable policy does not need to be toggled at runtime; therefore, I
> reverted the conditional policy back to m4 ifdefs so there isn't extra
> unneeded policy in memory.
hm... you're the second person to have raised this.
valdis just this week chopped a stack-load of [iirc
correctly: unused? ] macro stuff out and the memory usage
dropped dramatically.
if what valdis has done is suitable for gentoo/hardened,
that would [fortunately!] make this justification redundant
(i hope!)
> The main divergence is the conditional policy being switched back to m4
> ifdefs. This wouldn't be sanely handled with distro tunables. Most
> everything else is just the fact that I don't keep up with sourceforge
> CVS religiously.
okay, here's the rub.
you changed _two_ things - 1) distro tunables 2) not keeping up with sf
cvs.
that makes it _very_ difficult 1) for you to maintain 2) for anyone
_but_ you to follow.
i'm a bright guy (well, i'm supposed to be).
but hell i _sure_ don't want to get involved with a "fork"
of selinux security policy - i _just_ don't have the time or
money to focus on it in enough paranoid detail, and - correct
me if i'm wrong - i doubt whether you do, either.
and that _sure_ as hell means that no sane gentoo admin
is going to have the time or inclination either - no matter
_how_ configurable gentoo is. [i have an experienced sysadmin
friend - 15 years he's set up servers in secure environments.
he had to call ME in to implement up a customised bastion
selinux sftp server a few months back, after he explained to
his bosses that it would take him a MONTH to even BEGIN to
understand the issues involved in selinux policy, and even
then he wouldn't be sure where to start or even if he'd got
it right]
... there _are_ people however whose expertise you could ride with -
stephen, russell, tresys - but forking a separate gentoo/hardened
policy makes their expertise that _extra_ bit more remote.
... come back to the fold, chris, please! we miss you. baaaa :)
l.
* Re: gentoo/hardened
From: Chris PeBenito @ 2005-05-31 4:07 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton; +Cc: SE-Linux
[-- Attachment #1: Type: text/plain, Size: 5927 bytes --]
On Tue, 2005-05-31 at 01:57 +0100, Luke Kenneth Casson Leighton wrote:
> On Mon, May 30, 2005 at 07:46:06PM -0400, Chris PeBenito wrote:
> > On Mon, 2005-05-30 at 02:31 +0100, Luke Kenneth Casson Leighton wrote:
> > > i've just installed gentoo/hardened on a laptop, and i wanted to run
> > > Xorg on it.
> > >
> > Gentoo users are willing to give up more functionality, especially
> > legacy support, for more security.
>
> i'd like to be a gentoo user, and i'd like it to be _less
> work_ to achieve more [see later on. short: users' confusion and
> bewilderment at complexity and divergence from the "standard"
> is a recipe for LESS security not more].
The complexity of policy is created by the fact that Linux is a general
purpose OS. The current policy is hard to understand, regardless. This
is something that we are working on improving at Tresys with our
reference policy work.
http://tresys.com/Downloads/selinux_dev/reference-policy.pdf
> > We also don't want a bunch of dead
> > policy, since it's wasteful, and leaves more possibility of unwanted
> > information flows.
>
> okay - how about splitting what you classify as "dead policy"
> [wrt gentoo] out into separate files, then submitting
> a patch that then makes it easier for gentoo to "exclude"
> those files... WITHOUT people like me having to wade through
> a diff -ru to work out what you've deleted!
I think I had a poor choice of words. It's not dead policy, it's unused
policy. For example, there is no need for a ntpd policy to be installed
on all systems, since not all systems have ntp.
> > So the 'base policy' is only the policy needed for
> > the core system packages.
>
> > As a user merges more packages, policy is
> > pulled in as a dependency as required.
>
> yes, i noticed that - i thought that was a great idea.
>
> it also means that people have to _explicitly_ install an
> selinux policy package in order to allow the service to
> actually... er... work!
No, as I said above, it is pulled in as a dependency. So if you install
ntp, selinux-ntp (the ntpd policy package) is installed first. It does
not have to be explicitly installed.
> the debian install method - over 100 questions "do you want
> package X" - yeurrk :) try doing apt-get install on _that_!
Interactive ebuilds are disallowed in Gentoo.
> > Configurability is a big thing
> > for Gentoo users, and thus they are willing to get down into the
> > details, so we definitely install the policy sources. Most of the
> > tunable policy does not need to be toggled at runtime; therefore, I
> > reverted the conditional policy back to m4 ifdefs so there isn't extra
> > unneeded policy in memory.
>
> hm... you're the second person to have raised this.
>
> valdis just this week chopped a stack-load of [iirc
> correctly: unused? ] macro stuff out and the memory usage
> dropped dramatically.
I am not concerned about the size of the policy.conf, I'm concerned
about the size of the policy in kernel memory. For example, the Fedora
policy is somewhere around 1280 types and 270,000 rules. The strict
policy on my notebook is 598 types and 64,822 rules, including the X
policies. I'm sure the difference in memory footprint for the policydb
is noticeable.
> > The main divergence is the conditional policy being switched back to m4
> > ifdefs. This wouldn't be sanely handled with distro tunables. Most
> > everything else is just the fact that I don't keep up with sourceforge
> > CVS religiously.
[cut]
> but hell i _sure_ don't want to get involved with a "fork"
> of selinux security policy - i _just_ don't have the time or
> money to focus on it in enough paranoid detail, and - correct
> me if i'm wrong - i doubt whether you do, either.
You used a scary word to describe the Gentoo policy. It is most
certainly not a fork, it is a vendor branch. I do sync up with the
latest changes, usually when there is a release by the NSA guys, or if
there is another need for an update. This is a common practice. For
example, I doubt that the Fedora coreutils package has the same patches
as the Debian coreutils package or the Gentoo coreutils package, etc.
The same can be said for each distro's kernels.
> and that _sure_ as hell means that no sane gentoo admin
> is going to have the time or inclination either - no matter
> _how_ configurable gentoo is. [i have an experienced sysadmin
> friend - 15 years he's set up servers in secure environments.
> he had to call ME in to implement up a customised bastion
> selinux sftp server a few months back, after he explained to
> his bosses that it would take him a MONTH to even BEGIN to
> understand the issues involved in selinux policy, and even
> then he wouldn't be sure where to start or even if he'd got
> it right]
Again, this has nothing to do with the distribution or the changes I
make to the Gentoo policy. See my above comments on the reference
policy and policy complexity.
> ... there _are_ people however whose expertise you could ride with -
> stephen, russell, tresys - but forking a separate gentoo/hardened
> policy makes their expertise that _extra_ bit more remote.
I don't see how a little divergence makes their expertise remote. BTW, I
also work on policy at Tresys if you didn't realize :)
--
Chris PeBenito
<pebenito@gentoo.org>
Developer,
Hardened Gentoo Linux
Embedded Gentoo Linux
Public Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE6AF9243
Key fingerprint = B0E6 877A 883F A57A 8E6A CB00 BC8E E42D E6AF 9243
[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]
* Re: gentoo/hardened
From: Luke Kenneth Casson Leighton @ 2005-05-31 11:05 UTC (permalink / raw)
To: Chris PeBenito; +Cc: SE-Linux
On Tue, May 31, 2005 at 12:07:34AM -0400, Chris PeBenito wrote:
> > okay - how about splitting what you classify as "dead policy"
> > [wrt gentoo] out into separate files, then submitting
> > a patch that then makes it easier for gentoo to "exclude"
> > those files... WITHOUT people like me having to wade through
> > a diff -ru to work out what you've deleted!
>
> I think I had a poor choice of words. It's not dead policy, it's unused
> policy.
ah - i understood that, i just didn't make it clear that i understood
it - apologies.
> > it also means that people have to _explicitly_ install an
> > selinux policy package in order to allow the service to
> > actually... er... work!
>
> No, as I said above, it is pulled in as a dependency. So if you install
> ntp, selinux-ntp (the ntpd policy package) is installed first. It does
> not have to be explicitly installed.
oh, cool. [hm, i'd done an explicit emerge so hadn't noticed.]
> > valdis just this week chopped a stack-load of [iirc
> > correctly: unused? ] macro stuff out and the memory usage
> > dropped dramatically.
>
> I am not concerned about the size of the policy.conf, I'm concerned
> about the size of the policy in kernel memory.
i understood valdis to be equally so concerned.
> > ... there _are_ people however whose expertise you could ride with -
> > stephen, russell, tresys - but forking a separate gentoo/hardened
> > policy makes their expertise that _extra_ bit more remote.
>
> I don't see how a little divergence makes their expertise remote. BTW, I
> also work on policy at Tresys if you didn't realize :)
:) evidently not :)
thank you for evaporating my concerns.
... so am i allowed to ask you, after endeavouring to shoot
everybody down in flames: any chance you could make your
latest [experimental?] gentoo policy available? i do need
to get a gentoo/hardened workstation running, asap.
much appreciated,
l.
--
--
<a href="http://lkcl.net">http://lkcl.net</a>
--
* Re: gentoo/hardened
From: Stephen Bennett @ 2005-05-31 12:29 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton; +Cc: SE-Linux
On Tue, 31 May 2005 12:05:42 +0100
Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> ... so am i allowed to ask you, after endeavouring to shoot
> everybody down in flames: any chance you could make your
> latest [experimental?] gentoo policy available? i do need
> to get a gentoo/hardened workstation running, asap.
It's all in cvs --
http://www.gentoo.org/cgi-bin/viewcvs.cgi/selinux/?root=gentoo-projects
would probably be the place to start. If you don't like the viewcvs
interface, there does exist an anoncvs mirror of it that's Not For
Public Consumption (or was last thing I heard from the owner) -- mail me
off list if you want the address. I also have some patches (well, one
very big patch really) to import most of the changes from nsa cvs, done
mainly for my benefit -- the mips box really needs a 2.6.12-rc kernel,
and running that with a policy that has no concept of name_connect is
painful.
* Re: gentoo/hardened
From: Valdis.Kletnieks @ 2005-05-31 13:47 UTC (permalink / raw)
To: Luke Kenneth Casson Leighton; +Cc: Chris PeBenito, SE-Linux
[-- Attachment #1: Type: text/plain, Size: 632 bytes --]
On Tue, 31 May 2005 01:57:39 BST, Luke Kenneth Casson Leighton said:
> valdis just this week chopped a stack-load of [iirc
> correctly: unused? ] macro stuff out and the memory usage
> dropped dramatically.
>
> if what valdis has done is suitable for gentoo/hardened,
> that would [fortunately!] make this justification redundant
> (i hope!)
What I did *seems* to work *on my laptop*. The *correct* way to do it would
involve adding a whole bunch of m4 ifdefs. I think for what Chris was trying
to do for Gentoo, the *right* fix wasn't deleting code, but wrapping the
code to be removed in an ifndef(`gentoo') wrapper....
[-- Attachment #2: Type: application/pgp-signature, Size: 226 bytes --]
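
The build-time versus runtime distinction argued over in this thread, together with the ifndef wrapper suggested in the message above, shown as an added example that is not part of the thread or of either policy tree. The type names, the tunable_user_ping symbol and the user_ping boolean are constructed for illustration; plain m4 has no ifndef builtin, so the fragment defines one.

```m4
# Constructed fragment for illustration. The types, the tunable_user_ping
# symbol and the user_ping boolean are assumptions of this example and are
# not copied from the sf.net or Gentoo policy sources.

# Plain m4 provides ifdef but not ifndef, so define it for this fragment:
# ifndef(NAME, TEXT-IF-UNDEFINED, TEXT-IF-DEFINED)
define(`ifndef', `ifdef(`$1', `$3', `$2')')

# (a) Build-time tunable as an m4 ifdef.
# m4 runs before checkpolicy. Unless tunable_user_ping is defined, the rule
# is never emitted: it is absent from policy.conf, from the binary policy and
# from the kernel policydb. Changing the choice means rebuilding the policy,
# which requires the policy sources on the machine.
ifdef(`tunable_user_ping', `
allow user_t ping_exec_t:file { getattr read execute };
')

# (b) The same choice as a runtime boolean (conditional policy).
# The rule is always compiled into the binary policy and loaded into the
# kernel; the boolean only decides whether it is enforced. It can be flipped
# with setsebool without policy sources, at the cost of carrying the rule in
# memory either way.
bool user_ping false;
if (user_ping) {
allow user_t ping_exec_t:file { getattr read execute };
}

# (c) Distro wrapper.
# The upstream text stays in the shared file, so a diff against upstream
# shows a wrapper rather than a silent deletion, and a build with gentoo
# defined still drops the rule from the compiled policy.
ifndef(`gentoo', `
allow legacy_app_t legacy_data_t:file { getattr read };
')
```

Expanding the fragment with `m4` and again with `m4 -D gentoo -D tunable_user_ping` shows rules (a) and (c) appearing or disappearing from the output, while block (b) is emitted unchanged in both runs.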
* Re: gentoo/hardened
From: Casey Schaufler @ 2005-05-31 15:33 UTC (permalink / raw)
To: SE-Linux
--- Chris PeBenito <pebenito@gentoo.org> wrote:
> The complexity of policy is created by the fact
> that Linux is a general purpose OS.
Err, no. The complexity of policy is an artifact
of the ad hoc way policy is being applied to the
system. By approaching the policy one program at
a time, and putting all of ten minutes thought
into the policy for each program, you are destined
to end up with a higgeldee piggeldee hodgepodge
that grows beyond the bounds of control.
> The current policy is hard to understand,
> regardless.
And undocumented, and undesigned.
> This is something that we are working on
> improving at Tresys with our reference
> policy work.
Good. I would love to see a design for the policy.
I mean, to date it has been like you're walking
along a fence and every time you come to a post
you staple whatever happens to be lying on the
ground nearby onto it. What is the point?
Casey Schaufler
casey@schaufler-ca.com
* Re: gentoo/hardened
From: Luke Kenneth Casson Leighton @ 2005-05-31 21:23 UTC (permalink / raw)
To: Stephen Bennett; +Cc: SE-Linux
On Tue, May 31, 2005 at 01:29:31PM +0100, Stephen Bennett wrote:
> On Tue, 31 May 2005 12:05:42 +0100
> Luke Kenneth Casson Leighton <lkcl@lkcl.net> wrote:
> > ... so am i allowed to ask you, after endeavouring to shoot
> > everybody down in flames: any chance you could make your
> > latest [experimental?] gentoo policy available? i do need
> > to get a gentoo/hardened workstation running, asap.
>
> It's all in cvs --
> http://www.gentoo.org/cgi-bin/viewcvs.cgi/selinux/?root=gentoo-projects
> would probably be the place to start.
_great_. ta.