* RE: NSA moving away from SELinux?????
From: Wagner, Grant @ 2002-08-22 15:07 UTC (permalink / raw)
To: selinux
The National Security Agency remains committed to operating system security
research in general and specifically in continuing our research using the
Security-enhanced Linux prototype. Our relationships with open source
researchers have been very beneficial and we hope to continue and expand
such relationships in the future.
Grant M. Wagner
Technical Director
Secure Systems Research Office
National Security Agency
-----Original Message-----
From: Russell Coker [mailto:russell@coker.com.au]
Sent: Friday, August 16, 2002 6:08 PM
To: Steve Tate; selinux@tycho.nsa.gov
Subject: Re: NSA moving away from SELinux?????
I'll respond to this message even though it's off-topic because it's
something that people will want to discuss and other people will be too
constrained to say much.
Please restrict follow-ups to private mail.
On Fri, 16 Aug 2002 23:29, Steve Tate wrote:
> It's been a while since I've been able to keep up with this list, but
> saw an interesting story on news.com today. Here's an excerpt (full
> story at http://news.com.com/2100-1001-950083.html):
It's an interesting story, however some of the technical issues are wrong to
an extent that I question the main point of the story.
It's impossible to get a common criteria assessment for multiple
distributions, because they are compiled by different people, have different
source trees, and are different.
From what I've heard of United Linux, it may not be coherent enough to get a
single testing for the common criteria.
At the moment I doubt that anyone other than Red Hat will be getting it.
No-one else seems to have the combination of money and interest.
> SE Linux may be the NSA's last direct contribution to open-source
> security, however. Because of loud criticism, the NSA will have a
> far less direct role in the creation of more secure versions of
> open-source software.
This doesn't really mean much. Maybe they'll just pay NAI, SCC, and others
to do work for them without it being official NSA work. If the same people
do the same work for the same aims it doesn't really matter what company or
organization has its name on the bottom line.
> Can people "in the know" say whether the NSA is going to be distancing
> itself from SELinux? Or even abandoning it? I think so much has
If the NSA people wanted to announce something then I'm sure that they would
have done so.
> already been done with SELinux and the influence of this project on
> other parts of Linux (such as loadable security modules) that we could
> call it a success and turn everything over to the open source
> community, but I would really hate to see NSA become less involved.
> Frankly, I think it's one of the best non-secret things they've done
> in the past decade (and probably ever, for that matter)...
I agree. SE Linux is at a stage where it can continue without NSA support if
necessary. But things will progress faster with them.
I see plenty of evidence of the NSA guys doing active work on SE Linux, I
don't see any evidence of them slowing down or making SE Linux a lower
priority in favour of other things.
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: RE: NSA moving away from SELinux?????
From: Ed Street @ 2002-08-22 19:47 UTC (permalink / raw)
To: gmw; +Cc: selinux
Hello,
I for one am very glad to see this clarity (though it's a shame this type of gossip is going on). I read that article and noted it was lacking in factual basics. Then when I looked at the follow-ups and a famous software company's name was brought into the picture I couldn't help but laugh. This is the very same reason I'm not a frequent visitor to that news site.
Ed
> The National Security Agency remains committed to operating system security
> research in general and specifically in continuing our research using the
> Security-enhanced Linux prototype. Our relationships with open source
> researchers have been very beneficial and we hope to continue and expand
> such relationships in the future.
>
> Grant M. Wagner
> Technical Director
> Secure Systems Research Office
> National Security Agency
* Obj.: Microsoft knick-knack business : Can we stop this ? (We must !)
From: Robert Schoeni @ 2002-08-23 8:33 UTC (permalink / raw)
To: Wagner, Grant, selinux
Hi to all!
At first, sorry for my poor kindergarten-level English...
I saw once again that "We received a lot of loud complaints
regarding our efforts with SE Linux." - "said Dick Schafer,
deputy director of the NSA"
ref.: http://news.com.com/2100-1001-950083.html
(thanks to Sir Grant Wagner)
Well...
Surely because I live in Europe, I can't understand why the
National Security Agency - of The United States of America,
the most powerful country in this damn world!!! - can't just
say "Shut up!" to the Microsoft lawyers or anything else...
SE-Linux is public, but it's a Federal Project and it
surrounds the security of the nation, the National Security,
isn't it?
Does business come into the question? Of course not!
If the NSA needed to play Direct-X games, I would understand why
people are losing their time with Microsoft complaints, etc.,
but I don't think so...
There is a bunch of people who are able to use the security
issues of all the versions of Microsoft Windows, so why
isn't the NSA just reversing the situation - because the
Microsoft stuff isn't safe at all?
How much time, how much money and information has been
lost because of the awful quality of the Microsoft products?
The problem is that Microsoft has been everywhere since the '80s and
it really began with their BASIC interpreters... Bill Gates
and his staff were the cheapest; they were the best for the
cheap market of the cheap family computers like the Commodore
64 and its BASIC V2... And they were cheap enough for the
cheap first 64KB IBM PC...
Now, cheap Microsoft products come with cheap PC clones or
cheap Macintoshes (Office, and other knick-knacks...). Does
the NSA need cheap stuff? Is it a cheap agency?
OK for the PC stuff, it's a good means to replace >$10'000
UNIX workstations, but isn't Linux a great opportunity
to replace a proprietary UNIX with a free clone? Or to
replace a 2D video game like Windows (it's not really an
operating system, is it? huh!)
SE-Linux is the great opportunity for all the government's
agencies to have a safe, tailor-made operating system; this
project has too many and too big consequences to kill it
in the egg with stupid business...
That Windows is the monopoly in the end-users' world is quite
okay; the IQ of a group is inversely proportional to
the number of its members... But I don't think that this
"rule" works with the elite people of the NSA and other
government agencies...
Why aren't people just saying "We don't make a SE-Windows
because it's impossible, that's why we are making a SE-Linux!"
And "We don't need to play Direct-X games, why should we
use Microsoft Windows?"
Well, sorry for my poor English again and for blowing a
fuse this way, but I believe it's a good reason...
Regards, (and sorry again... erm...)
Robert Schoeni.
N.B.: Why isn't SE-Linux renamed to "NSA-UNIX of death"
with a nickname like "Lawsuits and Complaints Killer"?
-------------------------------------------------------------
Robert Schoeni Uni. Dufour
Division Informatique Rue du Général-Dufour 24
-robert.schoeni[at]adm.unige.ch- 1204 GENEVE
-------------------------------------------------------------
* Re: Obj.: Microsoft knick-knack business : Can we stop this ? (We must !)
From: Russell Coker @ 2002-08-23 13:40 UTC (permalink / raw)
To: Robert Schoeni, selinux
This is off-topic for this list. This list is devoted to the development and
support of SE Linux. I am considering setting up a mailing list for SE Linux
rumours etc. It would have an open charter (i.e. almost anything remotely
related to security or SE Linux would be on topic), and probably the NSA
people would not bother reading it.
This would (hopefully) move a lot of the off-topic material off the list and
allow it to be discussed in a more appropriate forum. Also it would
hopefully save some time of the NSA and LSM people.
Please let me know (via private email) if such a list would be of interest to
you.
Also regarding the body of Robert's message, Microsoft is working on similar
things, see the following URLs:
http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html
http://microsoft.com/presspass/Features/2002/Jul02/07-01palladium.asp
Please do not reply on-list to this message.
Russell Coker
* ipop3d policy
From: david caplan @ 2002-08-23 20:53 UTC (permalink / raw)
To: selinux
Attached is a .te file for ipop3d. I didn't see any policy for a pop
daemon, other than in Russell's courier.te. Any comments would be
appreciated.
As far as file contexts go, I just have file_contexts/program/ipop3d.fc:
/usr/local/sbin/ipop3d system_u:object_r:popd_exec_t
Also, in testing, I found that I needed to add the following to sendmail.te:
allow sendmail_t user_home_t:dir r_dir_perms;
I'm not sure if this is just how this particular machine was set up, or if
that should be added to the base policy file.
David
Attachment: ipop3d.te
#
# Author: Tresys Technology, LLC.
# selinux@tresys.com
#
#################################
#
# Rules for the popd_t domain.
#
# Much of the networking capabilities were not included as this
# is handled through the xinetd interface. If pop were not run
# through xinetd, then some networking access needs to be added.
# don't need the port def because we're using xinetd to fire off
#type popds_port_t, port_type;
type popd_t, domain, privlog, auth;
role system_r types popd_t;
# testing -- for keys
type pem_t, file_type, sysadmfile;
allow popd_t pem_t:file { read getattr };
every_domain(popd_t)
type popd_exec_t, file_type, sysadmfile, exec_type;
# allow xinetd to fire off pop daemon
domain_auto_trans(inetd_t, popd_exec_t, popd_t)
# Inherit and use descriptors from xinetd.
allow popd_t inetd_t:fd use;
# Use sockets inherited from xinetd.
allow popd_t inetd_t:tcp_socket rw_stream_socket_perms;
# Use capabilities.
# don't seem to need: { net_bind_service setuid setgid fowner fsetid chown sys_resource sys_chroot };
allow popd_t popd_t:capability { setuid setgid };
# make sure pop has its own tmp/lock files
type popd_tmp_t, file_type, sysadmfile, tmpfile;
allow popd_t popd_tmp_t:dir create_dir_perms;
allow popd_t popd_tmp_t:file create_file_perms;
# for tmp files
file_type_auto_trans(popd_t, tmp_t, popd_tmp_t)
# for mbox lock files in home dirs
file_type_auto_trans(popd_t, user_home_t, popd_tmp_t)
# Use the network.
# Is this excessive? (probably)
can_network(popd_t)
# Connect to xinetd.
can_tcp_connect(popd_t,inetd_t)
# Send SIGCHLD to xinetd on death.
allow popd_t inetd_t:process sigchld;
# Write to /var/spool/mail
allow popd_t mail_spool_t:dir rw_dir_perms;
allow popd_t mail_spool_t:file create_file_perms;
# need to define file type for mbox to restrict this further
# though this is also used for .forward (and .procmailrc?)
allow popd_t user_home_t:file rw_file_perms;
allow popd_t user_home_t:dir rw_dir_perms;
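A least-privilege review pass over the rules above, as an added example that is not part of David's message or of the example policy: it parses the allow rules and single-argument macro calls in the .te syntax shown and flags the grants the post's own comments already question (every_domain, the "probably excessive" can_network, and read/write on user_home_t pending a dedicated mbox type). The perm-set macro names are treated as opaque apart from their rw_/create_ prefixes; that prefix convention is an assumption, not the macro definitions.

```python
import re

# Constructed excerpt of the rules from the posted ipop3d.te, same syntax and type names.
POLICY = """
every_domain(popd_t)
allow popd_t inetd_t:fd use;
allow popd_t popd_t:capability { setuid setgid };
can_network(popd_t)
allow popd_t mail_spool_t:dir rw_dir_perms;
allow popd_t mail_spool_t:file create_file_perms;
allow popd_t user_home_t:file rw_file_perms;   # mbox in $HOME
allow popd_t user_home_t:dir rw_dir_perms;
"""
ALLOW_RE = re.compile(r"^allow\s+(\w+)\s+(\w+):(\w+)\s+(\{[^}]*\}|\w+)\s*;$")
MACRO_RE = re.compile(r"^(\w+)\((\w+)\)$")
# Macros the post itself questions: every_domain is blanket access, can_network "probably excessive".
BROAD_MACROS = {"every_domain", "can_network"}
# Types holding user data; the post notes a dedicated mbox type would narrow this.
USER_DATA_TYPES = {"user_home_t"}
WRITE_PERMS = {"write", "append", "create", "unlink", "add_name", "remove_name"}

def parse_rules(text):
    """Split .te text into allow rules and single-argument macro calls."""
    allows, macros = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        m = ALLOW_RE.match(line)
        if m:
            src, tgt, cls, perms = m.groups()
            allows.append((src, tgt, cls, tuple(perms.strip("{}").split())))
            continue
        m = MACRO_RE.match(line)
        if m:
            macros.append((m.group(1), m.group(2)))
    return allows, macros

def grants_write(perms):
    # Assumption: perm-set macros named rw_* / create_* include write-class permissions.
    return any(p in WRITE_PERMS or p.startswith(("rw_", "create_")) for p in perms)

def lint(text):
    """Return findings for grants a least-privilege review would question."""
    allows, macros = parse_rules(text)
    findings = [f"{name}({arg}): broad macro, prefer explicit allow rules"
                for name, arg in macros if name in BROAD_MACROS]
    for src, tgt, cls, perms in allows:
        if tgt in USER_DATA_TYPES and grants_write(perms):
            findings.append(f"allow {src} {tgt}:{cls} {' '.join(perms)}: "
                            "writes user data, use a narrower mbox type")
    return findings
```

Running lint(POLICY) on the embedded excerpt yields four findings: the two macros and the two user_home_t rules, while the mail_spool_t and xinetd descriptor rules pass.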