* BSD Secure levels for linux
From: Diyab @ 2003-11-27  0:29 UTC (permalink / raw)
  To: SELinux Mail List

Has anyone else run across the kernel patch that implements something 
similar to the BSD secure levels?  Has anyone tried to use this with 
selinux?  I'm also curious what the general thought of the idea is. 
Good idea? Bad idea?  What do you think?

Timothy,

PS. You can find a short note from the author and the actual patch here:
http://lwn.net/Articles/60096/  There is also a short article about it 
in the current weekly edition of LWN if you are a subscriber.

-- 
I put instant coffee in a microwave and almost went back in time.
		-- Steven Wright


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: BSD Secure levels for linux
From: Russell Coker @ 2003-11-27  2:26 UTC (permalink / raw)
  To: Diyab, SELinux Mail List

On Thu, 27 Nov 2003 11:29, Diyab <diyab@diyab.net> wrote:
> Has anyone else run across the kernel patch that implements something
> similar to the BSD secure levels?  Has anyone tried to use this with
> selinux?  I'm also curious what the general thought of the idea is.
> Good idea? Bad idea?  What do you think?

The concept of secure levels is to have an option to put the system into a 
mode where module loading and various other things are denied.

You could of course have a SE Linux configuration where you have multiple 
policydb binaries, the one that loads on boot would have the current 
functionality.  Other policydb's would have limited functionality (EG prevent 
insmod_t from doing anything other than sending sigchld to init_t and 
preventing load_policy).  Then loading a new policy would give a similar 
result to changing a BSD secure level.

If someone else wants to make a start on this then I would be interested in 
merging patches into my policy tree as I think that the functionality is 
useful.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page




* Re: BSD Secure levels for linux
From: Diyab @ 2003-11-27 15:45 UTC (permalink / raw)
  To: russell; +Cc: SELinux Mail List

Russell Coker wrote:

> On Thu, 27 Nov 2003 11:29, Diyab <diyab@diyab.net> wrote:
> 
>>Has anyone else run across the kernel patch that implements something
>>similar to the BSD secure levels?  Has anyone tried to use this with
>>selinux?  I'm also curious what the general thought of the idea is.
>>Good idea? Bad idea?  What do you think?
> 
> 
> The concept of secure levels is to have an option to put the system into a 
> mode where module loading and various other things are denied.
> 
> You could of course have a SE Linux configuration where you have multiple 
> policydb binaries, the one that loads on boot would have the current 
> functionality.  Other policydb's would have limited functionality (EG prevent 
> insmod_t from doing anything other than sending sigchld to init_t and 
> preventing load_policy).  Then loading a new policy would give a similar 
> result to changing a BSD secure level.

I never thought about something like that.  On the plus side not only 
would you have more control over what your specific "levels" will do but 
you can easily and securely switch between levels.  The patch I 
mentioned does not have that functionality.

> 
> If someone else wants to make a start on this then I would be interested in 
> merging patches into my policy tree as I think that the functionality is 
> useful.
> 

I'm going to try this when I get a chance. I do not have time to do it 
right away though.

Timothy,

-- 
I put instant coffee in a microwave and almost went back in time.
		-- Steven Wright



* Re: BSD Secure levels for linux
From: Roberto Nibali @ 2003-11-27 19:45 UTC (permalink / raw)
  To: Diyab; +Cc: ratz, jonny, SELinux Mail List

Diyab wrote:
> Has anyone else run across the kernel patch that implements something 
> similar to the BSD secure levels?  Has anyone tried to use this with 
> selinux?  I'm also curious what the general thought of the idea is. Good 
> idea? Bad idea?  What do you think?

A fellow member (jonny) of drugphish.ch has done such an implementation, which 
he called private[1]. It's based on LSM, has a user space control tool and a 
pretty straightforward configuration file. You might want to have a look at it, 
although it's far from being finished.

> Timothy,
> 
> PS. You can find a short note from the author and the actual patch here:
> http://lwn.net/Articles/60096/  There is also a short article about it 
> in the current weekly edition of LWN if you are a subscriber.

Hmm, interesting. We'll look into merging the remaining CAP_* functionalities 
into the 'private' LSM module. Thanks for the pointer.

[1] http://www.drugphish.ch/~jonny/private.html

Best regards,
Roberto Nibali, ratz
-- 
echo '[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc



* Re: BSD Secure levels for linux
From: Tom @ 2003-11-27 20:46 UTC (permalink / raw)
  To: SELinux Mail List

On Thu, Nov 27, 2003 at 10:45:09AM -0500, Diyab wrote:
> I never thought about something like that.  On the plus side not only 
> would you have more control over what your specific "levels" will do but 
> you can easily and securely switch between levels.  The patch I 
> mentioned does not have that functionality.

Remember that it's a _feature_ of the securelevels implementation that
you can _not_ switch back. Once locked down, nothing short of a reboot
will unlock, and a reboot is a very noisy action in any production
environment.


-- 
http://web.lemuria.org/pubkey.html
pub  1024D/2D7A04F5 2002-05-16 Tom Vogt <tom@lemuria.org>
     Key fingerprint = C731 64D1 4BCF 4C20 48A4  29B2 BF01 9FA1 2D7A 04F5


* Re: BSD Secure levels for linux
From: Russell Coker @ 2003-11-27 22:32 UTC (permalink / raw)
  To: Tom, SELinux Mail List

On Fri, 28 Nov 2003 07:46, Tom <tom@lemuria.org> wrote:
> On Thu, Nov 27, 2003 at 10:45:09AM -0500, Diyab wrote:
> > I never thought about something like that.  On the plus side not only
> > would you have more control over what your specific "levels" will do but
> > you can easily and securely switch between levels.  The patch I
> > mentioned does not have that functionality.
>
> Remember that it's a _feature_ of the securelevels implementation that
> you can _not_ switch back. Once locked down, nothing short of a reboot
> will unlock, and a reboot is a very noisy action in any production
> environment.

I agree that it can be desirable to not permit changing back.  But SE Linux 
policies are very flexible, so it will not be difficult for the user to 
customise their system to their own desire.  If we can provide options for 
implementing secure levels in SE Linux that are more desirable to the users 
than those offered by BSD Unix then it can only increase the number of people 
using it.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
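
An added illustration, not part of any message in this thread: a small Python model of the multiple-policydb idea described above and of the "cannot switch back" property raised in reply. The type names load_policy_t and security_t and the rule tuples are assumptions made for the model; this is not SE Linux policy syntax.

```python
# Toy model, constructed for illustration: a policy is a set of allow rules
# (source type, target type, class, permission); anything not listed is denied.
# load_policy_t and security_t are assumed type names, not taken from the thread.
LOAD = ("load_policy_t", "security_t", "security", "load_policy")
SIGCHLD = ("insmod_t", "init_t", "process", "sigchld")
MODULE = ("insmod_t", "insmod_t", "capability", "sys_module")

BOOT_POLICY = frozenset({MODULE, SIGCHLD, LOAD})
# Restricted policy as proposed: insmod_t may only send sigchld to init_t,
# and load_policy is prevented.
LOCKED_POLICY = frozenset({SIGCHLD})
# Same restriction, but policy loading is still allowed.
SWITCHABLE_POLICY = frozenset({SIGCHLD, LOAD})


class Kernel:
    def __init__(self, policy):
        self.policy = policy
        self.denials = []  # stands in for the audit log

    def allowed(self, rule):
        if rule in self.policy:
            return True
        self.denials.append(rule)
        return False

    def insmod(self):
        return self.allowed(MODULE)

    def load_policy(self, new_policy):
        # The reload is checked against the policy that is loaded *now*.
        if not self.allowed(LOAD):
            return False
        self.policy = new_policy
        return True


def run(level_policy):
    """Boot, drop to level_policy, then try to load a module and to switch back."""
    k = Kernel(BOOT_POLICY)
    before = k.insmod()
    dropped = k.load_policy(level_policy)
    after = k.insmod()
    restored = k.load_policy(BOOT_POLICY)
    return before, dropped, after, restored, len(k.denials)


if __name__ == "__main__":
    print("locked:    ", run(LOCKED_POLICY))
    print("switchable:", run(SWITCHABLE_POLICY))
```

In the model, whether a "level" can be left again depends only on whether the restricted policy keeps the load_policy rule.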


