Re: Is there a SELinux tutorial for ISVs ?

Re: Is there a SELinux tutorial for ISVs ?

[Daniel J Walsh]

This string of messages brings up something I wanted to get a 
conversation going on how to handle non OS Provided policy.

We all know we need a better mechanism for handling "binary" policy in 
the future.  ( I think the future is now.)
I see three people providing policy.

1. OS Provider with base policy.  (It would also be nice if the base 
policy got broken into several policies and only the policy
of the running service would be loaded.  If we got to this state we 
would need a new mechanism for restoring file context since
file_context might not meet the currently loaded policy. 

2. Third Party application developers.  As the use of targeted policy 
has begun to take off, Third Party ISV have started to question
how they can play in this world.

I see Tresys Stuff solving the problems of both of the above.

3 Local User customization and minor policies.  Currently we have people 
using audit2allow creating files in domains/misc and then
reloading policy.   We need a mechanism for users to be able to do this 
without recompiling policy.    Also more significantly how
do we handle the small diffed apache_domain stuff.  A couple of months 
ago I redesigned apache policy to have a macro called
apache_domain.  A user could create a new apache_XYZ.te file with

apache_domain(XYZ)
Followed by a few allow rules and be able to get their cgi scripts 
working without turning off apache protection or running their script in
httpd_unconfined_script_t.

The problem is the only way to do this is to install policy sources and 
muck around.    I think we to have some shared library mechanism
where a few well known macros could be defined and users could easily 
build their own custom policy.


Anyways I think we need more discussion on handling third party and user 
customization of policy outside of the current make tree stuff.

Dan

Dan

-- 



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Is there a SELinux tutorial for ISVs ?

[Lorenzo Hernández García-Hierro]

[-- Attachment #1: Type: text/plain, Size: 1149 bytes --]

El jue, 28-04-2005 a las 11:54 -0400, Daniel J Walsh escribió:
> The problem is the only way to do this is to install policy sources and 
> muck around.    I think we to have some shared library mechanism
> where a few well known macros could be defined and users could easily 
> build their own custom policy.
> 
> Anyways I think we need more discussion on handling third party and user 
> customization of policy outside of the current make tree stuff.

I've been thinking on it when working on the SELinux deployment within
Ubuntu Linux, and binary policies are something pretty handy for binary
packages-based distributions, among the general benefit they provide.

I might be able to work on something, but I would like to know first how
many people is interested in this and how many of them would be able to
contribute to it in the long term.

The idea I thought about is something like the one shown in the diagram
at
http://pearls.tuxedo-es.org/selinux/diagrams/selinux-binary-policies-1.png

Cheers,
-- 
Lorenzo Hernández García-Hierro <lorenzo@gnu.org> 
[1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org]

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]

Re: Is there a SELinux tutorial for ISVs ?

[Stephen Smalley]

On Thu, 2005-04-28 at 19:32 +0200, Lorenzo Hernández García-Hierro
wrote:
> I've been thinking on it when working on the SELinux deployment within
> Ubuntu Linux, and binary policies are something pretty handy for binary
> packages-based distributions, among the general benefit they provide.
> 
> I might be able to work on something, but I would like to know first how
> many people is interested in this and how many of them would be able to
> contribute to it in the long term.

Tresys Technology already has a working implementation of binary policy
modules, including a module abstraction with a dependency model, a
compiler for generating such modules, and a linker for linking them
together with a "base module".  Planned for upstreaming after FC4.  See
their prior posts to the selinux list or their web site for info.

-- 
Stephen Smalley <sds@tycho.nsa.gov>
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: Is there a SELinux tutorial for ISVs ?

[Chad Hanson]

> 
> This string of messages brings up something I wanted to get a 
> conversation going on how to handle non OS Provided policy.
> 
> We all know we need a better mechanism for handling "binary" 
> policy in 
> the future.  ( I think the future is now.)
> I see three people providing policy.
> 

I agree, as an ISV we need a way to add custom policy to support our
applications. We currently use a processed version to the policy to have
source modules until the binary modules are part of Fedora.

> 1. OS Provider with base policy.  (It would also be nice if the base 
> policy got broken into several policies and only the policy
> of the running service would be loaded.  If we got to this state we 
> would need a new mechanism for restoring file context since
> file_context might not meet the currently loaded policy. 
> 
> 2. Third Party application developers.  As the use of targeted policy 
> has begun to take off, Third Party ISV have started to question
> how they can play in this world.
> 

Exactly, see statement above.

> I see Tresys Stuff solving the problems of both of the above.
> 
> 3 Local User customization and minor policies.  Currently we 
> have people 

Along with local user policy, there needs to be local network policy
customizations as well. This is required from an MLS perspective and I would
think be useful for TE network restrictions as well.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: Is there a SELinux tutorial for ISVs ?

[Karl MacMillan]

> -----Original Message-----
> From: fedora-selinux-list-bounces@redhat.com [mailto:fedora-selinux-list-
> bounces@redhat.com] On Behalf Of Chad Hanson
> Sent: Thursday, April 28, 2005 2:29 PM
> To: Daniel J Walsh; Davide Bolcioni
> Cc: SELinux; fedora-selinux-list@redhat.com
> Subject: RE: Is there a SELinux tutorial for ISVs ?
> 

<snip>

> > I see Tresys Stuff solving the problems of both of the above.
> >
> > 3 Local User customization and minor policies.  Currently we
> > have people
> 
> Along with local user policy, there needs to be local network policy
> customizations as well. This is required from an MLS perspective and I would
> think be useful for TE network restrictions as well.
> 

Definitely - users might want to only allow apache to serve pages to one netif
for example. Also, when the remaining network functionality is finished there
will be much more need to customize the network policy.

Karl

---
Karl MacMillan
Tresys Technology
http://www.tresys.com
(410) 290-1411 ext 134

> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> http://www.redhat.com/mailman/listinfo/fedora-selinux-list


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: Is there a SELinux tutorial for ISVs ?

[Karl MacMillan]

> -----Original Message-----
> From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] On
> Behalf Of Stephen Smalley
> Sent: Thursday, April 28, 2005 1:52 PM
> To: Lorenzo Hernández García-Hierro
> Cc: Daniel J Walsh; Davide Bolcioni; fedora-selinux-list@redhat.com; SELinux
> Subject: Re: Is there a SELinux tutorial for ISVs ?
> 
> On Thu, 2005-04-28 at 19:32 +0200, Lorenzo Hernández García-Hierro
> wrote:
> > I've been thinking on it when working on the SELinux deployment within
> > Ubuntu Linux, and binary policies are something pretty handy for binary
> > packages-based distributions, among the general benefit they provide.
> >
> > I might be able to work on something, but I would like to know first how
> > many people is interested in this and how many of them would be able to
> > contribute to it in the long term.
> 
> Tresys Technology already has a working implementation of binary policy
> modules, including a module abstraction with a dependency model, a
> compiler for generating such modules, and a linker for linking them
> together with a "base module".  Planned for upstreaming after FC4.  See
> their prior posts to the selinux list or their web site for info.
> 

This and the reference policy work I just mentioned in another email. As we work
on upstreaming the binary modules we are going to need feedback / testing - if
you are interested in this area I would greatly appreciate any help you can
give.

Thanks,

Karl

---
Karl MacMillan
Tresys Technology
http://www.tresys.com
(410) 290-1411 ext 134

> --
> Stephen Smalley <sds@tycho.nsa.gov>
> National Security Agency
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
> the words "unsubscribe selinux" without quotes as the message.



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

RE: Is there a SELinux tutorial for ISVs ?

[Karl MacMillan]

> -----Original Message-----
> From: owner-selinux@tycho.nsa.gov [mailto:owner-selinux@tycho.nsa.gov] 
> On Behalf Of Daniel J Walsh
> Sent: Thursday, April 28, 2005 11:55 AM
> To: Davide Bolcioni
> Cc: fedora-selinux-list@redhat.com; SELinux
> Subject: Re: Is there a SELinux tutorial for ISVs ?
> 
> This string of messages brings up something I wanted to get a 
> conversation going on how to handle non OS Provided policy.
> 
> We all know we need a better mechanism for handling "binary" policy in 
> the future.  ( I think the future is now.) I see three people 
> providing policy.
> 
> 1. OS Provider with base policy.  (It would also be nice if the base 
> policy got broken into several policies and only the policy of the 
> running service would be loaded.  If we got to this state we would 
> need a new mechanism for restoring file context since file_context 
> might not meet the currently loaded policy.
> 

In the binary policy work, the base is simply a binary module that is fully
self-contained to guarantee that there will be an internally consistent /
coherent policy at all times. That policy can be arbitrarily small, however.

As for only enabling policy for certain services I see three options:

1) Policy for all services is always loaded (current practice).
2) Policy for services that are installed is always loaded.
3) Policy for services that are installed is loaded on service start.

1 is obviously problematic because of wasted resources and privileged
application domains being present when they should not be (not to mention 3rd
party policy). We considered 3 when we started the binary module work, but
decided that it was too complicated with little benefit. Additionally, I think
that it is _very_ desirable to limit relabeling as much as possible. It is error
prone and risky in terms of security.

2 is what we are targeting. The installation of a new service in the model I am
proposing would

1) Install the binary policy module to a place on the filesystem managed by RPM
(for example /etc/selinux/policy-name/installed-modules).

2) Load the policy by installing it with semodule (semodule -i policy.pp - .pp
is for policy package which is the binary policy and file contexts). This will
install the module into a managed location (for example
/etc/selinux/policy-name/active-modules) and load it into the kernel.

3) RPM would then label files as it installs the application.

The binary module infrastructure also always creates a complete file_context
like the current system, so that can be used for whatever labeling needs to be
done.

> 2. Third Party application developers.  As the use of targeted policy 
> has begun to take off, Third Party ISV have started to question how 
> they can play in this world.
> 
> I see Tresys Stuff solving the problems of both of the above.
> 

That is the plan - we are porting the recent changes to
libsepol/libselinux/checkpolicy to our tree and will start upstreaming the
binary policy work soon. I am targeting getting this integrated by June.

> 3 Local User customization and minor policies.  Currently we have 
> people using audit2allow creating files in domains/misc and then
> reloading policy.   We need a mechanism for users to be able to do this
> without recompiling policy.    Also more significantly how
> do we handle the small diffed apache_domain stuff.  A couple of months 
> ago I redesigned apache policy to have a macro called apache_domain.  
> A user could create a new apache_XYZ.te file with
> 
> apache_domain(XYZ)
> Followed by a few allow rules and be able to get their cgi scripts 
> working without turning off apache protection or running their script 
> in httpd_unconfined_script_t.
> 
> The problem is the only way to do this is to install policy sources and
> muck around.    I think we to have some shared library mechanism
> where a few well known macros could be defined and users could easily 
> build their own custom policy.
> 

We are actively working on what we are calling reference policy. This attempts
to create just such a 'shared library' mechanism among other goals. On the
source level it creates abstractions in the form of layers and modules. Each
module, which contains the policy for a well-defined functional area, exports a
set of interfaces - macros that allow access to its resources.

There is a presentation that we did on this work available at
http://tresys.com/Downloads/selinux_dev/reference-policy.pdf, which may give you
an idea of what we are trying to accomplish. Also, we are starting a sourceforge
project for this that will be up soon. We are making rapid progress on this and
can release the policies that we have done so far when the project set up. If
anyone would like to see what we have let me know and I will get you a tarball
off list.

I think that the next step is to add the interface idea to the underlying binary
module language so that external policies can start being dependent not on types
but interfaces. If these stabilize enough it should be possible to write to this
abstraction layer and have a single binary module work across many base
policies.

> 
> Anyways I think we need more discussion on handling third party and 
> user customization of policy outside of the current make tree stuff.
> 

I agree. We are trying to tackle these problems, but need input about exactly
what people need.

---
Karl MacMillan
Tresys Technology
http://www.tresys.com
(410) 290-1411 ext 134

> Dan
> 
> Dan
> 
> --
> 
> 
> 
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to 
> majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as
the message.


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.