I am taking a break today from "SELinux for dummies" in order to celebrate the release of Fedora Core 5 ...
I want to talk about the many new features that are available from SELinux in this release. Most of the new features are the building blocks for making SELinux easier to use and for allowing higher-level applications to manipulate an SELinux environment.
New management environment.
Fedora Core 5 introduces a new management environment called semanage. This tool set allows a system administrator to customize the way SELinux runs
on his machine without having to install the policy sources. semanage is the command line tool
for doing this. Its man page describes the tool as follows:
"This tool is used to configure SELinux Policy. You can configure SELinux User Mappings, SELinux Port Mappings, SELinux Users, File Context and Network Interfaces
and MLS/MCS Translations."
This tool also comes with a Python module, seobject.py, that encapsulates most of the semanage functionality and could eventually be the basis for building GUI management tools (hint!!!).
Also, most of the other SELinux libraries now have Python wrapper classes, so that
you can call most of their functions from Python.
Tresys describes the Reference Policy:
"The Reference Policy project makes it easier to maintain and apply baseline security policy for Security Enhanced Linux (SELinux). The project makes SELinux easier to use for a broader set of secure applications, as well as making SELinux policies compatible with new, emerging policy management technology."
Over the last year, Tresys has undertaken an effort to rewrite the entire NSA example policy using a totally new structure, and has added new language features.
Reference Policy is further explained at the Tresys web site.
In the process of moving to this new Reference Policy, we have cleaned up lots of cruft across every policy file in the example policy.
Fedora Core 5 is using the Reference Policy as the basis for all of the shipping policy rpms: selinux-policy-targeted, selinux-policy-strict and selinux-policy-mls.
Loadable Policy Modules:
Along with creating Reference Policy, we have also moved to a new mechanism for shipping and managing SELinux policy, called Loadable Policy Modules, also described at the Tresys web site:
"As a result of the increased integration of SELinux into distributions, the need for a robust policy management infrastructure has become clear. This policy management infrastructure should help administrators and policy authors dynamically deploy, update, and modify SELinux policies in a secure and convenient manner. Loadable policy modules attempt to address this need."
audit2allow can now create a policy module from AVC messages. In FC4 you had to create a local.te file and then recompile the whole policy. In FC5 you can use
audit2allow to generate a policy module and then use semodule to load it into the kernel as a loadable module. More explanation of loadable modules is available at the following:
MCS Targeted Policy
MCS is a policy that is based around a number of categories. Currently in Fedora it is an advisory policy, which users can override at whim. We intend to make it a discretionary policy and may at some future time add mandatory elements to it.
The core of MCS is a set of 256 categories that may be assigned to each process. A process must have a category set that is a superset of the categories assigned to a file in order to access that file. Currently MCS only controls access to regular files and some IPC (signals and ptrace).
MCS uses the same kernel code and application interfaces as the MLS policy. MCS will be significantly more popular than MLS, and thus will make a good test-bed for the MLS kernel functionality, as well as making it easier and more desirable for application vendors to provide support.
James Morris has a great description of what MCS is:
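To make the superset rule concrete, here is an added Python example (not from the original post or from the MCS policy source) that expands an MCS category string such as s0:c1,c3.c5 into a set and applies the check. It assumes the process's clearance is the high end of its level range and the file's level is the low end of its range; the contexts used in it are constructed.

```python
NUM_CATEGORIES = 256          # FC5 MCS ships c0 .. c255

def parse_categories(level):
    """Expand the category part of one MCS level ('s0:c1,c3.c5') into a set of ints."""
    cats = set()
    parts = level.split(':', 1)
    if len(parts) == 1:          # plain 's0' carries no categories
        return cats
    for item in parts[1].split(','):
        if '.' in item:          # 'c3.c5' is the inclusive range c3, c4, c5
            lo, hi = (int(x[1:]) for x in item.split('.'))
            cats.update(range(lo, hi + 1))
        else:
            cats.add(int(item[1:]))
    if any(c < 0 or c >= NUM_CATEGORIES for c in cats):
        raise ValueError('category outside c0..c%d in %r' % (NUM_CATEGORIES - 1, level))
    return cats

def level_range(context):
    """Return the (low, high) levels of a full context; a single level is its own range."""
    level = context.split(':', 3)[3]      # user:role:type:level, and the level may contain ':'
    low, _, high = level.partition('-')
    return low, high or low

def mcs_allows(process_ctx, file_ctx):
    """The superset rule: every category on the file must be in the process's category set.
    Assumption: the process's clearance is the high end of its range, the file's is its low end."""
    _, proc_high = level_range(process_ctx)
    file_low, _ = level_range(file_ctx)
    return parse_categories(file_low) <= parse_categories(proc_high)
```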
In Fedora Core 5 we are introducing a new policy called MLS. This stands for Multi-Level Security. The MLS functionality in SELinux is being developed as part of the Common Criteria LSPP certification work. The LSPP work aims to get LSPP, RBAC, and CAPP certification at EAL 4+.
This link from James Morris's blog has a lot of background information on the LSPP work.
Chris Runge's paper: The Path to Multi-Level Security in Red Hat Enterprise Linux
Introduction of MLS into a Linux Operating System
Development Environment for building policy packages.
selinux-policy now contains the Reference Policy interface files that were used to build the system. These files are shipped in the selinux-policy package and are installed under /usr/share/selinux/devel/.
We ship a Makefile, as well as a simple script, policygentool, which will let you start experimenting with SELinux policy writing more quickly. policyhelp will take you to the Reference Policy HTML pages, which describe the interfaces available.
audit2allow has been enhanced to understand the new Reference Policy format, and will attempt to match an AVC message to the appropriate interface(s).
Additional Protected packages.
In FC4 we locked down most of the system-space processes; we have continued working on those and have added a few new domains, including xend, logwatch and pcmcia.
Additional Security Access Checks
We have added the following access checks to protect applications against malicious code:
execmem, execmod, execheap, execstack.
These are further explained by Ulrich Drepper.
In Fedora Core 5 we have started applying these access checks to userspace. This is the beginning of allowing an administrator to protect userspace from malicious code. execmem and execstack are still allowed by default, although you will see AVC granted messages in your log file. You can turn off these booleans and tighten your security by executing:
setsebool -P allow_execmem=0 allow_execstack=0
We left these on because of certain applications that were built incorrectly and need these privileges, especially web browser plugins.
We have worked hard to clean up all code shipped in Fedora to eliminate the need for these privileges. If you see the granted message in your log files, you should open a bugzilla against the apps that require it, and copy me. :^)
If you find a shared library that requires execmod privilege, you can allow it by executing
chcon -t textrel_shlib_t SHLIBPATH, then please report a bugzilla so we can attempt to clean up the library or get the vendor to clean it up.
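As an added example (not code from the original post or from audit2allow itself), here is a small Python script that does what the audit2allow-to-semodule step above and the "granted message" advice describe: it parses FC5-style AVC records, turns the denials into a module-format .te source of the kind you would build with the devel Makefile and load with semodule, and lists the apps that were granted execmem/execstack and friends so you know what to bugzilla. The sample audit lines are constructed, and the .te layout follows the module language rather than audit2allow's exact output.

```python
import re
from collections import defaultdict
EXEC_CHECKS = {'execmem', 'execmod', 'execheap', 'execstack'}

# Constructed sample records (not from a real system) in the FC5-era AVC format from /var/log/audit/audit.log.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1143012345.123:45): avc:  denied  { read write } for  pid=2381 comm="logwatch" name="messages" dev=hda2 ino=12345 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1143012345.124:46): avc:  denied  { getattr } for  pid=2381 comm="logwatch" path="/var/log/messages" dev=hda2 ino=12345 scontext=system_u:system_r:logwatch_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1143012346.001:47): avc:  granted  { execmem } for  pid=3010 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
"""

AVC_RE = re.compile(r'avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(log_text):
    """One dict per AVC record: verdict, sorted perms, plus the key=value fields."""
    records = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
        rec['verdict'] = m.group('verdict')
        rec['perms'] = sorted(m.group('perms').split())
        records.append(rec)
    return records

def denials_to_te(records, module_name):
    """Turn the denials into module-format .te source, as audit2allow -M does."""
    rules, classes = defaultdict(set), defaultdict(set)
    for r in records:
        if r['verdict'] != 'denied':
            continue
        # a context is user:role:type[:level]; the type is the third field
        src, tgt = r['scontext'].split(':')[2], r['tcontext'].split(':')[2]
        rules[(src, tgt, r['tclass'])].update(r['perms'])
        classes[r['tclass']].update(r['perms'])
    types = sorted({t for key in rules for t in key[:2]})
    out = ['module %s 1.0;' % module_name, '', 'require {']
    out += ['\ttype %s;' % t for t in types]
    out += ['\tclass %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    out += ['}', '']
    out += ['allow %s %s:%s { %s };' % (s, t, c, ' '.join(sorted(p)))
            for (s, t, c), p in sorted(rules.items())]
    return '\n'.join(out) + '\n'

def granted_exec_checks(records):
    """'granted' hits on the exec checks name the apps still relying on the booleans."""
    return sorted({(r.get('comm', '?'), p) for r in records
                   if r['verdict'] == 'granted' for p in r['perms'] if p in EXEC_CHECKS})
```

Write the .te output to local.te in a directory with the devel Makefile, run make, and load the resulting local.pp with semodule; the granted list tells you which applications still need allow_execmem or allow_execstack.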
We have also added domains for the following environments to allow some of these memory accesses:
wine, mono, java.
Well that is all I can think of now, but it gives you an idea of how many changes are in FC5/SELinux...