Thank you for coming. Hopefully you had a great time yesterday with me. I learned something new; I learned some new words that are not yet in Czech, so it was great. Did you have a great time? Okay.

At the beginning we prepared a quick exercise for you. Fortunately it isn't a fight; we have a simple question for you. Do you think that people care about security? If so, just put your hands up. No? They care about it, just not that much. Unfortunately, they don't care about security, even when they are self-employed. So it isn't so good, but even so, it's fine.

Today, together with Lukas, we will describe the latest performance and usability improvements in SELinux. (How did you fix it? I will switch the cable.) Today we will describe the latest SELinux usability and performance improvements, how they will help you if you ship your own policy for your product, and how they improve Fedora security in general.

The first of today's topics we call "security on fire". We will describe how we deal with security issues, where SELinux stands, and how SELinux helps you with these security issues. In the second topic we have a demonstration: Lukas will demonstrate how amazing SELinux technology is and how SELinux helps you with Shellshock. The third topic is also my favorite topic: we will tell you that SELinux is more handy, and I will describe the performance and usability improvements. And before the discussion and the questions, Lukas will tell you how we ship the Fedora SELinux policy, and we will describe how you can ship your own policy for your product.

Okay, so let's start. When I talk about security, I use these keywords as a helper: when, how and where. So let's start with the first one. Do people care about security? Right. After they are compromised. Yeah, that's true.
But they start to care when it's too late. They start to care when there are leaks, or when their mobile... when everything is already attacked. At that time they start to ask: how do these security issues affect me? And there are a lot of questions. For example: where is my personal data used? Will my personal data be shared on the internet? I have a funny story about that; I can tell you a bit after the presentation. The next question could be: will my account be stolen? Or: is my personal device protected at all? And the last one: are trusted institutions really trusted and protected from these security issues? I believe you can think of more questions, but I believe these are representative.

And because people ask these questions, they start to ask where security issues come from. What do you think? Where do security issues come from? Everywhere. External attacks. Okay, thank you. Many come from us; they come from... for example, I remember when I was going to the United States. So if I see the mistake, I start to care and I start to ask how these security issues get fixed. It was important for me to know it, and I guess people also ask about that.

So here we are talking about reactive security. If a new security issue appears, there is a time frame when your system is unprotected. We call it the window of vulnerability. It means your doors are open: your system is unprotected, your data can be shared on the internet, you can lose your data, and so on. During that time engineers and security teams work on a fix. When we have a fix, we prepare it and release it. Then your doors are closed again, but you may already have lost some data. So what is important?
What is important is that your system is unprotected from the consequences of exploits during the window of vulnerability. That is really important to understand. And here proactive security comes into the game. Proactive security covers the window of vulnerability. What does it mean? Proactive security helps you and protects your system while your doors are open. So can you give me an example of proactive security? Thank you; it's a big surprise, I would say. Yes, SELinux. With proactive security your system is protected from the consequences of exploits, and SELinux is a good example of proactive security, thank you for that. SELinux is Security Enhanced Linux. It's a security mechanism bringing proactive security to your system. With SELinux your system is protected from the consequences of exploits.

Do you have any examples? Do you know some? Yeah, Google it. For example, with one exploit you were able to get access from one machine to another machine. Another example could be privilege escalation; there is a nice book about it and how SELinux helps you. With privilege escalation, under a certain condition you are able to access any file on your system. So it's very cool. And the last one is Shellshock. Lukas will demonstrate how amazing SELinux is and how SELinux helps you with Shellshock. So it's your turn.

Thank you, Mirek. So, hacking time. How many of you know Shellshock and some technical background? Okay, cool. One reminder: the point of Shellshock is that after the environment variable, after the semicolon, you can add any arbitrary command, and this command will also be executed. I use this exploit to show you an example of how powerful SELinux can be. I start with the victim server. On this server there is a web server, and on the web server is a CGI script.
On the other side, the attacker side, I will start listening on port 9999 and then I'll try to connect from the victim machine to the attacker and get a shell there. So let's go. (Do I sit for it? Do you have to write them all? Yeah, I have to write them all. Okay, don't worry about it.) So here is the victim terminal and here is the attacker terminal. I start listening using the netcat command. Now I'm listening. Do you see? Okay, cool. Now I send an HTTP request, and you can see that after the semicolon there is a redirection: standard output and standard input go directly to port 9999. I execute it, and here you can see I get a shell. I can run id, whoami, or I can get some files from /etc, for example. Pretty simple.

This was the case with SELinux in permissive mode on the victim side, as you can see. So I switch to enforcing: setenforce 1. We try again. Again I send the HTTP request and, as you can see, I don't get the shell here. We can show the latest AVCs on the server, and the most important one is the last one: we can see that a CGI script with the following context is trying to connect to TCP port 9999, and this port is labeled jboss_management_port_t. This is not allowed in the policy, so SELinux protects the system. That's all from me.

Okay, thank you. And what's the conclusion? The conclusion of this demo is that if you run Linux with SELinux, you are good. Thank you. What would happen in a few minutes? Yes, you can connect, but you are still protected, because as I showed, if you run id you are still in the context of the CGI script. And the CGI script cannot access home directories, for example, so your home data will be protected.
For example, you can change the channel. We have it in our book also; we will release it soon. We look at questions. We have a very nice example. We also have new examples, for example being able to access a CGI. It depends on the configuration of the victim server and also on how clever the attacker is about which port to use. I like this demo; it has also been presented elsewhere, as far as I know.

I have a question for you: is your system protected? Yes, of course. Can you show me? You can show me on the other video. Does everyone have a source for the other one? So, really, is your system protected? Not now, and the reason is that I also use confined users on my system, and I have the boolean which allows the user to bind to some port, and it's turned off on my system. So I just quickly switch to permissive. If you are running it on your own, then you have some problems with the system. You are protected? Yes. Do you have some problems with the system? Always. Just to be honest, yes.

So it's also protected on the desktop. I remember the bug in the Steam application, the gaming one. The bug was something about removing your files from the root directory or your home directory, can you remember? Yeah, I know about this issue. It was first reported from the CD label, and unfortunately I didn't see that problem. I have discussed it on the Steam upstream and on the list. Okay, thank you. Right now I have great news for you.
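The AVC record Lukas read from the audit log is the evidence that the CGI domain was stopped. The following Python is an added example, not code from the talk or from the Fedora SELinux project: it parses AVC lines in the shape auditd writes, groups them into the allow rule audit2allow would propose, records whether each access was actually blocked or only logged (permissive=1, as in the first half of the demo), and flags a web-script domain initiating an outbound TCP connection as a reverse-shell candidate that should not simply be allowed. The audit lines, PIDs, inode numbers and timestamps are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed audit lines modelled on the demo: a CGI script (httpd_sys_script_t)
# connecting to TCP port 9999, which the policy labels jboss_management_port_t. Line 1
# is from permissive mode (logged only), line 2 from enforcing mode (blocked), line 3 an
# unrelated denial, line 4 a non-AVC record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1464000001.123:501): avc:  denied  { name_connect } for  pid=2311 comm="bash" dest=9999 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1464000042.456:517): avc:  denied  { name_connect } for  pid=2390 comm="bash" dest=9999 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:jboss_management_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1464000042.789:518): avc:  denied  { read } for  pid=2390 comm="cat" name="shadow" dev="vda1" ino=1049 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1464000042.456:517): arch=c000003e syscall=42 success=no exit=-13
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into its permissions, source/target types, class and mode.
    Returns None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    type_of = lambda ctx: ctx.split(":")[2]  # user:role:type:level -> type
    return {
        "verdict": m.group("verdict"),
        "perms": tuple(sorted(m.group("perms").split())),
        "source": type_of(fields["scontext"]),
        "target": type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
        "comm": fields.get("comm"),
        "dest": fields.get("dest"),
    }


def reverse_shell_candidate(rec):
    """A web-script domain asking for name_connect on a TCP socket is the shape of the
    demo's reverse shell: allowing it would reopen the door SELinux just closed."""
    return (rec is not None
            and rec["source"].endswith("_script_t")
            and rec["tclass"] == "tcp_socket"
            and "name_connect" in rec["perms"])


def summarize(log_text):
    """Group denials by (source, target, class) into the allow rule audit2allow would
    generate, counting blocked (enforcing) versus logged-only (permissive) events."""
    groups = defaultdict(lambda: {"perms": set(), "blocked": 0,
                                  "logged_only": 0, "suspicious": False})
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        g = groups[(rec["source"], rec["target"], rec["tclass"])]
        g["perms"].update(rec["perms"])
        g["logged_only" if rec["permissive"] else "blocked"] += 1
        g["suspicious"] = g["suspicious"] or reverse_shell_candidate(rec)
    out = []
    for (src, tgt, cls), g in sorted(groups.items()):
        out.append({
            "rule": f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(g['perms']))} }};",
            "blocked": g["blocked"],
            "logged_only": g["logged_only"],
            "suspicious": g["suspicious"],
        })
    return out


if __name__ == "__main__":
    for entry in summarize(SAMPLE_AUDIT_LOG):
        flag = "  <- do not allow: reverse shell" if entry["suspicious"] else ""
        print(f"{entry['rule']}  blocked={entry['blocked']} "
              f"logged_only={entry['logged_only']}{flag}")
```

The permissive-mode line produces the same proposed rule as the enforcing-mode line; only the counters differ. That is why the demo had to be run twice: in permissive mode the AVC is recorded but the reverse shell still connects.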
Right now I will introduce the last part: we are going to introduce big usability improvements in SELinux, and I will discuss them. So, the first one: we introduced big performance gains. Previously, if you tried to install the policy, or if you tried to disable or enable a policy, for example a local policy (which means you rebuild the policy), you could count approximately 15 seconds. (So you have to show me 15 seconds for this guy. I don't know how to pronounce it because I look both ways. Fortunately, there is a hero here. Do I have to do it? Okay. So, is that true?) Okay, so previously, if you installed the policy, or if you disabled or enabled, in this case, a local policy, it took approximately 20 seconds. Now you get a 70% speedup of the platform, which I think is really huge. It's in Fedora, and I'll tell you later where else it will be.

How did you make it that much faster? Well, we adopted the new userspace. We did some changes to make it work in Fedora, and it completely reworks the module store. There are implications, because we depended on the old layout, and it was pretty hard to do some changes; I'll tell you later. So, the second one. You reached a 35% speedup of the platform? No, it's at least 70%. So really? Especially for this one. Yes. Well, it's as you expected; it's the more modern one now. It's just prelink-based. Yes, good, thank you for that.

So the second one. I'll tell you the new, easy way to provide your own SELinux policies, and look out for the table about it later.
And I will describe it with some real numbers and an example. So previously, if you tried to install, for example, docker-selinux or container-selinux, you could fail, and you failed with the following error message: a duplicate definition error. Why? It's pretty easy: because we ship the Docker policy in our distribution policy, and if you try to install docker-selinux, you try to ship the Docker policy a second time, and there was a conflict. So you were not able to overwrite distribution defaults.

So there were changes. Currently, when you install docker-selinux and ship your own Docker policy with it, you can see two Docker policies on your system: the default distribution policy with priority 100, and another policy with priority 400. So you can have more copies of the same policy on your system at the same time; there is room for it. You can install your package, in this case docker-selinux, and your local policy, which you ship, wins because it has the higher priority. That's the point: we are able to assign priorities to modules. We adopted the new userspace and completely reworked the module store, and now we are able to assign priorities. It's very cool, it's something new, and we will show you with a real example how to ship your own policy and use these priorities.

Okay. Multiple priorities in Fedora 25. Let me introduce a guy who came up with an idea: we could add some, let's say, default priorities. It's a plan; it will be in Fedora 25, and we want you to use four default priorities. The first one is priority 100. It will be for system modules which come from the selinux-policy package, so for the distribution policy. There is a command which we use in the selinux-policy spec file, and we directly declare priority 100.
The second one is priority 200. It will be for your modules coming from other packages, from your packages. We will use this command in your spec files, and again we will directly define priority 200. The third one is priority 300. We know that modules with this priority come from setroubleshoot, so if you use setroubleshoot we suggest you use priority 300. And the last one is the default: 400, for your local policies. You don't define the priority directly, so these modules will always win. Yeah? So it's a plan. We are working on the documentation for that, for Fedora and for RHEL, so it will be there very soon. Okay.

Question: so if I run audit2allow with -a, then Fedora is actually going to come out and say, now you need to run semodule with -X 300? Yeah. So it's going to be priority 300. Yeah. And if you don't, that will be priority 400 by default. Yeah.

Okay, so the last one. We're going to use the new policy language. It's called CIL. I like it, I like it, seriously. Let's try to write our own policy module. Have you ever tried that? Yes. Sometimes it's complicated. For example, I was trying to reproduce and to fix some of the issues, so I created a policy, my .te policy file. There is a policy rule and some interface calls. It's sometimes not so complicated for me, but it has been sometimes. After that, you need to compile it. There's a policy file; you use checkmodule and you get a .mod file, which is binary. It's a compiled file, binary, and it's not readable. And after that, you wrap this .mod file into a .pp file.
So your policy is correct. So how does it go? We have the policy files; using checkmodule you create a .mod file. Again, it's binary, not readable. After that you use semodule_package to make the .pp. After that you use the semodule command, the policy is loaded, and this policy is after that also in the kernel. So too many steps. It's also a reason why it took 20 seconds before. What is the current state? The current state is that you just declare one single file in CIL and you just load it. There are no policy files, no compilation. You just use CIL, you use the semodule command, and the policy is loaded into the kernel. And it's an intermediate language: we read and load the intermediate policy language instead of reading and loading the high-level language, which we call the .pp. And there's potential for a new high-level language; we could write one in, for example, JavaScript. I feel everything is good, but it won't be. So there's a picture: we have the intermediate language, and there is the possibility to write a new high-level language. For example, there's a tool being used for local policy modules, where you can define something like "as a web server I want to read my logs". It's an example of a high-level language, and it works, I think, but without a demo. So there's a possibility for us.

And good news: it's here. We introduced it in Fedora 23, it's in Fedora 24, and we introduced it also in RHEL, for RHEL 7. So it's time. Yes.

So who is behind these changes? It's the law of the original. Yeah. Nothing else. It's major. I've been bribed, you know what I mean? I think I need to keep writing whatever the policy is. Most people write. Yeah, I mean it's fine. You don't have to use CIL; you get all the speedup advantages and all the priorities, and you just write what you've got. Yeah, it doesn't matter. Yeah, I would make that. Yeah.
Well, it's a thing. CIL has never really been known. Yeah. No one stepped up to do the high-level thing. Right, right. And what I think is wrong is that CIL is new. Yes, we've been talking about CIL. Yeah, you have transformed yourself. Wonderful. We will have a tech talk about that in August, so we will describe it with some examples.

Okay, so who is behind these changes? Let me introduce myself. I was born in Nepal. I currently work in New York. I am currently working as a team lead. Let me introduce a fellow engineer I have talked about: he is Lukas. He is a policy guy. He is successfully replacing me. He is an intern. Why are you so mad? He has to deal with all the bugs when you find them. He is an intern, and he is a very good guy. So, nice faces, right? Okay, thank you, and stay with us.

Thank you, Mirek. So, Mirek told you about writing SELinux policy. And the question is: where can we find all these policies in Fedora? The answer is pretty simple. You can find these policies in the selinux-policy package, and we call this policy the distro policy. This distro policy is adjusted especially for Fedora. The distro policy contains mainly the policies for core components like the kernel and systemd. It also contains policies for common daemons like httpd, ftpd, sshd, and a lot more. And it also contains the user domains for some users, like user, sysadm or guest, for example. The distro policy does not contain any policies for third-party components. This means that if you download any application or daemon and install it on your system, probably the policy will be missing from the distro policy and this domain will be unconfined. And you need to write a new policy for it.
We are trying to cover all daemons in the official Fedora repositories. In Fedora 23 and Fedora 24 we have around 470 SELinux modules, which is a lot. Okay, so the next question is where you can find the sources. We are on GitHub. We have a special organization called fedora-selinux, and there is a repository for the selinux-policy and all the source policies, which you can also find in Fedora dist-git. There are some useful links, and if you are interested in how to contribute or how to package this policy, you can click on them and read. Yeah, no problem.

So, okay. Mirek told us that we know how to write our own SELinux policy, and we also know that it's quite easy, because I believe everybody here listened to or read some documents about writing SELinux policy from Mirek or probably from others. But the other question is: can we ship these modules easily? And I say yes. It's also very easy, and I'll show you how to do that. You can ship your own module as a sub-package of the main RPM package of your application, or you can ship the SELinux module directly in the RPM package. It's your choice, but we definitely prefer the sub-package.

You said just in case somebody didn't want to enable SELinux. Why would you want a sub-package? Is it for people who are not using SELinux? No, no, no. This handles people enabling or disabling SELinux; you will see in the spec file how I solved it. But it exists in a solution, I believe. Okay.

So, another example. You can try to install Docker on Fedora. How will you manage it? Do you see it? Do you need it bigger? Maybe I can make it. Yes, go. Thank you. So, as you can see on my system, I don't have Docker installed yet. I use the semodule command, and there is no output, which means there is no Docker module loaded into the kernel. Then I install Docker, and other packages are installed, but the most important one for us now is the docker-selinux package.
And then you see it's installed, and I again try semodule, and we see the Docker SELinux module loaded into the kernel. Okay.

So shipping your own SELinux module brings a lot of benefits. The first one is that changes in the policy can be made immediately. That means you don't need to wait while the SELinux maintainer, me, fixes your issue. Then you are also independent of selinux-policy updates; this means you don't need to wait while I create the update in Fedora, for example. The last one is connected to the first and the second, and I believe it is the most important: your packaged SELinux module is synchronized with your application, and this means that the policy can reflect all the features in your application. So I believe this is the most important thing about shipping your own policy.

Then I have a question on how to do this. We will definitely need the clean selinux-policy packages, then a working SELinux policy for the product, then a Makefile to compile the policy, and of course the spec file of your application. Again, some examples. Some packages are installed; I created my environment, and this is a really basic SELinux policy. It just defines two types and one allow rule. This is the type enforcement (.te) file. Here you can see the file context (.fc) file, and there is also the interface (.if) file, but it's not important right now. Okay, so we have prepared our policy; it's just an example. And this is an example of a Makefile; as you can see, the most important line is the line with make. You just make the policy, compiling it to .pp format, as Mirek mentioned.

So the policy is ready now, and let's integrate it into the spec file. Firstly, in the %build section you need to compile your policy to .pp format, and then in the %install section you install firstly the interface file to /usr/share/selinux/devel/include/contrib, and then you also install the policy files to /usr/share/selinux/packages.
So it's pretty simple. Then in the %post scriptlet of your package you use the semodule command and the policy is loaded into the kernel. You asked me about users who disable SELinux: you can see there is a condition, it checks that SELinux is enabled, and then after the .pp is loaded the policy is reloaded. The %postun scriptlet is pretty much the same, but the module is removed. And the last one is the %files section, where you need to list the files to install. If you install your own module and you need to label some files after the installation, you can use a macro with the path to those files.

So by default the label only goes to paths owned by the package? Yes, yes. It helps sometimes.

I have a very big problem with this part, because I have an SELinux policy from my brother, and he tried to relabel the path; it usually lasts an hour or so, because I have more than that. So while you improved the speed of loading modules from 20 seconds, I would like to see more than a 30-second improvement in the hour. So when you start with the SELinux module, I am basically installing it because I changed the path of some apps. When you know what the previous SELinux module was and what the new one is, you can generate a change, especially in those path contexts. So it would be nice if you could give me the list of the paths which are affected, so I don't need to relabel all those paths, just a bunch of them. So we do that in the selinux-policy; I can make it. Yes, I think I have it in my head; we can talk about that, because we are almost out of time. Yeah, but I have some kind of changes on that. Okay. Thank you.
Okay, so the policy module is now part of your application package and it's working. I am also attaching some useful links, and these are links to my blog. There is a step-by-step tutorial on how to create your own SELinux module and ship it. So if you want to try it, you don't have to start from scratch. Okay.

What about the really, really near future? As Mirek mentioned, using the CIL feature makes shipping your own modules even easier. Again, another example. Now, this selinux-policy contains also the Docker policy, and this selinux-policy package, as Mirek said, has priority 100. In the example you can see the priority of the package is 100 and there is no docker-selinux RPM package installed. Okay. What will happen after installing the docker-selinux RPM package? Again you see priority 100, I have installed Docker, and along with Docker the docker-selinux package is installed, and now you can see two different SELinux modules. And as Mirek said, only the policy with the higher priority is active. So it's pretty easy, and it's just a change of a parameter in the semodule command. So it's the same as the example.

Yeah, but both of the policies have exactly the same name. How do I know which one is which? Well, you have the numbers. Yeah, but I mean, I have the third-party policy, which is the Docker one, and it is called docker. Then I can install the other one. How do I know which one is the current one? The number; both of them have the docker name. None of them gives me the distinction which is which. Well, the 100 is going to be the system. Yes. The 100 is going to be the system. You see there's one with 300 and you know that it's going to be setroubleshoot. Yeah. And that one is 400, you know, the local one. Yeah. This is the reason why we could better fill the table, and it mentioned that we have setroubleshoot at priority 300 and the default is 400. This is the reason for that.
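The question about two modules with the same name is answered by the priority column of the module listing. The following Python is an added example, not code from the talk or from the Fedora SELinux project: given listing text in the three-column shape of `semodule -lfull` (priority, module name, policy language), it works out which copy of each module is active and which copies are shadowed, maps the active priority to the tier from the plan described above (100 distribution, 200 package, 300 setroubleshoot, 400 local default), and builds the `semodule -X <priority> -i` command that installs a module into a chosen tier. The listing text is constructed for the example and is not output from a real system.

```python
import re
from collections import defaultdict

# Priority tiers from the plan described in the talk. 400 is also what semodule uses
# when -X is not given.
PRIORITY_TIERS = {100: "distribution", 200: "package", 300: "setroubleshoot", 400: "local"}

# Constructed listing in the shape of `semodule -lfull` output (priority, name,
# language; a fourth column such as "disabled" may appear on newer userspace).
SAMPLE_LISTING = """\
100 abrt pp
100 docker pp
200 docker pp
100 httpd pp
400 httpd pp
300 myhttpd cil
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listing(text):
    """Return (priority, name, language, flag) for every well-formed listing line."""
    modules = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            modules.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return modules


def resolve(text):
    """For each module name, the highest-priority copy is the one that ends up in the
    kernel policy; every other copy with that name stays installed but is shadowed."""
    by_name = defaultdict(list)
    for prio, name, lang, _flag in parse_listing(text):
        by_name[name].append((prio, lang))
    result = {}
    for name, copies in by_name.items():
        copies.sort(reverse=True)
        active_prio, active_lang = copies[0]
        result[name] = {
            "active": active_prio,
            "lang": active_lang,
            "tier": PRIORITY_TIERS.get(active_prio, "custom"),
            "shadowed": [p for p, _ in copies[1:]],
        }
    return result


def install_command(module_file, tier):
    """The semodule invocation that installs a module at the priority of the given tier."""
    prio = {name: p for p, name in PRIORITY_TIERS.items()}[tier]
    return f"semodule -X {prio} -i {module_file}"


if __name__ == "__main__":
    for name, info in sorted(resolve(SAMPLE_LISTING).items()):
        shadow = f", shadows {info['shadowed']}" if info["shadowed"] else ""
        print(f"{name}: active at {info['active']} ({info['tier']}, {info['lang']}){shadow}")
    print(install_command("docker.pp", "package"))
```

Removing the priority-200 docker copy (`semodule -X 200 -r docker`) would make the distribution copy at 100 active again, which is the rollback the old single-copy module store could not offer.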
Yeah. Okay. Also, this module can be installed without any changes in the distro policy, and this is also a new, special point for me, because if you want to ship your own module without the new userspace, first I need to remove the policy from our distro policy. And this is also a cool thing. And the last thing is about RHEL: it's 7.1. Yeah. Okay. Any questions? I think we are out of time. Let's give you a personal view at the end. So one more question, just... Thank you.