Thank you everybody. So I'm Jason. I've given SELinux talks the last two, so this is the newest one in the series. Quick one about me: I'm a Gentoo developer, as Roland said. I'm the lead on the SELinux team and the Hardened project. I'm also an upstream SELinux maintainer. I also do TensorFlow and other things too, but that's not relevant now. My PGP key and those, I'll put the slides on my blog later.

So, quick overview. We're going to do a quick intro of what SELinux is. Then macros is back, we'll get there. Then a bit about contexts, roles, types, users, and then different things that you can run into and why, and how you can fix them. And then a few examples at the end.

So this is perfect: last night at dinner, the final release of 2.9 was out. Release candidates have been out for the last few weeks. So literally at dinner this was done. So this is awesome, a new version's out. Not a huge update; some of the other ones had more things. One of the notable features is that we use Python 3 by default. It does not use Python 2 anymore by default. You can still turn that on if you want, but Python 2 is going, so please don't.

There are other fun things recently in SELinux. The kernel has added stacking of LSMs. So now you can have, or not quite yet, but very soon you'll be able to have SELinux, SMACK, AppArmor, many of these enabled all at the same time. I'm not entirely sure why you would want to, but you can, and it's better for distros, so they can just compile all of them in and then users can switch by just changing a boot argument. So it'll be quite nice.

So we talked about SELinux. What is it? It's Security-Enhanced Linux. It controls access between resources, users, files, anything on your computer. And the notable difference between SELinux and other things is that it is MAC, mandatory access control. So it's a global policy set on the entire computer. Everything has to obey it; the kernel will enforce it.
There are other things that understand SELinux and enforce other things, like D-Bus or systemd; those kinds of things will enforce extra things on top, but the kernel will enforce most things, like sandboxing different applications so they cannot access things they're not supposed to. They only get the things they get.

So when you try to access something on your computer, like you have a program trying to read a file, it has several security checks along the way. So first it will check the regular Unix permissions, the read-write-execute bits. If those are allowed, then it will proceed down the pipe and then go to the LSM, the Linux security modules. There are more than one of those already, and there will be even more of them in the future when that patch has landed. And it will basically check them all in order. The LSMs can register certain hooks, so they could be like "read file" and these kinds of things, and they will check the system against the SELinux policy before allowing it. So it will start at the regular Unix permissions and then keep going. If at any point in time any of those fail, it will fail, and you'll get an audit log entry. If all of them succeed, then you'll be allowed to do it.

So you need to know this order, because if you are getting permission denied, maybe it's an SELinux problem, but it might not be. Maybe your Unix permissions are wrong. I think you won't see an SELinux problem then, because it never got there. It will only actually show those errors if you get that far in the pipe, which you may or may not. You cannot enable things: SELinux denies everything by default, and then you can add rules to allow things, but only within SELinux. If it doesn't get there, it's never going to get there; it will just error out early.

So you need to know the format of what these types and contexts look like. Everything in SELinux has a user, a role, a type, and a sensitivity, which is optional.
So, for example, programs, or daemons, or Apache, or those kinds of things will run under the system user. That user is fairly widely... has quite a lot of permissions? Well, sorry, no. Users don't have permissions. Users are allowed to do different roles, and different roles are allowed to do different things. So the system user is allowed all the Apache, SSH, those kinds of things, but it is not allowed, like, X, or if you want to run Chrome, those things you can't do. So there's a very big gap between system daemons and user users and the roles for those. So then staff, user, and those are what different users will get.

So the context is separated by colons. The first part is the user. The next parts are the role, the type, and the sensitivity. They tend to end with _u, _r, and _t. That's just the convention; they don't actually have to. If you look at Android, which has SELinux enforcing on everything, they just call them really short things. So their system_u is just "u", I think. It's really short, and we just do it our way because when you write policies, it's much easier to see and understand.

The sensitivity is off on a lot of systems by default. I like it. Those are used for MLS and MCS. MLS is the super hard one, if you're the NSA and you really want top secret versus classified versus secret. That one is really hard to use and basically doesn't work. I've had it kind of working a couple of times, but don't really bother. The really useful one is MCS, which is multi-category security. So to do any of this, you need to have sensitivity. So multi-category security just has a single one and just kind of ignores it, but then you get all the categories at the end. So if you see the s0, the s1 part, that is the sensitivity part, and then the categories are the c0 to c...

Quick thing about users first, and roles. So the roles are user, which is most users, if you're using the system, not administrator. Yes, human users.
Like you're using Chrome, a text editor, the command line, whatever, these kinds of things, that's a user. You and a user are. And those have, like, all the types belong to those. So the user role gets all these, like web browser and those kinds of things, but it does not get any of the ones that allow you to switch to any other roles. It only has one role and it will never get any other ones.

Staff is the one that you give to your users that are admins. So the staff role is almost identical to user, except it also has su and sudo and can switch to the sysadm role. The sysadm role has a lot of permission. It can read and write almost anything. But it does not get the types for, like, web browsers and those kinds of things, because you really should not ever be running those as an admin. It's kind of the same deal as people having their normal user and then they'll sudo to root to run sysadmin things, but this is another level that's orthogonal to that. You can have your regular, like, I have my jason user and then I can sudo to root. And then I will be root, but I will not have changed type. I'll still be in the staff role. So then if I try and run things, I will not be allowed; even though I'm root, it doesn't matter, because SELinux will say I still can't do it. If I am my regular user, I can switch role into sysadm and stay as my user. Now, if I do that, I still can't really do that much because it's still not... Like, I'm still not root, so I can't really do much, but I could switch roles.

system_r is the one that most daemons and things are under. There are also other specialized roles, which are not used super often, but can be depending on what you... If you had a bigger system, or you wanted different roles to do different things, you could have an audit admin, which is the role that can touch the audit subsystem, which is a very important subsystem because it gets log messages from the entire system.
So it could potentially get other, like, private, secret, secure data or whatever. So that one is quite separate and confined. Then there is dbadm and webadm. If you want to have a user that can admin the web server or the database, but not the rest of the system, you can give them those roles. So then they will be in the main type and then they can switch up to the higher permission role. And secadm is kind of like the audit admin, but dealing with the SELinux policy part. So secadm can reload the policy and update it; other people can't. If you run on a normal system, sysadm just gets all of those and you just kind of use that one. Like, I don't really switch between all of them because it's only me on my laptop, so that's easy.

Categories. These are the fun parts. So it's not a typo. The last part is the sensitivity range. So it's the low and the high. So in this case, the example is s0 to s2, which is anything in those ranges of sensitivities I can read. But not anything higher than, well, s2 is the lowest. But if I had, like, s4 to s5, I could do just those. Nothing higher, nothing lower. And then on top of that are the categories. So then you can have a list of categories or you can have a range. So in the earlier thing, or at the bottom of this, it says c0.c1023. That gives me all the categories. So any file with any category I can read. If I do not have a category, then I can't read it. So by default, you just give the user kind of everything. And since the names are kind of ugly and not really understandable, you can add... There's this other daemon on top which can take these and translate them to names that you give them. You can write them in a config file. And you could say category 102 is contracts and 103 is salaries. And then when you ls, you'll see that instead. So if a file does not have any categories, so in this case at the bottom it's just a zero and nothing, then anyone can read them.
If I gave it, like, c5, then as my staff user that had all the categories, I can still read it. But if I had a different user that didn't have those categories, I wouldn't be able to read it. So you see the staff line? There's the low permission and the high permission. It's meant for multi-level security. And then multi-category security is just a compression of that. Yeah, so if you see at the bottom, the root, that's the type on my home directory. That one is implicitly s0 to s0. But it's double, so you just write it once. The low and the high are the same thing, so it's only s0. Because MCS doesn't use the categories. MLS, if you wanted to have s15 as top secret and then s14 could be secret and then s0 could be public, then you could log in as different sensitivity levels and you could read up... Like, if you are secret, you can read public information, but you cannot write to public information. So you can have different levels, and it kind of is really annoying to use. So I don't really know anyone outside of the NSA that does.

Yes. So there are SELinux X extensions, which do all of that. Most policies just kind of let you do whatever you want, and X11 sucks, so you can kind of do whatever you want. But I have seen some things where the window manager will put red if it's secret and green if it's not, and tag the windows differently. I don't actually know if anybody uses that for real, other than the SELinux maintainers and developers. Yeah. Yeah, but it's... Yeah. The NSA probably uses it, but Fedora doesn't. Yeah. And I've got MLS to work on a console VM. I'm pretty sure it just wouldn't work on it, at least without a lot of fixing up policies. They don't really use it much, so it kind of isn't great.
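As an added example (not code from the talk), the following Python models the context format and the MCS dominance rule described above: a context is parsed into user, role, type and an optional low-high level, categories such as c0.c1023 are expanded into sets, and a subject may access a file when the high end of its range dominates the file's level (same or higher sensitivity, superset of categories). This is how the refpolicy MCS constraint on file access behaves as I understand it; the contexts, the finance_u range and the category names are constructed for the example and nothing here calls libselinux.

```python
"""Parse SELinux contexts and evaluate the MCS dominance check.

Added example, not code from the talk. It models the MCS rule for file
access (the high end of the subject's range must dominate the object's
level) on constructed contexts; it does not call libselinux.
"""
import re
from dataclasses import dataclass
from typing import Optional

CAT_RE = re.compile(r"^c(\d+)(?:\.c(\d+))?$")   # c5  or  c0.c1023


@dataclass(frozen=True)
class Level:
    sensitivity: int            # s0 -> 0, s15 -> 15
    categories: frozenset       # category numbers, possibly empty

    def dominates(self, other: "Level") -> bool:
        """Dominance: at least as high a sensitivity and a superset of categories."""
        return (self.sensitivity >= other.sensitivity
                and other.categories <= self.categories)


def parse_categories(spec: str) -> frozenset:
    """'c0.c1023' -> {0..1023}; 'c0,c5.c7' -> {0,5,6,7}; '' -> empty set."""
    cats = set()
    for part in filter(None, spec.split(",")):
        m = CAT_RE.match(part)
        if not m:
            raise ValueError(f"bad category spec: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending range: {part!r}")
        cats.update(range(lo, hi + 1))
    return frozenset(cats)


def parse_level(text: str) -> Level:
    """'s0:c0.c1023' or plain 's0' (no categories)."""
    sens, _, cats = text.partition(":")
    m = re.fullmatch(r"s(\d+)", sens)
    if not m:
        raise ValueError(f"bad sensitivity: {sens!r}")
    return Level(int(m.group(1)), parse_categories(cats))


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    low: Optional[Level]        # None when the policy has no MLS/MCS field
    high: Optional[Level]


def parse_context(text: str) -> Context:
    """user:role:type[:low[-high]]; a lone level means low == high."""
    parts = text.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"bad context: {text!r}")
    user, role, typ = parts[:3]
    if len(parts) == 3:
        return Context(user, role, typ, None, None)
    lo_txt, _, hi_txt = parts[3].partition("-")
    low = parse_level(lo_txt)
    high = parse_level(hi_txt) if hi_txt else low
    return Context(user, role, typ, low, high)


def mcs_can_access(subject: Context, obj: Context) -> bool:
    """True when the subject's high level dominates the object's level.

    With no level on either side the MCS constraint does not apply and the
    decision is left to the ordinary type-enforcement rules (not modelled).
    """
    if subject.high is None or obj.low is None:
        return True
    return subject.high.dominates(obj.low)


def describe(level: Level, names: dict) -> str:
    """Render a level the way setrans does with a names table: s0:contracts,salaries."""
    cats = ",".join(names.get(c, f"c{c}") for c in sorted(level.categories))
    return f"s{level.sensitivity}" + (f":{cats}" if cats else "")
```

The same functions cover the finance scenario later in the talk: a finance_u with range s0-s0:c0.c127 can read a file labelled s0:c102 but not one labelled s0:c200, and a plain user_u at s0 with no categories can read only files that carry no categories.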
So another thing people have with SELinux is they get a lot of errors and they blame SELinux a lot of the time, which is sometimes fair and sometimes not. But what is really nice about this is the audit subsystem in the kernel. It actually is not really related to SELinux. They're used very heavily together, but you could use audit even if you don't care at all about SELinux or whether it's installed, and you can use it to watch certain directories, files, audit different events on the system. So SELinux will publish an audit entry if you do something you're not supposed to. So if you get a denial, it will show up in the audit log. If you don't see it in the audit log, there are two possible reasons. One is that it's being dontaudited, where it's a harmless thing that gets checked but the program doesn't need it. These are typically badly written programs. Like, I've seen a lot of programs that just open every single file on the disk. Why would it do that? I don't know, but it clearly doesn't need to do that. It only needs this one file in /etc, its own config file, but it will just stat every single file anyway. Then you're going to get a denial for every single file in there. So you could give it to the program, but that's probably not a good idea. So then you can just dontaudit the thing and make it go away, and it won't show up in the log. Or it didn't happen with SELinux. Like, if you get denied something, it doesn't work, and you don't see an audit entry, then you can turn off dontaudits, run semodule -D -B to rebuild it and load it again without any of the dontaudits in. Then if you still don't see it, it might not be an SELinux issue. It might be that your Unix permissions were wrong, like at the beginning. Then you can take ausearch and search the audit logs.
You can say, search the AVC entries and give me them from today or recent or some timeframe. If you say -ts today, it's going to give you all the ones that happened today. And then you can just list them out, and they look kind of like that line underneath. Or you can pipe them into audit2why, which will take an audit entry and then give you a more English-like explanation. They're not necessarily great explanations. In this case, the example is actually completely the wrong solution. What's happened here is /var/www/html is where you put your websites. So the scontext in this is the source, and the tcontext is the target. So the source is Apache running under httpd_t. The tcontext, in this case, is the file or the directory that it was trying to read. So you look at the context and you see it's labeled user_home_t. So it probably shouldn't be labeled user_home_t. user_home_t, even if you don't know anything about Linux or SELinux at all, probably doesn't sound like a website file. So audit2why goes, well, you're trying to read a user home file. There is a boolean to do that. So you can set the boolean, turn it on, then Apache will be allowed to read user home files. And this would then work. But that's the wrong solution. You should just fix the labels on that file, because that file should be labeled like web server files, which are httpd_sys_content_t.

I'm trying to think. Like, in the usual case, pretty much yes. You may have some things like you can do labeled networking; the packets over the wire can have contexts. And I'm trying to think, maybe you can do weird things there. But in the general case, things you will encounter normally, yeah, pretty much. It's the user or something. Yeah, yeah, yeah. Like, there may be some edge cases, but I can't think of them right now. So yes, mostly.

So if you pipe it, there's actually several different things going on. One is that there are other files on the other side of the pipe.
So there's a permission to use a file descriptor. And they have the permissions for reading. You can have it set up so you can take the file descriptor from the other process and read it. But you would not be able to write back to it, or something like that, if you wanted to do it that way.

So pretty much anything you need to do to administrate an SELinux system is done with semanage. There are a couple of other tools, but really just this one. A lot of the other tools are kind of older tools. They were written first, or smaller, and they do only part of it. And now semanage just kind of does everything. Like, there's setsebool to turn booleans on or off, but there's also semanage boolean, which will turn booleans on or off. So you can just do that instead. If you run semanage --help, it will list all of them. There are more; they wouldn't fit on the slide. You can do InfiniBand stuff. You can set different contexts and things on the different parts of the InfiniBand, which I don't really... I've never done InfiniBand. I don't really know how that works. But you could. There's a bunch of networking options. You can set labeled networking, which is like on the wire it'll include the context on the packets, so the other system can understand it. You can then also have... you could set firewall rules and say any packets coming from this IP address get labeled as this. And that stays within your system. There's a bunch of other ones which, like, I have never used. Ever. It's CIPSO for IPv4 and CALIPSO for IPv6. There's an RFC for it. Like, it's an RFC for a thing. It's... So you don't have to use it. But then their packets coming back would not have them, so your system would throw those packets away.
Because you can set up a daemon... Like you could set up, for example, if you had a public web server and a top secret web server, you could have the top secret web server running under a different one, and that one you could make only accept labeled packets from, like, your secure network, public network, and things like that. It's not super commonly used, but you can do that.

The most common ones you'll need are obviously the user and login, the first ones; port, if you're doing networking stuff; and then fcontext, the big one; and boolean, which I covered a lot in the previous talks, you can watch those.

Logins and users are a little bit complicated to understand at first. You have to realize that there are Linux users, which are your regular Linux users, then there are SELinux users, which typically end with _u, not always: in the root case there is the Linux user called root, and there is also an entry called root that is the SELinux user. And then there is the category range and things like that. So semanage login maps SELinux users to login users. So in this case, when they log in they get the SELinux user root, and people in wheel get staff_u, and everyone else gets user_u. You could set things up, if you wanted someone to run under, like, the database admins group: you could put their user names and then they would get the database admins, or you could set a group, so the percent in front means it is a group, so the wheel group users.

What is related to the whole user-role mapping: so different roles can do different things, so this is how you give someone different sets of them. So user_u gets the SELinux role user_r and nothing else, and it gets the lowest range; it can't really do categories. This one kind of gets everything. staff gets all the categories, if you use that. If you have MCS or MLS turned off, that column is gone. But you will see under SELinux roles there are now two things. So staff_u will get staff_r first, then you will
get that one, but you are also allowed to switch to any of the other ones. So you could add dbadm and things too, or you could make a new dbadm user and then add the dbadm role later and have the staff one first, or something like that. Like, order matters in that way.

So, switching roles. If you switch to root you can do that, but you will actually get an error when you su to that account, reading the home directory, because on SELinux the home directory is labeled differently for root versus the other users. So I kind of omitted that, and then if you try to do things you will just get tons of errors; nothing will work. And if you look at your id -Z, SELinux is early enough that we managed to claim -Z on almost everything: it will show the SELinux context. ls -lZ will show the context on the files, id -Z, or netstat -Z. So if you look at that, you are still staff, but you are running as the root Linux user. So then you can newrole to just change the _r, and then you can look at your id and now it will have changed. So the staff_u at the front, you can only change that by logging in again as some other user. You can change your role; one user can have many different roles, and then within the role you have many types. So you can give someone a user and then they can switch between the roles they have, like their administrator versus their normal user, and they can do that. But no matter how many times you su or sudo, you will keep the first part; that one does not change. That sucks, so you can just use sudo. You can do sudo -r -t to give it a role and the type, and then it will do it. When you just sudo, that also kind of sucks, so you can just add it in the sudoers file and say anyone who is in the wheel group will automatically get type sysadm_t, role sysadm_r. If you do that, then sudo -s will just work as far as things are concerned. And then with sudo -s you can also specify them manually: if you are a normal thing and you want to do the database admin stuff, you can then specify the dbadm
role and type. So those are special; they run through PAM as well. Some of PAM is special, but stuff like su and sudo, there is a whole bunch of really tight security on those programs. When they fork, they will make another sub-process in the other one, but they have the ability to change it during that transition, and there are a bunch of extra labels on those. So they are all categorized in the policies; you can search for them. And there is a constraint set in the policy, so if something tries to do that, if you try and give some random program the ability to change type, you will fail the policy compile, because the constraint rules won't allow you to do that. You also need to give it the attribute to allow it to change roles and types, just so that you can't accidentally do it. You need to be really, really specific when you do that. So sudo is a lot nicer; you just add the thing to the bottom and it kind of works.

That's for your user. If you want to run other programs in other domains, normally there are types on the files. So like rsync might be rsync_exec_t, and then when you run it there will be a type transition. When staff runs this executable type, when it runs that program, it will run it in the destination type. I covered this a lot more in last year's talks. If you don't have a type transition and you want to do it manually, or if there is a type transition but you want to go to a different one, like maybe SSH will go to sshd_t but you really don't want that for some reason, you can then run something else. It's useful during policy development if you haven't put all the transition stuff in yet, or if you're trying to screw around, but it is quite useful. So this is the type: you can do runcon -t. It will keep your user and your role, and set the type on it. And these types, they need to be associated at least a little bit. The transition can not be there and you can still switch to it, but if the type is not associated with the role, you can't do it. So like httpd_t is the Apache type;
the staff role cannot run that; that's not a thing. httpd_t won't run. It will try and compute the context, it will say staff_u:staff_r:httpd_t, and then it will just fail and not run it. If you want to run system stuff, there's another thing in front called run_init, which does a whole bunch of stuff. It will ask for your password first and then do some more funny things, and then it will get to init_t, which is init, and then when you run it, it's a transition from init to the httpd_t daemon, and then that will work. But if you just, as your normal user, run apachectl start, it probably won't work. It might nowadays, like systemd has these better things, we can figure it out, but if you just try and run the server binary, like Apache directly, it just probably won't work at all.

So if you want to do strange things with users: if you had a finance department and you wanted to keep the finance stuff separate from everyone else, you can set categories on the file. You can give them 0 to 127, so c0.c127 is a range. If it's c0,c127 then it's category 0 and category 127. c0.c127 is 0, 1, 2, 3, 4, up to 120 to 127. So in this case you make a finance_u and you give it a different set of categories, and then you just give it a user role. Again, the role stuff you can just inherit and keep; that's all the same. You just set the categories and the sensitivity on it, and then it's a whole new set of things and it'll just work really nicely. Then you would need to set that new finance_u user on Alice or Bob or whatever, and then you would need to reset the home directory of that user, because if the home directory is still user_u and the user types, and then they log in: they log in before they read the file system. They're going to log in and become finance_u with whatever those roles are, then they're going to try and read their home directory and .bashrc, and that's going to fail. So you need to reset that too. They're quite different; every single thing has a different label on it. You need to
keep track of them all. It's not usually that hard; you just kind of reset everything. But restorecon will read the policy that defines the contexts and then set those back to default. -R is recursive, -v is verbose, -F is force. Types that are marked as customizable: like, users want to change things in their home directory. Maybe their downloads folder is somewhere else and they want to label that one as a downloads folder, because Chrome can only write to the downloads folder; it can't write anywhere else. So if I try to save something in the home directory, that won't work. But if I also wanted to save it to a different downloads folder and I set that, if you restorecon without the force, and that type is marked as a customizable type, like the downloads directory is, then it won't change it. If you do the -F to force it, it'll just override all back to default. So I like to force them. I like to add them to the policy and then just force everything, because then I keep track of what I've done and what I haven't. But if you're on a multi-user system and only one IT admin has this permission, then you would probably use customizable types a lot more.
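As an added example (not code from the talk), here is the triage logic from the audit2why discussion above written out in Python: it parses AVC records in the layout ausearch -m avc prints, then sorts each denial into "the label is wrong, run restorecon", "the label is right, look for a boolean or write policy", or "a port needs labelling". The audit records are constructed samples, and EXPECTED_LABELS and PORT_TYPES are tiny stand-ins for the policy's file_contexts and port tables (the uploads entry is there only to show the rw case); nothing calls audit2why or semanage.

```python
"""Parse AVC denials as ausearch prints them, and sort them into likely fixes.

Added example, not code from the talk. The audit records are constructed
samples; EXPECTED_LABELS and PORT_TYPES are stand-ins for the policy's
file_contexts table and port labels. The reasoning is the talk's: a wrong
label wants restorecon, a right label wants a boolean or a policy module.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample records (not real logs), in the layout ausearch -m avc shows.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1551700000.123:456): arch=c000003e syscall=257 success=no exit=-13
type=AVC msg=audit(1551700000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" path="/var/www/html/index.html" dev="sda1" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1551700001.456:457): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1551700002.789:458): avc:  denied  { write } for  pid=2345 comm="httpd" path="/var/www/html/uploads/upload.tmp" dev="sda1" ino=11111 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551700003.012:459): avc:  denied  { read } for  pid=2345 comm="httpd" path="/home/alice/public_html/index.html" dev="sda1" ino=22222 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed slice of file_contexts; later, more specific entries win,
# which is how the real table is ordered.
EXPECTED_LABELS = [
    (re.compile(r"/var/www(/.*)?"), "httpd_sys_content_t"),
    (re.compile(r"/var/www/html/uploads(/.*)?"), "httpd_sys_rw_content_t"),
    (re.compile(r"/home/[^/]+(/.*)?"), "user_home_t"),
]
# Constructed hint: the port type a domain is expected to bind.
PORT_TYPES = {"httpd_t": "http_port_t", "sshd_t": "ssh_port_t"}
FILE_CLASSES = {"file", "dir", "lnk_file", "sock_file", "fifo_file"}


@dataclass
class Denial:
    verdict: str
    perms: List[str]
    fields: dict
    enforced: bool        # permissive=0: the access really was blocked

    @property
    def stype(self) -> str:
        return self.fields["scontext"].split(":")[2]

    @property
    def ttype(self) -> str:
        return self.fields["tcontext"].split(":")[2]


@dataclass
class Finding:
    kind: str             # mislabel | port | policy | unknown
    detail: str
    fix: str
    enforced: bool


def parse_avc(line: str) -> Optional[Denial]:
    """Return a Denial for an AVC record, None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(m.group("fields"))}
    return Denial(m.group("verdict"), m.group("perms").split(), fields,
                  fields.get("permissive", "0") == "0")


def expected_type(path: str) -> Optional[str]:
    want = None
    for regex, typ in EXPECTED_LABELS:
        if regex.fullmatch(path):
            want = typ                # last match wins
    return want


def triage(d: Denial) -> Finding:
    tclass = d.fields.get("tclass", "")
    path = d.fields.get("path")
    if path and tclass in FILE_CLASSES:
        want = expected_type(path)
        if want and want != d.ttype:
            return Finding("mislabel", f"{path} is {d.ttype} but policy expects {want}",
                           f"restorecon -v {path}", d.enforced)
        if want == d.ttype:
            return Finding("policy", f"label on {path} is right; {d.stype} lacks {' '.join(d.perms)} on {want}",
                           "run audit2why: turn on the boolean it names, or write a local module",
                           d.enforced)
    if tclass in ("tcp_socket", "udp_socket") and "name_bind" in d.perms and "src" in d.fields:
        want = PORT_TYPES.get(d.stype)
        proto = tclass.split("_")[0]
        if want and want != d.ttype:
            return Finding("port", f"{d.stype} binding port {d.fields['src']} labelled {d.ttype}",
                           f"semanage port -a -t {want} -p {proto} {d.fields['src']}", d.enforced)
    return Finding("unknown", f"{d.stype} -> {d.ttype} ({tclass}) {{ {' '.join(d.perms)} }}",
                   "inspect with audit2why", d.enforced)


def triage_log(text: str) -> List[Finding]:
    """Triage every AVC record in an ausearch dump; non-AVC lines are skipped."""
    return [triage(d) for d in map(parse_avc, text.splitlines()) if d is not None]
```

The first record is the talk's example: httpd_t reading user_home_t under /var/www is a mislabel, so the fix is restorecon, not the homedirs boolean; the last record is the same denial on a file that really is in a home directory, where the label is right and a boolean is the honest answer. permissive=1 records are reported with enforced set to False so you know they were logged but not blocked.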
The file contexts on these files are stored in extended attributes on the file system. You need to know that they're there as extended attributes. If you're backing up your system and you don't turn on backups for xattrs, depending on the tool, you won't get labels, which means when you restore you could just reset all the types back to default, and that's probably fine, but it might not be. So if you're doing your backups, most different tools have a way to keep the type as it was. So if you do cp and copy something, it's making a new file and then writing the content over, so that's going to use the type inheritance of, like, the parent directory. If that's something else and you don't want to do that, then you do --preserve=context and then it'll copy over. If you do cp -p or whatever it is, you'll get the timestamp and all the other things, so then you'll get the context as well, but otherwise you need to do it specifically. rsync has an xattrs one, so it'll do SELinux and everything else. tar has separate flags for regular xattrs and SELinux, because sometimes if you're restoring things back and you don't have permission to write certain types of SELinux labels, you can't write them back, but you might want the others, so you can pass that to the next tar.

If you want to change them temporarily, you can change the context with chcon, just like chown or chgrp or whatever. This will change the context. If you do -t you'll set the type, -l will be the level. If you don't give anything you can... you can also do --reference: you can read the type from another file and set it. If you want to do it permanently, which is where I like to do it, you can semanage fcontext, and then you give it a type and the directory regex. So this regex is an actual regex, so you can set different parts under it, and then it will set that type on it. So if you moved Apache's directory, normally it's under /var/www, but you want to put it under /srv or something else, then you can
set the type on it and then you restorecon, and things might still not quite work right, because we have other types underneath. Like cgi-bin is labeled differently from the base one, and an uploads directory is marked as rw whereas the regular ones are only read-only. So if you actually look for /var/www in, like, my laptop's file_contexts file, you get 24 of them. You could set them all manually in that new directory, but that's kind of a pain in the ass. Like, if you add one in the policy, you won't get it. So there's also --equal, or -e. So you can say /srv/www is exactly equivalent to /var/www, so when it tries to label a file in there it will just realize, oh, it's that here instead. So that's how we support /usr/lib64, /usr/lib32 and these kinds of things; they're just handled by that. You set the equal one, and then if you set an fcontext on /srv/www it will not see that one; when it reads the path, then it will automatically happen. Yeah, it'll rewrite the thing.

Almost done. Ports. A lot of people run servers and run things on ports. There are the standard ports, which are labeled different things, and then sometimes you want to run on another port for whatever reason. If that's not labeled... Port 80 and 443 and these ones are labeled as the http_port_t type, so then Apache is allowed to bind to those ports and connect to those ports and do all that kind of thing. If you want to put Apache on port 8081, that's not in the policy, so then you can add port 8081 TCP to that port type locally, without having to edit the policy, just on your machine. Then after that Apache can bind just fine. So set that, restart Apache. Mostly done.

Thank you. The SELinux GitHub is there. The SELinux coloring book is awesome; I talked about it in my first talk. Otherwise the wikis are pretty good; Gentoo and Fedora have a lot of information on them.

So the point with SELinux is that it's mandatory access, set globally by the administrator on the entire system. Users cannot change
it. DAC permissions are discretionary access, where the user can do what they want. So if in my home directory I set everything to chmod 777, then anyone can read my stuff. But you still need those permissions; you can't get rid of it. Maybe SELinux would allow something but you want to lock it down even more: you can just use the discretionary ones on that. Or you can't get rid of SELinux, because with discretionary, the problem with them is if the user can shoot themselves in the foot, if they chmod everything, then the system can read it. If you have SELinux on top, then even if the user sets 777, you can't read it.

So I have Steam. It will only use .local/share/steam and .whatever, and on my system it cannot do anything else. So I have set the main Steam binary to steam_t and then there are no transitions out of that. There is no way, once you get into that, to get anywhere else. And then I've given the steam domain permissions for, like, the graphics, to use that, use whatever, and only write to those small directories. It can't write anywhere else. Because I'm sure you heard some time ago there was this Steam bug, when you upgrade Steam it would nuke your entire system; it just rm -rf'd everything. Yeah, so that can't happen now for me, which is nice. It mostly works on my machine, but I haven't upstreamed the policy yet. I can do that; it's not terribly complicated. I let it read, like, oh, we have nice macros to help, but like DNS lookups, you need to read resolv.conf and those things, so it's easy to give a domain those kinds of access really quickly.
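As an added example (not code from the talk or from libselinux), the following Python models the /srv/www discussion above: how a file_contexts table picks a label for a path, why a single `semanage fcontext -a -t` entry on the new directory is too coarse, how a `-e` equivalence rewrites the path before lookup so the distro's cgi-bin and uploads entries apply, and what restorecon -Rvn would then report with and without -F. BASE_CONTEXTS is a constructed slice of a policy's table (the real one has many more /var/www entries), and CUSTOMIZABLE is a constructed stand-in for the customizable_types list. The selection rule modelled is "later entry wins", which is how refpolicy orders its table and why local entries appended by semanage take precedence; libselinux additionally sorts entries by specificity, which this model leaves out.

```python
"""Model how file_contexts entries, local additions and -e equivalences label a path.

Added example, not code from the talk or from libselinux. The tables are
constructed; the matching rule is a simplification (later entry wins).
"""
import re
from typing import Dict, List, Optional, Tuple

Table = List[Tuple[str, str]]   # (anchored regex, context)

BASE_CONTEXTS: Table = [
    (r"/var/www(/.*)?",               "system_u:object_r:httpd_sys_content_t:s0"),
    (r"/var/www/cgi-bin(/.*)?",       "system_u:object_r:httpd_sys_script_exec_t:s0"),
    (r"/var/www/html/uploads(/.*)?",  "system_u:object_r:httpd_sys_rw_content_t:s0"),
]
# Constructed stand-in for /etc/selinux/*/contexts/customizable_types.
CUSTOMIZABLE = {"public_content_t", "public_content_rw_t"}


def rewrite(path: str, equivalences: Dict[str, str]) -> str:
    """Apply `semanage fcontext -a -e TARGET SOURCE` substitutions before lookup.

    Longest matching source prefix wins; a prefix only matches on a path
    component boundary, so /srv/www does not rewrite /srv/wwwroot.
    """
    for src, dst in sorted(equivalences.items(), key=lambda kv: -len(kv[0])):
        if path == src or path.startswith(src.rstrip("/") + "/"):
            return dst + path[len(src):]
    return path


def lookup(path: str, table: Table, equivalences: Optional[Dict[str, str]] = None) -> Optional[str]:
    """Context the table assigns to path, or None when nothing matches."""
    path = rewrite(path, equivalences or {})
    found = None
    for regex, context in table:
        if re.fullmatch(regex, path):
            found = context           # later entries win
    return found


def add_fcontext(table: Table, regex: str, ftype: str,
                 user: str = "system_u", level: str = "s0") -> Table:
    """`semanage fcontext -a -t TYPE REGEX`: a local entry, appended so it wins."""
    return table + [(regex, f"{user}:object_r:{ftype}:{level}")]


def relabel_plan(current: Dict[str, str], table: Table,
                 equivalences: Optional[Dict[str, str]] = None,
                 force: bool = False) -> List[Tuple[str, str, str]]:
    """What `restorecon -Rvn` would report: (path, on-disk context, wanted context).

    Without -F only the type is compared and files whose on-disk type is a
    customizable type are left alone; with -F the whole context must match.
    """
    plan = []
    for path, ctx in current.items():
        want = lookup(path, table, equivalences)
        if want is None:
            continue
        cur_type, want_type = ctx.split(":")[2], want.split(":")[2]
        if not force and cur_type in CUSTOMIZABLE:
            continue
        differs = (ctx != want) if force else (cur_type != want_type)
        if differs:
            plan.append((path, ctx, want))
    return plan
```

With the equivalence in place, an explicit fcontext entry for /srv/www is never consulted, because lookup sees /var/www/... after the rewrite; that is the behaviour described above, and it is why the equivalence alone is usually the right fix.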