So, I call this together to firstly report on the state of SELinux and unstable and to explore the possibilities of what we could do for the Debian installer for etch as well as SELinux system. The state of support at the moment is everything except policy, the reference policy for SELinux is in place and mostly bugsy. The problems that we are having with policy is partially because the SELinux security community, we are moving from the old security policy that NSA had provided basically to jumpstart SELinux and which has been unmaintained for the last six months to a year now. The new policy is based on the lessons learned from the old NSA policy. It is modular. It is to think about it as kernel modules. You can have different modules. There is a base module that is basically compiled in. That is what you get by default. Apart from the base module, you can have any number of policy packages. Apache, for example, can be split out of base and put into its own loadable module. The way that NSA once we split it out would be that it would be something maybe like the menu system. Every package jumps in something into a directory describing what the policy package is, what the file name is, what the policy does. Some kind of user interface would be provided that allows the admin to select whatever policies they want to deploy. And then the policy would be, like menu, it would be compiled and loaded at the end of the directory. The policy packages that we have now are the latest packages that are available. Unfortunately, the part that combines multiple packages that links them is very, very buggy. At the moment it crashes on the reference policy, as of last week, it was working two weeks ago, broke last week, so it will be working again next week. Once we get something which is working, I will obviously snapshot that version of the tools and policy and all the upgrade new ones into states that work. What else about new policy? Right.
If you have multiple modules, there are module dependencies, obviously, if something needs some other bit of them. They are closely found for the package dependencies, but not quite. The dependency tracking mechanism of the C modules on that links them all together is part of the package. So, at this point, unfortunately, I can't say that I have a working SELinux box. I had a working SELinux box, which would machine two weeks ago, when I was getting all gung-ho about it in India. Joey, you had some questions about where we stand in India? I guess the kernel is already, I mean, the actual Debian kernel supports that SELinux, right? Yes, yes. Every kernel that comes out has modifications for it. We have got modifications coming out in 2.6.17. There are already other patches that have been chewed up for 2.6.18. And I think they are in the MM1 series already. But there are scheduled speeds, MM1 speeds, yes. You said something about it being a problem, 2.6.16 in the end. Right. The 2.6.16 kernels, and the kernel 2.6.17 is right. Part of it, they will be fixed in 2.6.17 before. But that means the tool chain fixed will be kernel on 2.6.17. Right. There are some facilities that the modules need that might require changes in the kernel world. There was some debate about that. I have been following the SELinux mailing list to see if the consensus has changed yet, whether the changes in 2.6.17 are required or not. But the chances are that since we are in such a state of rapid development, there are a couple of companies, IBM being one of them, they are spending a couple of million dollars to have the U.S. governments certifying SELinux-enabled Red Hat boxes, Red Hat Enterprise Linux, a high level of equivalency to the C2 Orange Book, though they call it something different now, the Common Criteria of certification. Because of that, there are all kinds of things that are turning up.
We should be nice to have which haven't been present yet, but now that crunch time is on us and we do want to get this certification. Because this would be a big win for SELinux getting that certification. So we are putting in changes like multi-level security. Multi-level security basically don't read up, don't write down. That means if you are at security level 1 and then higher security level, like top secret which is level 2, you can't read from the higher security level, but you can't write to a lower security level because you have confidential information, you can't write to the open space. So don't read up, don't write down. This is actually my personalization of the build up. You are people of 76. That's the kind of thing that we are building in. So you can have documents which are at certain levels in your home directory and when you are running at a certain security level, you see the high level document and then if you change your security level to something lower, you can no longer read your own document. So you can provide, every user can provide security zones for themselves. I mean you can be sure that if I were to use Thunderbird, it will go into the lowest security level that I can create in the system. There are 256 levels that are possible. I don't think there's going to be too much information. And I asked before, if you knew how much, what the size was of the SELinux toolchain that we would need to build a system if we wanted to just support basic SELinux. Is it just SELinux details and policy? Policy, what do you use? Policy, what do you use? SELinux utils, like 350k, policycoreutils. I mean that's right, something like that. How to make a new version? Yeah, the new version to make. Is that all? SELinux A6? No, that's just a meta package that puts in. Actually look at what the dependencies are like. checkpolicy is the other one. policycoreutils and SELinux utils all at once.
And then it recommends setools and SELinux policy default. Forget the defaults then. checkpolicy is 280k. I had estimated about two megs. Yeah, I think two megs sounds about right. And if we wanted the default policy, that's a big, that's fine. That's the reference policy, I guess. Well, the reference policy unless new has been processed in the last couple of days, would be called SELinux policy, refpolicy, strict. I'm thinking of SELinux policy default. Yeah, that's the old NSA model that takes everything to mind policy. Okay, okay, so that wouldn't do what we do. Let me try that. Here, can you read the USB drive? Fortify it. Yeah, yeah, yeah. We'll level off from that then. There's actually one project name. There should be a directory in the document called gash C-H-C-H-E. And in that you'll find a whole lot of them files. Only one of those need to be loaded. Okay, so say that again, I'm sorry. C-H-C-H-E, gash? Oh, gash. Okay. And you look just the way Alice started with that. Yeah, right, so the reference policy is 214K, and the strict is 474K deb size. Well, but if you give them targeted policy... It unpacks to 9 megabytes. It unpacks to 9 megabytes. You said that's the one... That's the one super policy strict, which would be the core. That would be nice to have. But given the targeted world which is smaller... Oh, I'm sorry. It's definitely under 2 megabytes from deb. Um... Yeah, and it'stes to about... I don't know how much of a shoe stock that is. Yeah. I think more of that size would be in standard C-H-C-H-E. standard and just, I don't know, it's sort of on the verge of too big to be adding to the big system of every system, including like, you know, semi-added systems. So how about an optional part of the system? That could work, but we would probably not want to ask the question of default priorities. The question would be why to, yeah. Why would we go to medium priority and expert installs? Or something. So it would be advantageous.
Well, actually, the other way that we could do it, Manage, she talked about since you do have the modular system, and if we have a module for apache2, for example, and a module for bind, and a module maybe for CUPS, then if you select those, if you say I want a web server, then we can give you a web server with SELinux installed. So what we also could do is make a task out of it. Yeah, I know what you're doing. Check it. If the task is installed in post-based config, then it changes the input model. Well, yeah. I mean, that's going to be fairly complex, though. I think that it'll have to just be pre-installed and have to be modified if it's really on the verge of seeing what I was thinking. Let's wait for that. Well, excepting all the policy, the challenges in that route are the developers. They'll have to save it. If they are putting the policy in their packages, they might balk at putting in something that they don't really... Yeah, but I mean, if you thought about just having an apache2 SELinux policy package, for example, you could do that. Yeah. So how does the task come out of the ability of having it pulled in? So if you want a web server, you get it with SELinux. But if you install a desktop, you don't get SELinux. If you install a base system with both, you know, no tasks selected, no SELinux. Unless... That sounds good. Is that good enough for the... Well, would there still be a mode in the expert install where I can say... Maybe after we think about how to do that, I had some issues with... Well, all... All right. We've got a selinux-basics package in there. Is there some way in an expert install where at a medium priority, I can indicate that, yes, I do want that package to be installed? At the moment, we're limited to... What are you selecting as the task itself? Okay. And you can proceed with performance. Well, yeah, that's true. You could preseed it, but that's not the right approach. That's kind of... It's too hard to... Yes. Yeah. If I...
All right. I can look at... I can look at the tasks. I'll offer you more tasks. Yeah. Let's explore one more possibility. Right now, I've got my targeted policy with every possible module I can think of installed in. Okay. Oh, so if we just have an Apache policy... I've got Apache policy, I've got bind policy, I've got every single policy I can think of in there. I understand. So let's look at it without the marketing policy. So I'm saying I can create a base policy module, which is as small as you guys wanted to be so I can slide in under the bar. Yeah, I'm not sure what the bar is, but... Give me a ballpark in there. I'm going to add something like two megs. Install or two megs deb? I'm thinking installed. Debs would be more like three, but what doesn't really matter that much now would be... That's just an interesting base. Okay, I think I can... It will be a concept similar to a udeb-style thing. I throw out all the documentation, and you get the documentation, then you do... There's a reason that we need to include... We have to look at that side too, because we need to include it on the netinst... Well, the netinst... And the ballpark... Because it's 256 megs. Yeah, but also the first full CD... That's true. You cannot keep on dumping stuff in... Yeah, you don't eventually push stuff out of the full CD when you put a CD on it, and it might be pushing out... an Emacs or something like that. Wait a minute. There's a reason I mentioned both. I'll try and see if I can get something which is functional under two megs. And it might be that what you get in that is you only get the absolute base part. You don't actually get any policy modules. And maybe as an example, I'll go in an Apache policy... Well, with a radio band, is this really just that installable in it? Or would you still have to go install additional modules? Well, then you get to pick and choose what policy you want.
But you at least have a functional SELinux box that will complain about everything that you do. But you can just ignore those warnings until... Okay, I see what you mean. You don't want everybody to have a whole bunch of warnings and all that. Yeah, I mean... Yeah, I mean, if they boot up and they say, okay, I want SELinux, because I turn on SELinux, and it's not what does this complain at me, and it doesn't add any security to the system. I don't know if that's really a useful... I'll get you some... Well, there will be some security. Because the policy is... with the targeted policy, you will get some security. You just won't get all the security modules that we have. So we can have an SELinux policy, refpolicy base. That base gives you a certain amount of protection. And at this point, I'm not sure how much I can put in your opinion. We can still add onto it. And then you install an SELinux policy, refpolicy, blah, blah. So if you install... The web service has to still pull in the full policy for action. Yeah, right. People that are serious about setting it up are looking for the additional policies anyway. Right. They're all going to be called SELinux policy refpolicy tools. So you look it up in the aptitude, they're all going to be right there and you can fix whatever you want. So I just have to figure out the granularity of these policy packages. And in order to do the granularity, I've got to fix the tool chain. Okay. That's your problem. So if we have some idea about what we want to install and basically how to do it, I guess the other question is how does this get turned on after it's installed? If we can do something in grub form. Right. Now grub form, if you say... Not only talking about grub, of course. We have to install all the grubs and all the... What I'm talking about is standard kernel we can compile, our official kernels are compiled such that you have to say SELinux is equal to one in your bootloader in order to turn it on.
Even when you turn on SELinux, nothing actually happens, it just yells at you. Then you have to say enforcing equal to one in order to actually have it turn on the security. I don't think we are at a point now, we are too close to the release, we can't work out the issues so that we can change this default. So if the user has installed all these policies and everything, nothing happens. They have to change the bootloader. They say SELinux is equal to one, then they have something happens, and maybe they don't get any security, but it's available for them. Now if they want more security, people who are interested in SELinux can add on additional policy modules and I can create any number of, basically creating a new SELinux policy is just, there is a modules.conf file for SELinux, you throw out the modules, you can say something is a module, it is a base, and I think like we can fine tune the sizes to at least get something out there for people. Let me work on it for a month and we maybe meet again when I say something to figure out if it's worth it, the security that I can provide is something which installs in this then we may. The other thing that can be done is I won't give you a binary policy, I give you a source policy. So the most of the stuff that you see in there is because I have already compiled a loadable binary module, but what I can do is I can give you a reference policy source of certain things and then in the postinst the user or provided command or in postinst somewhere the user who has elected to his policy or his quality can run and see what you will live for these things and give you a reference policy and I can also address the benchmark that you have. The binary, the source thing is small, so the install on the default install is still small, but anybody who wants to use it will end up using up stuff on there. If it's not compiled until it's turned on, if it's going to be compiled on install anyway. No, no, no, the user, I am not going to dump a compiled policy ready to
be loaded on any machine because if it happened on my machine I would want to kill somebody. Nobody loads policy on my boxes. I am still high and I assume that my users, anybody who is running this policy, wants that level of control. So no, nothing gets compiled in install by default, it's user action. Etch plus 1, we might come and revisit this, but etch plus 1 is like 1.5 years away. I thought we were on a 2 years special timeline. Well, so it's 2 years away. In 2 years we will be a lot further along, either we will be a lot further along, if it doesn't take off soon, if it doesn't take off soon, security through death. Look, security is hard, there is nothing else out there that gives you anything competitive, but it is hard and if it doesn't get deployed by the distributions it's not going to take off. Red Hat is doing a lot of good, Gentoo is going to deploy it in their next major release, SUSE is going to deploy it in their next major release, they just deployed so there were a lot of bad ads so the ads are quite uptime, they are also talking to crisis so they are hedging their bets because AppArmor has got a lot of very negative commentary inside the security community. It's a joke, it's, you get a warm fuzzy feeling but you don't get any real security, it's not in the same class of security. Talking about it, we got this in 2.6.17 but you have probably read the discussion on the kernel adopting the 2.6.16 kernel 4x because it's going to be long term related so you have made sure that those changes make it back into the kernel 20 and my mic I can well I I can backport this in kernel images for the architectures that I can compile on, I can probably go to the build system and compile for various architectures. It would be really nice if the SELinux backport patches were accepted by the kernel team. You need to get the mic the banks the kernel team is in no no 2.6.16 is going to be forked and
going to have a stable upstream maintenance team, that is an initiative led by Michael Bank. Sorry, thank you, sorry. Yeah, well I can try in the picture how much important that the SELinux yes but that looks like it's going to be set for etch and it's going to be keeping getting updates, maybe even other drivers or driver fixes, for about three years, which makes it perfect for the lifetime fashion. That's a complication, I'll have to talk to you, we have an issue between relationships. It depends on how much, how inclusive this 2.6.17 patches are. There will probably be a BoF about this maybe this week about kernel selections and such relationship with Debian installer, so please try to attempt that and we will even if it is not in the default install and it is made into a task. Well, we really, if it's going to be a task we really want it to be in the stock, otherwise we're just simply playing and actually supporting it, you're not really supporting it to the extent that the user is going to get it without a lot of fiddling, so you can't say that means supports. I see the name SELinux you know you could become an optional add-on, it doesn't have anything to do with the installation itself anyway so there's no need to make the installation it's actually you have to it's just have to do with the target system and that's what tasksel for basically installing packages into the target system. Well, actually in addition to the base system how much of a normal KDE is actually on the system where the end of your being installed run did you ask how much of it currently if you get to this hot house so if you pick it up it is supported but if you don't right but we can't really have tasks changing up. No, no, I quickly agree about it has to, I was just hoping that we can have the Debian patch on top of the 2.6.16 a real one upstream because right now we do have a ton of features that we apply on our own and I was hoping to sneak in a tested security patch which may not make Adrian Bunk's
requirements but might match ours. You guys have influence, you guys have influence. I would like to talk to the team about this. I think the one thing that you said before is that you would like to have SELinux and get maybe a soft release requirement for etch and Steve, can we let him leave or something, Steve, he'll be here soon, oh there he is. So soft release requirement for etch so we have so we have to push well that it means Steve and Andy if you count the technical. I also talked to AJ who has also tentatively agreed so that's yet another tech committee member who's tentatively on board, so I've been trying to line up the ducks in a row when it comes the powers that be in Debian in order to get the security back. I'm knowing the way that we operate, I'm sure that even if we are using Adrian Bunk repository in our upstream there will still be Debian patches in the Linux kernel and if I can persuade, I've talked to Dan Frazier and I think she's on board so I've got one duck there. If Sven Luther is back on the team I might have issues. He hasn't left the team. OK, then I have, I need somebody to mediate for me. I'm sorry but I need to deal with the mediating. I said AJ is going to be mediating, Sven has very good things to say about his mediation skills. Well the, it's unfortunate but yes there have been friction between the kernel team and I in the past and I need help. We are both too best people to be the edge for you. Was the edge of the stall we're going to have a 2.4 option, depends on whether 2.4 partnerships with that chip, it does probably will it must, so many architectures is already on the edge of feed or drop each 4A 964 alpha. We're not supporting it but you know if there is somebody I will make them. We haven't yet, we need a 2.4, we can't go dragging our feet until the kernel team makes a really fine position. Well I mean the existing kernel team seems to have no interest in actually doing it but they still have to remove them, right, and they should do that before the freeze,
after the freeze it's too late. Exactly. But 2.4 is basically, there's nobody, it's a quite a deal to support that because you basically don't even have any upstream security to support anymore, so is it really feasible to support that on new systems for etch or do we need to say if you need a 2.4 you have to run an older Debian because we can't provide some great support at all. Can't you back 4-2-4 after you stop? That's an option that I think has been discussed as well, to keep the 2.4 kernel source and say okay, use at your own risk if you want Debian velour. If we know beforehand, I'm sorry, Debian velour, yeah, plus if we know that at a time we are not going to be able to provide security support for it I really don't see the value of putting that in in those stable ways because that's what stable gives you, is it gives you the security and the non-stability. Well then you get the stability, but you have the stability with sarge too because that's not going to change up on you either, so why not start from there unless, unless a group of people come forward and say yes we're going to do the work to make sure 2.4 is still working, yes we're going to provide the support that the security team needs in order to make security updates available for the 2.4 kernel. I don't see any way that we can do that for that actually, so the existing kernel team has not said they want to do it but the security team does not have the resources to do that on them, they have enough problems with just one and right now they have enough problems with two and that's with 2.4 being not quite as stable as it will be when actually. Is there anyone who is wanted, has anyone indicated to us or to the team that they want 2.4, maybe not even wanted so they won't maintain or they want to use it? I still use it on my server so I have to travel a thousand miles so I'm ready. There's an issue with the 2.6 install on the sarge which is with the megaraid. I don't know, I think that's been resolved in the data that you
installed. So there's a number of issues, there's some areas in the kernel but because it's all hardware it's not maintained as well, so you have issues like ACPI not working anymore and 2.6 where it didn't work in 2.4. Yeah, I have a lot of hardware but 2.6 is not working on that, PCI doesn't have hardware HIP. Well, we've just learned that people can do without hardware so I just rather see it if I give back to something else. SELinux, after it's installed by DI, do we want to come up in the grub menu as an option to boot with SELinux enabled? That would be nice. I mean it's obviously easy to do, you just make the grub menu smaller. I mean if you're going to do it for other bootloaders maybe if they're in here we'll just offer it to anyone and if we provide no option there will be no problem. That's right, our kernels currently actually think it's easy. I guess you also have to bring me a demo file. I will have by the once I get to 3.6. Yes, the documentation, if you're going to do this. I will take that action item, I will provide the documentation for users, not that I want to but yeah. I'll leave it to you. One I think that I came up with, the targeted policy and restricted policy that we just saw, they have taken policy for packages that are in optional and even policy for packages might be next time. One way of logically slipping down the policy is if you're going to install by default I only provide policy for packages that are standard and then everything else goes into the either add-on package or a task because we won't install an action and all the things that are looking at policy by default, the user has to take some action to select that and the same action can put in SELinux versions. And there is also, there is something called slash etc SELinux.con that can optionally say which policy you want to follow. So this is just an idea I'm throwing out, I'm not sure where I'm going with this totally. We can create our own policy, they're targeted which is basically what Fedora does, they
strict which is Gung Ho do everything secure everything policy, and then we can have a policy type called Debian or Debian Clean Stalled or something and that's what we ship and that has minimal targeting. We can do all that stuff and if people want to go to standard targeted or strict they can go and change things in slash etc which is what admins do anyway. You know, just have to get policy types policy or policy whatever. I think it's actually, yeah, somebody mentioned on IRC that they wanted to have a package called SELinux instead of SELinux matrix because people would otherwise not know how to get a SELinux. If you could do an apt-get a SELinux and there we can also, that would be an appropriate use of the debconf questions to figure out what policies you might want and then it will pull in other packages or other modules that are already on the system to load it into your running policy and that package can depend, recommend and suggest various other packages that can also be. Would that work with the tasks or if this is a complementary? If you ask them a question we want to look at the question because we don't want to have lots of random questions that are asked at high priority, medium priority or something and they can always just be a package to figure out SELinux after the install. The SELinux shouldn't be in the convenience package. I was thinking that this is the stuff that we talked about, then for people who want to have real SELinux they can do an apt-get SELinux which is a meta package that has depth on the questions of itself hence you figure out what you want to do for the SELinux but it will not load our convenience, it won't necessarily need to load for CD but it can point people to that package: if you want a user friendly installed SELinux extended with SELinux capabilities please install that package and follow the dimensions that they want. So the reason I want to do this in this way is that give me a little bit more streaming down policy even more because all we are
saying is that we are giving you a system that is capable of running SELinux, we are giving you all the packages that we require to run a hardened Debian server installation for example, and we will give you a nice easy way to set up your server by installing the SELinux package which is not installed by default. We are not going to claim that we are going to have SELinux running out of the box, at least I am not comfortable with giving you guys assurances that I can deliver on that promise. I would like to see this darn thing working for a couple of months without working on me before I commit to that. So if I could just get enough in so that by default you have got something that I can bootstrap into a stronger policy I think that would be enough for us to say that we support SELinux in the Debian installer. It is not on by default, you have got to take a series of steps to harden the box but they are all within the package management. So then you are going to provide policies via backports then because once the list of packages you know is frozen for etch you know you are supporting SELinux but if you don't have these policies kind of finalized or tweaked out or solidified. SELinux policies are not going to be finalized or tweaked out unless they indicate from now so actually etch plus two but if there is a now it could be a four box like etch plus two but you can probably use full time. We don't have to go to backports, they will become, there is volatile up yet. Yes, we have been on for a year. Okay, yeah, but they are fairly essential and I hear that quite a lot of people are making use of them. Are they anti-virus packages or what?
Anti-virus, it's going to be on this for the time zone information now that we have been out of DST and there is whois information stop, stop like that and I think policies are good policies but talk to one day about it, I'm not dealing. So we continue this email that we would once I have got something a non-broken decisionist I think they will announce pointing to the modified version of my talk today which gives full instructions I have so people can set up the UMS etc and at that point I'll probably come back to you guys and can mail on the mailing list to say that this is what I have got for baseball. Do we have a restriction on what the length of package names can be? Sir, the old policies and the file name, think about it so you can see that people are available. That's basically it, now it depends on how widely we have to deal with it, normal screen size, that's high. We have to deal with the refpolicy who straight wins the policy there twice. Well, this is the policy part of it, this is not the utilities or blah blah. The name, upstream name of this particular branch is called the reference policy so refpolicy, then the type of reference policy which is strict, then the subset of strict that we are shipping which is base, or I can go back to my old Unix rules and just you know ship the acronym. But yeah, I think if I split it out into base and non-base I might slide in under the two meg install. One thing that we don't have to be careful about is people getting a false sense of security by just installing this people thing and saying oh my system is now secure. We will have to look, since it's not coming in compile the time they compile it they will realize, I mean as long as they are going to boot up the rules will be skewed. No, if they boot up even if they turn on the, say, suppose they haven't done anything with policy, you say SELinux is equal to 1 and enforcing it to 1, SELinux boots up, tries to load policy, says that you ain't got no policy, spits out a big fat warning and
then defaults back to non-SELinux so you won't have to assurance your running policy until you have gone through steps and then you would know exactly what you have. You could have a message too on the installer, like when you say like run on grub or run on boot loader you could have a message there too. Exactly, how would you say, yeah you could. One more list was expected or you can ask for CC system. Now that's the burden on the people, if I'm going to be needing your help I'm asking for a favor. I subscribe, it's a heavy list I can ignore, I follow through, look at the tree tree and the like. Well, you can fill out anything that we have before play until you actually you're back to first page of this. I thought you made your own special people out. No, you said that you did. I have got an AI, I've got something that learns from my behavior so my message scoring system looks at whether I read ADMAG or I delete it. Well, usually I read emails, there are times when I kill and then there are times when I say you move this from the backend, that person has to go a long, long way for me to read through him. You guys should, all of you poor vi users, you really should look into Emacs and lose and oh boy Emacs makes it so hard to have a good SELinux policy. By the way, Eclipse, Eclipse has a plugin that can read SELinux policy that you already have and it helps you with completion to write new SELinux policy modules. I wish if somebody was asking me about this and I forgot about it, I'm going to, this is one thing that has made me go for Eclipse, loaded slow but it does a decent job of parsing all kinds of strange formats and providing completion. By the way, the last time I use Emacs I couldn't figure out how to adjust to it so I ended up unplugging the machine. I thought that was what happened because you put me in vi. Alright, are we done?