Hi everybody, and welcome to the final day, to the talk session immediately after lunch. So if you don't fall asleep, I won't fall asleep. So anyway, my name is Paul Moore. I maintain the SELinux subsystem in the kernel, as well as the audit and labeled networking subsystems. I also do libseccomp, which I think we heard mentioned once or twice. So if you're interested in any of those things beyond the talk today, you can find me in the hallways or whatnot; I'm more than happy to talk with you about it. By the way, we've got 30 minutes to explain everything you ever wanted to know about SELinux, and all the stuff we've done over the past year, and all the things we're going to do over the previous or the upcoming year. 30 minutes. So we'll get started.

So what is SELinux? SELinux is flexible mandatory access control, and I'm sure that means pretty much nothing to most of you, but we really want to drive home the flexible aspect of this. That's kind of the key notion that you see pop up a lot when we talk about SELinux, and that's really kind of driven the design and the development of it over the years, and that really starts with the policy language itself. That's, you know, kind of the key important part of SELinux that a lot of people deal with; that's kind of one of the main touchpoints of SELinux. And part of having a flexible policy language is, basically, first separating that from the enforcement mechanism. This allows you, first and foremost, to have multiple different policies available, and you see this on things like Fedora and other Linux distributions that support SELinux. You know, Fedora ships with targeted by default, but we also offer strict and MLS policies; I think there's also a base policy now. But the point is, you can pick and choose from some predefined SELinux policies to suit whatever you're trying to do. And there's also Android. I think everyone at this point knows that all recent versions of Android from the past few years use SELinux to help enforce their security policy, and that once again has an entirely separate security policy from what you'll find on Fedora or any other mainstream Linux distribution. So that's kind of an important key thing to remember about SELinux: if you don't like the SELinux policy that you have, you can go and create your own; there's nothing stopping you. All the tools are freely available. There's been, you know, more documentation written about SELinux than I can even begin to repeat in half an hour, so there's plenty of resources.

The other part about the policy is we have very granular access controls. This allows you to really craft policy that is only going to permit, you know, the very bare minimum of privilege that you need for the application to do its job. You know, there's lots of discussion that goes back and forth as to what level of granularity is the right level of granularity, but with SELinux we take the approach of trying to give you as fine-grained granularity as we can within the kernel, and then we allow you as the policy writer to go ahead and, you know, abstract that out with how you write the policy. You know, if you want to go with a simple read, write, execute, append, you can do that with SELinux policy, but we also allow you to go much finer-grained if you want.

And finally, we have labels. You know, rather famously, I think that's one of the big things when people first approach SELinux that they kind of have to wrap their head around: we're a label-based security mechanism, and we do this for good reason. You know, it's not because we like antagonizing people, our user base. Well, maybe a little bit from time to time, but in general we do try to make this easy on people. And the point of labels is it abstracts away a lot of the details about the objects. You know, you don't have to necessarily worry about, you know, what's the path name for a file, because I think as we know, and as containers have made, you know, very significant in the past few years, you can have multiple path names to the same chunk of data on disk. And so by kind of abstracting that and using labels instead, you don't have to worry about the object specifics, and you can instead focus on the security properties of the data and the objects on the system. So that's all I'm gonna say about the policy, other than, I guess, a little lie.

The other important part, and this is where the mandatory access control comes in, is that the policy is controlled by the system administrator. Now, you can write policy to allow individual users to, you know, modify certain aspects or certain attributes of the policy, but in general that's a right that the administrator, you know, gives up to the individual users. By default it's the administrator that controls the security policy, not the object creator. And what I mean by that is, you know, on a traditional Linux system, if you create a file in your home directory, you can go ahead and set the mode bits on that, right? You can do chmod, whatever you want, and on a discretionary system those mode bits, that's your security policy for that object. On an SELinux system you can do that, you know, SELinux doesn't replace discretionary access controls, but the mandatory access controls of SELinux are going to step in. You know, the discretionary controls might allow you access to the file, but the mandatory access controls, the SELinux policy, is still going to intervene if you're doing something that it doesn't want to allow according to the policy. So that's the mandatory aspect, mandatory access control. And I think that's probably about it, but before I move on I will kind of try and do some questions as we go, because there's a lot to digest. Does this make sense to everybody? So everybody kind of... I'm seeing a few nods.
Okay, that's good. So here's something. Normally I'd have more than 30 minutes and I could go into some of the more esoteric details about it, but we don't really have the time, so I'm gonna take a different approach today and kind of explain: here's what an SELinux system looks like, here's some of the things that happen when you install Fedora on your laptop, or some other Linux distribution that supports SELinux, here's what's going on under the hood.

So when you first boot the system, you know, you start up in init, which is probably systemd for everything nowadays, but regardless of whatever your init subsystem is, the first thing it's going to do, as soon as it can, is load the SELinux policy. And this is important, because without the policy loaded you can't really enforce anything, because you don't know what your policy is; you don't know what it is you need to enforce. So as soon as you get enough of a system up and running you want to load that policy. And then the other thing that's kind of interesting in the init process when you're coming up in boot is you mount all your file systems, right? I mean, this is not new, we all know this, but much as you need to be careful when you mount a file system so you mount it in the right place in your directory tree (for example, you know, you don't want to mount /usr under /tmp, that's just not going to get you anywhere), you need to be careful that you mount file systems with the appropriate labels, because of what we were talking about on the last slide, about SELinux being a very label-based policy. If you mount something with the wrong label, you might not necessarily get the right access that you were expecting from your security policy. And for the most part that just works. You know, if we're talking ext-based file systems or any other file systems that support extended attributes, it's not a problem, because we store the SELinux labels in the extended attributes. So as long as you've got a functioning SELinux system, you're fine: you mount the file system, you don't need any additional options, you're off and running. But there are some file systems, as we all know, that don't support extended attributes. You know, USB FAT file systems, CIFS, network file systems, we could go on. So in that case we have mount options which will allow you to specify a label for that entire file system. So depending on how your individual policy is set up, if you don't like the default label that we're going to assign to your USB flash drive that you plug in, you just need to make sure that, if you're doing this at boot, you know, you set up your fstab so that it has the appropriate option so that it gets mounted correctly. But in most cases, with, you know, any distribution that's set up for, you know, interactive use, like a workstation or laptop that you use, they're gonna have some defaults in place that work for you just fine. But I just wanted to mention that up front, because that's an important part.

And then once you get everything mounted, you've got your SELinux policy loaded, you're off and running. It's rather uninteresting; it's pretty straightforward at this point. The kernel does all the enforcement. You know, we heard, I believe it was James yesterday, talking about, you know, the inevitability of failure and, you know, not relying on applications to enforce your security policy. James is looking at me like I'm crazy, so it was probably somebody else, my apologies. Oh, it was James. Okay, all right, I haven't gone completely crazy. But anyway, so the kernel handles all of our enforcement of the security policy. It also handles the management of the SELinux labels. So this is, you know, when you read a file off of disk, the kernel will go out and, you know, it'll look at the extended attributes and say, okay, hey, here's my SELinux label that I'm gonna associate with this file. Or if it's like we talked about, where you specify it with the mount option, it's gonna say, okay, I'm gonna grab this from the mount options off the superblock and, you know, use that for all the disk accesses, all the files that come off that disk. It's also gonna handle any transient objects, you know, so think of all the various IPC mechanisms, network sockets, pseudo file systems, you name it. And processes too. I mean, processes aren't an object, but they're very transient by nature, and the kernel will also manage labeling for those.

So that's pretty much it. The last bullet point is management. As anybody who's maintained a system for more than a week knows, there's security updates, there's patches, things you need to apply. SELinux policy gets patched just like anything else, so, you know, keep your SELinux policy up to date, as well as your kernel and the user space. And we also have a number of SELinux tools which allow you to manage the policy. I think we mentioned Booleans during one of the Q&A sessions; that's an important part of customizing the SELinux policy. There's some great man pages on those which will explain what they do; that's really kind of pretty cool, they're generated automatically. Yeah, so it's a great way to customize the SELinux policy for your individual use case without actually having to go out and write SELinux policy yourself. But you can always do that, as talked about earlier.
You can write an entire SELinux policy from scratch, you can write individual modules, and there's even some cool stuff that we've done in the past few years where we have a prioritized module store, so you can do something neat like, you know, creating your own policy for Apache, and whenever your distribution ships an update to the Apache policy module, it won't blow away your changes. That was really annoying for a long time. But anyway, once again, we don't have time to go into all this stuff, but if this sounds interesting to you, find me afterwards and I can give you some pointers.

So what does the enforcement actually look like, right? So we've done all this work, but what actually happens in the kernel whenever you do an access request? So whenever the kernel sees an access request, you know, we always talk about subjects and objects and the access. So the subject, it's pretty simple: it's a process, right? It's a user process, it's something on the system that is trying to do something to something else. Is that clear? There's a lot of "something"s in there. But in this particular case, I always like to use Apache as my example, so in this case the web server, Apache, that's going to be your subject, and the files on disk that it's trying to serve up, that's going to be your object. And in this particular example, the access is read, right? Apache is just trying to read an HTML file so it can serve it up to a client. It's pretty simple. And on that third line, it's in blue, but I'm not sure how well it's coming across in the presentation or on the video, but it's that last line: you see SELinux has labeled the subject as httpd_t, the object is httpd_sys_content_t, and the access, this is SELinux policy, it's a file, and we're granting open and read access. So httpd_t has open and read access for files labeled httpd_sys_content_t, and that's SELinux policy. I kid you not, we would tack an allow on the front and a semicolon at the end and change the order of that a little bit, but that's SELinux policy. So if you can understand these three things, that's all you need. SELinux is not necessarily a complicated thing. Now, it's one of those things, it's a simple concept that of course is repeated, you know, hundreds and thousands of times, but at its core this is SELinux access control. So I guess I'll pause for a minute. Does anybody have any questions about this? Does this kind of make sense? All right, great.

So here's my marketing plug for all of you. Here's why you should use SELinux. So if you've got a system that supports SELinux and you've got it turned off, here's why you should turn it on. So back before virtualization and containers, the big sell for SELinux was that it was a great way to restrict services on your system that were running in high-risk environments. So Apache is a great example, right? You've got a public, network-facing daemon which has, you know, a huge code base, you're running executables out of it, very high-risk, you know, you're potentially getting untrusted user input into it, so you want to try and contain that as much as you can, and that's what SELinux does. And in fact, you know, I don't want to say this was great, but if y'all remember Shellshock from several years ago now, I mean, it was bad at the time, but considering events over the past year, it's kind of like... But it was pretty scary at the time, and SELinux, this was a great use case: people that had SELinux, you know, running on their system and containing the Apache daemon, you know, we mitigated the exploit. Sure, you could still exploit Apache and, you know, get your remote shell, but SELinux confined the Apache daemon to only the accesses which you allowed in your SELinux policy. So sure, they had access to your server, but they couldn't really do anything, you know. They couldn't get access to /etc/passwd.
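To make the subject/object/access rule concrete, here is an added example (not code from the talk or from the SELinux project) that parses a few allow rules in the form the speaker describes and evaluates access requests against them, including the point that the mandatory decision overrides a permissive discretionary one. The httpd_t / httpd_sys_content_t rule is the one from the talk; the other rules, the shadow_t object label used for the denied case, and the simplified denial message format are assumptions made for illustration.

```python
"""Toy model of the SELinux access decision described in the talk.

Added example, not code from the talk or from the SELinux project.  The
first allow rule is the one the speaker spells out (httpd_t reading
httpd_sys_content_t files); the remaining rules, the shadow_t target
label for the denied case, and the denial message format are constructed
for illustration only.
"""
import re

# Constructed policy fragment in the allow-rule syntax the talk describes.
SAMPLE_POLICY = """
allow httpd_t httpd_sys_content_t:file { open read };
allow httpd_t httpd_sys_content_t:dir { search };
allow httpd_t httpd_log_t:file { open append };
allow httpd_t httpd_config_t:file getattr;
"""

# allow <source> <target>:<class> { perm perm ... };   or a single perm.
RULE_RE = re.compile(
    r"allow\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;"
)


def parse_policy(text):
    """Map (subject_type, object_type, object_class) -> allowed permissions.

    Several rules for the same triple are merged into one permission set,
    which is how they end up in a single access vector.
    """
    rules = {}
    for m in RULE_RE.finditer(text):
        src, tgt, cls, braced, single = m.groups()
        perms = (braced if braced is not None else single).split()
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules


def mac_check(rules, subject, obj, cls, requested):
    """Mandatory check: deny unless *every* requested permission is allowed.

    Returns (granted, denied_permissions).  A triple with no rule at all is
    simply denied; nothing is permitted by default.
    """
    allowed = rules.get((subject, obj, cls), set())
    denied = sorted(set(requested) - allowed)
    return (not denied, denied)


def access_decision(dac_allows, rules, subject, obj, cls, requested):
    """Combine discretionary and mandatory results as the talk describes.

    The mode bits (dac_allows) may permit the access, but SELinux still
    intervenes: the request succeeds only if both layers allow it.
    """
    granted, _ = mac_check(rules, subject, obj, cls, requested)
    return dac_allows and granted


def format_denial(subject, obj, cls, denied):
    """Render a denial in a simplified form of the kernel's AVC message
    (constructed approximation, not the exact audit record layout)."""
    return "avc: denied { %s } scontext=%s tcontext=%s tclass=%s" % (
        " ".join(denied), subject, obj, cls)


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_POLICY)
    # The talk's example: Apache reading an HTML file it is meant to serve.
    print(mac_check(policy, "httpd_t", "httpd_sys_content_t", "file",
                    ["open", "read"]))        # (True, [])
    # The Shellshock story: a compromised httpd_t reaching for /etc/shadow
    # is stopped by the mandatory policy even if DAC would let it through.
    ok, denied = mac_check(policy, "httpd_t", "shadow_t", "file", ["read"])
    print(ok, format_denial("httpd_t", "shadow_t", "file", denied))
```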
They couldn't get access to /etc/shadow. So that was, you know, that's kind of the big selling point: SELinux has value to you even if you're not running virtualization, even if you're not running containers. Although, show of hands, who's not running some form of virtualization or containers? Hey, two, three. All right, great.

So, and of course, you know, you can't give a talk or have any sort of technology these days if you don't have some support for virtualization and containers, despite the fact that we have a whopping three people here that, you know, couldn't care less. So anyway, the big thing about SELinux is that, you know, much like we can contain individual servers on the system, we want to be able to take that same principle and apply it to individual VMs and individual containers, and we can do that. There's some really neat things that have been done called sVirt that leverage some of the MCS capabilities, which I realize I'm just throwing names at you at this point, but you can always Google them afterwards. But basically this allows us to separate not only the guests and the containers from the host system, but also from each other. So, you know, you can't steal Pepsi's secrets and Pepsi can't steal Coke's secrets, and nobody can steal the host's secrets, and everybody's happy in their own little silos. However, as Casey alluded to beforehand, the tricky part about setting up these big silos is you still need to share in between, and SELinux, thanks to that very granular access control policy... Not gonna say it's easy, because controlled sharing is never easy, if anyone tells you that it is they're lying, but we provide lots of mechanisms and lots of avenues for you to do that. And we've got support for pretty much all the virtualization mechanisms out there, all the container ones: Docker, Kubernetes, runc, CRI-O. I kind of lose track of all the container runtimes that support it, but it's out there. Most likely you've got support for it.

And also, we talked about a little before, wide platform support, right? You see SELinux on servers, you see it on laptops, we already talked about Android, you see it increasingly in all the various different network appliances that are popping up. So it's pretty much everywhere, thanks a lot to that flexibility that we talked about earlier. And last but not least, something that I think probably nobody here cares about: Common Criteria, MLS capabilities. Yeah, it's kind of cool. If you've never gone through a Common Criteria evaluation, I think everybody should go through it once and then walk away. It's a very interesting experience. But yeah, just do it once and be good with that. So, but anyway, yeah, the reason I put this on the slide is that SELinux has gone through multiple third-party security evaluations over the years, so it's got a really good pedigree. It's been run through the wringer more times than I care to count. So not too bad.

We've got 10 minutes left, I think. So this is SELinux in 2018. But first off, before we talk about that, I just want to give you a quick little anniversary. So kind of piggybacking on what I said about Common Criteria, SELinux is pretty mature; it's been around for a long time. First release was back in 2000, so we're almost 18 years old. So I don't think... I think the drinking age here in Scotland's 18, so we're not quite there yet, but if you want to buy SELinux a drink I will gladly take it on behalf of the code base. So anyway, we've been in mainline for 15 years. It's been shipping as part of, you know, an enterprise Linux distribution for 13 years, and it's been in Android for five. And I think, you know, the general thing is roughly two billion devices at this point, and that's just for Android. That's not counting all the servers and the appliances and whatnot.
So there's billions and billions served. So nice. And now we're going to quickly go over some of the stuff that's happened over roughly the past year. So I think when I was taking this into account, it was maybe July of 2017 up to, I think, about August of 2018.

So as far as the kernel goes, we added access controls for eBPF. So, you know, loading programs, maps, you know, using those, leveraging them, we have access controls for those. We've added proper SCTP access controls. For a long time we had SCTP access controls just pretty much at the socket level, you know: can you create an SCTP socket, whatnot, you know, bind to it, read from it, write to it. But over the past year... if you know anything about SCTP, it's a very complicated protocol; there's associations and there's multi-homing and a bunch of cool stuff. But we actually added SELinux hooks for all those SCTP-specific niceties or functionality. So that was cool; that was a long time coming. We also added SO_PEERSEC to sockets that you get from socketpair. So SO_PEERSEC you've probably not used, but you maybe have heard of getpeercon, which basically allows you to see what's on the other end of your socket connection and see what that SELinux security domain is. So it's kind of a nice way of determining who you're talking to in a secure fashion, what their label is. For a variety of legacy reasons that we can't touch upon in the next nine minutes, we didn't have that on socketpair until very recently. We've got that now. And just within the past month, I mean a couple weeks really, we've moved to a new mailing list. So we're on vger.kernel.org. There's the address. So we announced this everywhere we could think of, but I'm announcing it again here, so if you want to be involved in SELinux make sure you subscribe to that list.

And I just wanted to take a chance to say thank you to everybody. Unfortunately, I can't list everyone who contributed a patch over the past year, but these are the top 10 by lines changed. So I was gonna say, if you see your name on the list go ahead and stand up. It's nobody, really? You're not just being shy, right? Okay, all right. Well, I was gonna have everybody clap for you, but you're not here. So... Yeah, that's true, that's true. Thanks guys. And you'll note I myself added 27 lines. So, yeah, I was really proud of that. Very important 27 lines.

So, user space changes. You know, we talked about SCTP, so there were some user space changes to add support for SCTP objects in the policy tool chain. Similar thing with InfiniBand: we added kernel support for InfiniBand last year, but there were a few things that were kind of trailing in user space, but we got that taken care of this year. semanage is one of the SELinux user space tools that allows you to manage the SELinux policy, and we're not very creative with naming. So that allows you now to list out all the potential home directory labels.
We didn't have that before. semodule: I alluded a little bit earlier that SELinux policy ships in modules. It does. semodule allows you to load and remove multiple modules at once. It used to be you had to do it, you know, individually, which is fine. I mean, the policy is reloaded in an atomic fashion: we link it all together in user space and then push it down into the kernel in one fell swoop. That way we avoid any race conditions. So the nice part about being able to specify multiple modules on the command line is now you don't have to do multiple reload operations in the kernel. You can batch all the changes up, link it all together, push it down. So it saves you a little bit of time. And did I mention we moved the SELinux mailing list? Okay, in case I didn't, you know, that's the new address.

We'll try this again. Anybody see their name? Oh, okay. I was hoping we'd have somebody. All right, well, anyway, if you see these people, or if you know these people, drop them an email, say thank you very much. This is, you know, like so many open-source efforts: you know, there's a whole team of people that are into this, and you know, some people are regular contributors, some people just contribute a few patches, and we're happy to have all the help we can. So if you're watching this on the video on YouTube, thank you guys.

And reference policy. This is kind of the flagship SELinux policy. We talked about earlier, you can have all sorts of policies, but the reference policy is the one that all others tend to be based upon. Fedora is heavily based off reference policy. I think Android's gone way off into the weeds on their own thing, but they have reason for it; it's a different, you know, very specialized use case. So anyway, the reference policy has been around for ages, a lot of people work on it. I think there were two significant releases over the past year, a lot of fixes, enablement of new software. I had started to write these out on the slide, and the slide was getting ridiculously long, and so I just kind of pared it off, and we'll just say there's a couple of releases with a lot of good new stuff in it. But most significantly, over the past year, they've moved off from where they were, and now they're all hosted under the SELinux project on GitHub. So we've got the user space development, the reference policy, our kernel test suite, there's a mirror of the kernel repository on GitHub there, so you can file issues and do all that stuff. For just logistical reasons, the canonical SELinux kernel tree lives on kernel.org; it's just the way it is. But the mirror on GitHub is maintained; every time there's a push to the kernel tree, it also gets sent off to GitHub. So, you know, you can base off GitHub if that's easier for you. And hey, did I mention the new mailing list? But you'll notice this one is different. This is selinux-refpolicy@vger.kernel.org. We've always just had a separate mailing list for the reference policy; it's just the way it is. Sometimes you'll see stuff cross-posted, because there's just overlap for a lot of things, but if you're just interested in policy development, go ahead and subscribe to the refpolicy list. It's fairly low traffic, but, you know, you'll see all the changes and discussions there. Anybody? No, okay.
Well, same sort of thing. Now, these numbers are a little bit skewed. So Chris, yeah, when I first did this, you know, there's gitdm, which will get you some statistics for a git tree, and it's pretty cool, Google it. When I first ran this, you know, I just copied and pasted it, and then I looked at it and I'm like, whoa. Turns out what this was is, as part of when they moved to GitHub, the reference policy was split into a submodule, a git submodule, and the main git repository. And this is one of those things, it seemed like a really good idea at the time, but if anybody's used git submodules you kind of learn that it looks great on paper, but in practice it's a royal pain. Well, the reference policy guys decided that, you know, it didn't look that good anymore, so they just kind of merged it all in, and that's why Chris's numbers get a little inflated. It's when he basically brought everything from the contrib submodule into the main repository. But that said, Chris does a ton of work on the reference policy; the reference policy wouldn't be what it is without him. So, but that's why he's at 96%.

So last but not least, you've got two minutes left. If you want to get involved, here's how to do it. Go ahead and take a picture of the slide; I'll leave it up there, and it's a little bit small, I do apologize. But anyway, the first link is to the GitHub. I talked about it; that's got everything. It's got the kernel mirror, it's got user space, reference policy, our test suite. That's a good place to start if you want to check this out later. Underneath it, that's the canonical kernel.org tree for the SELinux subsystem kernel. You can go there, but like I said, if you're more comfortable with GitHub you can get it there too. These are the mailing lists, in case you missed all my other comments that we've changed; that's where they're at. You can also see the official archives. They're on lore.kernel.org, which is, you know, a pretty new thing that's set up, but it's pretty nice, and we've had problems with other archive services over the years, so at least the Linux Foundation people have set this up and promised that it will keep working. So last but not least, this is how you can get in touch with me, Twitter and an email, but I would really encourage you to, you know, join the mailing list, participate there. There's a lot of smart people that are involved in SELinux development, all the different aspects. They're going to provide you much better answers, much quicker than I will probably be able to. I'm just one person; there's a whole army of contributors. So with that, I guess I'll just open it up for questions for the last couple minutes we have. Questions? All right. Oh.

So, just like, where would I find the mailing list?

That's a good question, James, thank you. I'm not sure if I mentioned it previously, but we've just recently moved the mailing list to vger, so you can find a link up there in the slide. Any other questions?

Why hasn't the bot replied to my subscription request yet?

Oh, you know, we had a little bit of a problem. They were asking for higher wages and more time off, you know. We just figured we could let them run 24/7, not pay them, and they're kind of balking at that now. Yeah, I... The only thing I will say is I know there's been issues in the past on vger with various things. If you go to your web browser, if you just go to vger.kernel.org, there's some tools down at the bottom of the page. There's like an MX verify tool and some other things that can help you maybe troubleshoot. There's usually some sort of DNS issue or some mailing thing. I don't own vger, so there's a limited number of things I can do. I will say, mailing lists in the open-source world are a lot more difficult than you would think they would be. For something so simple they can be very complicated. Any other questions? Okay, so let's thank the speaker.