28 Jan 2013 etbe   » (Master)

My SE Linux Status Report – LCA 2013

This morning I gave a status report on SE Linux. The talk initially didn’t go too well, I wasn’t in the right mental state for it and I moved through the material too fast. Fortunately Casey Schaufler asked some really good questions which helped me to get back on track. The end result seemed reasonably good. Here’s a summary of the things I discussed:

Transaction hooks for RPM to support SE Linux operations. This supports signing packages to indicate their security status and preventing packages from overwriting other packages or executing scripts in the wrong context. There is also work to incorporate some of the features of that into “dpkg” for Debian.

Some changes to libraries to allow faster booting. Systems with sysvinit and a HDD won’t be affected but with systemd and SSD it makes a real difference. Mostly Red Hat’s work.

Filename transition rules to allow the initial context to be assigned based on file name were created in 2011 but are not starting to get used.

When systemd is used for starting/stopping daemons some hacks such as run_init can be avoided. Fedora is making the best progress in this regard due to only supporting systemd while the support for other init systems will limit what we can do for Debian. This improves security by stopping terminal buffer insertion attacks while also improving reliability by giving the daemon the same inherited settings each time it’s executed.

Labelled NFS has been accepted as part of the NFSv4.2 specification. This is a big deal as labelled NFS work has been going for many years without hitting such a milestone in the past.

ZFS and BTRFS support but we still need to consider management issues for such snapshot based filesystems. Filesystem snapshots have the potential to interact badly with relabelling if we don’t develop code and sysadmin practices to deal with it properly.

The most significant upstream focus of SE Linux development over the last year is SE Android. I hope that will result in more work on the X Access Controls for use on the desktop.

During question time I also gave a 3 minute “lightning talk” description of SE Linux.

Related posts:

  1. SE Linux Status in Debian 2012-01 Since my last SE Linux in Debian status report [1]...
  2. Debian SE Linux Status June 2012 It’s almost the Wheezy freeze time and I’ve been working...
  3. Status of SE Linux in Debian LCA 2009 This morning I gave a talk at the Security mini-conf...

Syndicated 2013-01-28 02:56:30 from etbe - Russell Coker

Latest blog entries     Older blog entries

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!