Debian SE Linux Status

March 28, 2008 | etbe

At the moment I’ve got more time to work on these things than I have had for a while.

I’ve got Etch support going quite well (see my post about my Etch repository [1]), the next step is to back-port some packages for AMD64 to get it working as well as i386.

I’ve got an i386 Xen server for SE Linux development (which is also used for my Play Machine’s [2] DomU – so it’s definitely not for anything secret). I can give accounts and/or DomU’s to people who have a good use for them (the machine has 512M of RAM so could have 4-5 DomU’s).

Currently it seems that the 2.6.24 kernel in Debian doesn’t work for Xen (at least on with an i686 CPU). I have filed bug report #472584 about it not working as a DomU [3]. This combined with the fact that according to bug report #466492 it doesn’t work as a Dom0 (which I have verified in my own tests) [4] makes the package linux-image-2.6.24-1-xen-686 unusable.

Due to the inability to use 2.6.24 Xen I can’t do SE Linux development for Lenny in a DomU (Lenny tools build policy version 21 and the Etch kernel I’m using only supports policy version 20). So I have repurposed one of my servers for Lenny (unstable) development. I can give user accounts on that machine to anyone who has a good reason (and there are some people who I would give root access to if they need it).

The current policy packages in Unstable are built without MCS support. This is a problem as converting between a policy which has MCS or MLS and one which doesn’t is rather painful (purge policy, reinstall policy, and reboot are all required steps). I have filed bug report #473048 with a patch for this – my patch may not actually be much good (I don’t understand some aspects of Manoj’s code) but it does achieve the desired result [5]. I won’t be making Apt repositories for such things as I expect that the changes will get into Debian fast enough.

The next thing I am starting to work on is MLS support for Debian (currently it only supports the Strict and Targeted policies). See the Multilevel Security Wikipedia page for some background information on the technology [6].

I don’t expect that many people will use MLS on Debian in production environments, and it wouldn’t surprise me if no-one used it on a production server (although of course it would be impossible to prove this). But I still believe that it’s worth having for educational purposes. I am sure that there are packages in Debian of a similar size that will get less use so it’s not a waste of disk space on mirror servers!

The only real down-side to adding MLS support is that it will increase the build time for the Debian SE Linux policy packages, currently they take 13 minutes to build on a 1.1GHz Celeron system (the Xen server I mentioned previously) and I expect that the machine in question will have build times greater than 20 minutes with MLS included. I will probably need to set up an Unstable DomU on a dual-core 64bit machine for the sole purpose of building policy packages. I will also have to investigate use of the “-j” option to make when building the policy to take advantage of the dual cores. I often do small tweaks to policy and it’s annoying to have to wait for any length of time for a result.

The version of Coreutils that is currently in Unstable will have ls display a “+” character for every file when running SE Linux (I have filed bug report #472590) about this [7]. It is being actively discussed and at this stage it seems most likely that the functionality from Etch in this regard will be restored (which is using “+” to represent ACLs only not SE Linux contexts). It seems likely to me that I will find a few other issues of a similar nature now that I have started seriously working on Unstable.

For the benefit of Debian and upstream developers who get involved in such discussions, please do not be put off if you join a discussion that is CC’d to the NSA SE Linux mailing list and have your message rejected by the list server. The code of conduct is much the same on most mailing lists, and the SE Linux list is not much different to others. The difference is that before your get your email address white-listed for posting you have to agree to the terms of service for the list. The people who run the list server appear to work more than 40 hours a week so there should not be a great delay. If anyone wants to get a message about Debian SE Linux development sent to the list without delay on a weekend then they can send it to me for forwarding.

I am aware of some discussions about SE Linux and the Debian installer. I have not responded to them yet because I wanted to get some serious coding done first as an approach of “I haven’t done much coding recently but trust me I’ll fix the problems for you” might not be accepted well. I will start investigating these issues as soon as I have my Debian/Unstable server working well in enforcing mode.

Update: I’ve just filed bug report #473067 with a patch to enable MLS policy builds [8].

The Inevitability of Victory

March 19, 2008 | etbe

I just read an interesting blog post about Montenegro [1]. Apparently a key to the process of becoming a country was acting like it was inevitable.

It seems that this method can be applied to many areas, one of which is the contest between Linux and some proprietary OSs.

For many years monopolists have convinced people that it was inevitable that they would monopolise all areas of software development. Why use any other software (even if it is more reliable, faster, has more features, and is cheaper) if a monopolist is about to dominate the market? The monopolist changes sometimes, the monopolist from ~1990 to now is different from the monopolist of the 1970’s, but the tactics of a computer monopolist remain the same.

The way to beat this is largely to just ignore them. There is an ongoing debate in some circles about when Linux will be “ready for the desktop“. I’ve been running Linux as my primary desktop environment since about July 1998, it’s almost 10 years of having Linux as my primary desktop environment. It seems inevitable that the Linux will take over the desktop – it’s far better for desktop use than it was 10 years ago when I switched.

Some people claim that Linux lacks driver support. Every piece of hardware that I’ve wanted to use over the last 10 years has had adequate support. Often second-hand hardware works best with Linux, hardware vendors have no reason to continue to support their old products on newer operating systems (they make more money if you buy new hardware to run the new OS). Not only is hardware support for Linux adequate, but long-term support is far superior (and I often get to use cheap second-hand hardware). Now that an increasing number of hardware vendors are supporting Linux for their new hardware (Intel, AMD, and most laptop vendors are doing some good work in this regard). It seems that everyone who has tried both says that writing drivers for Linux is easier than writing drivers for proprietary OSs, so it seems inevitable that Linux will end up with better driver support by all metrics.

Linux is designed for users. DRM (Digital Restrictions Management) is not something that interests Linux developers. Run Linux and your computer will obey you and give full quality audio and video. It seems inevitable that Linux will dominate the AV section of the market (it already dominates the computer work involved with creating movies).

Free software (of which Linux is merely the most famous and popular example) is based on the principles of open design and open standards. When you use a free software program to save a file then you can be reasonably sure that you will be able to read it back again in a few decades. Most free software uses file formats that are well documented and standardised. Sometimes there are bugs in programs and new versions will use files in a different way, this is sometimes a case when you rely on a bug in an old version. Using the older version of the software is sometimes required to properly access old data. Fortunately when you have the source to the older programs they can be compiled on new systems (so different types of CPU won’t matter). Also the lack of DRM means that an OS image can be virtualised. One thing that is on my todo list is to create a set of virtual machine images of some of the most commonly used distributions of Linux so I can easily compare distributions of 10 years ago with modern distributions – it’s not technically challenging and there is no particular technical or legal obstacle to doing this. This would also mean that if someone gave me a file in some strange format from 10 years ago I would have a better chance of reading it. It seems inevitable that as the value of data increases the desire to avoid OSs that prevent people from accessing their own data will also increase, and that will eventually squeeze out most closed software from the market. This doesn’t mean the end of proprietary software, merely the end of software that holds user’s data hostage.

The majority of the world’s population does not use computers. The computers that they end up using will be cheap because they can’t afford to waste so much money on new hardware. To make cheap machines means that there will be limited resources in terms of RAM, mass storage, and CPU power which require more efficient software. Also to properly take advantage of machines with small screens and other limitations changes to the design of the software will be required. It seems inevitable that the most open software will be adapted to such environments more readily than proprietary software.

Now this doesn’t mean that we can take a break from development. In the free software community there are usually many different programs to perform a particular task with competition between the developers of the various projects. The fact that a monopolist is inevitably going to lose it’s position is of little relevance to the competition between the various free alternatives.

[1] http://www.airs.com/blog/archives/115

Barack Obama wants a National CTO

March 18, 2008 | etbe

I am just watching US Senator Barack Obama speaking at Google about his bid to become the next US president [1]. He has announced plans for allowing greater citizen oversight of the government including having all government data in open file formats (a great idea – the Australian Bureau of Statistics has a large amount of data online in Excel format). But his most significant item so far is to have a National CTO (Chief Technology Officer). It’s an idea that seems totally obvious now that I’ve heard it and leaves me wondering why I never thought of it before!

Barack understand technology, wants a functioning democracy, and gets a +5 Insightful from me for the CTO idea!

He also announced a plan to double federal funding for basic scientific research as part of a measure to make the US more competitive with other countries. He mentioned the US standing in the world as a problem (it’s the first mention of this that I’ve heard from anyone in the US government) and notes this as an issue which limits the ability of the US to save lives in regions such as the Darfur. He also claims that there is no clash of civilisations and cites his experience living in a Muslim country as helping to build bridges.

When discussing his reasons for running he said that he believes that he can bring his country together to solve problems better than other candidates. That’s the type of thing you often hear and ignore in political campaigns. It is often difficult to believe that someone wants to be famous and powerful for anything other than the most selfish reasons. But Barack gives me the strong impression that he is genuine.

He stated a plan to shut down Guantanamo bay (presumably just the prison and torture aspect – I’m guessing that he is not intending to close the military base) and to stop “rendition” (sending prisoners to other countries to be tortured).

His plans for education are innovative, as part of educating young children (0-3 years old) he stated an aim to teach parents to read so that they can read to their children! It’s sensible and obvious once you have heard it, but no-one seems to have publicised that idea before. He announced that he will increase teachers’ salaries.

He describes the US as having an “empathy deficit“, it’s obvious to almost everyone outside the US but not something that many people in the US realise.

He wants decisions to be based on facts and is determined to use facts when dealing with health insurance companies.

I just wish that we had some politicians like him in Australia. In terms of policy the Greens politicians would agree with him, but the combination of great policies, insight, and excellent delivery seems a lot better than any of the options in Australia.

Update: Changed the post (including the permalink) to have the correct spelling of Barack. Mental note – double check the spelling of everything in the permalink.

[1] http://au.youtube.com/watch?v=m4yVlPqeZwo

Unusual Ways of Helping the Environment

March 17, 2008 | etbe

Unusual Things to Help the Environment

Have a party! Keeping a house at a comfortable temperature on days of extreme temperature takes a moderate amount of energy. If instead of having three houses that each contained two people you had one house with six people and two houses with the heater or air-conditioner turned off then the energy use would be reduced.

In winter a house with a large party may not need any heating. Each adult dissipates an average of 100W of heat [1]. 30 adults will dissipate about 3KW – equivalent to an electric heater used for heating a room, in my experience it’s not uncommon to open windows during a winter party to cool the house down.

In summer it’s often impossible to use an air-conditioner for a medium size party. A medium size air-conditioner can remove 3KW of heat so if there are 20 people plus some cooking or 30 people without any cooking then the house will be cooler if the windows are left open.

The most energy efficient parties would be family events, as they generally involve moving all the people from several houses into a single house.

I have previously written about the benefits of using water evaporation to assist a car air-conditioner (which reduces a/c use as well as making the car cooler) and of using ice to cool a room to avoid buying a larger a/c [2].

Please try and think of the most unusual ways of helping the environment and let me know by comments or by a post on your own blog. Overall it’s most effective to use more fuel efficient cars, set your home thermostat to a temperature which is closer to the outside temperature, and to recycle as much as possible and reduce needless consumption. But if you are interested in science then it’s more fun to discover unusual ways of doing things even if they don’t do as much good overall.

Having twice-yearly “Environment Parties” on the hottest day of summer and the coldest day of winter would also be a good way of spreading the idea that we need to do something about environmental problems.

Not Visiting the US

March 13, 2008 | etbe

I won’t be visiting the US in the forseeable future.

For some time I have been concerned about the malfunctioning legal process and other related issues that arose from the so-called “War On Terror“. But the most recent news is that the TSA may just copy all the contents of your laptop or even steal it [1].

Law enforcement agents can search property if they see evidence of a crime in progress or if they have a search warrant. They can seize property as evidence in a trial, but if the property in question is not illegal then it will be returned afterwards.

The TSA take property from travellers without any reason for doing so and do not return it. This is not law enforcement, it is banditry.

It’s bad enough catching a late train while carrying a laptop and risking a junkie trying to steal it. When bandits have police protection (as the TSA do) then it becomes an unacceptable risk.

The TSA have recently apologised for making people remove iPods and other devices from their luggage [2]. Strangely this has been interpreted by some people to mean that the TSA won’t be stealing data and hardware from travellers. I’m sure that if the TSA was going to stop searching laptop hard drives and confiscating laptops then they would have announced it.

From now on I will avoid entering US territory (even for connecting flights), except in the unlikely event that someone pays me an unreasonably large amount of money such that I am prepared to travel without electronic gear.

I know that some people in the US won’t like this (some people flip out when anything resembling a Boycott is mentioned). I am not Boycotting the US, merely avoiding bandits. If the fear of bandits hurts your business then you need to get a law enforcement system that can deal with the problem.

On a related note, check out the TSA Gangstaz [3] video, funny.

Links March 2008

March 4, 2008 | etbe

Dan Bernstein wrote an interesting paper about the security of Qmail [1]. Of particular interest to me are the sections about things that might do differently if he was to do it again and the mentions of language features for security. Bruce Schneier has some interesting comments about this [2].

Interesting paper by Jessica Walpaw Reyes about the link between lead in petrol and crime [3]. The research indicates that “the reduction in childhood lead exposure in the late 1970s and early 1980s is responsible for significant declines in violent crime in the 1990s, and may cause further declines into the future“. It makes me wonder about what other health measures could be used to reduce crime.

Paul Wayper writes about a wax that is used in both floor and car polish as well as food [4].

The Australia Institute [5] has some interesting papers. Here’s a PDF about over-consumption in Australia [6]. It states that 46% of people who have household incomes greater than $70,000 say that they can’t buy everything that they really need. It uses the term affluenza to describe the tendency of middle-class people to try and emulate the life-styles of the rich. I wonder whether Gear Acquisition Syndrome [7] is related to this.

The site Unbelief.org – exposing the religious “right” in Australia [8] has some interesting information. I didn’t realise that the problem was so bad here.

etbe – Russell Coker

Linux, politics, and other interesting things

Monthly Archives: March 2008