New SE Linux Policy for Lenny

I have just uploaded new SE Linux policy packages for Debian/Unstable which will go into Lenny (provided that the FTP masters approve the new packages in time).

The big change is that there are no longer separate packages for strict and targeted policies. There is now a package named selinux-policy-default which has the features of both strict and targeted. When you install it you get the features of targeted. If you want the strict features then you need to run the following commands as root:

semanage login -m -s user_u __default__
semanage login -m -s root root

Then you can logout and login and you get the main benefit of the strict policy (users being constrained). IE you can convert from targeted to strict without a reboot! The above only changes the access for user login sessions (and cron jobs). To fully convert to the strict policy you need to remove the unconfined module with the command “semodule -r unconfined“, currently that results in a system that doesn’t boot – I’m working on this and will have it fixed before Lenny. Also it’s possible to have some users unconfined and some restricted in the way that strict policy always did.

When running in the full strict configuration you need to run the command “newrole -r sysadm_r” immediately after logging in as root. When you login you default to staff_r which doesn’t give you the access needed to perform routine sys-admin tasks.

Due to the change in the function of the policy packages (in terms of not having a strict package) it made sense to revise the naming (Fedora 9 has a package named selinux-policy-targeted which also provides the strict configuration – I don’t want to do that and don’t have as much legacy as Fedora). This is why I decided to not have package names that include the word “policy” twice. Of course all policy packages get new names, but the ones that matter needed new names anyway.

Another new feature is the package selinux-policy-mls, as the name suggests this implements Multi Level Security [1]. I don’t expect that the MLS policy will boot in enforcing mode in a regular configuration at this time (you could probably hack it to boot in permissive mode and switch to enforcing mode just before it starts networking). I uploaded it in this state so that people can start testing it (there is a lot of testing that you can do in permissive mode) and so that it can get added to the package list in time for Lenny. I expect that I’ll have it booting shortly (it should not be much more difficult than getting the strict configuration booting).

In terms of the use of MLS, I don’t expect that anyone will want to pay the money needed for LSPP [2] certification. NB The wikipedia page about LSPP really needs some work.

I believe that the main benefit for having MLS in Debian is for the use of students. I periodically get requests from students for advice on how to get a job related to military computer security. Probably the best advice I can offer is to visit the career section of an agency from your government that works on computer security issues, for US readers the NSA careers page is here [3]. The second best advice I can offer is to work on MLS support in your favourite free OS. Not only will you learn about technology that is used in military systems but you will also learn a lot about how your OS works as MLS breaks things. ;)

Finally I’d like to thank Manoj for all his work. For a while I didn’t have time to do much work on SE Linux and he did a lot of good work. Recently he seems to have been busy on other things and I’ve had a little more time so I’m taking over some of it.

5 comments to New SE Linux Policy for Lenny

  • Tiago

    Thank you for your posts. They are always the more informative and interesting. Keep it up!

  • etbe

    Tiago: I notice that you are involved with the Ubuntu project. What is the status of SE Linux in Ubuntu? I heard a rumor that they aren’t using MCS, is that true? I hope not.

  • matt

    I’m using debian testing branch and have got all SELinux packages installed, but I get an error when running audit2allow command (reported not by me Bug#486120). To resolve the error listed above I’ve installed the python-sepolgen package from ubuntu hardy repos and when run audit2allow command, then checkmodule -M -m, semodule_package and then tried to load the module with semodule it gave me an error about linking a module with an non MLS database. Any help for that bug?

  • etbe

    matt: Are you running my latest policy packages? IE Did you edit /etc/selinux/config to refer to “default” and then reboot? For a while Unstable had a non-MCS policy which causes such issues. Also rumor has it that Ubuntu has a non-MCS policy which would cause problems if you used the Ubuntu policy. You could of course skip the -M on checkmodule.

  • matt

    etbe: Sorry for so long time with no response. I was running the latest policy packages. While running Ubuntu packages I have had the error mentioned by you, but i knew the solution so I’ve skipped the -M command – so the rumor may be true. I was running SELinux from curiosity, to play a little bit with it (i don’t host a server) and I’ve found this bug – but it was reported few days earlier.