planet debian, spam, and SE Linux

In regard to my post yesterday about Planet Debian I received the following response:
James Purser said: “I’m betting that your feed is an atom feed. We had the same problem on PLOA with Jeff and Pia’s feeds when they switched to atom. Planet needs to be upgraded.”
Well I am using an atom feed, so this probably explains it. Sorry for the inconvenience to the Planet Debian readers, I guess that things will stay the way they are until it is upgraded.

Also, when viewing my blog entry in Planet Debian I realised that much of a spam message had been pasted into the URL field for the Planet Debian link. Oh the irony that I only found this embarrassing error because of a bug in the Planet software.

This brings me to another issue, Security Enhanced X. With SE-X (before you ask, I didn’t invent the acronym) you can use SE Linux to control communication between windows on an X desktop. With a modification to the clipboard manager (klipper in the case of KDE) every piece of data that’s copied from an application will have a security context assigned to it, and this context will be checked against the context of the application that is to be the target of a paste operation. Klipper will also have to support relabeling clipboard data. Therefore if I want to cut text from my email client (Kmail) and paste it into Firefox then I would have to relabel it with the appropriate MCS categories. This would permit me to paste text from an email into a web form with a few extra mouse clicks, but would prevent me from accidentally pasting the wrong text. Keeping in mind that there are far more embarrassing things than the contents of a spam that could be accidentally pasted into a blog entry, this doesn’t seem overly difficult.

PS: before anyone jumps to conclusions: when I receive GPG encrypted email or other material that should be kept confidential I try to avoid cutting it, and if I have to do so I clear the clipboard buffer afterwards. Keeping spam a secret is not really a priority to me, so I didn’t take adequate precautions in this case.

combining two domains in SE Linux

To get the maximum value out of my writing, when I am asked a question of general interest in private mail I will blog my reply (without in any way identifying the person or giving any specifics of their work). I hope that this will benefit not only the general readers but also the person who originally asked the question, who may benefit from reading the blog comments.

The question is: “I wonder whether I can define a domain which is a union of two existing domains, that is, define a new domain X which has all the privileges that domains Y and Z have got”.

There is no way to say in one line of policy “let foo_t do everything that bar_t and baz_t can do” (for reasons I will explain later). However you can easily define a domain to have the privileges that two other domains have.

If you have bar.te and baz.te then a start is:
grep -h '^allow' bar.te baz.te | sed -e 's/bar/foo/g' -e 's/baz/foo/g' >> foo.te
(The -h stops grep prefixing each line with its file name when it is given more than one file; without it the first substitution would hit the “bar.te:” prefix instead of the rule. The g flag renames every occurrence on a line rather than just the first, so a rule such as “allow bar_t bar_tmp_t:file …” is renamed completely.) Then you just need to define foo_t in the file foo.te and define an entry-point type and a suitable domain_auto_trans() rule to enter the domain.

There are other macros that allow operations that don’t fit easily into a grep command, but they aren’t difficult to manage.

The only tricky area is if you have the following:
domain_auto_trans(bar_t, shell_exec_t, whatever1_t)
domain_auto_trans(baz_t, shell_exec_t, whatever2_t)

As every domain_auto_trans() rule for a given source domain and entry-point type needs to have a single target type, those two lines conflict, so you will need to decide which one you want to merge. This is the reason why you can’t just merge two domains. The same applies to file_type_auto_trans() rules and, in some situations, to booleans.
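The procedure above, with the conflict check done by a script rather than by eye, as an added example written for this post (it is not the author’s own tooling): two constructed policy fragments for the hypothetical domains bar_t and baz_t are renamed to foo_t, their allow rules are merged with duplicates dropped, and any domain_auto_trans() or file_type_auto_trans() rules that agree on source domain and exec/parent type but disagree on the target are reported instead of being silently overwritten. Rules are assumed to be one per line, as the grep approach already assumes, and every type name in the fragments is made up.

```python
"""Merge two SE Linux domains into a third, the way the grep|sed pipeline does,
and report the transition rules that the pipeline cannot merge.

Added example for this post, not the author's own tool.  bar_t, baz_t, foo_t
and every other type named below are hypothetical; the two policy fragments
are constructed, one rule per line as grep assumes."""
import re
from collections import defaultdict

BAR_TE = """\
type bar_t, domain;
type bar_exec_t, file_type, exec_type;
allow bar_t bar_tmp_t:file { create read write unlink };
allow bar_t etc_t:file { getattr read };
domain_auto_trans(bar_t, shell_exec_t, whatever1_t)
file_type_auto_trans(bar_t, tmp_t, bar_tmp_t)
"""

BAZ_TE = """\
type baz_t, domain;
type baz_exec_t, file_type, exec_type;
allow baz_t etc_t:file { getattr read };
allow baz_t var_log_t:file { append getattr };
domain_auto_trans(baz_t, shell_exec_t, whatever2_t)
domain_auto_trans(baz_t, sendmail_exec_t, sendmail_t)
file_type_auto_trans(baz_t, tmp_t, user_tmp_t)
"""

ALLOW_RE = re.compile(r"^allow\s+\w+\s+\S+\s*:\s*\w+\s+(?:\{[^}]*\}|\w+);$")
TRANS_RE = re.compile(
    r"^(domain_auto_trans|file_type_auto_trans)\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\)$")


def rename(line, old_prefixes, new_prefix):
    """bar_t -> foo_t and bar_tmp_t -> foo_tmp_t, but leave foobar_t alone:
    the old prefix must start an identifier and be followed by an underscore."""
    for old in old_prefixes:
        line = re.sub(r"\b%s(?=_)" % re.escape(old), new_prefix, line)
    return line


def merge_domains(te_texts, old_prefixes, new_prefix):
    """Return (allow_rules, transitions, conflicts).

    allow_rules - renamed allow lines, duplicates dropped (both domains often
                  read the same config files, so this happens a lot)
    transitions - *_auto_trans() rules whose (macro, source, type) key has a
                  single target after renaming
    conflicts   - keys with more than one target: one source domain and one
                  exec/parent type cannot transition to two types, so a
                  human has to pick"""
    allow_rules, seen = [], set()
    targets = defaultdict(set)
    for text in te_texts:
        for raw in text.splitlines():
            line = rename(raw.strip(), old_prefixes, new_prefix)
            if ALLOW_RE.match(line):
                if line not in seen:
                    seen.add(line)
                    allow_rules.append(line)
                continue
            m = TRANS_RE.match(line)
            if m:
                macro, src, typ, target = m.groups()
                targets[(macro, src, typ)].add(target)
    transitions, conflicts = [], []
    for (macro, src, typ), tset in sorted(targets.items()):
        if len(tset) == 1:
            transitions.append("%s(%s, %s, %s)" % (macro, src, typ, next(iter(tset))))
        else:
            conflicts.append(((macro, src, typ), sorted(tset)))
    return allow_rules, transitions, conflicts


def render_te(new_prefix, allow_rules, transitions, conflicts, entry_from="initrc_t"):
    """Emit foo.te: the type and entry-point declarations the post says you add
    by hand, then the merged rules, then each conflict as a comment so nothing
    ambiguous is expressed until someone resolves it."""
    dom, exe = new_prefix + "_t", new_prefix + "_exec_t"
    out = ["type %s, domain;" % dom,
           "type %s, file_type, exec_type;" % exe,
           "domain_auto_trans(%s, %s, %s)" % (entry_from, exe, dom)]
    out += allow_rules + transitions
    for (macro, src, typ), tset in conflicts:
        out.append("# CONFLICT: %s(%s, %s, ?) could be %s; choose one"
                   % (macro, src, typ, " or ".join(tset)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    a, t, c = merge_domains([BAR_TE, BAZ_TE], ["bar", "baz"], "foo")
    print(render_te("foo", a, t, c))
```

Running it prints a foo.te with three allow rules (the shared etc_t rule appears once), the one shell transition that merged cleanly, and two CONFLICT comments: the shell_exec_t transition from the post and a tmp_t file transition where the two domains labelled their temporary files differently. The entry-point transition from initrc_t is an assumption; use whatever domain actually starts the merged program.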

more security foolishness

Dutch police arrested 12 people for acting suspiciously on a flight to India. A passenger said “They were not paying attention to what the flight attendants were saying”; I don’t pay attention to the flight attendants either. When you fly more than 10 times a year you learn how to do up your seat-belt and when it’s appropriate to use your laptop, so once you know where the emergency exits are you can read a book or talk to other passengers. The 12 people who were arrested were apparently exchanging mobile phones – strange, they have never asked people not to do that.

The 12 people have since been released. The cost of canceling flights due to security scares is significant for the airline companies. The fear that this induces in the public (both of terrorism and of stupid police) makes them less likely to fly, which hurts the airline industry even more and also hurts the tourism industry.

The US is more dependent on air travel than any other country due to a severe lack of public transport. Australia is also very dependent on air travel due to large distances and no land connection to any other country. The UK also seems to have more of a need for air travel than other EU countries.

If exchanging mobile phones can interfere with air travel then people who dislike the US and the other countries in the coalition of the willing/stupid can cause serious economic damage by trivial things such as exchanging phones in-flight or writing BOB on a sick bag without any risk to themselves.

The war on terror is already as good as lost. William S. Lind’s blog is a good source of information on some of the ways that the US is losing. It’s a pity that the Australian and UK governments are determined to take their countries down with the US.

2006 Open Source Symposium

Today (well yesterday as of 30 minutes ago) I spoke at the Open Source Symposium in Melbourne. This is an event sponsored by Red Hat. The first day was the business day and the second day was the Red Hat developers day.

I attended both days and spoke on the second day (today). My talk was about designing and implementing a secure system on Red Hat Enterprise Linux 4 (the Inumbers system for gatewaying SMS to email, which is in Beta at the time of writing). I covered designing systems for least privilege via a set of cooperating processes under different UIDs, secure coding principles, and SE Linux policy design. My presentation notes are HERE (in OpenOffice 2.0 format).

The talk seemed to be well accepted, so I’ll probably offer variations of it at other venues in the near future. I’m thinking of making a half-day workshop out of it.

While at the symposium one of the SGI guys mentioned that an XFS expert was in Melbourne temporarily. I suggested that such experts should be encouraged to give a talk about their work when they are in town. As a result I arranged a venue for a talk on XFS; I had the venue arranged in about 4 hours, which meant LUV members got about 24 hours’ notice. I wasn’t able to attend the meeting due to prior commitments, so I’m not sure how it went.

terrorist “weakest link”

In the game show The Weakest Link competitors get voted off, usually not on whether they are weak but on whether the other contestants consider them to be a threat. It’s mildly amusing as a TV game show but not funny at all when carried out on an airline.

Recently a flight from Malaga to Manchester was delayed because two passengers were considered to be suspicious by other passengers (either 6 or 7 passengers refused to get on the plane because of this). The passengers were thought to be speaking Arabic (as if there was anyone on the plane who would recognise Arabic when they heard it) and because they were wearing coats and looking at their watches. The two men in question had been searched twice and found to be clean, but a bunch of idiots on a plane thought they knew better and demanded that the passengers in question be removed.

Lessons to be learned from this for travelling to/from coalition of the willing countries:

  1. Avoid the urge to check your watch when your flight is being delayed unless you are white. Non-white people who do what white people do in this situation are considered to be terrorists.
  2. When travelling to a cold place (such as Manchester) you want to have a coat to wear when getting off the plane. The airline staff won’t allow you enough hand-luggage space to store a coat so you will want to wear it when getting on the plane. This is fine if you are white, but if not white just deal with the fact that you will shiver when disembarking.
  3. Learn to speak English for your travels. If you speak another language you will be considered to be a terrorist.
  4. Whatever country you visit, stick to major cities as much as possible. Smaller cities have more racists and nationalistically bigoted people; there probably wouldn’t have been a problem on a flight to London.

Also, just avoid the coalition of the willing countries in your travels as much as possible. There are far fewer problems in this regard when the government doesn’t depend on terrorism hysteria to justify going to war on the basis of lies.

run an insecure system and get raped

After a recent mailing list discussion about computer security I’m going to be quoted in someone’s .sig so I think that I need to write a blog entry.

Here is an article about a 2001 case of a man who was arrested for pedophilia and spent 9 days in prison: http://www.xatrix.org/article.php?s=3549 .

This article on The Register has links to a few other articles and describes how a man has been found guilty due to the apparent actions of a hostile program on his machine (and served 20 days jail time).

Rumor has it that pedophiles are really disliked in prison and that they are often attacked by other prisoners. Even spending a few days in prison as a pedophile could be enough to get raped.

Run the latest version of the OS for your PC with all security patches. If you buy a second-hand machine reformat and reinstall as the first thing that you do just in case the last owner had kiddy porn (even though they may not have known of it).

laptop security on planes

There has been a lot of discussion recently about how to take laptops on planes following the supposed terror threat in the UK, which has been debunked by The Register and other organizations. There is an eWeek article about this that contains the interesting quote “The built-in locks don’t yet meet TSA specifications because they cannot be opened using the TSA master key” when reviewing a laptop case. Creating a master key is not that difficult and is explained in this PDF file. Theft by baggage handlers is quite a common occurrence (see this Google search for details).

So baggage handlers can easily reverse-engineer the TSA master key, steal laptops from baggage, smuggle drugs, and put bombs in baggage if they are so inclined.

There have been a number of cases of laptops containing sensitive financial, medical, and military data being stolen. Now someone who wants to steal data merely needs to work as a baggage handler and copy the hard drives of laptops before loading them. Data is more valuable if no-one knows that it has been stolen.

It would be ironic if an airline employee had their laptop hard drive copied and sensitive information about airport security was lost because of this.

a newbie question about SE Linux and anti-spam measures

An anti-spam measure that is used by a very small number of people is that of verifying the sender address by connecting to the sending mail server. For example when I send mail from russell@coker.com.au the receiving machine will connect to my mail server and see whether it accepts mail addressed to russell@coker.com.au and will reject my mail if that isn’t the case.

The problem with this is that if I try to send mail to someone who has my mail server listed as a spam source, their attempt to verify my email address will fail and my message to them will bounce with a confusing error message. This means that if either of the two mail servers involved in the communication is listed in a DNSBL or RHSBL service then all communication will be impossible. There will not be an option for one person to say “please phone me on this number if you can’t send me an email”.

This happened recently when someone from Italy asked me a question about SE Linux. So I will answer here (maybe they read my blog). In any case the answer might be of general interest:

Firstly I have to note that I have a B.Sc degree and no post-graduate qualifications, so it is not accurate to address me as Dr. Coker.

The question is: “Let’s imagine a user acquires root rights. Especially on Fedora Core, which modifies the su command to map it to the sysadm_r role, couldn’t he/she simply disable SELinux, delete logs, and so on?”

If a user obtains ultimate privileges then they can do all things including deleting logs etc.

One thing to note is that there is no need for any process other than kernel threads to have ultimate privileges; it would be useful in some situations to make log files append-only for all processes, and the SE Linux policy language supports this.

The nearest any released policy comes to implementing such things is the separation between sysadm_r and secadm_r in the MLS policy in recent versions of Fedora.

Also note that it is possible to configure a SE Linux policy that does not permit any process to request that a new policy be loaded, to change the policy files on disk, or to use programs such as debugfs. Using SE Linux to enforce a policy that cannot be bypassed by anything less than booting from installation media is quite easy to achieve.

One idea that I had was to have GPG implemented in the system BIOS and have GPG checks performed on the kernel before it’s loaded (to verify that the kernel had not been modified). The kernel could be passed a decryption key for the root filesystem by the BIOS, and SE Linux would be enabled as soon as the root filesystem was mounted. Thus nothing less than disassembling the BIOS would allow a hostile person to access the data on the disk. This is all possible with technology that has been common for many years. I almost convinced a BIOS author to implement this in about 2002.

invasive vs inconvenient security

The recent news from the UK gives us an example of invasive security. Preventing passengers carrying on any hand luggage (even wallets) and frisking all of them is the type of treatment you expect for criminals and visitors to maximum security prisons. It’s not what you expect for people who are involved in routine (or what used to be routine) travel.

The security measures offered by SE Linux are sometimes described as invasive. I don’t believe that this is an accurate description. I admit that sometimes minor tweaks are required (such as setting the correct context of a file). But for most users (corporate users and typical home users) the distribution takes care of all this for them. A default Fedora install should just work for the typical home user and a default Red Hat Enterprise Linux install should just work for the corporate user.

The main reason that it’s so easy to use is that the default domain for user sessions and for daemons that are not specifically configured in the security policy is unconfined_t. This means that programs for which there is no policy and programs run from a user session do not have SE Linux access controls. The default configuration of SE Linux only restricts programs that are known to be at risk.

The most common case of SE Linux access controls causing inconvenience is the policy for Apache (the daemon with the most configuration options). There is a set of configuration options (known as booleans) that can be used to determine which aspects of Apache will be confined; generally it only takes a few minutes to determine and specify the correct settings to support the desired operation.

Next time you are being frisked at a UK or US airport and are facing the prospect of a long flight with books and all other forms of entertainment banned, keep in mind that airlines have invasive security and should be avoided if possible. SE Linux offers security that is at most a minor inconvenience (usually not even noticed) and should be embraced.