Securing Debian: SELinux Integration Into Etch
For the longest time, Russell Coker has been carrying the torch of SELinux on Debian (helped, in the past, by Colin Walters and Brian May). Indeed, currently Russell's site is the only way for getting a SELinux installation running on Debian, though we are beginning to see acceptance of SELinux into mainstream Debian (for example, kernel support for SELinux is now included in Debian kernels (unstable branch)).
Please have a look at Russell's site for details on how to proceed on setting up SELinux on Debian Sid.
There also has been an interest in creating an SELinux UML, since it allows for rapid testing of policies, and packages, and to observe the reaction of the machine to threats and other stimuli. However, it has been tedious, traditionally, to create a UML that can be run in enforcing mode. A recipe for doing so has been created, and is kept up to date with new kernel versions, and newer versions of patches for SELinux and UML. Effort is underway to create a more flexible, automated, and configurable tool to help generate the root file systems that can be used for UML instances, or for stand alone installations.
User Land Packages
In addition to the core SELinux code, certain SELinux-patched user-space packages are required to use SELinux. While these packages were initially provided as a convenience by the NSA, but it has now delegated maintenance of these patches back to the community. A reference set of SELinux user-land patches is available in the public Fedora CVS tree. Red Hat's Fedora distributions have fully embraced SELinux, and have been keeping the patches updated with new versions of these user-land patches.
So this mini project is an effort to bring Debian's SELinux patched packages back in sync with the latest upstream and the latest SELinux patches, and to make it easier for Debian developers to access SELinux patches. What one can find here is the original fedora patches, as well as patches massaged for Debian's version. In order to facilitate SELinux related work, and a separate repository where Debian work on these user-land packages and the corresponding SELinux branches shall be tracked. The information, and archive registration information, as below:
As these packages come along, I shall attempt to create an apt-able repository for them on people.debian.org. To use, just put the following in /etc/apt/sources.list, and run aptitude update
. The archive is also signed, and the public key for the Release.gpg
file can be downloaded from here.
Luxury hotels are located in truly prestigious locations for the Debian security conference: etch SElinux Integration
Luxury hotels guarantee an excellent holiday with all the amenities and luxurious service. Only our luxury hotels host a meeting with the creator of an SELinux UML, since it allows for rapid testing of policies, and packages, and to observe the reaction of the machine to threats and other stimuli. Spend a great time in our huge comfortable conference rooms and make any deal profitable.
Recommended posts
West RoseDPKG
Dpkg is the primary package management system for Debian systems. It handles the installation and removal of packages on a Debian system. Since it is used for initial installation of packages, special care must be taken to ensure that the components file system objects end up in the appropriate domain, rather than in the sysadmin_t domain, which would normally be the case for things created by the systems administrator.
As of version 1.13.10, SELinux support is compiled in into dpkg (statically compiled). The upstream repository for dpkg is browseable. As part of the SELinux effort, a set of branches have been tagged off from upstream, and are available here.
Repository links
- dpkg--stable
- The stable upstream DPKG branch, meant for Sarge.
- dpkg--devel
- The upstream development branch for dpkg. This is meant for Etch -- and since Etch can promote libselinux1 to an essential priority, this branch of dpkg could be linked against
libselinux1
. - dpkg--selinux-old
- Russell Coker's modifications to dpkg, which introduce {pre,post}{inst,rm}.d/ directories to label installed package files correctly, using setfiles. Unfortunately, these changes were deemed too far reaching, and really suboptimal, by dpkg authors, since they were not comfortable introducing the general purpose hook directories, which could lead to non-deterministic behaviour, and could be open to all kinds of abuse.
- dpkg--selinux
- A new modification of dpkg, using SELinux library calls (
matchpathcon
andsetfilecon
) to set the security context of component files just after unpacking. This approach may be more acceptable, since it does not create a whole set of directories that are open to potential abuse, and fits in with thechown/chmod
calls that dpkg already makes.
Please note that while dpkg--selinux-old branch is tagged off the dpkg--stable branch, the dpkg--selinux branch is tagged off the dpkg--devel branch.
Bug numbers
None Needed.
SSH
Ssh (Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. This is an implementation of the IETF secsh working group's specification of the Secure Shell protocol. Since it logs in to a system in lieu of a user, it needs to be modified to set the security context of the process. The Fedora core patch can be found on the fedora core cvs repository.
The public repository of the Debian development is not available directly, since it is hosted as a CVS repository on chiark, that does not offer public pserver access. However, afull repository tarball is available, updated daily.
As of 4.1p1-4
, openssh in Debian is compiled with SELinux support, so no patchs are needed.
SYSVINIT
Init is the first program to run after your system is booted, and continues to run as process number 1 until your system halts. Init's job is to start other programs that are essential to the operation of your system. All processes are descended from init
. The Fedora core patch can be found on the fedora core cvs repository.
As of version 2.86.ds1-2
, sysvinit in Debian is compiled with SELinux support, so no patchs are needed.
Repository links
- sysvinit--upstream--2.0
- This branch contains the upstream releases of sysvinit.
Bug numbers
None needed
PAM
The Pluggable Authentication Modules library. Using this library, without rewriting or recompiling a PAM-aware application, it is possible to switch between the authentication mechanism(s) it uses. One may entirely upgrade the local authentication system without touching the applications themselves.
As of version 0.79-1
, pam modules in Debian are compiled with SELinux support, so no patchs are needed.
The Debian developer for PAM has a public repository on http://svn.debian.org/. pecifically, there are three parts to the packages:
svn://svn.Debian.org/svn/pkg-pam/branches/upstream/Linux-PAM/
contains the upstream (or vendor) branchsvn://svn.Debian.org/svn/pkg-pam/trunk/Linux-PAM/
contains the version of the soruces modified for Debian, andsvn://svn.Debian.org/svn/pkg-pam/trunk/debian/
contains the./debian/
directory required for packaging.
Bug numbers
None needed
CRON
The cron daemon runs programs at specified intervals on behalf of users, and mails out put back. Since the programs are run on behalf of users, the security context needs to be set appropriately. The Debian package already contains the SELinux patches. The Fedora core patches (and there are several) can be found on the fedora core cvs repository.
As of version 3.0pl1-88
, cron in Debian is compiled with SELinux support, so no patchs are needed.
Repository links
- cron--upstream--3.0
- This branch contains the upstream releases of Vixie cron.
Bug numbers
None needed
LOGROTATE
The logrotate utility is designed to simplify the administration of log files on a system which generates a lot of log files.
As of version 3.7.1-1
, logrotate in Debian is compiled with SELinux support, so no patchs are needed.
Repository links
- logrotate--upstream--3.0
- This branch contains the upstream releases of logrotate.
Bug numbers
None needed
devmapper
The Linux Kernel Device Mapper is the LVM (Linux Logical Volume Management) Team's implementation of a minimalistic kernel-space driver that handles volume management, while keeping knowledge of the underlying device layout in user-space. This makes it useful for not only LVM, but EVMS, software raid, and other drivers that create "virtual" block devices.
As of version 2:1.01.04-2
, devmapper/dmsetup in Debian are compiled with SELinux support, so no patchs are needed.
Bug numbers
None needed
lvm2
LVM2 is the the rewrite of The Linux Logical Volume Manager. LVM supports enterprise level volume management of disk and disk subsystems by grouping arbitrary disks into volume groups. The total capacity of volume groups can be allocated to logical volumes, which are accessed as regular block devices.
As of version 2.01.14-1
, lvm2 in Debian is compiled with SELinux support, so no patchs are needed.
Bug numbers
None needed
COREUTILS
This package contains the essential basic system utilities, which are quintessential UNIX. Since this contains utilities like ls, id, cat, etc, several pieces need to be changed to be SELinux aware.
The Debian developer does not have a public repository for the code,a nd indeed, ships a tar.bz2 archive in the source package, and uses dbs
to unpack and patch the source on the fly. The implication of this is that the only changes made for Debian are all consolidated into the ./debian directory (repository). This means that while I have branches below that reflect the unpacked source trees, that is mostly for the benefit of people auditing the code or not using Debian. For Debian, we just need to generate a patch between the Debian mainstream and the SELinux variant versions of the ./debian
directory.
The Code below is based on the work by Gregory T. Norris, and can be seen (along with the binary .deb
packages) on his people.Debian.org site. The Fedora core patch can be found on the fedora core cvs repository. The source package for coreutils 5.2.1-2.gn1
, as well as and the binary package coreutils 5.2.1-2.gn1
, is provided in the repository mentioned above.
Repository links
- coreutils--upstream
- The upstream release branch for coreutils.
- coreutils--debian
- This is the unpacked, and patched, source tree from which the actual Debian package is built.
- coreutils--selinux
- This is the unpacked, patched, source tree, including SELinux related patches, from which the SELinux aware Debian packages should be created.
- debian-dir--coreutils
- This is the
./debian/
directory shipped with the Debian source package. Since coreutils usesdbs
, this contains all the patches that have been applied to the actual source tree. - debian-dir--coreutils-sel
- This is the SELinux patched version of the
./debian/
directory. As above, it contains all the patches applied to the SELinux patched source tree.
Patches
There are three separate patches that need to be applied in sequence.
- 60_coreutils-pam.patch This patch alows
su
to us PAM libraries for authentication. That is good, since we can then usesession required pam_selinux.so multiple
in /etc/pam.d/login to set proper security contexts seamlessly. - 61_coreutils-5.2.1-runuser.patch This adds the
runuser
utility, used run a shell with substitute user and group IDs, similar to su, but without prompting for a password. - 62_coreutils-selinux.patch This is the actual guts of the SELinux patch. Apart from
autoconf
enhancements, this addschcon
andruncon
, enhancescp
,dir
,install
, andls
.
Bug numbers
Bug#312426, Bug#193328
Packaging Software Using Gi
A analysis of schemes people use for packagingTable of Contents
- 1 Introduction
- 2 Interested constituencies
- 3 Patch flow characteristics on the topic branches
- 4 Other factors
- 5 Work-flow details
- 5.1 Merging the topic branches
- 5.2 Rebasing the topic branches
- 5.3 Rebase & merge
- 5.4 Merge & rebase
- 6 Conclusion
- 7 Acknowledgements
1 Introduction
"Are you rebasing or merging?" seems to be the 64 thousand dollar question over in vcs-pkg discussions. Various people have offered their preferences, and indeed, several case studies of work flows have been presented, what is lacking is an analysis of the work-flow; an exploration of which methodology has advantages, and whether there are scenarios in which the other work flow would have been better.
Oh, what are all these work flows about, you ask? Most of the issues with packaging software for distributions have a few things in common: there is a mainline or upstream source of development. There are zero or more independent lines of development or ongoing bug fixes that are to be managed. And then there is the tree from which the distribution package is to be built. All this talk about packaging software work flows is how to best manage asynchronous development upstream and in the independent lines of development, and how to create a coherent, debuggable, integrated tree from which to build the distributions package.
The rebasing question goes to the heart of how to handle the independent lines of development using git; since these lines of development are based off the main line of development, and must be periodically synchronized. What follows here is a first look at a couple of important factors that will have bearing on that question, and packaging software for a distribution using Git in general. This is heavily geared towards git (nothing else does rebases so easily, I think), but some of the concepts should be generic. I am not considering the stacked set of quilt patches source controlled with Git in this article (I don't understand that model well enough to do an analysis)
As a teaser, there is a third answer: neither. You can just add an independent line of development, and just let it sit: don't rebase, and don't merge; and in some circumstances that is a winning strategy.
2 Interested constituencies
Take the rebasing issue. First, rebasing is for private branches -- not for anything you publish. Whether or not you should have a private branch that you rebase or not depends on a number of factors -- firstly, there is the question of which of the stake holder constituencies are most important to you. There are at least three constituencies involved here:
- Upstream developers. These are the people who are the consumers of the independent lines of development. Usually people go out of their way to feed patches and code in the preferred form acceptable to upstream; and it is in our interests to do so: the more code pushed upstream, the less work there is to do ourselves. People upstream want the patch submissions to be clean, not have extraneous crud that has to be removed, and would like a nice, clean, uncomplicated history. They care about descriptions of each patch in a series, but are not interested history, really (they do not care that it took 15 typographical and logic fixes to arrive at this juncture.) Upstreams want topic branches to be rebased to their latest version, so that the patches apply cleanly and are minimal.
- Downstream topic developers. These are people who are basing their work on your topic branches, and they develop code, and feed their changes back to you. If you rewrite history and rebase your topic branches, downstream developers will find it very hard to merge from you back into their development tree. Indeed, if you publish your topic branches for downstream developers to base their changes on, rebasing is not an option.
If you publish a branch (whether or not you mean downstream developers to base their work on it or not), your published repository will be set up by default to deny any non-fast-forward pushes. This is done for the reason we have been talking about -- it would make it impossible for others to track the code and merge it into their local clones. So, if you plan on publishing rebased branches (with warnings to downstream developers to only cherry pick from it), you still will have to force the push.
- The distribution and its users. This is a very important constituency; and most of us packaging software for distributions are doing all this work precisely for this constituency. Through the integration branch, this is a downstream branch – though one interesting case study uses a single rebased patch branch and throw away integration branches, using a patch series in the integration branch. Since you control the integration branch, this is not strictly downstream,
Now, depending on where you are on the totem pole, some of these constituencies are more important than others. At the very top, you don't have an upstream. For example, Git development. They just use a mainline, and a rebased pending updates branch. All their downstream is cautioned never to base work on the pending updates series. So, rebased lines of development work for them, since they are upstream, and that is the most important constituency in their work-flow.
If you are too low on the totem pole to have any downstream developers, and you can live with throw away integration branches, rebased lines of development work as well. But as soon as you have downstream developers or you are working with other people (yourself on your laptop is another person as well), rebasing stops being an option. A major advantage of a distributed SCM is for accessing the repository from different locations; if you do, rebase messes with that.
3 Patch flow characteristics on the topic branches
Are the stake holders the only factor in you decision? Not by a long shot. Take, for instance, the issue of how active your independent lines of development are, and how big the patch series is, and whether you want to do a functional test for each topic branch.
- Small, inactive topic branch
If you have a single, small patch ( a simple bug fix, for example), you can just create a branch, apply the bug fix to the integration branch, and just let the branch be.
As upstream development happens, it gets merged into the integration branch where you have already merged your bug fix branch
- if there is no conflict on the integration branch, don't do anything.
- If there is a conflict, then you have a couple of options:
- resolve the conflict on the integration branch, and merge the mainline into the topic branch (aka bug fix branch), resolve the conflict the same way you did in the integration branch, and let it be. This is delayed integration into topic branches.
The problem is that with this method you can never merge back into the integration branch without any conflicts: since now you have two different commits on the topic branch and the integration branch making the same changes. This is only feasible if you only cherry pick real changes from your topic branches into your integration branch, and it makes easier to miss fixes (since you are making the same change twice).
- Back out the merge on the integration branch. Merge the upstream into the topic branch, resolve the conflict, and then merge that fix into the integration branch.
- resolve the conflict on the integration branch, and merge the mainline into the topic branch (aka bug fix branch), resolve the conflict the same way you did in the integration branch, and let it be. This is delayed integration into topic branches.
It might be better just to merge upstream into your topic branches first, resolving conflicts as you go, and then merge all topic branches into you integration branch, bringing in all the fixes. You might have to do some additional conflict resolution in the integration branch, depending on the overlap in your topics. This is the only viable option for larger or more active topic branches, so special casing for small topic branches is probably not worth the effort.
- Larger patch-sets
For a large patch on a topic branch, the chances are that you'll have to merge almost every upstream version, since the chances are higher of some changes overlapping; might as well get into a pattern of merging the upstream branch into all the topic branches, and, indirectly, the integration branch. Also, if there are downstream developers (more likely with large features like this), you need to keep the topic branch(es) up to date.
- Active development
If your topic branch is being actively developed, you need to constantly merge it into your integration branch. Whenever upstream updates happen, you need to merge the upstream branch into the topic branch, and then merge the topic branch into the integration branches. Again, delayed integration of the upstream branch into the topic branches is unlikely to work well, and works not at all if you have downstream developers basing their work on your topic branches.
4 Other factors
- Testing each topic branch independently
If you or a downstream developer need to compile and test each topic branch independently (instead of all together, in the integration branch), you must merge each upstream change into a feature branch. Rebasing or not depends on whether or not the branch has been published.
- Public or private topic branches
If your topic branches are public, then rebasing is out – unless you have strong warnings in place about people not basing their work on this branch. Rewriting history (which is what a rebase is) out from under people basing their work on yours is rude, and may cause a lot of work to stitch things back together.
- Team or collaborative development
If you are packaging software as a part of a team, team members need to have access to each other's branches (to pick up if you are busy, to see pending changes, to avoid duplication of work). This means public topic branches, and thus no rebasing.
5 Work-flow details
This section is the result of discussion with Bart Trojanowski, and incorporates material from his private communication (with permission).
In the figures that follow:
- b#: bug fixes or orginial development
- d#: Debian releases
- m#: Just a merge node
Each one of these examples has upstream making four releases, labelled A, B, C and D. There are two topic or feature branches, labeled "topic/a" and "topic/b", one of which has two commits, and the other one has one commit. In all the examples, there are four Debian releases that happen during the interval tracked. I have created these examples with an explicit upstream tracking branch; you can get away with fetch and origin/naster if you do not want a local tracking branch. The dotted lines represent a topic branch earlier in the history of the workflow which got rebased away (to get the final state, pretend that the nodes linked by the dotted lines do not exist.)
5.1 Merging the topic branches
This case is pretty straight forward. All the branches are available to eveyone, and work may be based off any of them. However, the branch history, for any topic branch, is full of merge nodes where code from upstream was merged, which some people see as clutter.
What do maintainers do?
git checkout upstream git pull origin git checkout topic/a git merge upstream git checkout topic/b git merge upstream git checkout master git merge topic/a topic/b # do the release thing git commit
5.2 Rebasing the topic branches
As mentioned earlier, The dotted lines represent a topic branch earlier in the history of the workflow. I want to stress that his work-flow has limited utility; and only when you do not have people basing their work off your banches. Since you never know who might want to base their work off you in the future …
In this case, the release is made off a throw away release branch, which essentially becomes unusable as soon as a new upstream release comes and there is a rebase operation. However, at any given time, the rebased topic branch is nice, clean, and rebased against the latest upstream, making it really easy to feed patchs into the upstream code.
However, downstream developers are seriously incovenienced, since all the branches are either thro away or rebased.
What do maintainers do?
git checkout upstream git pull origin git checkout topic/a git rebase upstream git checkout topic/b git rebase upstream # create throw away branch git checkout -b release-A upstream git merge topic/a topic/b # do the release thing git commit
5.3 Rebase & merge
The scenario is identical to the rebase case, witht he difference that we carry an additional set of branches around for the downstream folks, but we still release from throw away branches. This is almost strictly worse than the next case, since derivative distributors for not have a stable branch from which the packages are built – since we are building packages from a throw away branch.
In the figure, the two "for downstream" branches are never rebased, always merge with upstream, and cherry pick changes from the current topic branches. If there is overlap, integration work will have to be done separately in the "for downstream" branches (but will often be the same disambiguation logic as was needed when rebasing the topic branch). The "for downstream" branches are just like the branches in the pure merge case above; with the difference that merges into the master branch are not happening (since we do not have a long lasting integration branch in this scenario).
What do maintainers do?
Note:: I do not yet understand what the reset and merge -s are doing.
git checkout upstream git pull origin git checkout topic/a git rebase upstream git checkout topic/b git rebase upstream git checkout downstream/a git branch tmp/a git reset --hard downstream/a git merge -s ours tmp/a git branch -d tmp/a git checkout downstream/b git branch tmp/b git reset --hard downstream/b git merge -s ours tmp/b git branch -d tmp/b # create throw away branch git checkout -b release-A upstream git merge topic/a topic/b # do the release thing git commit
5.4 Merge & rebase
This is my preferred mechnism. I only create the submit branches on demand; and the submit branches are cherry picked and rebased from the topic branches when I am ready to submit patches upstream – so in reality, my work-flow is really like the plain merged branches above, with the proviso that I can create the submit branches easily if I needed.
The submit branches, when they exist, look very much like the topic branches in the pure rebase case, except that we never gather them to make a release (since the release is done off the topic branches, not the submit branch set).
What do maintainers do?
git checkout upstream git pull origin # the submit branch creation is optional git checkout submit/a git rebase upstream git checkout submit/b git rebase upstream git checkout topic/a git merge upstream git checkout topic/b git merge upstream git checkout master git merge topic/a topic/b # do the release thing git commit
6 Conclusion
Based on which stake-holders you have, and which ones are most important to you, how big your topic branch differences are, and how active the topic development is, you can decide whether or not you rebase or merge, and whether you do delayed integration into topic branches or not.
Now for my personal preferences: I am low down on the totem pole, mostly, but I like to publish my topic branches. So I will not rebase my public topic branches. I will have persistent integration branches, since derived distribution folks are likely to need that. I will also always merge new upstream into my topic branches, just in case someone is basing their work off my public topic branch.
But since I have to cater to upstream as well, I plan on having a private, rebasable submission branch for each topic; and cherry pick original commits from the topic branch on to that. The submission branches will be rebased before submitting to the latest upstream version before submission, or more often if I feel like doing so.
The topic branches will be named "topic/foo". submission branches will be named "submission/foo", and there will be a "tmp/bar" name space for ephemeral branches. This will make it easier to script things like new upstream versions.
7 Acknowledgements
Thanks to Martin F. Krafft and James Vega for reviewing this article, and providing feedback and corrections, and many people involved in the vcs-pkg project for the material this analysis is based on. A special mention should be made about Bart Trojanowski, who provided ideas about concrete solutions for handling topic branches.
Author: Manoj Srivastava
Tales From The Gryphon
07March2005
Securing Debian: SELinux integration into Etch
Well, yes, that sounds somewhat pompous. But I do think this is a worthwhile release goal; from where I stand I think that hard-hat security is a critical option for any OS to remain viable in the current security conscious environment, and Debian, after a period of being well ahead of the curve (thanks to Russell Coker, Colin Walters, Brian May, and others), has fallen well behind entities like Red Hat and Gentoo when it comes to providing a hardened, secure platform.
So, along with a few other people (Greg T. Norris, Lorenzo Garcia-Heirro), I have started a mini project to bring Debian’s SELinux patched packages back in sync with the latest upstream and the latest SELinux patches, and to make it easier for Debian developers to access SELinux patches. The only package that is ready to go is coreutils
, and that is thanks to Greg.
I’ve just come back from the Se-Linux symposium, followed by the Central Pennsylvania LUG Security conference, which was a lot of fun. I also managed to get myself talked into upgrading to the X Org server, which is to be 3expected after spending two days sitting Next to Jim Gettys at a conference watching the neat gizmos.
And, if I get through this key signing process, I may get my key connectivity ranking up again (also thanks to getting it signed by Russell Coker). Of course, due to my weird key signing protocol this is more tedious than the norm, but hey, that’s what you get for trying to add value to your signature