Securing Debian: SELinux integration into Etch


For the longest time, Russell Coker has been carrying the torch of SELinux on Debian (helped, in the past, by Colin Walters and Brian May). Indeed, Russell's site is currently the only way to get an SELinux installation running on Debian, though SELinux is beginning to be accepted into mainstream Debian (for example, SELinux support is now included in the Debian kernels in the unstable branch).

Please have a look at Russell's site for details on how to proceed on setting up SELinux on Debian Sid.

There has also been interest in creating an SELinux UML, since it allows rapid testing of policies and packages, and lets one observe how the machine reacts to threats and other stimuli. However, creating a UML that can be run in enforcing mode has traditionally been tedious. A recipe for doing so has been created, and is kept up to date with new kernel versions and newer versions of the SELinux and UML patches. Effort is underway to create a more flexible, automated, and configurable tool to help generate the root file systems that can be used for UML instances, or for stand-alone installations.

User land packages

In addition to the core SELinux code, certain SELinux-patched user-space packages are required to use SELinux. These packages were initially provided as a convenience by the NSA, but it has now delegated maintenance of these patches back to the community. A reference set of SELinux user-land patches is available in the public Fedora CVS tree. Red Hat's Fedora distributions have fully embraced SELinux, and have been keeping the patches updated with new versions of these user-land packages.

So this mini project is an effort to bring Debian's SELinux-patched packages back in sync with the latest upstream and the latest SELinux patches, and to make it easier for Debian developers to access SELinux patches. What one can find here are the original Fedora patches, as well as patches massaged for Debian's versions of the packages. To facilitate SELinux-related work, there is also a separate arch repository in which the Debian work on these user-land packages and the corresponding SELinux branches is tracked. The archive registration command is as below:

~% tla register-archive \
    http://arch.debian.org/arch/private/srivasta/archive-2005-selinux

As these packages come along, I shall attempt to create an apt-able repository for them on people.debian.org. To use it, put the following in /etc/apt/sources.list and run aptitude update. The archive is also signed, and the public key for the Release.gpg file can be downloaded from here.

deb http://people.debian.org/~srivasta/ packages/
deb-src http://people.debian.org/~srivasta/ packages/

DPKG

Dpkg is the primary package management system for Debian systems. It handles the installation and removal of packages on a Debian system. Since it is used for the initial installation of packages, special care must be taken to ensure that the component file system objects end up in the appropriate domain, rather than in the sysadmin_t domain, which would normally be the case for things created by the system administrator.

As of version 1.13.10, SELinux support is compiled into dpkg (statically linked). The upstream repository for dpkg is browsable. As part of the SELinux effort, a set of branches has been tagged off from upstream, and is available here.

Repository links

dpkg--stable
The stable upstream DPKG branch, meant for Sarge.
dpkg--devel
The upstream development branch for dpkg. This is meant for Etch -- and since Etch can promote libselinux1 to an essential priority, this branch of dpkg could be linked against libselinux1.
dpkg--selinux-old
Russell Coker's modifications to dpkg, which introduce {pre,post}{inst,rm}.d/ directories to label installed package files correctly, using setfiles. Unfortunately, these changes were deemed too far reaching, and really suboptimal, by dpkg authors, since they were not comfortable introducing the general purpose hook directories, which could lead to non-deterministic behaviour, and could be open to all kinds of abuse.
dpkg--selinux
A new modification of dpkg, using SELinux library calls (matchpathcon and setfilecon) to set the security context of component files just after unpacking. This approach may be more acceptable, since it does not create a whole set of directories that are open to potential abuse, and fits in with the chown/chmod calls that dpkg already makes.

Please note that while dpkg--selinux-old branch is tagged off the dpkg--stable branch, the dpkg--selinux branch is tagged off the dpkg--devel branch.

Bug numbers

None needed

SSH

Ssh (Secure Shell) is a program for logging into a remote machine and for executing commands on a remote machine. This is an implementation of the IETF secsh working group's specification of the Secure Shell protocol. Since it logs in to a system on behalf of a user, it needs to be modified to set the security context of the process. The Fedora Core patch can be found in the Fedora Core CVS repository.

The public repository of the Debian development is not available directly, since it is hosted as a CVS repository on chiark, which does not offer public pserver access. However, a full repository tarball is available, updated daily.

As of 4.1p1-4, openssh in Debian is compiled with SELinux support, so no patches are needed.

SYSVINIT

Init is the first program to run after your system is booted, and continues to run as process number 1 until your system halts. Init's job is to start other programs that are essential to the operation of your system. All processes are descended from init. The Fedora Core patch can be found in the Fedora Core CVS repository.

As of version 2.86.ds1-2, sysvinit in Debian is compiled with SELinux support, so no patches are needed.

Repository links

sysvinit--upstream--2.0
This branch contains the upstream releases of sysvinit.

Bug numbers

None needed

PAM

The Pluggable Authentication Modules library. Using this library, without rewriting or recompiling a PAM-aware application, it is possible to switch between the authentication mechanism(s) it uses. One may entirely upgrade the local authentication system without touching the applications themselves.

As of version 0.79-1, the PAM modules in Debian are compiled with SELinux support, so no patches are needed.

The Debian developer for PAM has a public repository on http://svn.debian.org/. Specifically, there are three parts to the packages:

Bug numbers

None needed

CRON

The cron daemon runs programs at specified intervals on behalf of users, and mails the output back. Since the programs are run on behalf of users, the security context needs to be set appropriately. The Debian package already contains the SELinux patches. The Fedora Core patches (and there are several) can be found in the Fedora Core CVS repository.

As of version 3.0pl1-88, cron in Debian is compiled with SELinux support, so no patches are needed.

Repository links

cron--upstream--3.0
This branch contains the upstream releases of Vixie cron.

Bug numbers

None needed

LOGROTATE

The logrotate utility is designed to simplify the administration of log files on a system which generates a lot of log files.

As of version 3.7.1-1, logrotate in Debian is compiled with SELinux support, so no patches are needed.

Repository links

logrotate--upstream--3.0
This branch contains the upstream releases of logrotate.

Bug numbers

None needed

devmapper

The Linux Kernel Device Mapper is the LVM (Linux Logical Volume Management) team's implementation of a minimalistic kernel-space driver that handles volume management, while keeping knowledge of the underlying device layout in user-space. This makes it useful not only for LVM, but for EVMS, software RAID, and other drivers that create "virtual" block devices.

As of version 2:1.01.04-2, devmapper/dmsetup in Debian are compiled with SELinux support, so no patches are needed.

Bug numbers

None needed

lvm2

LVM2 is the rewrite of the Linux Logical Volume Manager. LVM supports enterprise-level volume management of disks and disk subsystems by grouping arbitrary disks into volume groups. The total capacity of volume groups can be allocated to logical volumes, which are accessed as regular block devices.

As of version 2.01.14-1, lvm2 in Debian is compiled with SELinux support, so no patches are needed.

Bug numbers

None needed

COREUTILS

This package contains the essential basic system utilities, which are quintessential UNIX. Since it contains utilities like ls, id, cat, etc., several pieces need to be changed to be SELinux aware.

The Debian developer does not have a public repository for the code, and indeed ships a tar.bz2 archive in the source package, using dbs to unpack and patch the source on the fly. The implication of this is that all the changes made for Debian are consolidated into the ./debian directory (repository). This means that while I have branches below that reflect the unpacked source trees, they are mostly for the benefit of people auditing the code or not using Debian. For Debian, we just need to generate a patch between the Debian mainstream and the SELinux variant versions of the ./debian directory.

The code below is based on the work by Gregory T. Norris, and can be seen (along with the binary .deb packages) on his people.debian.org site. The Fedora Core patch can be found in the Fedora Core CVS repository. The source package for coreutils 5.2.1-2.gn1, as well as the binary package coreutils 5.2.1-2.gn1, is provided in the repository mentioned above.

Repository links

coreutils--upstream
The upstream release branch for coreutils.
coreutils--debian
This is the unpacked, and patched, source tree from which the actual Debian package is built.
coreutils--selinux
This is the unpacked, patched, source tree, including SELinux related patches, from which the SELinux aware Debian packages should be created.
debian-dir--coreutils
This is the ./debian/ directory shipped with the Debian source package. Since coreutils uses dbs, this contains all the patches that have been applied to the actual source tree.
debian-dir--coreutils-sel
This is the SELinux patched version of the ./debian/ directory. As above, it contains all the patches applied to the SELinux patched source tree.

Patches

There are three separate patches that need to be applied in sequence.

Bug numbers

Bug#312426, Bug#193328


Manoj Srivastava <srivasta@debian.org>