BLAG

BLAG Forums
All times are UTC

 Post subject: selinux and Blag
PostPosted: Sat Jan 20, 2007 7:59 am 

Joined: Sat Mar 18, 2006 8:33 pm
Posts: 26
Location: Brunswick, MD, USA
First a short introduction. I'm not a new user, but a returning one. I operate a television production studio in Northern Virginia, USA, and have been in audio video production since the late 60's. I became interested in blag because I'd been searching for a Linux distro that was heavily focussed on the creative content production community and had found other attempts such as dyne:bolic and mediainlinux to be wanting. My preferred distro has been Fedora for the past 3.5 years because I found it to be the perfect combination of cutting edge software rapidly introduced, substantial but not overly intrusive corporate backing to give it necessary resources, and a huge community of end-users that made support stellar. Then I found blag. Kudos to Jeff and the rest of the development team for your efforts - the progress since I tried blag last year is impressive. I think you're treading a path that resolves one of the principal downsides of Fedora, balancing the need for rapid development with making the distro a bit less unwieldy by reducing the need to periodically wipe and reinstall to keep on the cutting edge - much could be said about that issue, but I digress.

So to my question. To preface it, I recently started what may have become the longest running thread in the history of the Fedora list - I haven't done the actual numbers, but, it's certainly in the running. I posted a small extract from an old article questioning the discovery of a possible back door in the Windows operating system for the U.S. National Security Agency. I followed the quote with a link to the entire article and then posed the simple question, "what about Fedora and selinux?" That thread has now run for several days, and still seems to have steam though it's tending towards a shouting match at this point.

Question: I've noticed that Selinux is disabled on default installation of blag. Is that it, is it simply disabled or has more than that been done? If it is simply disabled, are there any caveats to turning it on?

_________________
Claude Jones
Brunswick, MD USA


PostPosted: Sat Jan 20, 2007 2:29 pm
Site Admin

Joined: Sun Mar 14, 2004 3:17 pm
Posts: 4492
Location: Loveland, Colorado, USA
The way it is disabled in blag is a bit more "thorough" than the way Fedora disables it. We disable it with "selinux=0" at the kernel boot line, whereas Fedora just uses a config file, so with their setup it does get loaded into the kernel. I opened a bug report with them but it got closed as NOTABUG.

https://bugzilla.redhat.com/bugzilla/sh ... ?id=145881

If you were to re-enable selinux you'd likely have to re-label your filesystem. We have selinux=0 when the CD boots too.

As for the NSA having code in there, I'm sure they know a few holes into the Linux kernel and various programs common in GNU/Linux distros...

-Jeff


PostPosted: Sat Jan 20, 2007 2:50 pm
Site Admin

Joined: Sun Mar 14, 2004 3:17 pm
Posts: 4492
Location: Loveland, Colorado, USA
Heh. That is a huge thread....

Starts here:
https://www.redhat.com/archives/fedora- ... 01901.html

Interesting to see someone from the NSA itself chime in frequently (Stephen Smalley).


PostPosted: Sat Jan 20, 2007 4:10 pm

Joined: Sat Mar 18, 2006 8:33 pm
Posts: 26
Location: Brunswick, MD, USA
jebba wrote:
Heh. That is a huge thread....

Starts here:
https://www.redhat.com/archives/fedora- ... 01901.html

Interesting to see someone from the NSA itself chime in frequently (Stephen Smalley).


The thread just exceeded 200 replies this morning, and that's not counting a small fork that split off. I've followed the measured responses carefully, and have had numerous private messages sent to me with further leads for follow-up. I tend, after having spent some not inconsiderable time on this, towards believing the argument that the back door is probably not an issue - that the open source nature of the contribution makes the scrutiny too intense for the NSA to try such a thing, and that whatever the reasons the NSA chose to involve their resources in the project, creating the back door was not one of them. That's not to say I would consider the true reasons for their involvement to be totally benign. But those are purely my conjectures, and I wouldn't remotely characterize my position as scientific. As far as Dr. Smalley is concerned, he's been on the list for a long time, and has always been a positive contributor to discussion of resolving problems. As I stated in the thread, I do run Selinux on all my FC boxes, and I've filed a couple of bug reports - I've had very few problems with it, and until I find more convincing arguments regarding malevolent intentions for it, I'll probably keep running it. The only other thing I wonder about it is how much of a resource drain it constitutes - as I get more and more into my hoped-for project of transferring my video editing to the Linux OS, resources become more and more an issue due to the major demands of software based video editing apps. So, that's another issue of concern behind my question. If anyone has any insights to the resource question, I'd really like to hear them.

_________________
Claude Jones
Brunswick, MD USA


PostPosted: Sun Jan 21, 2007 12:24 am
Site Admin

Joined: Sun Mar 14, 2004 3:17 pm
Posts: 4492
Location: Loveland, Colorado, USA
Well, it /does/ take a resource hit, and probably a pretty big one. You'd have to benchmark your apps in particular to really know. I have a (worthless?) hunch that one of the main speedups people see in BLAG as compared to fedora is that we have selinux nixed.

How do we know you're not in the NSA? ;)


PostPosted: Sun Jan 21, 2007 1:27 am

Joined: Sat Mar 18, 2006 8:33 pm
Posts: 26
Location: Brunswick, MD, USA
jebba wrote:
Well, it /does/ take a resource hit, and probably a pretty big one. You'd have to benchmark your apps in particular to really know. I have a (worthless?) hunch that one of the main speedups people see in BLAG as compared to fedora is that we have selinux nixed.

How do we know you're not in the NSA? ;)


I can safely presume I'm in their database '-)

_________________
Claude Jones
Brunswick, MD USA


PostPosted: Sun Feb 18, 2007 8:22 pm

Joined: Sun Feb 18, 2007 6:54 pm
Posts: 21
Hi! Security geek here.

I've followed a little of the selinux discussion, and saw mention in one thread of SuSE's alternative approach ("AppArmor"). I don't know whether or not it would run afoul of BLAG's standards regarding free software (it was commercial, but was made "free" as in beer, and was then open-sourced as well), but it does seem to be a better product. The security is roughly as good, but it is much easier to configure and use, the overhead is much lower, and it doesn't demand anything special of the filesystem. I haven't yet tried porting it into a distro, but someone claimed that doing so was easier than writing a single selinux configuration file. Comparison of the two may be found here: http://www.linux-magazine.com/issue/69/ ... ELinux.pdf

For the record: I have no connection whatsoever with SuSE, and have serious misgivings about the direction that Novell's going in. But I am willing, within limits, to take and use good things which come from questionable quarters -- particularly when it's a matter of replacing something which comes from an even creepier place.


PostPosted: Sun Feb 18, 2007 8:32 pm
Site Admin

Joined: Sun Mar 14, 2004 3:17 pm
Posts: 4492
Location: Loveland, Colorado, USA
I'll dwell on AppArmor for a while.... ;)


PostPosted: Wed Jan 14, 2009 7:45 am

Joined: Sat Aug 16, 2008 1:12 am
Posts: 8
Quote:
particularly when it's a matter of replacing something which comes from an even creepier place.


Sorry to be a troll...but I have to agree with that. The NSA (or Canada's CSIS, the UK's SIS/MI5, &c.) may want to traipse through your computer, but what will they find--anti-Bush diatribes (your computer)? Pervarazzi pics of starlets and power-pop mp3s (my computer)? Embarrassing crossdressing coprophagia pictures on someone else's computer? All they'll do is laugh... What you really have to worry about are all the criminals who want to get your credit card and/or SIN, learn the whereabouts of your children, and stuff like that.

Here in Canada, there was an extraordinary incident you may have heard of, involving the Canadian Human Rights Commission and Richard Warman. For the uninitiated, the CHRC, like its Provincial sisters, was originally created to stop things like people refusing to rent homes to people because of their race. However, it's morphed into an Orwellian system that targets politically-incorrect speech. Funny thing is, radical Islamists--spouting the most vicious anti-Semitic, violently homophobic hate libel--are never taken to task... Anyhow, Warman and his CHRC cohorts hacked into some poor woman's computer and used it to post racist hate stuff on a Neo Nazi bulletin board, as part of an entrapment plan.

Imagine all the horrible things people can do with your computer. Even worse than emptying your bank account, imagine being used as a proxy for trading kiddie porn, posting death threats and hate speech, or even plotting organized crime activities or terrorist attacks. Selinux was developed by the NSA, to keep their systems secure. They made it open-source, so zillions of other people could maintain, debug and develop it for them without them having to spend one red cent. This is why Sun open-sourced Solaris, why IBM likes free software, &c. Just vulgar economics.

Adam


PostPosted: Wed Jan 14, 2009 6:38 pm

Joined: Fri Nov 18, 2005 3:07 am
Posts: 699
I think the real reason Fedora tries to make people use selinux is to get the bugs out for a stronger Redhat product. I see no reason for selinux to run on a workstation or even most servers.


PostPosted: Tue Jul 21, 2009 10:29 am
Site Admin

Joined: Sun Mar 14, 2004 3:17 pm
Posts: 4492
Location: Loveland, Colorado, USA
https://bugzilla.redhat.com/show_bug.cgi?id=145881

BLAG used "selinux=0" at boot fwiw.

Quote:
Actually NOTABUG, turns out to be a bug that gives local root access (without
need of suid pulseaudio). Bummer.

http://lwn.net/Articles/342460/
Posted Jul 20, 2009 22:15 UTC (Mon) by spender (subscriber, #23067)
In reply to: mmap_min_addr and security modules by corbet
Parent article: Fun with NULL pointers, part 1

That's not the right check. security_file_mmap (which is either set by the
capabilities module or overridden by the SELinux module) is what implements the
final check. The one you pasted doesn't even apply for MAP_FIXED but is just to
ensure that the allocator doesn't choose an address below mmap_min_addr when
only a hint is specified.

If SELinux is compiled into the kernel, it needs to be disabled at boot via the
kernel command-line, otherwise it registers its hooks with LSM and overrides
that of the capabilities module for security_file_mmap which performs the
mmap_min_addr check.

-Brad
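
A defender's check for the distinction drawn in this thread, as an added example (not code from the forum posters, BLAG or Fedora): it classifies a host as having SELinux disabled on the kernel boot line (`selinux=0`) or only in the config file. The function names, output labels and sample inputs are assumptions made for illustration; `/proc/cmdline`, `/etc/selinux/config` and `/proc/sys/vm/mmap_min_addr` are the standard locations.

```shell
#!/bin/sh
# Added example: tell apart the two ways of "disabling" SELinux discussed above.

# Print the value of the last selinux= token on a kernel command line, or "unset".
selinux_boot_param() {
    val=$(printf '%s\n' "$1" | tr ' \t' '\n\n' | sed -n 's/^selinux=//p' | tail -n 1)
    printf '%s\n' "${val:-unset}"
}

# Print the SELINUX= mode from the text of /etc/selinux/config, or "unset".
# Comment lines and SELINUXTYPE= do not match the pattern.
selinux_config_mode() {
    mode=$(printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([a-z]*\).*/\1/p' | tail -n 1)
    printf '%s\n' "${mode:-unset}"
}

# classify CMDLINE CONFIG_TEXT -> boot-disabled | config-disabled | mode:<value>
classify() {
    if [ "$(selinux_boot_param "$1")" = 0 ]; then
        echo boot-disabled        # selinux=0 on the boot line (BLAG's approach)
    elif [ "$(selinux_config_mode "$2")" = disabled ]; then
        echo config-disabled      # config file only (the Fedora approach in the thread)
    else
        echo "mode:$(selinux_config_mode "$2")"
    fi
}

# Report for the running host; missing files are treated as empty.
report_host() {
    cmdline=$(cat /proc/cmdline 2>/dev/null || true)
    config=$(cat /etc/selinux/config 2>/dev/null || true)
    echo "selinux: $(classify "$cmdline" "$config")"
    echo "mmap_min_addr: $(cat /proc/sys/vm/mmap_min_addr 2>/dev/null || echo unknown)"
}

# Constructed sample inputs (not taken from any real host).
SAMPLE_CFG='# SELINUX= can take one of: enforcing, permissive, disabled
SELINUX=disabled
SELINUXTYPE=targeted'
classify 'ro root=/dev/sda1 quiet selinux=0' "$SAMPLE_CFG"
classify 'ro root=/dev/sda1 quiet' "$SAMPLE_CFG"
```

Call `report_host` on a live system; a `config-disabled` result is the case the quoted comment describes, where SELinux is compiled in but not switched off on the command line.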


PostPosted: Sat Apr 03, 2010 3:20 am

Joined: Sat Apr 03, 2010 2:42 am
Posts: 2
===snip

Quote:
Imagine all the horrible things people can do with your computer. Even worse than emptying your bank account, imagine being used as a proxy for trading kiddie porn, posting death threats and hate speech, or even plotting organized crime activities or terrorist attacks. Selinux was developed by the NSA, to keep their systems secure. They made it open-source, so zillions of other people could maintain, debug and develop it for them without them having to spend one red cent. This is why Sun open-sourced Solaris, why IBM likes free software, &c. Just vulgar economics.

Adam


I know this is an old thread, but it is still relevant. No, I don't work for NSA or any of the other spooks or semi-spooks so I have no direct knowledge about backdoors or other tracking, etc. elements that might exist in selinux.

Adam is correct that a big reason for releasing it as open source is to get free improvements, but have you looked at it from the other end of the barrel?

If you develop or improve anything in it and have your name, handle or other paw prints on your work then NSA has you in their sights as potentially someone sufficiently skilled to be a threat to them or the powers that be, governmental or corporate.

The key to remember is that it is amalgamated data that creates a profile or identity that can be tracked and if they feel like, made harmless by one means or another.

Yeah, label me paranoid if you wish, but look at how many times we find out about black bag jobs years after they are done and gone. The same might, only might, be true here.

I deal in risk management. There are really only four responses to risk: acceptance, transfer, mitigation and avoidance. Running selinux is risk acceptance even if the risk is so small that it can not be seen. Can't really transfer risk in this instance and how do you mitigate a risk if you don't know what it is? Given that there really is no such thing as "no risk" the only smart move is risk avoidance. Just don't play with their toys and you are much less likely to be burnt.

It might seem OT, but read Naomi Klein's "The Shock Doctrine." You can get a quick overview on the net by looking her up with the words shock-doctrine. This will give you some idea of how far the Chicago School of Economics way of thinking has become pervasive. FLOSS threatens corporate profits of many companies in addition to Micro$loth because they can't use DRM to slip their hands into your pockets like Wall Street did with the "bailout."

As to actual "backdoors," etc., I'm about as certain that money has been spent on very clever programming as that the sun will rise tomorrow. It's a mighty big black budget they have to play with. Given how many of the new PhD mathematicians they hire every year I'm sure they are thinking about how to leave bread crumbs to follow.

Oh, BTW Ixquick is the only search engine that doesn't save your search terms or IP address. Check it out.


PostPosted: Tue May 04, 2010 2:21 pm

Joined: Sat May 01, 2010 8:52 pm
Posts: 9
Quote:
Oh, BTW Ixquick is the only search engine that doesn't save your search terms or IP address. Check it out.


Cuil? They *say* they don't.


PostPosted: Tue May 04, 2010 6:11 pm

Joined: Mon May 19, 2008 10:54 am
Posts: 65
impert wrote:
Quote:
Oh, BTW Ixquick is the only search engine that doesn't save your search terms or IP address. Check it out.


Cuil? They *say* they don't.


Afaik cuil.com is the only one not saving queries at all. ixquick saves for 48h and so does https://ssl.scroogle.org/

