[CALUG] July 10 Meeting Announcement - Demystifying SELinux

Bryan J Smith b.j.smith at ieee.org
Mon Jul 1 13:20:40 EDT 2013


On Mon, Jul 1, 2013 at 12:10 PM, Chuck Frain <chuck at chuckfrain.net> wrote:

> ...
> At the end of the talk you’ll be flying high with your new understanding
> of SELinux and be ready to take on the world. Next time someone says
> SELinux, instead of having that nauseous feeling in the pit of your
> stomach, you’ll be able to stand tall and say “Wait a minute! I saw a
> talk on SELinux and I know WTF it’s saying to me!”
> ...
> About Dave Quigley
> David Quigley started his career as a Computer Systems Researcher for
> the National Information Assurance Research Lab at the NSA where he
> worked as a member of the SELinux team. David leads the design and
> implementation efforts to provide Labeled-NFS support for SELinux. David
> has previously contributed to the open source community through
> maintaining the Unionfs 1.0 code base and through code contributions to
> various other projects ...


Just to tack on to this ...

Beyond the various SELinux sessions at Summit [1] a few weeks ago, along
with the RHEL Roadmap [2], I know many of you use Linux Containers (lxc).
So I want to bring up another presentation you might be interested in,
especially since "Security" comes up a lot when lxc are talked about.

The lxc approach has been not only a focus in Fedora, but also with using
SELinux to sandbox them, the combination being planned for RHEL7 in various
forms. [3]  For those of you deploying the entstream (Enterprise Stream),
possibly a Rentstream** (Rebuild Enterprise downStream), the latter
document provides Red Hat's planned RHEL7 combined lxc + kvm strategy (not
including RHEV), and how they will and won't overlap in capabilities.

And regarding David's most excellent work on NFS 4.2 Labels, there was a
related presentation on NFS [4] with more information as well, a very
missing piece of SELinux for Enterprise making use of NFS, such as NFS4
with GSSAPI security options (e.g., sec=krb5p).  This includes a new proxy
approach to keytabs in GSS-proxy, along with FedFS and other details.
Combined with Identity Management (IdM) via Identity, Policy, Audit (IPA)
[5], if you're using NFS and really want to get to NFS4 sec=krb5[ip] with
GSSAPI security, these are developments you might be interested in.

I know many users of many distros are recommending the System Security
Services Daemon (SSSD) over separate, legacy PAM/NSS modules, and some are
even building the IPA Client to make integration easier as well, but the
GSS-proxy might be an added solution for different systems that vary in
their support.

Again, just FYI.  I didn't want to detract from David's presentation, so I
didn't want to talk SELinux 101.  I just wanted to provide supplementary
links once you get using SELinux to realize where it's going.  I.e., I
professionally see it most requested with kvm and, for those who use them,
lxc, because no one wants users breaking out of a Hypervisor and going
promiscuous on network interfaces (e.g., tapping traffic/VLANs used by
instances).  The NFS4.x developments are also of interest, both for SELinux
labels (which David is involved with) as well as GSSAPI for
authorization/privacy in communication/payloads.

-- bjs

References:
[1] http://www.redhat.com/summit/2013/presentations/
[2] http://rhsummit.files.wordpress.com/2013/06/dumas_w_0120_rhel_roadmap1.pdf
[3] http://rhsummit.files.wordpress.com/2013/06/sarathy_w_0340_secure_linux_containers_roadmap.pdf
[4] http://rhsummit.files.wordpress.com/2013/06/dickson_t_0230_evolvingimprovingredhatenterpriselinuxnfs.pdf
[5] http://rhsummit.files.wordpress.com/2013/06/saldhana_dpal_f_0945_stitching_infrastructure.pdf

**Just a term I started using so it doesn't favor any distro over another.
DISCLAIMER: I hung around with the co-maintainer of Scientific Linux at
Summit, and mentioned my thoughts of not calling any [R]entstream by brand
name (or Red Hat(R) for that matter).  I am also trying to coin the term
"Free Rent" because everyone needs a place to live that is maintained
long-term by others (after all, what Red Hat does is more like
"maintaining," but returns the investments upstream as well), but not
everyone can always afford it (e.g., companies operating in the red,
instead of black).
"Free Rent ... in the Rentstream (Rebuilt ENTerprise downStream)"
 - http://bjs-redhat.livejournal.com/5147.html


--
Bryan J Smith - Professional, Technical Annoyance
b.j.smith at ieee.org - http://www.linkedin.com/in/bjsmith