The Practical Part Starts Now
May 27th, 2007 By shazkhan

As soon as I am done with Recluze, I am going to start working with IPsec and SELinux, now that my literature survey is complete (I think so). Next I plan to get some help from Mr. MMA to let me in on his findings regarding how to stack IMA on SELinux.

I personally think using the TPM's PCRs will be another good option instead of IMA, because IMA has more than I need. But according to Mr. MMA it's very problematic. Sir, have you tried to copy the technique IMA uses to address the PCR?
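The "technique IMA uses to address the PCR" is the TPM extend operation: each file measurement is folded into a PCR as SHA1(old PCR || measurement), and the measurement list is later replayed to check the PCR value. The simulation below is an added illustration, not code from the post, IMA or any TPM; it assumes a SHA-1, 20-byte register starting at zero and simplifies IMA's template hash to the bare file hash.

```python
import hashlib

# Constructed simulation of the TPM 1.2 extend operation that IMA uses
# (assumption: SHA-1, 20-byte register, initial value all zeros; real IMA
# extends PCR 10 with a template hash, simplified here to the file hash).
PCR_INIT = bytes(20)

def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR_new = SHA1(PCR_old || measurement). A PCR is never
    written directly, so history cannot be rewritten, only appended to."""
    return hashlib.sha1(pcr + measurement).digest()

def measure_files(files):
    """Measure each (path, content) pair in load order, extending a simulated
    PCR. Returns the final PCR value and an IMA-style measurement list."""
    pcr, log = PCR_INIT, []
    for path, content in files:
        file_hash = hashlib.sha1(content).digest()
        pcr = pcr_extend(pcr, file_hash)
        log.append((file_hash, path))   # the entry IMA would expose to userspace
    return pcr, log

def verify_measurement_list(log, reported_pcr: bytes) -> bool:
    """Attestation check: replay the list through extend and compare with the
    PCR value the TPM reported. Any edit, omission or reordering breaks it."""
    pcr = PCR_INIT
    for file_hash, _path in log:
        pcr = pcr_extend(pcr, file_hash)
    return pcr == reported_pcr

if __name__ == "__main__":
    # Constructed sample "files"; contents stand in for real binaries.
    files = [("/bin/ls", b"constructed ls binary"), ("/etc/passwd", b"root:x:0:0")]
    pcr, log = measure_files(files)
    print("PCR:", pcr.hex(), "list valid:", verify_measurement_list(log, pcr))
    tampered = [(hashlib.sha1(b"evil").digest(), "/bin/ls")] + log[1:]
    print("tampered list valid:", verify_measurement_list(tampered, pcr))
```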

Side by side, I am trying to understand the functionality of Tresys' Policy Management Server and the module support it provides for policies, because I am looking to incorporate it into a distributed MAC implementation.

One thing that confuses me (this is for Mr. TAT and Mr. MMA): can we skip DAC if we use MAC? Is using MAC enough for the OS requirements?

If we could just have a few more people, we could start adjusting applications for MAC implementations! It's also a good idea for BSc/BCS projects. We could also move towards LDAP, NIS, etc.

12 Responses to "The Practical Part Starts Now"
 
alam78
May 28th, 2007

I agree with your point of view. IPsec is really the part that we can work on together for an implementation. We can divide the tasks and start working on the implementation. I will provide you my findings regarding IMA and SELinux stacking.

Your question regarding DAC
Answer: DAC is the security check of the original Linux/Unix distributions. There was a very big effort to integrate SELinux (MAC) into the main Linux distributions. Still, many application areas, like the network one you identified, need to be pure-MAC based. So if MAC is not fully integrated into the application areas, how can one think of leaving DAC? It will take time, I think. Secondly, within the Linux community, I have noticed that changes come very slowly and there is a proper forum for that. Even the NSA had to do "a lot" to convince the Linux community to integrate SELinux into the original Linux kernel. IBM's IMA is another example.

Best,
MM Alam
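The answer above says DAC stays in place and MAC is layered on top. The model below, added here as an illustration rather than code from the post or from SELinux, mimics the kernel's ordering: the DAC check runs first, then the LSM hook, and the MAC layer can only further restrict. The `use_dac=False` switch is an assumption added to show what "skipping DAC" would give up; the policy rules, uids and paths are constructed.

```python
from collections import namedtuple

File = namedtuple("File", "path owner mode label")    # label = SELinux type
Process = namedtuple("Process", "uid domain")         # domain = SELinux domain

# Constructed type-enforcement rules: (domain, type) -> permissions allowed.
TE_POLICY = {
    ("httpd_t", "httpd_config_t"): {"read"},
    ("sysadm_t", "shadow_t"): {"read", "write"},
}
PERM_BIT = {"read": 4, "write": 2, "exec": 1}

def dac_allows(proc, f, perm) -> bool:
    """Unix DAC: uid 0 overrides; the owner uses the user bits, everyone else
    the other bits (group bits left out of this simplification)."""
    if proc.uid == 0:
        return True
    bits = (f.mode >> 6) & 7 if proc.uid == f.owner else f.mode & 7
    return bool(bits & PERM_BIT[perm])

def mac_allows(proc, f, perm) -> bool:
    """Type enforcement: everything is denied unless an allow rule exists."""
    return perm in TE_POLICY.get((proc.domain, f.label), set())

def access(proc, f, perm, use_dac=True) -> str:
    """Kernel ordering: DAC first, then the LSM (MAC) hook. MAC can only
    restrict further; it never grants what DAC denied. use_dac=False is an
    assumption modelling the 'skip DAC' question from the post."""
    if use_dac and not dac_allows(proc, f, perm):
        return "denied by DAC"
    if not mac_allows(proc, f, perm):
        return "denied by MAC"
    return "allowed"

if __name__ == "__main__":
    shadow = File("/etc/shadow", 0, 0o600, "shadow_t")
    admin = Process(uid=1000, domain="sysadm_t")   # ordinary uid, privileged domain
    web_root = Process(uid=0, domain="httpd_t")    # root uid, confined domain
    print(access(admin, shadow, "read"))                 # denied by DAC
    print(access(admin, shadow, "read", use_dac=False))  # allowed once DAC is gone
    print(access(web_root, shadow, "read"))              # denied by MAC
```

Each layer catches a case the other misses: DAC stops the unprivileged uid in a privileged domain, MAC stops root in a confined domain.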

 
shazkhan
May 28th, 2007

I am going to subscribe to the SELinux, IPsec and PMS related mailing lists to get relevant, not yet known info regarding these technologies w.r.t. our directions. Can you give me some other good sources as well?
What do you think about the direction? Is it the same as I concluded? Any changes? You can email me if you do not want to go open about it. The IMS net was down again, so we could not establish communication with you today.

 
alam78
May 30th, 2007

I think it's a nice way to ask experts regarding your preferred idea. No problem at all; whenever you want to discuss, I can write my views both on the blog and to you by email.

Best,
MM Alam

 
shazkhan
May 30th, 2007

Sir, what do you have in mind regarding my directions? I have gone through Brindle's tutorial regarding IPsec and iptables with regard to SELinux. It's easy, neat and great. Here is the link:

http://securityblog.org/brindle/2007/05/28/secure-networking-with-selinux/

This guy is the person who is working as the lead designer of Policy Management Server at Tresys. He is a friendly and helpful person too.

I am waiting for your comments.

 
shazkhan
May 30th, 2007

As far as I can figure out, the selinux_init() and selinux_register_security() calls are used for stacking. Let's see what else I find out!

 
shazkhan
May 30th, 2007

Module stacking was rejected at the kernel summit, but there is code named stack.c developed by David Wheeler which seems to be good. Did you try it? Kernel people think there is no need to change the kernel model because current modules are enough for enhanced security. People should do other things at user level. I think they are somewhat right.
Let's see what I find next...

 
shazkhan
May 30th, 2007

I also found another stacker at SourceForge named lsm stacker/ing(?). Now I have to confirm with some mailing list which is the best one and least problematic. LSM Stacker is for kernel 2.6.16, while the other one, stack.c, was made in 2002.

 
alam78
May 31st, 2007

Yes, I have tried that stacking, but it is quite basic. See the list Linux-kernel-module for further information. There you can get more info.
The SourceForge lsm package is quite old, and I think it is not pursued any more by its authors. Regarding your idea, I will read this tutorial again and then inshAllah tell you tonight about my feelings.
Best,
MM Alam

 
shazkhan
May 31st, 2007

I had an email exchange with Dave (David Safford) of IBM Watson Lab, and he said that they are working on a project to transform IMA such that it will not need to be stacked. This will make things easier.

The Linux mailing list had similar signs, but work on it had stalled because it had some problems with SLIM and EVM. They are similar to IMA, according to my limited knowledge. Maybe Mr. TAT can shed some light on these topics.

I have tried to see if they could disclose their framework, so that we could join them in this effort, because our objectives are similar to some extent. And it seems a better idea, because a simple implementation can be widely adopted. Let's hope it's a quick fix! But I don't think so.

 
shazkhan
May 31st, 2007

Sir MMA, I am waiting to know your feelings regarding the tutorial. Most of all, I am desperately waiting to get something regarding your experience with SELinux and IMA+TrouSerS. At the same time, I am worried about the TPM Emulator.

 
Joshua Brindle
June 3rd, 2007

I'm very glad to see you guys working on distributed MAC and thinking about what we are doing with the policy management server. If you need any advice, help or additional information, I'd love to help out.

 
shazkhan
June 5th, 2007

There is no linux-kernel-module mailing list!
