17:14:57 <smooge> #startmeeting 17:14:57 <zodbot> Meeting started Sat Dec 5 17:14:57 2009 UTC. The chair is smooge. Information about MeetBot at http://wiki.debian.org/MeetBot. 17:14:57 <zodbot> Useful Commands: #action #agreed #halp #info #idea #link #topic. 17:15:24 <smooge> Dan Walsh's talk on virtualization 17:15:53 <smooge> He went over virtualization is and what is selinux 17:16:16 <smooge> The RHEL-5 xen had an actual attack that went past selinux because of how the policy was written 17:16:46 <smooge> it was written that way due to limitations to deal with direct hardware 17:17:01 <smooge> on getting past that the xen attacks were available. 17:18:29 <smooge> clint savage just came in to say that nothing has been recorded due to bad mike. 17:18:30 <smooge> fixed 17:19:15 <smooge> ok standard virtualization attack: browser -> local os -> virtualizer -> every virtual system 17:19:29 <smooge> so if you have a cloud system where you have lots of different companies on the clusters.. 17:19:42 <smooge> who protects pepsi from looking at coke if they end up on the same box 17:20:15 <smooge> enter selinux with its ability to labeling things on kvm 17:21:05 <smooge> kvm policy does not trust any qemu processes. it keeps things from P-colored sugar water from talking to C-colored sugar water vm 17:21:25 <smooge> mandatory access control puts it down further. 17:22:09 <smooge> libvirt does dynamic labeling through random unused MCS label 17:23:42 <smooge> depending on what the virtual machine is set up... each qemu only can do what its allowed to (eg unless you have shared /home on KVM-host you cant get to it from qemu-A 17:25:36 <smooge> we now go over the MLS labeling (or MCS in RHEL-5) so we can have top-secret and secret on the same box and not talk to each other unless allowed through special rules). 17:26:17 <smooge> except due to long story (see selinux lists) MCS wasn't really used in RHEL-5.. but its perfect for libvirt so it gets used finally 17:30:08 <smooge> MCS doesn't work in DOD environments due to rules needing MLS and no relabeling allowed 17:31:30 <smooge> question about security and common criteria rules. 17:32:25 <smooge> MLS environment labels are static with Top_Secret/Secret/Classified 17:34:15 <smooge> kvm asks how should it be labeled.. in MCS environment its random unused label. in MLS the administrator needs to set up preset rules *British TS talks to Australian S to US something else. 17:34:43 <smooge> future ideas will be to confine a Windows 2003 box to only run as an ISS server 17:36:51 <smooge> question: could selinux look inside the virtual machine? answer no 17:37:17 <smooge> selinux can see the ports that th evirtual opens but doesn't know what its running 17:38:26 <smooge> dan says that he would prefer iptables being the solution on the kvm host, but it can be done through selinux if policy etc needs it (and can be done now) 17:40:21 <smooge> the mcs label is generated off of multiple numbers from 0-1024 but can have limits from that they can't be the same number etc. 17:41:53 <smooge> shows a demo of labeling 17:42:37 <smooge> and is going into sandboxing which is related. 17:42:57 <smooge> sandbox means execing a process, some file descriptors and nothing else 17:43:52 <smooge> macos-x offered this last year? as an OS level thing.. which pushed people to ask "hey can we do this in linux" 17:44:20 <smooge> which got Dan to saying sure.. could have done that right now... and wrote sandbox to show it could be done 17:44:59 <smooge> say : cat /etc/passwd | sandbox grep foo 17:45:22 <smooge> and grep has a problem that somehow causes /etc/passwd to rewrite /dev/sda :) 17:45:44 <smooge> so he got it working and the first question was "How can you do this with acroread?" 17:46:50 <smooge> and so started a long rabbit hole of ways acroread which is basically uncontainable because it needs to talk to dbus, printers, /tmp, home directories, X, fonts etc etc 17:47:33 <smooge> and we got a selinux warning him running a sandbox that was questionable 17:48:08 <smooge> sandbox xterm 17:48:29 <smooge> /usr/bin/xterm Xt error: Can't open display: :0.0 17:49:07 <smooge> add some stuff to get X working and then you get a directory that is mktempd with bare minimal files to get stuff working 17:50:27 <smooge> you can't look at all the procsses, you can't talk with your normal namespace to get to your home directory. 17:50:47 <smooge> then an example of getting acroread/evince to be sandbox'd 17:52:27 <smooge> he only uses sandboxs to look at pdfs now.. it can talk with printers and fonts. 17:53:07 <smooge> there is a blog entry to get it working for you 17:53:24 <smooge> he then went over bugs... like zephyr resize bug 17:54:48 <smooge> as each sandbox runs its inside of its own X server to lock it down further. 17:59:29 <smooge> #endmeeting