Re: CoreOS membership to linux-distros (updated)

[Stiepan <stie@itk.swiss>]

Back to CoreOS, I think that the practical answer is https://coreos.com/os/docs/latest/selinux.html .
Now is it good / acceptable to rely on it (over classical Unix privileges, or another MAC) is actually an interesting, 
relatively unexplored research subject...
What makes no doubt is that it is in line with the use made by Google of Linux, including in Android and therefore, 
very probably makes sense for Google.
We lack some literature to back this choice for general-purpose use by the public at large, however.
http://www.cse.psu.edu/~trj1/cse544-s13/slides/cse544-selinux.pdf and 
https://www.ibm.com/developerworks/library/l-selinux/ * provide good starting points for such research; (public) 
research seems to have stopped since then (= more or less in 2009 apparently)†.
*With pointers to some alternatives in Linux and other operating systems, likewise many references
†The first presentation cites www.isoc.org/isoc/conferences/ndss/09/pdf/16.pdf, which provides an analysis of MAC 
mechanisms' (remote) attack surface.
A more recent, Android-centered presentation (http://kernsec.org/files/lss2015/vanderstoep.pdf) cites Wikipedia, 
stating that "[...] the security of an SELinux system depends primarily on the correctness of the kernel and its 
security-policy configuration", further highlighting the lack of in-depth research.
(the emphasis / bold typeface on the second part of the sentence was left as in the original quote)
I guess the question now is - do we trust Wikipedia articles on such matters? - and if we do, was the correctness in 
question attained in CoreOS's case?
Likewise, could we somehow measure / quantify a level of this correctness using a formal method? (and if so, what about 
generalizing it to other OS + xAC pairs so as to evaluate their suitability for specific use cases, target 
demographics, likewise threat models?)
Stiepan
P.S.: Full disclosure - I have an interest in finding a secure, yet broadly compatible enough OS. CC-ing Martin Decky, 
who was 1st to propose a formal approach to it.

> -------- Original Message --------
> Subject: Re: [oss-security] CoreOS membership to linux-distros (updated)
> Local Time: July 20, 2017 7:04 PM
> UTC Time: July 20, 2017 7:04 PM
> From: jesse_hertz () apple com
> To: oss-security () lists openwall com
> Additionally, Docker doesn"t maintain a kernel distribution, whereas OpenVZ does, making this request strange to say 
> the least.
> I also think its disingenuous to imply there"s "one patch" that divides a secure containerization system from 
> another. Container/Kernel security is... quite complicated to say the least.
> > On Jul 20, 2017, at 6:42 AM, Greg KH <greg () kroah com> wrote:
> >
> > On Thu, Jul 20, 2017 at 07:13:03AM +0300, gremlin () gremlin ru wrote:
> > > On 2017-07-18 14:56:23 -0700, Euan Kemp wrote:
> > >
> > > > I???ve listed each criterion and why I think we, the Container
> > > > Linux team at CoreOS, qualify.
> > > >
> > > >
> > > > > 1. Be an actively maintained Unix-like operating system distro
> > > > > with substantial use of Open Source components
> > > > All components of the distro are open source, as are all the
> > > > tools used to build it.
> > >
> > > Prior to any decision to be made, I"d ask you to show the kernel
> > > patch which you use to avoid escaping from the container to host
> > > system (Docker allows such escape, OpenVZ does not). Could you,
> > > please, show it?
> >
> > All of CoreOS"s kernel patches are public, here"s their latest branch:
> > https://github.com/coreos/linux/tree/v4.12.2-coreos
> >
> > But what does a specific kernel patch have to do with linux-distro"s
> > membership requirements?
> >
> > confused,
> >
> > greg k-h

Stiepan Aurélien Kovac

IT Kovac + itk AVtobvS Sàrl
Geneva + Jussy, Geneva CH