From Fedora Project Wiki

Revision as of 10:46, 22 June 2024 by Py0xc3 (talk | contribs) (add matrix channel)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Confined Users Special Interest Group (SIG)

SIG to co-ordinate efforts related to different means to confine (which means achieve secure process, data and account isolation and protection but also mitigate privilege escalation) users and their accounts, but also to bring beginners and intermediate users with security-interest together with developers and experts to contribute to the testing efforts, which can be time-intensive but to which it can be already contributed without much related experience (usability testing, identify and report issues and unintended behavior, and so on). However, we also aim to develop and improve yet underdeveloped means to achieve confinement, which might involve more sophisticated testing but also developing, as conducted by more experienced users (and those who want to become experienced).

Scope

Our efforts can be split into four pillars:

In the center of the first two pillars is working with and contributing to SELinux confined users, which can achieve a precise and radical isolation/protection of data, processes and user accounts within graphical desktop environments as it cannot be achieved by containerization technologies (at least not in GUIs). Any experience level can contribute to these efforts and learn a lot about Linux, SELinux and their behavior and impact with and on user applications. The focus is to contribute with data and reports that help to improve the SELinux policies to increase security and user experience (which can also improve default Fedora installations without user confinement).

1. On one hand, we contribute to confinement profiles that keep allowing the users to work with su and/or sudo (staff_u, staff_r, sysadm_u; sysadm_r), so that at the end of our efforts, a confinement can be enabled without it changing the user experience compared to the default Fedora, whereas it then still achieves a process/data/account isolation and protection within GUIs that can compete with non-GUI container environments.

2. On the other hand, we want to also make Fedora working smoothly with profiles that forbid any privilege escalation through su and sudo (user_u, user_r), which aims for users with the highest security demand who are also willing to change their behavior and user experience to further increase security. Again, we aim that this becomes usable also by users without sophisticated experience and without much efforts.

3. Beyond SELinux, we also aim to make Fedora deployable with all SUID root binaries being removed, which is another approach to achieve confinement. This is a contribution that aims for people who have already deeper experience with Linux or aim to develop such knowledge. This approach is more generic and might also contribute to Linux operating systems in general because it uses means that are common to most (if not all) widespread desktop Linux distributions, without the need to involve SELinux. On the long term, our goal is that this means also does no longer need sophisticated experience or efforts to be usable by non-experts.

4. Coordinate efforts within and among the first three pillars and exploit their synergies (including testing and deploying "mixes" of the first three pillars' approaches/means), develop and distribute related knowledge, but also promote and propagate the possibilities and aims of the first three pillars within and beyond the community.

This SIG is for all kinds of security enthusiasts, from beginners to experts of the related means, tools and the kernel itself (and those who want to become experts).

Getting Involved

If you want to get involved then that's awesome! Membership is currently ephemeral and defined by participation - there's no sign-up page or list. So, how to "join"? Get involved!

You can review the discourse topic (especially the opening post and this one) and if you are interesting, open a new topic in the Project Discussion category with the #confined-users tag to say "Hi". You might also read the summary of the Pagure repo, although discussions and collaborations take place primarily in the Project Discussion.

We aim to involve users and developers and create feedback loops between them. The ask.Fedora category tag #selinux-confined-users aims to help people but also to get data about how to adjust and improve SELinux policies that are shipped in Fedora by default. The #su-confined-users tag shall serve a comparable purpose, but for questions about approaches and implementations with the goal to restrict or mitigate the use of su , sudo, SUID, wheel and so on (the list is not exhaustive). At the same time, our SIG organizes itself in the Project Discussion category tag #confined-users. We use the latter category also to summarize and analyze data, and prepare information for and evaluate feedback from upstream: we collaborate upstream with the dedicated SELinux team of Fedora to finally implement our knowledge into improved SELinux policies, which are then shipped with Fedora by default.

However, the SIG is much more then SELinux: as you can see in our objectives, SELinux confined users are just one of the means we aim to improve and embed in Fedora to increase user confinement. If you have any idea or want to contribute to any type of user confinement improvement / testing / development, feel free to open a topic with the #confined-users Project Discussion tag!

Issue Tracker and Discussion

For any kind of help about user confinement or related reports, feel free to open a ticket in our Pagure repo, or use the #selinux-confined-users or #su-confined-users tags in ask.Fedora for technical "How to get X done in Fedora Linux" questions (ask.Fedora preferred!). You do not need to be or become an active contributor to be allowed to use the ask.fedora tag! Even if you only use SELinux confined users on your own, feel free to use the tag to get help! Our goal is to make SELinux confined users and their massive (and especially preventive) security capabilities available to everybody - every question helps us to improve our understanding of user needs.

If you have any issue with non-SELinux confinement, use the #su-confined-users ask.fedora tag, but also feel free to open a separated topic in the Project Discussion category to make us aware that there is room for confinement improvements! If it is about SELinux-related confinement, it should be the #selinux-confined-users tag in the ask.Fedora topic. If you are unsure, use the tag that feels most appropriate at first glance.

Chat (Matrix)

Our Matrix room is #confinedusers. This room is for everything about user confinement: if you have any question, feel free to ask it there. If you have any idea about user confinement or want to exchange about our and your ways to confine, or just want to have some tech talk around confinement-relates issues, that's a good place to join. Of course if you want to contribute and team up in related areas, the channel is also a good point to start. However, the channel is quite new and we do not yet know if and how much users will make use of it. But there will always be Fedora Discussion topics with our tags as alternative. You are also welcome to idle and see if interesting conversations come up.

Meetings

There are currently no regular meetings planned. But feel always free to open a new topic in the Project Discussion category or contribute to the current discussions there: #confined-users tag.