Security Module Stacks: Flexibility and Pitfalls in System Security Configuration

Explore the intricacies of security module stacking in Linux systems with kernel developer Casey Schaufler from Intel. Learn about the new flexibility in configuring system security, potential risks of combining security models, and how to avoid pitfalls. Discover the configuration of existing modules, known conflicts, and best practices for new modules to reduce potential conflicts. Gain insights into networking security challenges and their solutions. Delve into topics such as Linux Security Modules, security blobs, packet labeling, Netlabel configuration, and process attributes. Benefit from Schaufler's extensive experience in Unix kernels, access control systems, and Linux security infrastructure as he shares valuable knowledge on creating robust and useful security module stacks.

Intro
Casey Schaufler Kernel developer from the 19705
Linux Security Module Collection of security hook
Security Module Stack A collection of security modules
Major Security Module
Stacking as of 4.18
Security Blobs
Stacking with infrastructure managed blobs
32 bits allows one module's data
Identify which to use
Unrecognized Option
Packet Labeling
Pushed attributes
Netlabel Configuration
Granularity
Redundant purpose
User Space
Networking
Process Attributes
Think twice about using secids
Be careful with state