Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security Software Linux

SELinux Moving Into The Mainstream 24

PaxTech writes "Security Enhanced Linux is moving into the mainstream rapidly, bringing its implementation of mandatory access control to a wider audience. The agenda for the 2006 SELinux Symposium has just been announced, distributions such as Fedora are including SELinux in the default build, and ports are underway to bring SELinux functionality to BSD and Darwin. Security minded systems administrators should be learning about this technology as it provides another strong layer of security for Linux servers."
This discussion has been archived. No new comments can be posted.

SELinux Moving Into The Mainstream

Comments Filter:
  • by NZheretic ( 23872 ) on Friday December 09, 2005 @04:49AM (#14217753) Homepage Journal
    Browsers and internet accessing applications really need a series of targeted policies that can limit what third party extention, plugins and applet/scripting systems have access to.

    Almost all plugins should only need read access to its install directory/libraries, to a dedicated subdirectory for plugin for each application, and maybe ( at the users agreement ) common incoming and outgoing directory.

    • Apache is one application that really needs a targeted policy. In FC/RHEL the idea is to separate Apache from the rest of the server. That's fine if you only run one website per server or cluster. If you have multiple virtual hosts wich all need to be able to run scripts and write to the filesystem, to files owned by the correct user, you end up having to switch off the ACLs. It's a security nightmare, which SELinux has done nothing to improve - in the default configuration anyway.

      Sun managed to set up T

  • by Adi ( 18939 )
    Why should anyone use this instead of grsecurity [grsecurity.net]? I'm just curious, it's not meant to be a flamestarter. :)
    • Re:grsec? (Score:3, Interesting)

      Because they are different in spirit. SELinux is something that gives the necessary features for an organization like NSA where they require a level C or B or higher classified system.

      Grsecurity is more like for the common user wanting to make their system more secure.

      I'm aware that this is very vague like this, but it gives the general idea I hope. Personally I use Grsec for my home box, but an organization wanting to replace old mainframes needs to look into a bit different solutions, like SELinux.
    • After taking a cursory look at that project, which I can say I have not dealt with personally, or even installed. I can tell you that I see many serious problems on the web page 'support forum'. I dont have the time to spend fixing all the possible errors that I dont currently run across when dealing with the FC3 version of SELinux that I have been using for some time now, across a few different kernels.

      Can you tell me why Id want to use that over a distribution that already has that functionality built i

      • from what i understood reading an article on SElinux last year: its origins go back quite far infact they seem to be speculated as lost in some red tape... as to connections to AT&T labs. the intentions where to create a security system specifically designed for intranet and networking specifics and where tested in university networks and government based internet projects way back when.. according to sources who have taken interest in this type of security and are spent on introducing it to the open so
    • by NZheretic ( 23872 ) on Friday December 09, 2005 @07:32AM (#14218241) Homepage Journal
      Russell Coker posted one of the most concise rationals to the SELinux Mailing List [nsa.gov]:
      GR Security includes PaX for protection against stack smashing and other similar attacks. But it also has an ACL system of it's own and limited chroot's (IE process in chroot can't touch the outside environment or other chroot's).

      SE Linux is an implementation of the domain-type security model. The domain a process is in determines that access it is given. Domains can change automatically on execution of certain processes (eg getty, login, and ping) or when executing a process a SE Linux aware program can specify the security context of the child process (within a certain range), login, sshd, and cron do this.

      The grsec ACL system and RSBAC don't support modifying applications to specify the security context, so they don't support giving different access to different non-root users.

      I think that Grsec has better support for some aspects of IP networking control, such as controlling which IP address a process can bind to (currently SE Linux only supports controlling bind access by port).

      RSBAC has lots of options for a huge number of things as they take the kitchen sink approach. You have to answer about 40 questions at kernel configuration time, and it's not clear which combinations of options are viable.

      Also visit the SELinux Frequently Asked Questions [nsa.gov].
  • by Kelson ( 129150 ) * on Friday December 09, 2005 @12:26PM (#14220910) Homepage Journal
    ...to BSD and Darwin. I've been using Fedora Core since it was first released, and I've watched SELinux go from a slightly clunky annoyance in FC2 to just another part of the system in FC4 as they refined the targeted policy. I'm not sure how much of that was done by the NSA and how much by Red Hat, but it's made a huge difference -- more, even, than the slowly improving security GUI in Fedora Core (though SELinux desperately needs something to make it easier to administer).

    Back to BSD/Darwin, I do have to wonder -- how well would a successful Darwin port of SELinux interact with Mac OS X's security model? The page on the website talks about 10.3 and the latest snapshot is dated July.
    • I do have to wonder -- how well would a successful Darwin port of SELinux interact with Mac OS X's security model?

      Quite a bit of it is in there. The problem is that Darwin has a different kernel level security model... there is a difference between single user mode and root in terms of permissions. So for example you can chflags the schg bit on but not off when running in Aquaish modes. There certainly are going to need to be better tools to handle this (sort of like the way XP does stuff during the
    • Mandatory Access Control has been available (but not turned on by default) in FreeBSD since its 5.0 [freebsd.org] release (Jan 2003). Documentation on using MAC is available in the FreeBSD Handbook [freebsd.org]. Manual pages [freebsd.org] are also available.

  • I checked on this a few months ago and found that SELinux may be patented by the company that appeared to write it for the NSA, the secure computing corporation.(SCC)

    Patents owned by the SCC include:

    5,867,647 System and method for securing compiled program code
    5,822,435 Trusted path subsystem for workstations
    5,796,836 Scalable key agile cryptography
    5,596,718 Secure computer network using trusted path subsystem which encrypts/decrypts and communicates with user through local workstation user I/O devices with
    • Straight from the horse's mouth [theaimsgroup.com] :

      --snip--
      Despite recent speculation concerning patents, we remain confident that we had the necessary rights to release SELinux in the manner and under the conditions in which we did and that SELinux may be used, copied, distributed, and modified in accordance with the terms and conditions of the GPL.
      --
      Peter Loscocco
      SELinux Project Leader
      National Security Agency
      --snip--

    • My attempts at getting some kind of feedback from the SCC were in vain because no one called me back. Does Redhat license this? Will the patent trolls come after me if I attempt to use it in a commercial OSS way?

      I asked a few questions on the SELinux mailing list and to members of the SELinux development team and the universal consensus was that these patent "issues" aren't issues at all, that this patent scare is old news that was settled years ago, and that SELinux is unencumbered and fully GPL compat

"The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts." -- Bertrand Russell

Working...