Slashdot Mirror


New Release Of NSA SELinux

rstewart writes: "The NSA has released a new version of SELinux for public consumption. It is based on the 2.4.9 kernel and the utilities patches are known to work on Red Hat 7.1. More information and the source can be found at the NSA SELinux site." You can read the what's new for more information.

6 of 210 comments

  1. Grsecurity by chrysalis · · Score: 4, Informative

    Actually, I'm very satisfied with Grsecurity, a nice kernel patch to enhance the security of a Linux kernel.
    What would be the benefit of switching to NSA (but more complexity to admin)?

    1. Re:Grsecurity by Anonymous Coward · · Score: 2, Informative

      NSA's patch gives Linux the permissions/user tracking that allow Linux to exist in military environments.

      It doesn't actually make anything more secure.

    2. Re:Grsecurity by BeBoxer · · Score: 5, Informative

      The main difference is that they address totally different security needs. Grsecurity is focused on preventing various common buffer overflows, race conditions, port scans, etc. It doesn't really do anything to make the basic Unix permissions any more fine grained than they currently are.

      On the other hand, the SELinux is focused on exactly this. It allows you to specify much more finely grained permissions for users and processes. This actually complements the grsecurity work. SELinux is focused on minimizing or containing the damage that can be done with a given application. This can both minimize the things that a buffer overflow can do, and minimize the evil tricks that a user might be able to get away with using installed software. For example, a user could restrict what directories netscape is allowed to read and write to. Or an admin could restrict 'top' to opening the kernel read-only so that a buffer overflow wouldn't enable root access. Or preventing even 'root' from changing important system-level libraries and binaries.

      All sorts of really neat things are possible. The downside of course, as you mentioned, is more complexity to administer. But it doesn't make sense to compare Grsecurity and SELinux. They address different security shortcomings of Linux.

  2. Re:Why is the NSA in this? by wumingzi · · Score: 5, Informative

    The sole purpose of the NSA is to spy on you, now why are they trying to make your system more secure?

    Incorrect. Read the NSA's charter.

    Pay attention to section 1, Article 5, Section 3 et al. The NSA also is charged with creating standards for the security of information held in DoD computers (specifically), other govt. computers (generally), and promulgating those standards for use in other systems. Here is a nice link to the NSA's computer security guidelines if you haven't seen them.

    Yes, the NSA spies on people. No, this isn't nice. Yes, the government of the USA does some awfully screwy things, like the DMCA. Tarring the whole government with the same brush is simple-minded.

    Besides, the code is available for your perusal. If you think the uberspooks have put in a back door, get to work and find it!

  3. Re:Just a question... by FooGoo · · Score: 3, Informative

    Yes... Executive Order 12333 of 4 December 1981 describes in more detail the responsibilities of the National Security Agency. The resources of NSA/CSS are organized for the accomplishment of two national missions:

    The Information Assurance mission provides the solutions, products and services, and conducts defensive information operations, to achieve information assurance for information infrastructures critical to U.S. national security interests.

    The foreign signals intelligence or SIGINT mission allows for an effective, unified organization and control of all the foreign signals collection and processing activities of the United States. NSA is authorized to produce SIGINT in accordance with objectives, requirements and priorities established by the Director of Central Intelligence with the advice of the National Foreign Intelligence Board.

    --
    People who bite the hand that feeds them usually lick the boot that kicks them
  4. Re:BSD? by benedict · · Score: 3, Informative

    I believe the NSA has provided some funding for TrustedBSD.

    --
    Ben "You have your mind on computers, it seems."