Slashdot Mirror


Would You Use SELinux?

silent_tyr asks: "I am going to re-install my Linux box and being security conscious I am looking for a secure distribution. After a couple of Google searches I found a version called Secure Linux, which sounded ideal. So I followed this link, which turned out to be what I assume is a genuine NSA web-site. All in all, it looks like a good idea and I can play around with it as I wish, but eventually I will be using this machine as my base-system. So before I start I want to ask two questions: 1) Do you think that it is a good idea to trust the NSA not to put in back-door/spy-ware type code to enable them to snoop my personal information? 2) What other security-patched distros can people recommend? I don't want to open up the floor for generic NSA-bashing, but I also don't want to have to work my way through every line of code before I install." There was a similar question that was asked a while ago, but there wasn't much to the discussion. For those of you who are running SELinux, what have your experiences been, so far?

7 of 65 comments

  1. Re:What? by thefroatgt · · Score: 5, Informative
    From the main SELinux page:
    Security-enhanced Linux is being released under the same terms and conditions as the original sources. The release includes documentation and source code for both the system and some system utilities that were modified to make use of the new features. Participation with comments, constructive criticism, and/or improvements is welcome.
  2. EnGarde Linux by moonboy · · Score: 4, Informative

    Check out EnGarde Linux.

    Also, LinuxSecurity.com is a very helpful and informative site.

    --

    Co-founder and designer at Music Nearby: http://musicnearby.com
  3. Re:What? by Anonymous Coward · · Score: 1, Informative

    Am I mistaken, or is SE Linux not a source distribution?

    How about reading the link you are given?

    Security-enhanced Linux is being released under the same terms and conditions as the original sources. The release includes documentation and source code for both the system and some system utilities that were modified to make use of the new features. Participation with comments, constructive criticism, and/or improvements is welcome.

  4. Alternative options by redhat421 · · Score: 5, Informative
    I have not really used SELinux that much, but I have used and would recommend the following two projects.

    grsecurity

    LIDS

    As far as the NSA planting a back door into SELinux, I really doubt it. A backdoor in open source code would be discovered eventually, and the NSA would have a very hard time denying it.

    It seems much more likely that they would put back doors into closed source products, which do not receive as much scrutiny.

  5. Re:What? by BrokenHalo · · Score: 3, Informative
    GPL'd source guarantees that nothing lives in your kernel that you cannot examine as much as you like for backdoors

    Not quite.

    (1) It's not just your kernel...
    (2) Sure, you could spend weeks browsing through the source by yourself (and probably not find any backdoors even if they do exist).
    (3) Having a source distro in itself doesn't guarantee that said source hasn't been tampered with. I seem to remember there was something like this that came up a few months ago with sendmail where somebody (IIRC) had replaced the source tgz file on some servers. If people do not check MD5sums at the original point of distribution then sooner or later they're going to get their fingers burnt.

  6. Gentoo SELinux by Robbat2 · · Score: 3, Informative

    SELinux is directly supported under Gentoo.
    See http://www.gentoo.org/proj/en/hardened/selinux-quickstart.xml for details on installing.

    Or dig on the mailing lists for a recent post to gentoo-dev about it for a lot more information.

    --
    ICQ# : 30269588
    "I used to be an idealist, but I got mugged by reality."
  7. Debian too by Xtifr · · Score: 3, Informative

    Debian also includes SELinux, and the "details for installing" seem to be: 'apt-get install selinux'. :)

    So, that's at least two major community-oriented distros that have found SELinux worth offering on at least an optional basis; two communities of sometimes-paranoid developers that have probably at least scanned for obvious backdoors. Given that, I suspect that SELinux can probably be considered reasonably safe. (At least as safe as anything else available with your system: when was the last time you reviewed KDE or GNOME for potential backdoors?)