Slashdot Mirror


NSA Releases Updated SELinux

darthcamaro writes "Looks like our federal tax dollars are hard at work - improving security on Linux! The NSA - you know the folks that are shadowy figures on X-files - have released the latest updates to SELinux (security enhanced). Internetnews.com has got a piece on it where they talk to Gentoo and Red Hat about the release's significance."

26 of 319 comments

  1. Re:Shouldn't this be our default system? by MrHanky · · Score: 5, Informative

    SELinux is included in 2.6 kernels. Of course, you also need the right userspace tools to take advantage of it. I imagine distros will use SELinux when they migrate to 2.6.x.

  2. Article Text (seems sluggish) by sik0fewl · · Score: 4, Informative

    February 24, 2004
    Linux Gets Security Boost from NSA
    By Sean Michael Kerner

    Most stories about government deployments of Linux involve a distributor helping various federal and municipal agencies install the open source operating system. But in this case, a federal agency is helping Linux.

    The U.S. National Security Agency (NSA), also known as the codemakers and codebreakers cryptologic division within the Department of Defense, has helped to harden Linux with newly-released Security Enhanced Linux (SELinux) kernel modifications.

    The latest release, which updates the base kernel to 2.6.3 and 2.4.24, contains numerous significant improvements to security in the open source operating system. The SELinux improvements mark a major breakthrough for Linux. Because of the NSA's contributions to the kernel, the new security features will now show up in mainstream distributions of Linux.

    "Conditional policies are significant and also networking hooks were added, which makes SELinux all that much more powerful," Joshua Brindle, hardened Gentoo Linux Project Leader and the NSA's SELinux contributor, told internetnews.com.

    "They also exported AVC controls to userland to facilitate strong X-based access control and privilege separation," he added.

    SELinux was released by the NSA under the GNU GPL open source license. SELinux is essentially a Linux Kernel with a number of utilities that provide enhanced security functionality. But the critical component of SELinux is how it implements and handles mandatory access controls.

    "SELinux is important because mandatory access controls are essential to limiting access to daemons and users to only what they need. It also solves the age-old almighty powerful superuser problem in Linux," Gentoo's Brindle told internetnews.com.

    "We stress however that it isn't an end-all solution, that it must be combined with additional layers of protection."

    Debian, Gentoo and Red Hat Fedora's latest test release of Fedora Core 2 all currently make some use of SELinux. Red Hat also plans to incorporate SELinux into its next Red Hat Enterprise Linux release.

    This "marks an important milestone in what enterprises globally feel is an important issue," Red Hat spokesperson Leigh Day said of the SELinux update. "One of the first issues we hear from our customers when talking with them about solution requirements is security," she told internetnews.com. "We're pleased to be working with the NSA to bring SELinux to our distribution. We will incorporate SELinux fully in our next release of RHEL 4."

    The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs.

    --
    I remember when legal used to mean lawful, now it means some kind of loophole. - Leo Kessler
  3. Dunno why the link wasn't in the article. HERE: by MikeCapone · · Score: 4, Informative
  4. Not at all mutually exclusive! by qortra · · Score: 4, Informative

    Apparently, you don't understand the difference between a "page impression" and a "read". Now, here's what the normal slashdot user does:
    1)clicks on link
    2)looks for colorful photos
    3)Presses Ctrl-F, then types "screenshots", then Enter
    4)Clicks on any links he finds in that context.
    5)If he finds nothing, clicks "Back", clicks "Reply", and makes an uninformed comment

    Very little reading usually goes on; just viewage of pretty pictures. And, of course, this just makes the slashdot effect worse; text doesn't really hurt webservers as bad as big JPGs. That's why two hours after the posting on slashdot, the site admins are always back online with a text-only version of their site saying something like "I've never seen so much web activity in my life".

  5. post rsbac news, too! by boldi · · Score: 3, Informative

    There were some selinux related posts on slashdot, consider checking www.rsbac.org too.

    RBAC, MAC, ACL, extensible, malware-scan (virus protection on kernel ('access') level), network protection, other methods (FF,...) and whatever you wish

    It's not financed by NSA, and not programmed in the US, can you be happier?

    Anyhow, don't tell me SELinux is better because.. it would cause a flame-thread only...

  6. Re:I am curious by temojen · · Score: 5, Informative

    Do the security enhancements developed by the NSA slow down the kernel?
    No
    Does it make it harder to set up services such as email or apache?
    Yes
    How much more secure is it than a standard vanilla kernel?

    It's not much more secure, except that it's based on a more flexible permissions system. So even Root may not have full root access, and it's not necessary to be root to run a server (bind to ports lower than 1024), so long as you're given permission to that port. Also there's a lot more auditing support.

    So for standalone home desktops, it's mostly not necessary, but for Banks, the military, and others that need a major paper trail for everything it's worthwhile.

  7. Hardened Gentoo by MadMethod · · Score: 5, Informative

    A lot of my Gentoo specific comments were taken out of the article so I'll provide them below:

    MACs are only the enforcement part, auditing is also very important and sadly something lacking in LSM. We are looking into different auditing schemes to complement SELinux.

    Recently we have completely integrated PaX memory protections into the SELinux policy. Unfortunately Redhat's Ingo wrote execshield, which he admits provides less protection so most of the SELinux camp is not interested in the work we are doing in this area.

    We also provide much tighter policies by default whereas Redhat/Fedora has chosen to make the user domains much less restrictive and 'user-friendly'. This isn't in line with the goals we've cited on our page http://hardened.gentoo.org . While user friendliness is important, taking restrictions away from domains inevitably loosens security.

  8. Re:Are NSA improvements public domain? by dancedance · · Score: 3, Informative

    From the SELinux website: "All source code found on this site is released under the same terms and conditions as the original sources. For example, the patches to the Linux kernel, patches to many existing utilities, and some of the new programs available here are released under the terms and conditions of the GNU General Public License (GPL). The patches to some existing utilities and libraries available here are released under the terms and conditions of the BSD license. Some new libraries and new programs available here are released into the public domain." So to answer your question, the US govt is clearly allowed to use the GPL.

  9. Re:Shouldn't this be our default system? by Pros_n_Cons · · Score: 2, Informative

    What kinds of changes in SELinux would be NOT welcome in mainstream Linux distros?

    1.) anything that breaks compatibility will be rejected
    2.) anything that slows the kernel down will be rejected.
    Security isn't Linus's highest priority unless it can be achieved seamlessly, and nobody wants to break away from mainline kernel compatibility. Except the niche people Adamantix, SELinux itself and a couple others. That's why Red Hat pushed for SELinux in 2.6 so hard and has employees who package SELinux and exec-shield for Debian. A great change for Linux indeed.

    --

    -- "of course thats just my opinion, I could be wrong." --Dennis Miller
  10. Re:Shouldn't this be our default system? by rgmoore · · Score: 5, Informative

    Except that this isn't necessarily true. It's probably true that there's an inverse relationship between convenience and security within a given security architecture, but the whole point of SELinux is that it changes the architecture. There's no loss of convenience to a user when suid programs are replaced by ones that have specific limited privileges, but there is a big gain in security. An average user probably won't even notice that they're using a SELinux system instead of an older system. It may be more of a pain for administrators, and certainly will be more of a pain for distribution writers, but they're professionals who should be able to deal with it.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  11. Re:hmm... by bashbrotha · · Score: 3, Informative

    That was DARPA that stopped the funding on OpenBSD. A nice summary is available here

  12. Re:A few quick comments by Martin+Blank · · Score: 2, Informative

    I'm almost certain that if they had the ability to tweak security in MS, they would do so.

    They did, sort of, with the security guides, which are well-documented (if rather dry) explanations of how to use existing Windows functionality to improve security on the systems. Some of them are pretty clearly overkill for most people (minimum 12-character passwords and 4GB max size for each log file, for example), but they're generally pretty good use. Apparently, they had such an effect on Microsoft that MS wrote up a "Securing Windows Server 2003" document that was good enough that the NSA people decided that their own document wasn't needed. It's not a matter of laziness, either; they're still publishing and updating the other documents.

    Still doesn't make Windows flawless, but it makes it a helluva lot better for those needing to lock things down.

    --
    You can never go home again... but I guess you can shop there.
  13. Re:Shouldn't this be our default system? by Anonymous Coward · · Score: 1, Informative

    I haven't even delved too deeply into what SELinux is or what it does, but it is definitely included by default in the upcoming release of Redhat Fedora.

  14. SELinux Demo Machine by Lord+Tocharian · · Score: 5, Informative

    Afraid to install SELinux but interested in what it does? The Hardened Gentoo project maintains a SELinux Demo Machine that allows you to ssh in as root. More information here: http://selinux.dev.gentoo.org/

    1. Re:SELinux Demo Machine by MadMethod · · Score: 4, Informative

      ok, slashdotting via ssh is a Bad Thing, the machine is essentially at a standstill, calm down a bit and try later, or there are also other demo machines for debian and fedora here http://www.coker.com.au/selinux/play.html Thanks :)

  15. Oops! Here's the correctly formatted link by kfg · · Score: 2, Informative
  16. Re:Shouldn't this be our default system? by Trejkaz · · Score: 3, Informative

    Gentoo do have an SELinux profile (consider this to be like a distribution) already, currently based on 2.4 I believe, which will install a different base system to normal and set up different defaults for the way things are installed. They even have a document describing how to "upgrade" from a non-SELinux installation.

    --
    Karma: It's all a bunch of tree-huggin' hippy crap!
  17. How its predecessor worked by billstewart · · Score: 4, Informative
    I worked with AT&T's Multi-Level-Secure System V/MLS systems in the late 80s. Some details have changed since then (:-), but the basics are mostly the same. Most of the changes were in file and device access permissions and logging. The permissions features don't slow anything down significantly (except of course by stopping unapproved accesses altogether), and at the time, the logging functions were implemented very cleanly and rapidly, typically burning under 5% of horsepower (mostly disk access to save the very compact log entries.)

    Some services are harder to set up, because the permission issues get in the way, especially if they expect to have an all-powerful root doing the work for them, or if the application does lots of work to secure itself (chroot jails, etc.), but most applications aren't affected much. Anything that does much with Setuid() can expect a radically different environment underneath.

    The big security win is that you can define different security compartments, including one or more for the operating system itself, and applications can only read from lower-security-level compartments, not write to them. This means that even if somebody finds an egregious buffer overflow bug in your email client, and uses it to mail your precious files to kgbvax.dhs.gov, they still can't use that to r00t your machine, and it's very hard for them to accomplish much by leaving Trojan Horse files around in your home directory because root usually isn't allowed to read them without you explicitly authorizing them.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
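
Added example, not part of billstewart's comment and not System V/MLS or SELinux code: the read-down, no-write-down rule that comment describes is the Bell-LaPadula model, sketched here in Python. The labels, paths and subject names are constructed for illustration.

```python
# Added illustration: toy Bell-LaPadula (MLS) check. Not System V/MLS or SELinux code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    level: int                              # higher number = more sensitive
    compartments: frozenset = frozenset()   # need-to-know categories

    def dominates(self, other):
        """True if this label is at least as high and covers other's compartments."""
        return self.level >= other.level and self.compartments >= other.compartments

@dataclass(frozen=True)
class Subject:
    name: str
    uid: int        # carried only to show the MAC decision never consults it
    label: Label

def may_read(subj, obj_label):
    # "No read up": a subject may read only what its label dominates.
    return subj.label.dominates(obj_label)

def may_write(subj, obj_label):
    # "No write down": a subject may write only to labels that dominate its own.
    # Classic BLP therefore allows blind write-up; this toy model keeps that.
    return obj_label.dominates(subj.label)

# Constructed labels, paths and subjects (assumptions for the example).
SYSTEM_LOW = Label(0)
ALICE = Label(1, frozenset({"alice"}))
OBJECTS = {
    "/bin/login": SYSTEM_LOW,             # operating system compartment
    "/home/alice/inbox": ALICE,
    "/home/alice/.trojan": ALICE,
}
MAIL_CLIENT = Subject("mail client (exploited)", uid=1000, label=ALICE)
ROOT_SHELL = Subject("root shell", uid=0, label=SYSTEM_LOW)

def decisions(subj):
    """Return {path: (read_allowed, write_allowed)} for every sample object."""
    return {p: (may_read(subj, lab), may_write(subj, lab)) for p, lab in OBJECTS.items()}

if __name__ == "__main__":
    for subj in (MAIL_CLIENT, ROOT_SHELL):
        for path, (r, w) in decisions(subj).items():
            print(f"{subj.name:24} {path:22} read={r!s:5} write={w}")
```

The exploited mail client can still read and write the user's own files but cannot modify `/bin/login`, and the uid 0 shell at the system label cannot read the planted file in the home directory.
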
  18. Re:eeeeenteresting.... by afidel · · Score: 4, Informative

    It's the NSA's job to enhance the security of US government systems as well as attack the security of enemy systems. For a good example of the former see the changes they made to the DES algorithm's S-Box selection function which made it more resistant to differential cryptanalysis 20 years before the technique was reinvented by the public sector.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
  19. Re:Pure gold? by YrWrstNtmr · · Score: 2, Informative

    How many operating systems can boast about having ***NSA***-quality security?

    Seeing as how NSA publishes security guides for NT, 2000, XP, 2003Server and Solaris 8, I'd say it is more than just Linux.

  20. Why not talk to the developers? by Anonymous Coward · · Score: 3, Informative

    The SE Linux mailing list is a good place to ask questions about it, see http://www.nsa.gov/selinux/ for the details.

    Also see #selinux on irc.freenode.net.

    Then you can discuss it with the people who are involved in SE Linux development.

    SE Linux has been going for a long time, I've been working on it for almost three years, and I wasn't involved at the start.

    The NSA gets some significant benefits from releasing the code under the GPL. See the list of non-NSA contributors for a list of the work that was done for free by the community instead of having to be paid for by the NSA.

    Russell Coker

  21. Re:changelog by damiam · · Score: 3, Informative

    That might be funny, if it were true. Fortunately, it's not.

    --
    It's hard to be religious when certain people are never incinerated by bolts of lightning.
  22. Re:Shouldn't this be our default system? by thayner · · Score: 2, Informative

    I think you're confused about how hard SELinux is to administer. Distributions can use an SELinux system to provide packages that give themselves the bare minimum of rights so that if an application is taken over it is less significant (frequently a lot less). Think of it as chroot plus. For the user and even the admin, it's completely unnoticeable.
    Of course, depending on how the distribution sets it up, SELinux can be more complicated to administer but it doesn't have to be this way and I don't think a lot of distros will go that route.
    SELinux rocks now and it's going to rock even more as more and more packages that previously used root will use more finely tuned security to prevent rooting (without the admin doing a thing -- although when necessary the admin can use SELinux to tighten the security even further).

  23. Re:A few quick comments by Lt.Hawkins · · Score: 2, Informative
    Do you really believe that NSAKey is for some insidious purpose?

    Isn't it much more likely that having their own key in there allows them to sign their own Crypto components for internal use without having to have Microsoft see their secret alterations, or without having Microsoft's private key?

    http://www.schneier.com/crypto-gram-9909.html#NSAKeyinMicrosoftCryptoAPI
    I mean, really... I can understand Tin Foil Hat theories, but sometimes I think that the hat must be too constricting, affecting mental processes...

    --
    -- My Sig is a P228.
  24. Re:Interesting Reading by Amigori · · Score: 3, Informative

    As a former Airman who was a Systems Administrator, I definitely saw this first hand. Granted I got out 3 years ago, but that's definitely where it was headed. We were replacing rock-solid *nix boxes with buggy NT4 servers because "they ran windows." It certainly made some aspects of my job much more PITA. I'm sure you can imagine the wonderful experience of upgrading base-wide email servers to a central MS Exchange server. The one nice side to all the equipment "upgrading" is that before I left, I had a stack of Sun SparcStations, a few spare racks, some RAID arrays and two high speed switches, and some time on my hands. A few late nights, and voila! The best server on base thanks to Linux and clustering software. I even put OpenBSD on another one to act as a firewall. My commanders were impressed, but it would never go on the live network because the OSes weren't "certified." We also had 18 new Sun boxes sitting there ready to go with a custom USAF application loaded that we never used because a new "faster, better, cheaper" solution, that was slower, crashed all the time, & feature-lacking, was coming for the new NT4 servers. Oh well...typical gov't spending...
    Amigori

    --
    "The quality of life is determined by its activites."--Aristotle
  25. Re:eeeeenteresting.... by digitalchinky · · Score: 2, Informative

    I don't know a great deal about the NSA, however, I can call myself an expert on the DSD.

    There are countless advocates of linux throughout the organisation. (though management has the 'microsoft, oooh shiny' mentality)

    I have asked a few about the backdoor thing in SELinux, and they have all said 'it's not going to happen'

    I'm told it is about a 'standard' in secure computing, not an easy kill for collectors. Most people do not trust government anyway, let alone NSA, so their work is an uphill battle right from the start. (SELinux started around 1998/99 if I recall correctly)

    At work I'm a solaris guy anyway - management do not trust linux anywhere near as much as they trust Sun. (Too much eye candy)

    This is all just for what it is worth, my opinion does not reflect the DSD's.

    (And despite my sig, no, I will not sell secrets, so stop asking!)