Slashdot Mirror


NSA Releases Updated SELinux

darthcamaro writes "Looks like our federal tax dollars are hard at work - improving security on Linux! The NSA - you know the folks that are shadowy figures on X-files - have released the latest updates to SELinux (security enhanced). Internetnews.com has got a piece on it where they talk to Gentoo and Red Hat about the release's significance."

11 of 319 comments

  1. Re:Shouldn't this be our default system? by MrHanky · · Score: 5, Informative

    SELinux is included in 2.6 kernels. Of course, you also need the right userspace tools to take advantage of it. I imagine distros will use SELinux when they migrate to 2.6.x.

  2. Article Text (seems sluggish) by sik0fewl · · Score: 4, Informative

    February 24, 2004
    Linux Gets Security Boost from NSA
    By Sean Michael Kerner

    Most stories about government deployments of Linux involve a distributor helping various federal and municipal agencies install the open source operating system. But in this case, a federal agency is helping Linux.

    The U.S. National Security Agency (NSA), also known as the codemakers and codebreakers cryptologic division within the Department of Defense, has helped to harden Linux with newly-released Security Enhanced Linux (SELinux) kernel modifications.

    The latest release, which updates the base kernel to 2.6.3 and 2.4.24, contains numerous significant improvements to security in the open source operating system. The SELinux improvements mark a major breakthrough for Linux. Because of the NSA's contributions to the kernel, the new security features will now show up in mainstream distributions of Linux.

    "Conditional policies are significant and also networking hooks were added, which makes SELinux all that much more powerful," Joshua Brindle, hardened Gentoo Linux Project Leader and the NSA's SELinux contributor, told internetnews.com.

    "They also exported AVC controls to userland to facilitate strong X-based access control and privilege separation," he added.

    SELinux was released by the NSA under the GNU GPL open source license. SELinux is essentially a Linux Kernel with a number of utilities that provide enhanced security functionality. But the critical component of SELinux is how it implements and handles mandatory access controls.

    "SELinux is important because mandatory access controls are essential to limiting access to daemons and users to only what they need. It also solves the age-old almighty powerful superuser problem in Linux," Gentoo's Brindle told internetnews.com.

    "We stress however that it isn't an end-all solution, that it must be combined with additional layers of protection."

    Debian, Gentoo and Red Hat Fedora's latest test release of Fedora Core 2 all currently make some use of SELinux. Red Hat also plans to incorporate SELinux into its next Red Hat Enterprise Linux release.

    This "marks an important milestone in what enterprises globally feel is an important issue," Red Hat spokesperson Leigh Day said of the SELinux update. "One of the first issues we hear from our customers when talking with them about solution requirements is security," she told internetnews.com. "We're pleased to be working with the NSA to bring SELinux to our distribution. We will incorporate SELinux fully in our next release of RHEL 4."

    The Security-enhanced Linux kernel enforces mandatory access control policies that confine user programs and system servers to the minimum amount of privilege they require to do their jobs.

    --
    I remember when legal used to mean lawful, now it means some kind of loophole. - Leo Kessler
  3. Dunno why the link wasn't in the article. HERE: by MikeCapone · · Score: 4, Informative
  4. Not at all mutually exclusive! by qortra · · Score: 4, Informative

    Apparently, you don't understand the difference between a "page impression" and a "read". Now, here's what the normal slashdot user does:
    1) Clicks on link
    2) Looks for colorful photos
    3) Presses Ctrl-F, then types "screenshots", then Enter
    4) Clicks on any links he finds in that context.
    5) If he finds nothing, clicks "Back", clicks "Reply", and makes an uninformed comment

    Very little reading usually goes on; just viewage of pretty pictures. And, of course, this just makes the slashdot effect worse; text doesn't really hurt webservers as bad as big JPGs. That's why two hours after the posting on slashdot, the site admins are always back online with a text-only version of their site saying something like "I've never seen so much web activity in my life".

  5. Re:I am curious by temojen · · Score: 5, Informative

    Do the security enhancements developed by the NSA slow down the kernel?
    No
    Does it make it harder to set up services such as email or apache?
    Yes
    How much more secure is it than a standard vanilla kernel?

    It's not much more secure, except that it's based on a more flexible permissions system. So even Root may not have full root access, and it's not necessary to be root to run a server (bind to ports lower than 1024), so long as you're given permission to that port. Also there's a lot more auditing support.

    So for standalone home desktops, it's mostly not necessary, but for Banks, the military, and others that need a major paper trail for everything it's worthwhile.

  6. Hardened Gentoo by MadMethod · · Score: 5, Informative

    A lot of my Gentoo specific comments were taken out of the article so I'll provide them below:

    MACs are only the enforcement part, auditing is also very important and sadly something lacking in LSM. We are looking into different auditing schemes to complement SELinux.

    Recently we have completely integrated PaX memory protections into the SELinux policy. Unfortunately Red Hat's Ingo wrote execshield, which he admits provides less protection so most of the SELinux camp is not interested in the work we are doing in this area.

    We also provide much tighter policies by default whereas Red Hat/Fedora has chosen to make the user domains much less restrictive and 'user-friendly'. This isn't in line with the goals we've cited on our page http://hardened.gentoo.org. While user friendliness is important, taking restrictions away from domains inevitably loosens security.

  7. Re:Shouldn't this be our default system? by rgmoore · · Score: 5, Informative

    Except that this isn't necessarily true. It's probably true that there's an inverse relationship between convenience and security within a given security architecture, but the whole point of SELinux is that it changes the architecture. There's no loss of convenience to a user when suid programs are replaced by ones that have specific limited privileges, but there is a big gain in security. An average user probably won't even notice that they're using a SELinux system instead of an older system. It may be more of a pain for administrators, and certainly will be more of a pain for distribution writers, but they're professionals who should be able to deal with it.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  8. SELinux Demo Machine by Lord+Tocharian · · Score: 5, Informative

    Afraid to install SELinux but interested in what it does? The Hardened Gentoo project maintains a SELinux Demo Machine that allows you to ssh in as root. More information here: http://selinux.dev.gentoo.org/

    1. Re:SELinux Demo Machine by MadMethod · · Score: 4, Informative

      OK, slashdotting via ssh is a Bad Thing; the machine is essentially at a standstill. Calm down a bit and try later, or there are also other demo machines for Debian and Fedora here: http://www.coker.com.au/selinux/play.html Thanks :)

  9. How its predecessor worked by billstewart · · Score: 4, Informative

    I worked with AT&T's Multi-Level-Secure System V/MLS systems in the late 80s. Some details have changed since then (:-), but the basics are mostly the same. Most of the changes were in file and device access permissions and logging. The permissions features don't slow anything down significantly (except of course by stopping unapproved accesses altogether), and at the time, the logging functions were implemented very cleanly and rapidly, typically burning under 5% of horsepower (mostly disk access to save the very compact log entries.)

    Some services are harder to set up, because the permission issues get in the way, especially if they expect to have an all-powerful root doing the work for them, or if the application does lots of work to secure itself (chroot jails, etc.), but most applications aren't affected much. Anything that does much with Setuid() can expect a radically different environment underneath.

    The big security win is that you can define different security compartments, including one or more for the operating system itself, and applications can only read from lower-security-level compartments, not write to them. This means that even if somebody finds an egregious buffer overflow bug in your email client, and uses it to mail your precious files to kgbvax.dhs.gov, they still can't use that to r00t your machine, and it's very hard for them to accomplish much by leaving Trojan Horse files around in your home directory because root usually isn't allowed to read them without you explicitly authorizing them.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
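
The compartment rule described in the comment above, as an added example that is not part of the original thread: a minimal label check in the style of the Bell-LaPadula model (the comment does not name a model), with a decision record per request. The labels, subjects and file paths are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    level: int                             # hierarchical level, higher = more sensitive
    compartments: frozenset = frozenset()  # non-hierarchical categories

    def dominates(self, other: "Label") -> bool:
        # A label dominates another if it is at least as high AND holds
        # every compartment of the other; two labels can be incomparable.
        return self.level >= other.level and self.compartments >= other.compartments

def allowed(op: str, subject: Label, obj: Label) -> bool:
    if op == "read":     # no read up: the subject must dominate the object
        return subject.dominates(obj)
    if op == "write":    # no write down: the object must dominate the subject
        return obj.dominates(subject)
    return False         # default deny for anything else

# Constructed labels: the OS (and root's shell) sit in the lowest compartment.
SYSTEM = Label(0)
ALICE = Label(1, frozenset({"alice"}))
BOB = Label(1, frozenset({"bob"}))

SUBJECTS = {"mail_client": ALICE, "root_shell": SYSTEM, "bob_shell": BOB}
OBJECTS = {"/bin/login": SYSTEM,
           "/home/alice/notes": ALICE,
           "/home/alice/trojan": ALICE}

def check(subject: str, op: str, obj: str) -> dict:
    # Returns the decision as a record suitable for an audit log.
    granted = allowed(op, SUBJECTS[subject], OBJECTS[obj])
    return {"subject": subject, "op": op, "object": obj, "granted": granted}

def run_scenario() -> list:
    requests = [
        ("mail_client", "read", "/home/alice/notes"),   # exploited client still reads its user's files
        ("mail_client", "read", "/bin/login"),          # read down: granted
        ("mail_client", "write", "/bin/login"),         # write down into the OS: denied
        ("root_shell", "read", "/home/alice/trojan"),   # root reading up: denied
        ("bob_shell", "read", "/home/alice/notes"),     # incomparable compartments: denied
    ]
    return [check(*r) for r in requests]

if __name__ == "__main__":
    for record in run_scenario():
        print(record)
```

The pure rule also grants `allowed("write", SYSTEM, ALICE)`, a blind write up; deployments that want to stop that restrict writes to equal labels.
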
  10. Re:eeeeenteresting.... by afidel · · Score: 4, Informative

    It's the NSA's job to enhance the security of US government systems as well as attack the security of enemy systems. For a good example of the former see the changes they made to the DES algorithm's S-Box selection function which made it more resistant to differential cryptanalysis 20 years before the technique was reinvented by the public sector.

    --
    There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.