Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA Releases Updated SELinux

Posted by timothy on from the now-they-have-to-kill-you dept.

darthcamaro writes "Looks like our federal tax dollars are hard at work - improving security on Linux! The NSA - you know the folks that are shadowy figures on X-files - have released the latest updates to SELinux (security enhanced). Internetnews.com has got a piece on it where they talk to Gentoo and Red Hat about the release's significance."

5 of 319 comments (clear)

  1. Re:Shouldn't this be our default system? by MrHanky · · Score: 5, Informative

    SELinux is included in 2.6 kernels. Of course, you also need the right userspace tools to take advantage of it. I imagine distros will use SELinux when they migrate to 2.6.x.

  2. Re:I am curious by temojen · · Score: 5, Informative
    Does the security enhancements developed by the NSA slow down the kernel?
    No
    Does it make it harder to set up services such as email or apache? Yes
    How much more secure is it than a standard vanilla kernel?

    It's not much more secure, except that it's based on a more flexible permissions system. So even Root may not have full root access, and it's not nescesary to be root to run a server (bind to ports lower than 1024), so long as you're given permission to that port. Also there's a lot more auditing support.

    So for standalone home desktops, it's mostly not nescesary, but for Banks, the military, and others than need a major paper trail for everything it's worthwhile.

  3. Hardened Gentoo by MadMethod · · Score: 5, Informative

    Alot of my Gentoo specific comments were taken out of the article so I'll provide them below:

    MAC's are only the enforcement part, auditing is also very important and sadly something lacking in LSM. We are looking into different auditing schemes to compliment SELinux.

    Recently we have completely integrated PaX memory protections into the SELinux policy. Unfortunatly Redhat's Ingo wrote execsheild, which he admits provides less protection so most of the SELinux camp is not interested in the work we are doing in this area.

    We also provide much tighter policies by default whereas Redhat/Fedora has chosen to make the user domains much less restrictive and 'user-friendly'. This isn't in line with the goals we've cited on out page http://hardened.gentoo.org . While user friendliness is important taking restrictions away from domains inevitably loosens security.

  4. Re:Shouldn't this be our default system? by rgmoore · · Score: 5, Informative

    Except that this isn't necessarily true. It's probably true that there's an inverse relationship between convenience and security within a given security architecture, but the whole point of SELinux is that it changes the architecture. There's no loss of convenience to a user when suid programs are replaced by ones that have specific limited privileges, but there is a big gain in security. An average user probably won't even notice that they're using a SELinux system instead of an older system. It may be more of a pain for administrators, and certainly will be more of a pain for distribution writers, but they're professionals who should be able to deal with it.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  5. SELinux Demo Machine by Lord+Tocharian · · Score: 5, Informative

    Afraid to install SELinux but interested in what it does? The Hardened Gentoo project maintains a SELinux Demo Machine that allows you to ssh in as root. More information here: http://selinux.dev.gentoo.org/