Slashdot Mirror


NSA Releases Updated SELinux

darthcamaro writes "Looks like our federal tax dollars are hard at work - improving security on Linux! The NSA - you know the folks that are shadowy figures on X-files - have released the latest updates to SELinux (security enhanced). Internetnews.com has got a piece on it where they talk to Gentoo and Red Hat about the release's significance."

20 of 319 comments

  1. X-Files Eh? by mattdev121 · · Score: 5, Funny

    ScullyEnhanced Linux?
    I'm in. Where do I get it?

    --
    mattdev@server$ touch /dev/genitals
    cannot touch `/dev/genitals': Permission denied
  2. Context by lukewarmfusion · · Score: 5, Interesting

    This comes right on the heels of a report by a security firm that Linux was the most vulnerable server OS...

    On the other hand, I think this is a great example of why open source software is a good thing - anyone, the government included, can improve the software. I'm sure they feel much better about using an OS that they've personally inspected and tested than something else.

  3. Re:eeeeenteresting.... by DrLZRDMN · · Score: 5, Funny

    I don't know, compare them
    Tin Foil Hat Linux

  4. Rather generous of the NSA by mrdaveb · · Score: 5, Insightful

    Seeing as any changes the NSA make are presumably only used internally by the agency, they are under no obligation to release the source. So this is quite a community spirited move on their part.

    Unless of course they are trying to sneak some NSA backdoors into Linux kernels :-)

    --
    Homme petit d'homme petit, s'attend, n'avale
    1. Re:Rather generous of the NSA by Gorath99 · · Score: 5, Insightful

      Well, since it's all GPL anyone can go through the code to look for backdoors. If the NSA has actually planted backdoors and they're found, then that is sure to backlash at them bigtime (nobody will trust them ever again), so I don't think they actually put any in.

      However, that doesn't mean that taking a long and critical look at the modifications isn't worthwhile...

    2. Re:Rather generous of the NSA by AndroidCat · · Score: 5, Funny

      They'll regret such foolish generosity when Darl and SCO bitch-slap them with a law-suit and a request for n*$699 (for secret values of n). [Bugs voice] Please Jacques, not this distro!

      --
      One line blog. I hear that they're called Twitters now.
    3. Re:Rather generous of the NSA by multiplexo · · Score: 5, Funny

      "Hello Mr. McBride, welcome to the National Security Agency. Before we talk about your lawsuit and IP claims we'd like to show you a few things. Exhibit one. A picture of you entering a hotel room in Orem with two live nanny goats, a rubber raft, a pair of chaps and a can of Frymax fryer grease. Exhibit 2. Pictures from within the room of activities which violate the laws of God and Man, if not those of the State of Utah. Exhibit 3, credit card receipts for animal tranquilizers and male goat hormones. Shall we continue?"

      --
      cheap labor conservatives - they want to keep you hungry enough to be thankful for minimum wage.
  5. I am curious by enrayged · · Score: 5, Interesting

    Do the security enhancements developed by the NSA slow down the kernel? Does it make it harder to set up services such as email or apache? How much more secure is it than a standard vanilla kernel?

    I have not had the opportunity to play with SELinux but am interested in how it works, how difficult it is to set up properly and all that fun stuff.

    1. Re:I am curious by temojen · · Score: 5, Informative
      > Do the security enhancements developed by the NSA slow down the kernel?
      No
      > Does it make it harder to set up services such as email or apache?
      Yes
      > How much more secure is it than a standard vanilla kernel?

      It's not much more secure, except that it's based on a more flexible permissions system. So even Root may not have full root access, and it's not necessary to be root to run a server (bind to ports lower than 1024), so long as you're given permission to that port. Also there's a lot more auditing support.

      So for standalone home desktops, it's mostly not necessary, but for Banks, the military, and others that need a major paper trail for everything it's worthwhile.
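
The remark above that under SELinux even root may not have full access can be seen in a small model. This is an added sketch, not part of the thread and not SELinux's own code: it parses `allow` rules and grants access only when both the classic Unix check and the type-enforcement policy agree. The sample policy, the type names, the simplified DAC check (no groups) and all function names are assumptions made for illustration.

```python
import re

# Constructed sample policy in SELinux "allow" rule syntax; the type names are
# illustrative and were not given in the thread.
POLICY = """
allow httpd_t http_port_t:tcp_socket name_bind;
allow httpd_t httpd_config_t:file { read getattr };
allow sysadm_t shadow_t:file { read write };
"""

RULE = re.compile(r"allow\s+(\w+)\s+(\w+):(\w+)\s+(?:\{([^}]*)\}|(\w+))\s*;")

def parse_policy(text):
    """Return a set of (source_type, target_type, class, permission) tuples."""
    allowed = set()
    for src, tgt, cls, many, one in RULE.findall(text):
        for perm in (many.split() if many else [one]):
            allowed.add((src, tgt, cls, perm))
    return allowed

def dac_allows(uid, owner_uid, mode, want):
    """Simplified classic Unix check: root bypasses the mode bits entirely."""
    if uid == 0:
        return True
    shift = 6 if uid == owner_uid else 0  # owner bits or other bits (no groups)
    bit = {"read": 4, "write": 2}[want]
    return bool((mode >> shift) & bit)

def access(allowed, uid, domain, obj, want):
    """Grant only if DAC and the type-enforcement policy both allow it."""
    if not dac_allows(uid, obj["owner"], obj["mode"], want):
        return "denied (DAC)"
    if (domain, obj["type"], "file", want) not in allowed:
        return "denied (MAC)"  # default deny: no matching allow rule
    return "granted"

RULES = parse_policy(POLICY)
SHADOW = {"owner": 0, "mode": 0o600, "type": "shadow_t"}
CONF = {"owner": 0, "mode": 0o644, "type": "httpd_config_t"}

if __name__ == "__main__":
    print(access(RULES, 0, "httpd_t", SHADOW, "read"))      # root web server
    print(access(RULES, 0, "sysadm_t", SHADOW, "read"))     # root admin shell
    print(access(RULES, 0, "httpd_t", CONF, "write"))       # read-only config
    print(access(RULES, 1000, "sysadm_t", SHADOW, "read"))  # non-root user
```

The same uid 0 gets different answers depending on the domain the process runs in, which is what limits the damage when a root-owned daemon is compromised.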

  6. Re:Shouldn't this be our default system? by MrHanky · · Score: 5, Informative

    SELinux is included in 2.6 kernels. Of course, you also need the right userspace tools to take advantage of it. I imagine distros will use SELinux when they migrate to 2.6.x.

  7. A few quick comments by picklepuss · · Score: 5, Interesting

    I just want to toss out the notion that the general complaint that slashdot readers don't read the article, and the slashdot effect are mutually exclusive. There were only 8 replies to this thread when I clicked the main article link, and although it wasn't completely slashdotted, it was incredibly slow coming up.

    My second comment is really a question: How do we weigh this up against Mr. McBride's letters to congressmen? It seems like they would probably lean on the NSA for advice on what's secure and what's not, rather than the seemed ravings of a madman.

    I would also throw out a little pointer that probably one of the major reasons that the NSA is working on the Linux Kernel is simply because they can. I'm almost certain that if they had the ability to tweak security in MS, they would do so.

    Kudos to the NSA for sharing it all with us.

  8. Pure gold? by Kiyooka · · Score: 5, Interesting

    Isn't this one of the best things to have happened to linux in the past year? How many operating systems can boast about having ***NSA***-quality security? Whether that's the whole story is another issue: this is marketing pure gold! That line in and of itself would be enough to catch the interest of most managers, I think. This may really kick open the door for Linux moving into the corporate space.

  9. Agree Strongly. by Anonymous Coward · · Score: 5, Insightful

    You can say whatever you like about backdoors and the like, but you can be goddamned sure I want some of the brightest minds in this country looking at the code I use as opposed to the dumbfucks that I graduate with that go to work for regular companies. As for the brightest minds? Just take a look at the requirements to work for the NSA vs. Microsoft (and NO, I'm not talking about security requirements).

  10. Re:Better go over the source... twice by Tackhead · · Score: 5, Insightful
    > Whoooo nelly... It kind of makes you wonder what kind of "enhanced security" those boys loaded that thing up with?

    Well, those who are able should be going over the source closely anyways. The adversaries are!

    Remember, NSA has two mandates:
    1) Help Americans secure their boxen, and
    2) Be able to 0wnz0r any non-American's boxen.

    Just because #2 gets all the press on Slashdot doesn't invalidate #1. The net effect of "more machines on the network are secure, even though some of those machines are used by non-Americans, and even if that fact makes some things a little more difficult for the other half of NSA" is still an increase in security for Americans.

    SELinux is consistent with NSA's goals in providing a secure information infrastructure for US Citizens. Given that NSA knows that the code will be closely examined by both NSA-friendly and NSA-hostile folk alike, I'd expect SELinux code to be safe, and would treat such code with a policy of "trust, but verify." (More precisely: "Verify, but trust.")

  11. Re:eeeeenteresting.... by kfg · · Score: 5, Funny

    At least they have a sense of humor about it. Among the reasons to use Tinfoil Linux:

    The Illuminati are watching your computer, and you need to use morse code to blink out your PGP messages on the numlock key.

    KFG

  12. Hardened Gentoo by MadMethod · · Score: 5, Informative

    A lot of my Gentoo specific comments were taken out of the article so I'll provide them below:

    MACs are only the enforcement part, auditing is also very important and sadly something lacking in LSM. We are looking into different auditing schemes to complement SELinux.

    Recently we have completely integrated PaX memory protections into the SELinux policy. Unfortunately Red Hat's Ingo wrote execshield, which he admits provides less protection so most of the SELinux camp is not interested in the work we are doing in this area.

    We also provide much tighter policies by default whereas Red Hat/Fedora has chosen to make the user domains much less restrictive and 'user-friendly'. This isn't in line with the goals we've cited on our page http://hardened.gentoo.org . While user friendliness is important, taking restrictions away from domains inevitably loosens security.

  13. Re:eeeeenteresting.... by Darby · · Score: 5, Funny

    > At least they have a sense of humor about it. Among the reasons to use Tinfoil Linux:


    I don't get it. What's so funny?

  14. Re:Shouldn't this be our default system? by rgmoore · · Score: 5, Informative

    Except that this isn't necessarily true. It's probably true that there's an inverse relationship between convenience and security within a given security architecture, but the whole point of SELinux is that it changes the architecture. There's no loss of convenience to a user when suid programs are replaced by ones that have specific limited privileges, but there is a big gain in security. An average user probably won't even notice that they're using a SELinux system instead of an older system. It may be more of a pain for administrators, and certainly will be more of a pain for distribution writers, but they're professionals who should be able to deal with it.

    --

    There's no point in questioning authority if you aren't going to listen to the answers.

  15. SELinux Demo Machine by Lord+Tocharian · · Score: 5, Informative

    Afraid to install SELinux but interested in what it does? The Hardened Gentoo project maintains a SELinux Demo Machine that allows you to ssh in as root. More information here: http://selinux.dev.gentoo.org/

  16. Please clarify by brain1 · · Score: 5, Funny

    OK, Darl says that Linux is a threat to National Security, but the NSA who is responsible for National Security contributes to Linux.... Therefore logic says that Linux is good for National Security. But Microsoft says that they are more secure than Linux. Who's on first, what's on second...

    Yeeow! Nothing like a paradigm shift without using the clutch!