Red Hat Seeks to Deliver Most Secure Linux

Jack writes "ITO is running a story on Red Hat's plan to become the most secure Linux platform. From the article: "Red Hat officially joined The National Information Assurance Partnership to bring an improved level of security and assurance to Linux. This means that the next version of Red Hat Enterprise Linux will contain kernel and Security Enhanced Linux policy enhancements, developed by IBM, Red Hat, TCS, NSA and the community.""

Re:RedHat poised to become the next Microsoft

[99BottlesOfBeerInMyF]

RedHat could be well on it's way to becoming the next Microsoft.

I think you are mistaken. It is entirely probable that RedHat the company will partner up with lots of big businesses. Big businesses, however, want a commodity OS, competitive advantages, and for that matter, open source at this point. Having been burned by MS for so long, many companies at the heart of the Linux community are unlikely to swiftly move to closed formats, APIs, code, etc. Even assuming RedHat did exactly that, introducing formats and closed source code as much as possible, they are still working on a base that is GPL and that they cannot close and still sell. That means there is nothing stopping others from modifying that code or even redistributing it. RedHat would basically have to write their own OS from scratch or based upon BSD licensed code in order to get us close to the situation we have with MS. Even were they to do that, we'd still be several steps ahead for compatibility and security from where we are now with Windows.

To summarize, sure RedHat can become "evil" but that does not stop Linux, and RedHat has no way to "take over" Linux since they don't own it. I'm just not too worried, they have a long hard road ahead to become MS, and they will need a new OS to do it.

Re:RedHat poised to become the next Microsoft

[An+Onerous+Coward]

I don't understand why people keep trying to make that comparison.

If you want to argue that RedHat has turned its back on the community, or jumped in bed with big business, or whatever, go right ahead. But it simply isn't possible for any Linux distributor to "become Microsoft", because unlike Microsoft, anybody who can obtain a copy of Distro X can legally rebrand, recompile, and sell it as Distro Y. Somebody running Distro Z can go through Distro X, figure out any new features, and bring those features to Distro Z.

RedHat can't do a thing to stop RH-based distros like CentOS and White Box. The GPL ensures that, while one distro might dominate the Linux landscape, nobody will ever have a lock on Linux itself. Linux World Domination would mean that nobody can dominate.

So please, elaborate your reasoning. What is RedHat doing that scares you?

Re:Missed a link :)

Except 'most people' and 'sufficiently large government organizations and corporations' are not interchangeable. The NSA or FBI doesn't look at the complexity of SELinux and say decide they are gonna turn it off for that reason. I don't need SELinux on my notebook or my desktop and I don't need it in my 20 man organization, so I turn it off. SELinux isn't designed for me or my organization or my desktop or a good majority of computers out there. But for what it is designed for it does it well.

Re:Missed a link :)

[andyross]

SELinux does not make anything more secure. [...] OpenBSD has a policy that security must be on by default, must not create a significant performance hit, and must be simple enough that people actually use it.

Um, the SE linux configuration shipped with Fedora is on by default, does not create a significant performance hit, and is simple enough that most users (those who aren't making fundamental changes to the installed daemon processes, basically) don't even know it's turned on.

This is mostly a defensive flame. SELinux clearly is useful as a security tool. It provides MAC features that you simply can't get with traditional unix security model. Now, clearly, this kind of change in worldview brings complexity. And lots of installations, even secure ones, don't necessarily need it or want it. And early Fedora (FC2 prereleases, I think) implementations were far too restrictive, and cause much confusion and flamage. I have it turned off on my laptop, for example.

But to baldly claim that "SELinks does not make anything more secure" is just silly.

Re:Missed a link :)

[duffbeer703]

You're missing the point -- SELinux doesn't make software secure -- it allows you to define secure behavior.

The OpenBSD approach is to raise the quality level of the code to eliminate flaws in the operating environment. That's great -- except not every software development process is shipping flawless software and not every security problem is a result of bugs in software. If Apache or a database or any other application running on BSD has a flaw or is misconfigured, the OS isn't going to protect you or your data.

The SELinux approach gives the operating system control over what is happening on the system. If a hacker or worm compromises an application, and tries to do something that the application is not permitted to do, those actions can be blocked and audited & the impact of flaws or misconfigurations in software can be contained.

SELinux or Trusted Solaris aren't competitors to OpenBSD at all -- they are really in different niches entirely.