SELinux Moving Into The Mainstream

PaxTech writes "Security Enhanced Linux is moving into the mainstream rapidly, bringing its implementation of mandatory access control to a wider audience. The agenda for the 2006 SELinux Symposium has just been announced, distributions such as Fedora are including SELinux in the default build, and ports are underway to bring SELinux functionality to BSD and Darwin. Security minded systems administrators should be learning about this technology as it provides another strong layer of security for Linux servers."

Next priority should be targeted policies for apps

[NZheretic]

Browsers and internet accessing applications really need a series of targeted policies that can limit what third party extention, plugins and applet/scripting systems have access to.

Almost all plugins should only need read access to its install directory/libraries, to a dedicated subdirectory for plugin for each application, and maybe ( at the users agreement ) common incoming and outgoing directory.

You mean like how DARPA funded the internet?

[NZheretic]

A Brief History of the Internet.

Also Larry Wall, author of Perl, was originally funded by the U.S. National Security Administration (NSA) as part of the "Blacker" project ; AND
DARPA grants largely funded the development of UNIX 4.1 BSD (Berkeley Software Distribution) as well as the later development of the TCP/IP networking protocols.

grsec?

[Adi]

Why should anyone use this instead of grsecurity? I'm just curious, it's not meant to be a flamestarter. :)

Re:grsec?

[A+beautiful+mind]

Because they are different in spirit. SELinux is something that gives the necessary features for an organization like NSA where they require a level C or B or higher classified system.

Grsecurity is more like for the common user wanting to make their system more secure.

I'm aware that this is very vague like this, but it gives the general idea I hope. Personally I use Grsec for my home box, but an organization wanting to replace old mainframes needs to look into a bit different solutions, like SELinux.

Re:grsec?

[PhreakOfTime]

After taking a cursory look at that project, which I can say I have not dealt with personally, or even installed. I can tell you that I see many serious problems on the web page 'support forum'. I dont have the time to spend fixing all the possible errors that I dont currently run across when dealing with the FC3 version of SELinux that I have been using for some time now, across a few different kernels.

Can you tell me why Id want to use that over a distribution that already has that functionality built into it? I have enough customization to do after a distro install for a server, why do I need one more thing?

Im not being a troll either, but if you can offer convincing examples, I would be interested to hear them.

Re:grsec?

[kopykat]

from what i understood reading an article on SElinux last year: its origins go back quite far infact they seem to be speculated as lost in some red tape... as to connections to AT&T labs. the intentions where to create a security system specifically designed for intranet and networking specifics and where tested in university networks and government based internet projects way back when.. according to sources who have taken interest in this type of security and are spent on introducing it to the open source community, unix users globally and new coorporate sectors who have migrated to unix.. its basic function at this current time is based on security in networking environments that are too large for base unix security. as basic security for smaller systems it is still not convincing and to tell the truth in situations where smaller systems are able to secure themselves unix based security is probably still the answer.

Re:And by mainstream, we mean

[kopykat]

it just sounds to gruesome to me that anything that has to do with the .gov analysis is "bad!" considering that berkeley bsd, and really all unix before the introduction of the internet was government and university based as its primary source of development and contingency to the IT world at the time... SElinux is basically a strategic move to inspire and solidify the security of networking and internet services globally where the use of black art hacking has become a problem in every nation that has any form internet communication and the developers who developed it happen to have been open source experts in congruency with NAS developers... . !

To quote Russell Coker

[NZheretic]

Russell Coker posted one of the most concise rationals to the SELinux Mailing List:

GR Security includes PaX for protection against stack smashing and other similar attacks. But it also has an ACL system of it's own and limited chroot's (IE process in chroot can't touch the outside environment or other chroot's).

SE Linux is an implementation of the domain-type security model. The domain a process is in determines that access it is given. Domains can change automatically on execution of certain processes (eg getty, login, and ping) or when executing a process a SE Linux aware program can specify the security context of the child process (within a certain range), login, sshd, and cron do this.

The grsec ACL system and RSBAC don't support modifying applications to specify the security context, so they don't support giving different access to different non-root users.

I think that Grsec has better support for some aspects of IP networking control, such as controlling which IP address a process can bind to (currently SE Linux only supports controlling bind access by port).

RSBAC has lots of options for a huge number of things as they take the kitchen sink approach. You have to answer about 40 questions at kernel configuration time, and it's not clear which combinations of options are viable.

Also visit the SELinux Frequently Asked Questions.

Re:And by mainstream, we mean

[legalize.ganja.now.]

not that i'm a nsa-fanboy but:
selinux is both free and open (see http://www.nsa.gov/selinux/info/license.cfm)...

Q: best way to learn it?

My only experience with SELinix has been when an old reliable sysadmin procedure stopped working. I acknowledge that I need to know more. Should I pop for the (overpriced, IMO) O'Reilly book, or plow through the online stuffs?

Re:Q: best way to learn it?

[PaxTech]

My only experience with SELinix has been when an old reliable sysadmin procedure stopped working. I acknowledge that I need to know more. Should I pop for the (overpriced, IMO) O'Reilly book, or plow through the online stuffs?

The O'Reilly book is very outdated, most of it talks about the SELinux implementation in FC2 IIRC, and a LOT has changed since then. You'd be better off with the online stuff until that book gets revised.

<shameless plug>
I wrote a series of four articles on SELinux you can find here: 1 2 3 4 and the company I work for has an SELinux strict policy server distro available here.
</shameless plug>

Interesting to see it being ported

[Kelson]

...to BSD and Darwin. I've been using Fedora Core since it was first released, and I've watched SELinux go from a slightly clunky annoyance in FC2 to just another part of the system in FC4 as they refined the targeted policy. I'm not sure how much of that was done by the NSA and how much by Red Hat, but it's made a huge difference -- more, even, than the slowly improving security GUI in Fedora Core (though SELinux desperately needs something to make it easier to administer).

Back to BSD/Darwin, I do have to wonder -- how well would a successful Darwin port of SELinux interact with Mac OS X's security model? The page on the website talks about 10.3 and the latest snapshot is dated July.

Re:Interesting to see it being ported

[jbolden]

I do have to wonder -- how well would a successful Darwin port of SELinux interact with Mac OS X's security model?

Quite a bit of it is in there. The problem is that Darwin has a different kernel level security model... there is a difference between single user mode and root in terms of permissions. So for example you can chflags the schg bit on but not off when running in Aquaish modes. There certainly are going to need to be better tools to handle this (sort of like the way XP does stuff during the next reboot).

Re:Interesting to see it being ported

[jkoshy]

Mandatory Access Control has been available (but not turned on by default) in FreeBSD since its 5.0 release (Jan 2003). Documentation on using MAC is available in the FreeBSD Handbook. Manual pages are also available.

Re:And by mainstream, we mean

[poopdeville]

You should try putting your punctuation between sentences instead of letting it all cluster up at the end like that.

Re:And by mainstream, we mean

[kopykat]

off topic?! but its really out of habit that I punctuate this way.. since I am blogger by nature (if that the the right word) but i create dummy files for my database on daily basis and keep track of progress, notes, any new material i have learnt or acquired and so on.. (thousands of files and I am the only one who reads them so:-) i guess in a humerous way I am the only person who could actually decipher my own punctuation although it is valid.. ( i know this from british boarding school and straight A's). like i said in my bio ( a little metally challenged :-))

SELinux and the Patent Trolls

[mpapet]

I checked on this a few months ago and found that SELinux may be patented by the company that appeared to write it for the NSA, the secure computing corporation.(SCC)

Patents owned by the SCC include:

5,867,647 System and method for securing compiled program code
5,822,435 Trusted path subsystem for workstations
5,796,836 Scalable key agile cryptography
5,596,718 Secure computer network using trusted path subsystem which encrypts/decrypts and communicates with user through local workstation user I/O devices without utilizing workstation processor
5,502,766 Data enclave and trusted path system
5,499,297 System and method for trusted path communications
5,276,735 Data enclave and trusted path system
5,272,754 Secure computer interface
6,772,332 System and method for providing secure internetwork services via an assured pipeline
6,658,571 Security framework for dynamically wrapping software applications executing in a computing system
6,640,307 System and method for controlling access to documents stored on an internal network
6,453,419 System and method for implementing a security policy
6,357,010 System and method for controlling access to documents stored on an internal network
6,332,195 Secure server utilizing separate protocol stacks
6,321,336 System and method for redirecting network traffic to provide secure communication
6,301,658 Method and system for authenticating digital certificates issued by an authentication hierarchy
6,219,707 System and method for achieving network separation
6,209,101 Adaptive security system having a hierarchy of security servers
6,182,226 System and method for controlling interactions between networks
6,144,934 Binary filter using pattern recognition
6,072,942 System and method of electronic mail filtering using interconnected nodes
6,003,084 Secure network proxy for connecting entities
5,983,350 Secure firewall supporting different levels of authentication based on address or encryption status
5,968,133 Enhanced security network time synchronization device and method
5,950,195 Generalized security policy management system and method
5,918,018 System and method for achieving network separation
5,915,087 Transparent security proxy for unreliable message exchange protocols
5,913,024 Secure server utilizing separate protocol stacks

My attempts at getting some kind of feedback from the SCC were in vain because no one called me back.

Does Redhat license this? Will the patent trolls come after me if I attempt to use it in a commercial OSS way?

Any insight would be great.

Re:SELinux and the Patent Trolls

[PaxTech]

Straight from the horse's mouth :

--snip--
Despite recent speculation concerning patents, we remain confident that we had the necessary rights to release SELinux in the manner and under the conditions in which we did and that SELinux may be used, copied, distributed, and modified in accordance with the terms and conditions of the GPL.
--
Peter Loscocco
SELinux Project Leader
National Security Agency
--snip--

Re:SELinux and the Patent Trolls

[PaxTech]

My attempts at getting some kind of feedback from the SCC were in vain because no one called me back. Does Redhat license this? Will the patent trolls come after me if I attempt to use it in a commercial OSS way?

I asked a few questions on the SELinux mailing list and to members of the SELinux development team and the universal consensus was that these patent "issues" aren't issues at all, that this patent scare is old news that was settled years ago, and that SELinux is unencumbered and fully GPL compatible.

Red Hat has been shipping product with SELinux enabled since Feb 2005 and has neither licensed any of the above patents nor had any infringement claims made against them.

This is the second time I've seen you on /. bringing up these patent issues with regards to SELinux. Are you sure YOU'RE not the patent troll? I ask because you could have simply done what I did and asked the developers and maintainers of the project directly, rather than ominously allude to unreturned calls from SCC. Frankly, it smacks of FUD to me.

Re:SELinux and the Patent Trolls

1. Thanks for the link.
2. I work in an unrelated security software area and I really want to use SELinux but couldn't prove the IP was clear. This is a very sensitive area in our business.
3. I wanted to get a good answer one way or another for a long time and the topic was another opportunity to test it out. I find using provocative titles gets a few more eyeballs.

Re:SELinux and the Patent Trolls

[PaxTech]

I wanted to get a good answer one way or another for a long time and the topic was another opportunity to test it out. I find using provocative titles gets a few more eyeballs.

I find that implying there are patent issues with an open source project in a public forum when you don't know for sure and haven't taken the basic steps like asking the project developers about it is irresponsible at best. You could have gotten a good answer by just asking the developers, like I did, rather than immediately resort to spreading rumors on Slashdot. It is amazing the amount of damage one can do just by suggesting a patent claim, without any actual evidence.

Re:Next priority should be targeted policies for a

[pyrotic]

Apache is one application that really needs a targeted policy. In FC/RHEL the idea is to separate Apache from the rest of the server. That's fine if you only run one website per server or cluster. If you have multiple virtual hosts wich all need to be able to run scripts and write to the filesystem, to files owned by the correct user, you end up having to switch off the ACLs. It's a security nightmare, which SELinux has done nothing to improve - in the default configuration anyway.

Sun managed to set up Trusted Solaris to deal with this a few years back. Having each virtual host have its own sandbox is the way to go.

http://www.sun.com/blueprints/0202/trustedsoe.pdf

I'm waiting fot the day when Linux distros do this out of the box.