Slashdot Mirror


SELinux Moving Into The Mainstream

PaxTech writes "Security Enhanced Linux is moving into the mainstream rapidly, bringing its implementation of mandatory access control to a wider audience. The agenda for the 2006 SELinux Symposium has just been announced, distributions such as Fedora are including SELinux in the default build, and ports are underway to bring SELinux functionality to BSD and Darwin. Security minded systems administrators should be learning about this technology as it provides another strong layer of security for Linux servers."

5 of 24 comments

  1. You mean like how DARPA funded the internet? by NZheretic · Score: 3, Informative
    A Brief History of the Internet.

    Also Larry Wall, author of Perl, was originally funded by the U.S. National Security Administration (NSA) as part of the "Blacker" project ; AND
    DARPA grants largely funded the development of UNIX 4.1 BSD (Berkeley Software Distribution) as well as the later development of the TCP/IP networking protocols.

  2. To quote Russell Coker by NZheretic · Score: 5, Informative
    Russell Coker posted one of the most concise rationales to the SELinux Mailing List:
    GR Security includes PaX for protection against stack smashing and other similar attacks. But it also has an ACL system of its own and limited chroots (i.e. a process in a chroot can't touch the outside environment or other chroots).

    SE Linux is an implementation of the domain-type security model. The domain a process is in determines what access it is given. Domains can change automatically on execution of certain processes (e.g. getty, login, and ping), or when executing a process a SE Linux aware program can specify the security context of the child process (within a certain range); login, sshd, and cron do this.

    The grsec ACL system and RSBAC don't support modifying applications to specify the security context, so they don't support giving different access to different non-root users.

    I think that Grsec has better support for some aspects of IP networking control, such as controlling which IP address a process can bind to (currently SE Linux only supports controlling bind access by port).

    RSBAC has lots of options for a huge number of things as they take the kitchen sink approach. You have to answer about 40 questions at kernel configuration time, and it's not clear which combinations of options are viable.

    Also visit the SELinux Frequently Asked Questions.
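As an added illustration of the domain-type model Coker describes (this is example code written for this page, not code from the thread or from the SELinux project), the following Python model encodes a handful of allow rules and one automatic type_transition, then replays the getty -> login -> shell chain. The three checks it performs on exec (execute on the file, transition between domains, entrypoint for the new domain) are the ones the SELinux kernel module makes for a domain change; the `requested` argument stands in for a SELinux-aware program such as login, sshd or cron choosing the child's context (in real code that is libselinux's setexeccon, not modelled here). It also covers the last paragraph's point that bind access is granted per port type rather than per IP address. Every domain, type and port number in the policy is constructed for the example.

```python
"""Toy model of SELinux domain-type enforcement (added example, not SELinux code).
All domains, types and rules below are constructed for illustration."""

from collections import defaultdict


class AccessDenied(Exception):
    """Raised when the policy has no allow rule for a requested access."""


class Policy:
    """Allow rules plus automatic domain transitions, SELinux-style."""

    def __init__(self):
        # (source_domain, target_type, object_class) -> permissions granted
        self.allow = defaultdict(set)
        # (source_domain, executable_type) -> domain the child runs in
        self.transitions = {}

    def allow_rule(self, source, target, cls, perms):
        self.allow[(source, target, cls)].update(perms)

    def type_transition(self, source, exe_type, new_domain):
        self.transitions[(source, exe_type)] = new_domain

    def allowed(self, source, target, cls, perm):
        return perm in self.allow.get((source, target, cls), set())

    def check(self, source, target, cls, perm):
        if not self.allowed(source, target, cls, perm):
            raise AccessDenied(f"{source} -> {target}:{cls} {{ {perm} }}")

    def exec_domain(self, current, exe_type, requested=None):
        """Domain a child runs in after exec, mirroring the kernel's checks.

        `requested` models a SELinux-aware program (login, sshd, cron) asking
        for a specific child context. Without it the automatic type_transition
        rule applies, and with no rule at all the domain is simply kept.
        """
        self.check(current, exe_type, "file", "execute")
        new = requested or self.transitions.get((current, exe_type), current)
        if new != current:
            # A domain change needs both sides to agree: the old domain may
            # transition to the new one, and the new domain accepts this
            # executable as one of its entry points.
            self.check(current, new, "process", "transition")
            self.check(new, exe_type, "file", "entrypoint")
        return new


def build_policy():
    """Constructed mini-policy: getty -> login -> user shell, plus one port rule."""
    p = Policy()
    # getty execs login and automatically lands in login_t.
    p.allow_rule("getty_t", "login_exec_t", "file", {"execute"})
    p.allow_rule("getty_t", "login_t", "process", {"transition"})
    p.allow_rule("login_t", "login_exec_t", "file", {"entrypoint"})
    p.type_transition("getty_t", "login_exec_t", "login_t")
    # login may place the user's shell in user_t or staff_t, but not sysadm_t.
    p.allow_rule("login_t", "shell_exec_t", "file", {"execute"})
    for domain in ("user_t", "staff_t"):
        p.allow_rule("login_t", domain, "process", {"transition"})
        p.allow_rule(domain, "shell_exec_t", "file", {"entrypoint"})
    p.allow_rule("sysadm_t", "shell_exec_t", "file", {"entrypoint"})
    # Network: bind access is granted per port *type*, not per IP address.
    p.allow_rule("httpd_t", "http_port_t", "tcp_socket", {"name_bind"})
    return p


# Constructed port-to-type labelling; unlisted ports fall back to the generic port_t.
PORT_TYPES = {80: "http_port_t", 443: "http_port_t", 22: "ssh_port_t"}


def can_bind(policy, domain, port):
    port_type = PORT_TYPES.get(port, "port_t")
    return policy.allowed(domain, port_type, "tcp_socket", "name_bind")


def login_flow(policy, requested_user_domain):
    """getty -> login -> shell; returns the domains of login and the shell."""
    login_domain = policy.exec_domain("getty_t", "login_exec_t")
    shell_domain = policy.exec_domain(login_domain, "shell_exec_t",
                                      requested=requested_user_domain)
    return login_domain, shell_domain


def login_allowed(policy, requested_user_domain):
    """True if login may hand the shell the requested domain under this policy."""
    try:
        login_flow(policy, requested_user_domain)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    pol = build_policy()
    print("getty -> login -> shell as user_t:", login_flow(pol, "user_t"))
    print("login asking for sysadm_t allowed:", login_allowed(pol, "sysadm_t"))
    for port in (80, 443, 22, 8080):
        print(f"httpd_t bind tcp/{port}:", can_bind(pol, "httpd_t", port))
```

The denial for sysadm_t comes from the missing `login_t -> sysadm_t:process transition` rule, even though sysadm_t has an entrypoint on the shell: both halves of a transition must be allowed, which is what lets a policy give different non-root users different domains while keeping login itself from escalating. The bind check shows the limitation Coker mentions: ports 80 and 443 share a type and are both permitted, port 22 and an unlabelled 8080 are refused, and nothing in the decision looks at the IP address.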

  3. Re:And by mainstream, we mean by legalize.ganja.now. · Score: 2, Informative
    not that I'm an NSA fanboy, but:
    selinux is both free and open (see http://www.nsa.gov/selinux/info/license.cfm)...

  4. Re:Q: best way to learn it? by PaxTech · Score: 2, Informative
    My only experience with SELinux has been when an old reliable sysadmin procedure stopped working. I acknowledge that I need to know more. Should I pop for the (overpriced, IMO) O'Reilly book, or plow through the online stuff?

    The O'Reilly book is very outdated, most of it talks about the SELinux implementation in FC2 IIRC, and a LOT has changed since then. You'd be better off with the online stuff until that book gets revised.

    <shameless plug>
    I wrote a series of four articles on SELinux you can find here: 1 2 3 4 and the company I work for has an SELinux strict policy server distro available here.
    </shameless plug>

    --
    All movements for social change begin as missions, evolve into businesses, and end up as rackets.
  5. Re:Interesting to see it being ported by jkoshy · Score: 2, Informative
    Mandatory Access Control has been available (but not turned on by default) in FreeBSD since its 5.0 release (Jan 2003). Documentation on using MAC is available in the FreeBSD Handbook. Manual pages are also available.